UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The McAfee MOVE AV [Multi-Platform] Client General policy must be configured to send malware detection events to the HBSS ePO server.


Overview

Finding ID Version Rule ID IA Controls Severity
V-42949 AV-MOVE-CLT-015 SV-55678r2_rule Medium
Description
Forensic identification is the practice of identifying infected hosts by looking for evidence of recent infections. The evidence may be very recent (only a few minutes old) or not so recent (hours or days old); the older the information is, the less accurate it is likely to be. The most obvious sources of evidence are those that are designed to identify malware activity, such as antivirus software, content filtering (e.g., anti-spam measures), IPS, and SIEM technologies. The logs of security applications might contain detailed records of suspicious activity, and might also indicate whether a security compromise occurred or was prevented. While logging is imperative to forensic analysis, logs could grow to the point of impacting disk space on the system. In order to avoid the risk of logs growing to the size of impacting the operating system, the log size and number of log files will be restricted, but must also be large enough to retain forensic value.
STIG Date
McAfee MOVE 3.6.1 Multi-Platform Client STIG 2016-09-29

Details

Check Text ( C-49135r4_chk )
From the ePO server console System Tree, select the Systems tab, find and click on the asset to which the McAfee MOVE AV Client has been deployed. Select Actions, select Agent, and select Modify Policies on a Single System.

From the product drop-down list, select MOVE AV [Multi-Platform] Client. Click on either the MOVE AV [Multi-Platform] Client General or Offload Scan Server Assignment policies to open the properties.

Under the Alerts tab, locate the "Threat Alerts:" label. Ensure the "Malware detection events are sent to ePolicy Orchestrator." check box is selected.

If the "Malware detection events are sent to ePolicy Orchestrator." check box is not selected, this is a finding.

On the local client, access a cmd window, running as administrator.
Navigate to the path to which the McAfee AV Client has been installed (default is C:\Program Files\McAfee\MOVE AV Client on 32-bit systems or C:\Program Files(x86)\McAfee\MOVE AV Client on 64-bit systems).

Execute the following command:
mvadm config show

An "EventSink" value of 0 indicates no events are recorded. A value of 2 indicates events are sent to the client event log. A value of 4 indicates events are sent to the ePO server. A value of 6 indicates events are sent to both the client event log and the ePO server. A value of 14 indicates events are sent to the client event log, the ePO server and are displayed as a pop-up on the client. A value of 4, 6 or 14 would be valid for this requirement.

If the "EventSink" value is not set to a 4, 6, or 14, this is a finding.
Fix Text (F-48528r2_fix)
From the ePO server console System Tree, select the Systems tab, find and click on the asset to which the McAfee MOVE AV Client has been deployed. Select Actions, select Agent, and select Modify Policies on a Single System.

From the product drop-down list, select MOVE AV [Multi-Platform] Client. Click on either the MOVE AV [Multi-Platform] Client General or Offload Scan Server Assignment policies to open the properties.

On the Alerts Tab place a check in the "Threat Alerts: Malware detection events are sent to the ePolicy Orchestrator:" checkbox.

Click Save.