UCF STIG Viewer Logo

If the McAfee MOVE AV [Multi-Platform] Client General policy is configured with path or file exclusions, those exclusions must be formally documented and approved by the IAO/IAM.


Overview

Finding ID Version Rule ID IA Controls Severity
V-42947 AV-MOVE-CLT-013 SV-55676r1_rule Medium
Description
When scanning for malware, excluding specific file types will increase the risk of a malware-infected file going undetected. By configuring antivirus software to scan all file types, the scanner has a higher success rate at detecting and eradicating malware. The excluding files, paths, and processes from being scanned expands the potential for malware to be allowed onto the information system. While it is recognized that some file types might need to be excluded for operational reasons and/or because there is protection afforded to those files through a different mechanism, allowing those exclusions should always be vetted, documented, and approved before applying.
STIG Date
McAfee MOVE 2.6 Multi-Platform Client STIG 2014-01-15

Details

Check Text ( C-49133r1_chk )
From the ePO server console System Tree, select the Systems tab, find and click on the asset to which the McAfee MOVE AV Client has been deployed. Select Actions, select Agent, and select Modify Policies on a Single System.

From the product drop-down list, select MOVE AV [Multi-Platform] Client. Click on the MOVE AV [Multi-Platform] Client policy to open the properties.

Under the Scan Items tab, locate the "Path Exclusions:" label. Ensure no items other than the default "**\McAfee\Common Framework\" are listed.

If any exclusions other than the default "**McAfee\Common Framework" are configured, those exclusions must be formally documented and approved by the IAO/IAM.

If the "Path Exclusions:" label contains any items other than the default "**\McAfee\Common Framework\" that have not been formally documented and approved by the IAO/IAM, this is a finding.

On the local client, access a cmd window, running as administrator.
Navigate to the path to which the McAfee AV Client has been installed (default is C:\Program Files\McAfee\MOVE AV Client on 32-bit systems or C:\Program Files(x86)\McAfee\MOVE AV Client on 64-bit systems).

Execute the following command:
mvadm excludepath list

If the list returned by the above command has any path other than the default "McAfee\Common Framework\", those exclusions must be formally documented and approved by the IAO/IAM.
If the list returned by the above command has any path other than the default "McAfee\Common Framework\", and those exclusions have not been formally documented and approved by the IAO/IAM, this is a finding.
Fix Text (F-48526r1_fix)
From the ePO server console System Tree, select the Systems tab, find and click on the asset to which the McAfee MOVE AV Client has been deployed. Select Actions, select Agent, and select Modify Policies on a Single System.

From the product drop-down list, select MOVE AV [Multi-Platform] Client. Click on the MOVE AV [Multi-Platform] Client policy to open the properties.

Under the Scan Items tab, locate the "Path Exclusions:" label. Remove any items listed other than the default "**\McAfee\Common Framework\" exclusion.

For any paths and processes required to be excluded for operational purposes, formally document those exclusions and obtain approval from the IAO/IAM.

Click Save.