
The McAfee MOVE AV [Multi-Platform] Client General policy must be configured to cache scan results for files smaller than 40MB.


Overview

Finding ID: V-42942
Version: AV-MOVE-CLT-007
Rule ID: SV-55671r2_rule
IA Controls: (none listed)
Severity: Medium
Description
This setting configures the maximum file size (in MB) up to which scan results should be cached. The default setting is 40MB. Files smaller than this threshold are copied completely to the Offload Scan Server and scanned. If the file is found to be clean, its scan result is cached based on its SHA-1 checksum for faster future access. Files larger than this size threshold are transferred in chunks that are requested by the Offload Scan Server and then scanned. Setting the threshold higher could impact the performance of the scan processes.
STIG Date
McAfee MOVE 3.6.1 Multi-Platform Client STIG 2016-09-29

Details

Check Text (C-49128r3_chk)
From the ePO server console System Tree, select the Systems tab, find and click on the asset to which the McAfee MOVE AV Client has been deployed. Select Actions, select Agent, and select Modify Policies on a Single System.

From the product drop-down list, select MOVE AV [Multi-Platform] Client. Click on either the MOVE AV [Multi-Platform] Client General or Offload Scan Server Assignment policies to open the properties.

Under the General tab, locate the "Scan Result Cache:" label. Ensure the "Cache scan results for files smaller than (MB):" box is configured with a value of 40.

If the "Cache scan results for files smaller than (MB):" setting is not configured with a value of 40, this is a finding.

On the local client, open a cmd window running as administrator.
Navigate to the path where the McAfee AV Client is installed (default is C:\Program Files\McAfee\MOVE AV Client on 32-bit systems or C:\Program Files (x86)\McAfee\MOVE AV Client on 64-bit systems).

Execute the following command:
mvadm config show

If the "MaxFileSize" is not set to 40, this is a finding.
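
The local-client part of this check, as an added example (not part of the STIG or of McAfee's tooling): a Python function that evaluates "mvadm config show" output against the required value of 40. The line format of that output, the status labels and the sample text are assumptions made for illustration.

```python
import re
import subprocess
from pathlib import Path

REQUIRED_MB = 40  # value the check text requires for MaxFileSize

# Default install paths from the check text (32-bit, then 64-bit systems).
INSTALL_DIRS = [
    Path(r"C:\Program Files\McAfee\MOVE AV Client"),
    Path(r"C:\Program Files (x86)\McAfee\MOVE AV Client"),
]

# ASSUMPTION: each setting is printed on its own line as a name and a value
# separated by "=", ":" or spaces. Adjust the pattern to the real output.
_SETTING = re.compile(r"^[ \t]*MaxFileSize[ \t]*[=:]?[ \t]*(\S+)[ \t\r]*$", re.I | re.M)


def evaluate(config_output: str) -> tuple[str, str]:
    """Return (status, reason) for captured 'mvadm config show' output."""
    values = _SETTING.findall(config_output)
    if not values:
        # Nothing to compare: flag for manual review instead of guessing.
        return "NOT_REVIEWED", "MaxFileSize not present in output"
    if len(set(values)) > 1:
        return "NOT_REVIEWED", f"conflicting MaxFileSize values: {values}"
    raw = values[0]
    if not (raw.isascii() and raw.isdigit()):
        return "FINDING", f"MaxFileSize is not a whole number: {raw!r}"
    if int(raw) != REQUIRED_MB:
        return "FINDING", f"MaxFileSize is {int(raw)}, required {REQUIRED_MB}"
    return "NOT_A_FINDING", f"MaxFileSize is {REQUIRED_MB}"


def run_local_check() -> tuple[str, str]:
    """Run mvadm from the first default install directory found (needs admin)."""
    for folder in INSTALL_DIRS:
        if folder.is_dir():
            out = subprocess.run(
                [str(folder / "mvadm"), "config", "show"], cwd=folder,
                capture_output=True, text=True, timeout=30, check=True,
            ).stdout
            return evaluate(out)
    return "NOT_REVIEWED", "MOVE AV Client not found in the default paths"


if __name__ == "__main__":
    # Constructed sample output, not captured from a real client.
    sample = "ServerAddress = 192.0.2.10\nMaxFileSize = 64\n"
    print(evaluate(sample))
```

A "NOT_REVIEWED" result means the output could not be interpreted and the setting should be confirmed in the ePO console as described above.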
Fix Text (F-48521r2_fix)
From the ePO server console System Tree, select the Systems tab, find and click on the asset to which the McAfee MOVE AV Client has been deployed. Select Actions, select Agent, and select Modify Policies on a Single System.

From the product drop-down list, select MOVE AV [Multi-Platform] Client. Click on either the MOVE AV [Multi-Platform] Client General or Offload Scan Server Assignment policies to open the properties.

Under the General tab, locate the "Scan Result Cache:" label. In the "Cache scan results for files smaller than (MB):" box, input a value of 40.

Click Save.