
The McAfee VirusScan Enterprise Access Protection rules must be used for self-protection of the registry keys of Offload Scan Server configuration.


Overview

Finding ID: V-42986
Version: AV-MOVE-OSS-016
Rule ID: SV-55715r1_rule
IA Controls:
Severity: High
Description
The VirusScan Enterprise Access Protection rules will defend files, services, and registry keys on the Offload Scan Server.
STIG: McAfee MOVE 2.6 Multi-Platform OSS STIG
Date: 2015-10-05

Details

Check Text (C-49159r2_chk)
The McAfee MOVE AV [Multi-Platform] Offload Scan Server does not have a built-in protection mechanism. In order to protect the McAfee MOVE AV [Multi-Platform] Offload Scan Server's files, services, and registry keys, the McAfee VirusScan Enterprise Access Protection features are used.

From the ePO server console System Tree, select the Systems tab, find and click on the asset representing the McAfee MOVE Offload Scan Server to open its properties, select Actions, select Agent, and select Modify Policies on a Single System.

From the product drop-down list, select VirusScan Enterprise 8.8.x. Click on the Access Protection Policies policy to open the properties.

In the "Access protection rules:" settings, under "Categories", click to select the "User-defined Rules".

Under "Block/Report/Rules", ensure three rules are configured for McAfee MOVE OSS registry key protection.
If multiple User-defined rules are created, consult with the System Administrator to determine the rules for the purpose of this requirement.

For each of the Access Protection Rules created to protect the McAfee MOVE OSS registry keys, ensure both the "Block" and "Report" check boxes are selected.

There should be three individual Registry Blocking Rules, one for each of the following criteria:

Ensure a Registry Access Protection Rule exists that has "HKCCS\services\mvserver" identified as the "Registry Key or value to protect:", with "Write to key or value", "Create key or value", and "Delete key or value" selected under the "Registry actions to block:" section. Under the "Processes to exclude:", "mvserver.exe" should be reflected.

Ensure a Registry Access Protection Rule exists that has "HKCCS\services\mvserver\Parameters" identified as the "Registry Key or value to protect:", with "Write to key or value", "Create key or value", and "Delete key or value" selected under the "Registry actions to block:" section. Under the "Processes to exclude:", "mvserver.exe" should be reflected.

Ensure a Registry Access Protection Rule exists that has "HKCCS\services\mvserver\Parameters\ODS" identified as the "Registry Key or value to protect:", with "Write to key or value", "Create key or value", and "Delete key or value" selected under the "Registry actions to block:" section. Under the "Processes to exclude:", "mvserver.exe" should be reflected.

If three Registry Blocking Rules do not exist to protect each of the "HKCCS\services\mvserver", "HKCCS\services\mvserver\Parameters", and "HKCCS\services\mvserver\Parameters\ODS" registry keys and values, this is a finding.

On the system designated as the McAfee MOVE OSS Server, access the local McAfee VirusScan Enterprise Console.
Under the Task column, select "Access Protection", right click and select "Properties".
In the "Access protection rules:" settings, under "Categories", click to select the "User-defined Rules".

Under "Block/Report/Rules", ensure three rules are configured for McAfee MOVE OSS registry key protection.
If multiple User-defined rules are created, consult with the System Administrator to determine the rules for the purpose of this requirement.

For each of the Access Protection Rules created to protect the McAfee MOVE OSS registry keys, ensure both the "Block" and "Report" check boxes are selected.

There should be three individual Registry Blocking Rules, one for each of the following criteria:

Ensure a Registry Access Protection Rule exists that has "HKCCS\services\mvserver" identified as the "Registry Key or value to protect:", with "Write to key or value", "Create key or value", and "Delete key or value" selected under the "Registry actions to block:" section. Under the "Processes to exclude:", "mvserver.exe" should be reflected.

Ensure a Registry Access Protection Rule exists that has "HKCCS\services\mvserver\Parameters" identified as the "Registry Key or value to protect:", with "Write to key or value", "Create key or value", and "Delete key or value" selected under the "Registry actions to block:" section. Under the "Processes to exclude:", "mvserver.exe" should be reflected.

Ensure a Registry Access Protection Rule exists that has "HKCCS\services\mvserver\Parameters\ODS" identified as the "Registry Key or value to protect:", with "Write to key or value", "Create key or value", and "Delete key or value" selected under the "Registry actions to block:" section. Under the "Processes to exclude:", "mvserver.exe" should be reflected.

If three Registry Blocking Rules do not exist to protect each of the "HKCCS\services\mvserver", "HKCCS\services\mvserver\Parameters", and "HKCCS\services\mvserver\Parameters\ODS" registry keys and values, this is a finding.
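
The three-rule criterion used by both check procedures above (ePO console and local VirusScan Enterprise Console), as an added example that is not part of the STIG or of any McAfee tooling: it evaluates rule records against the required keys, blocked actions, Block/Report selections and process exclusion. The record layout and field names are assumptions for illustration, not a McAfee export format; keys are compared with "/" and "\" treated alike because the check text and fix text write the same paths both ways.

```python
# Added example: evaluates rule records against the three-rule criterion above.
# The dict layout is a constructed stand-in, not a McAfee ePO/VSE export format.
REQUIRED_KEYS = (
    r"HKCCS\services\mvserver",
    r"HKCCS\services\mvserver\Parameters",
    r"HKCCS\services\mvserver\Parameters\ODS",
)
REQUIRED_ACTIONS = {"write", "create", "delete"}

def norm_key(key):
    """Lower-case the key and treat '/' and '\\' as the same separator."""
    return key.replace("/", "\\").strip("\\ ").lower()

def rule_gaps(rule):
    """Return the reasons one rule fails the criteria (empty list = compliant)."""
    gaps = []
    if not rule.get("block"):
        gaps.append("Block not selected")
    if not rule.get("report"):
        gaps.append("Report not selected")
    missing = REQUIRED_ACTIONS - {a.lower() for a in rule.get("actions", [])}
    if missing:
        gaps.append("actions not blocked: " + ", ".join(sorted(missing)))
    excluded = {p.strip().lower() for p in rule.get("exclude", [])}
    if "mvserver.exe" not in excluded:
        gaps.append("mvserver.exe not in excluded processes")
    return gaps

def evaluate(rules):
    """Map each required key to [] when a rule fully protects it, else to the gaps."""
    findings = {}
    for key in REQUIRED_KEYS:
        matches = [rule_gaps(r) for r in rules if norm_key(r.get("key", "")) == norm_key(key)]
        findings[key] = min(matches, key=len) if matches else ["no rule for this key"]
    return findings

def is_finding(rules):
    """True when any of the three required keys lacks a compliant rule."""
    return any(evaluate(rules).values())

# Constructed sample: one compliant rule, one missing an action, one report-only.
SAMPLE_RULES = [
    {"key": "HKCCS/services/mvserver", "block": True, "report": True,
     "actions": ["write", "create", "delete"], "exclude": ["mvserver.exe"]},
    {"key": r"HKCCS\services\mvserver\Parameters", "block": True, "report": True,
     "actions": ["write", "delete"], "exclude": ["MVSERVER.EXE"]},
    {"key": r"HKCCS\services\mvserver\Parameters\ODS", "block": False, "report": True,
     "actions": ["write", "create", "delete"], "exclude": []},
]
```
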
Fix Text (F-48565r1_fix)
The McAfee MOVE AV [Multi-Platform] Offload Scan Server does not have a built-in protection mechanism. In order to protect the McAfee MOVE AV [Multi-Platform] Offload Scan Server's files, services, and registry keys, the McAfee VirusScan Enterprise Access Protection features are used.

From the ePO server console System Tree, select the Systems tab, find and click on the asset representing the McAfee MOVE Offload Scan Server to open its properties, select Actions, select Agent, and select Modify Policies on a Single System.

From the product drop-down list, select VirusScan Enterprise 8.8.x. Click on the Access Protection Policies policy to open the properties.

In the "Access protection rules:" settings, under "Categories", click to select the "User-defined Rules" and click on "New".

Click New to create each of the following three "Registry Blocking Rules:", naming each rule according to the protection it affords.

"HKCCS/services/mvserver" identified as the "Registry Key or value to protect:", with "Write to key or value", "Create key or value", and "Delete key or value" selected under the "Registry actions to block:" section. Under the "Processes to exclude:", "mvserver.exe" should be reflected.

"HKCCS/services/mvserver/Parameters" identified as the "Registry Key or value to protect:", with "Write to key or value", "Create key or value", and "Delete key or value" selected under the "Registry actions to block:" section. Under the "Processes to exclude:", "mvserver.exe" should be reflected.

"HKCCS/services/mvserver/Parameters/ODS" identified as the "Registry Key or value to protect:", with "Write to key or value", "Create key or value", and "Delete key or value" selected under the "Registry actions to block:" section. Under the "Processes to exclude:", "mvserver.exe" should be reflected.

After each of the above rules is created, select both the "Block" and "Report" check boxes.

Click Save.