Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-42953 | AV-MOVE-CLT-019 | SV-55682r1_rule | Medium |
Description |
---|
The quarantine on each system represents a potential danger should the files contained within the quarantine inadvertently be executed. Deleting the quarantine contents on a regular basis will alleviate the ability of malware from being executed. An organization's incident response policy should also contain steps in removing quarantined items after their forensic value has been depleted. |
STIG | Date |
---|---|
McAfee MOVE 2.6 Multi-Platform Client STIG | 2014-01-15 |
Check Text ( C-49139r1_chk ) |
---|
From the ePO server console System Tree, select the Systems tab, find and click on the asset to which the McAfee MOVE AV Client has been deployed. Select Actions, select Agent, and select Modify Policies on a Single System. From the product drop-down list, select MOVE AV [Multi-Platform] Client. Click on the MOVE AV [Multi-Platform] Client policy to open the properties. Under the Quarantine tab, locate the "Quarantined data retention:" label. Ensure the "Automatically delete quarantined data after the specified number of days" check box is selected. Under the Quarantine tab, locate the "Quarantined data retention:" label. Ensure the value for "Number of days to keep backed-up data in the quarantine directory:" is 28 days or less. If the "Automatically delete quarantined data after the specified number of days" check box is not selected, this is a finding. If the "Number of days to keep backed-up data in the quarantine directory:" is not set to 28 days or less, this is a finding. On the local client, access a cmd window, running as administrator. Navigate to the path to which the McAfee AV Client has been installed (default is C:\Program Files\McAfee\MOVE AV Client on 32-bit systems or C:\Program Files(x86)\McAfee\MOVE AV Client on 64-bit systems). Execute the following command: mvadm config show If the "QuarantineDays" does not have a value from 1 through 28, this is a finding. |
Fix Text (F-48532r1_fix) |
---|
From the ePO server console System Tree, select the Systems tab, find and click on the asset to which the McAfee MOVE AV Client has been deployed. Select Actions, select Agent, and select Modify Policies on a Single System. From the product drop-down list, select MOVE AV [Multi-Platform] Client. Click on the MOVE AV [Multi-Platform] Client policy to open the properties. Under the Quarantine tab, locate the "Quarantined data retention:" label. Select the "Automatically delete quarantined data after the specified number of days" check box. Under the Quarantine tab, locate the "Quarantined data retention:" label. Input a value of 28 days or less for "Number of days to keep backed-up data in the quarantine directory:". Click Save. |