V-42954 | High | The self-protection feature of the McAfee MOVE AV [Multi-Platform] Client, designed to prevent malicious attacks on McAfee MOVE AV Multi-Platform software components, must be enabled. | The self-protection feature defends files, services, and registry keys on virtual machines and will ensure uninterrupted protection. |
V-42936 | High | The McAfee MOVE AV [Multi-Platform] Client General policy must be configured to enable malware protection. | Antivirus software should be installed as soon after OS installation as possible and then updated with the latest signatures and antivirus software patches (to eliminate any known vulnerabilities... |
V-42939 | Medium | The McAfee MOVE AV [Multi-Platform] Client General policy must be configured with the IP address of the secondary Offload Scan Server used by all virtual machines using this policy. | Organizations should use centrally managed antivirus software that is controlled and monitored regularly by antivirus administrators, who are also typically responsible for acquiring, testing,... |
V-42958 | Medium | If the McAfee MOVE AV [Multi-Platform] Client General policy is configured with process exclusions, those exclusions must be formally documented and approved by the ISSO/ISSM. | When scanning for malware, excluding specific file types will increase the risk of a malware-infected file going undetected. By configuring antivirus software to scan all file types, the scanner... |
V-42956 | Medium | The McAfee MOVE AV [Multi-Platform] Client General policy must be configured with the listening port of the primary Offload Scan Server used by all virtual machines using this policy. | Organizations should use centrally managed antivirus software that is controlled and monitored regularly by antivirus administrators, who are also typically responsible for acquiring, testing,... |
V-42957 | Medium | The McAfee MOVE AV [Multi-Platform] Client General policy must be configured with the listening port of the secondary Offload Scan Server used by all virtual machines using this policy. | Organizations should use centrally managed antivirus software that is controlled and monitored regularly by antivirus administrators, who are also typically responsible for acquiring, testing,... |
V-42933 | Medium | All other antivirus products must be removed from the virtual machine while the McAfee AV Client is running. | Organizations should deploy antivirus software on all hosts for which satisfactory antivirus software is available. Antivirus software should be installed as soon after OS installation as possible... |
V-42952 | Medium | The McAfee MOVE AV [Multi-Platform] Client General policy must be configured with the location of SYSTEM_DRIVE\quarantine to ensure consistency across all systems. | The quarantine on each system represents a potential danger should the files contained within the quarantine inadvertently be executed. To better manage the quarantine on all systems, the... |
V-42935 | Medium | The McAfee MOVE AV [Multi-Platform] Client policies must be configured with, and managed by, the HBSS ePO server. | Organizations should use centrally managed antivirus software that is controlled and monitored regularly by antivirus administrators, who are also typically responsible for acquiring, testing,... |
V-42937 | Medium | The McAfee MOVE AV [Multi-Platform] Client General policy must be configured with the IP address of the primary Offload Scan Server used by all virtual machines using this policy. | Organizations should use centrally managed antivirus software that is controlled and monitored regularly by antivirus administrators, who are also typically responsible for acquiring, testing,... |
V-42955 | Medium | The McAfee MOVE AV [Multi-Platform] Client General policy must be configured to deny access to files if first action fails. | Malware incident containment has two major components: stopping the spread of malware and preventing further damage to hosts. Disinfecting a file is generally preferable to quarantining it... |
V-42953 | Medium | The McAfee MOVE AV [Multi-Platform] Client General policy must be configured to automatically delete quarantined data after a time period of no more than 28 days. | The quarantine on each system represents a potential danger should the files contained within the quarantine inadvertently be executed. Deleting the quarantine contents on a regular basis will... |
V-42950 | Medium | The McAfee MOVE AV [Multi-Platform] Client General policy must be configured to delete files automatically as first action. | Malware incident containment has two major components: stopping the spread of malware and preventing further damage to hosts. Disinfecting a file is generally preferable to quarantining it... |
V-42951 | Medium | The McAfee MOVE AV [Multi-Platform] Client General policy must be configured to enable the quarantine. | Malware incident containment has two major components: stopping the spread of malware and preventing further damage to hosts. Disinfecting a file is generally preferable to quarantining it... |
V-42940 | Medium | The McAfee MOVE AV [Multi-Platform] Client General policy must be configured with a scan timeout of 45 seconds or more. | This setting configures the amount of time to wait for a scan to complete, in seconds. The default setting is 45 seconds. This is the duration for which a McAfee MOVE AV Agent will wait for scan... |
V-42943 | Medium | The McAfee MOVE AV [Multi-Platform] Client General policy must be configured to expire cached scan results after a time period of no more than 24 hours. | Antivirus software should be installed as soon after OS installation as possible and then updated with the latest signatures and antivirus software patches (to eliminate any known vulnerabilities... |
V-42942 | Medium | The McAfee MOVE AV [Multi-Platform] Client General policy must be configured to cache scan results for files smaller than 40MB. | This setting configures the maximum file size (in MB) up to which scan results should be cached. The default setting is 40MB. Files smaller than this threshold are copied completely to the Offload... |
V-42945 | Medium | The McAfee MOVE AV [Multi-Platform] General policy must be configured to scan when reading from disk. | Antivirus software is the most commonly used technical control for malware threat mitigation. Real-time scanning of files as they are read from disk is a crucial first line of defense from malware attacks. |
V-42944 | Medium | The McAfee MOVE AV [Multi-Platform] Client General policy must be configured to scan when writing to disk. | Antivirus software is the most commonly used technical control for malware threat mitigation. Real-time scanning of files as they are written to disk is a crucial first line of defense from... |
V-42947 | Medium | If the McAfee MOVE AV [Multi-Platform] Client General policy is configured with path or file exclusions, those exclusions must be formally documented and approved by the ISSO/ISSM. | When scanning for malware, excluding specific file types will increase the risk of a malware-infected file going undetected. By configuring antivirus software to scan all file types, the scanner... |
V-42946 | Medium | The McAfee MOVE AV [Multi-Platform] Client General policy must be configured to scan all file types. | When scanning for malware, excluding specific file types will increase the risk of a malware-infected file going undetected. By configuring antivirus software to scan all file types, the scanner... |
V-42949 | Medium | The McAfee MOVE AV [Multi-Platform] Client General policy must be configured to send malware detection events to the HBSS ePO server. | Forensic identification is the practice of identifying infected hosts by looking for evidence of recent infections. The evidence may be very recent (only a few minutes old) or not so recent (hours... |
V-42948 | Medium | The McAfee MOVE AV [Multi-Platform] Client General policy must be configured to report malware detections to the client event log. | Forensic identification is the practice of identifying infected hosts by looking for evidence of recent infections. The evidence may be very recent (only a few minutes old) or not so recent (hours... |