
The McAfee MOVE AV [Multi-Platform] Client General policy must be configured to scan when writing to disk.


Overview

Finding ID: V-42944
Version: AV-MOVE-CLT-009
Rule ID: SV-55673r2_rule
IA Controls:
Severity: Medium
Description
Antivirus software is the most commonly used technical control for malware threat mitigation. Real-time scanning of files as they are written to disk is a crucial first line of defense from malware attacks.
STIG: McAfee MOVE 3.6.1 Multi-Platform Client STIG
Date: 2016-09-29

Details

Check Text (C-49130r2_chk)
From the ePO server console System Tree, select the Systems tab, find and click on the asset to which the McAfee MOVE AV Client has been deployed. Select Actions, select Agent, and select Modify Policies on a Single System.

From the product drop-down list, select MOVE AV [Multi-Platform] Client. Click on either the MOVE AV [Multi-Platform] Client General or Offload Scan Server Assignment policies to open the properties.

Under the Scan Items tab, locate the "Scan files:" label. Ensure the "When writing to disk" check box is selected.

If the "When writing to disk" check box is not selected, this is a finding.

On the local client, open a cmd window running as administrator.
Navigate to the path to which the McAfee AV Client has been installed (default is C:\Program Files\McAfee\MOVE AV Client on 32-bit systems or C:\Program Files (x86)\McAfee\MOVE AV Client on 64-bit systems).

Execute the following command:
mvadm config show

The ScanFlags value will show a value of 1 for "Reading from disk", 2 for "Writing to disk", 3 for "Reading from disk" and "Writing to disk", 6 for "Writing to disk" and "Opened for backup", and 7 for "Reading from disk", "Writing to disk", and "Opened for backup". A value of 2, 3, 6, or 7 is valid for this requirement.

If the "ScanFlags" setting does not have a value of 2, 3, 6, or 7, this is a finding.
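
An added example (not part of the STIG or of McAfee's tooling): a Python check that evaluates captured "mvadm config show" output against the ScanFlags values accepted above. The output layout (the name ScanFlags followed by a number), the reading of 4 as the "Opened for backup" bit (inferred from the listed values 6 and 7), and the sample text are assumptions.

```python
import re

# Values the check text accepts for this requirement.
COMPLIANT_SCANFLAGS = {2, 3, 6, 7}

# Bit meanings inferred from the value list in the check text:
# 1 = read, 2 = write, and 6/7 add "Opened for backup", so that bit is 4.
SCAN_BITS = {1: "Reading from disk", 2: "Writing to disk", 4: "Opened for backup"}

# Assumption: the setting is printed as "ScanFlags", an optional ':' or '=',
# then a decimal number. Adjust the pattern to the real output layout.
_SCANFLAGS_RE = re.compile(
    r"^\s*ScanFlags\s*[:=]?\s*(\d+)\s*$", re.IGNORECASE | re.MULTILINE
)


def parse_scanflags(config_text):
    """Return the ScanFlags integer from captured output, or None if absent."""
    match = _SCANFLAGS_RE.search(config_text)
    return int(match.group(1)) if match else None


def decode_scanflags(value):
    """List the scan triggers enabled by a ScanFlags value."""
    return [label for bit, label in SCAN_BITS.items() if value & bit]


def evaluate(config_text):
    """Return (is_finding, reason) for AV-MOVE-CLT-009."""
    value = parse_scanflags(config_text)
    if value is None:
        return True, "ScanFlags not found in output; verify manually"
    enabled = ", ".join(decode_scanflags(value)) or "none"
    if value in COMPLIANT_SCANFLAGS:
        return False, f"ScanFlags={value} ({enabled})"
    return True, f"ScanFlags={value} ({enabled}); not one of 2, 3, 6, 7"


# Constructed sample output; ExampleSetting is a placeholder, not a real key.
SAMPLE_COMPLIANT = "ExampleSetting = 0\r\nScanFlags = 3\r\n"
SAMPLE_FINDING = "ExampleSetting = 0\r\nScanFlags = 1\r\n"

if __name__ == "__main__":
    for name, text in (("compliant", SAMPLE_COMPLIANT), ("finding", SAMPLE_FINDING)):
        print(name, evaluate(text))
```

A missing ScanFlags line is reported as a finding so that a parsing failure is never mistaken for a compliant client.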
Fix Text (F-48523r3_fix)
From the ePO server console System Tree, select the Systems tab, find and click on the asset to which the McAfee MOVE AV Client has been deployed. Select Actions, select Agent, and select Modify Policies on a Single System.

From the product drop-down list, select MOVE AV [Multi-Platform] Client. Click on either the MOVE AV [Multi-Platform] Client General or Offload Scan Server Assignment policies to open the properties.

Under the Scan Items tab, locate the "Scan files:" label. Select the "When writing to disk" check box.

Click Save.