The McAfee MOVE AV [Multi-Platform] Client General policy must be configured with the location of SYSTEM_DRIVE\quarantine to ensure consistency across all systems.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-42952	AV-MOVE-CLT-018	SV-55681r2_rule		Medium

Description
The quarantine on each system represents a potential danger should the files contained within the quarantine inadvertently be executed. To better manage the quarantine on all systems, the quarantine should always be configured the same across all systems, which will allow management to better control access to those locations.

STIG	Date
McAfee MOVE 3.6.1 Multi-Platform Client STIG	2016-09-29

Details

Check Text ( C-49138r2_chk )
From the ePO server console System Tree, select the Systems tab, find and click on the asset to which the McAfee MOVE AV Client has been deployed. Select Actions, select Agent, and select Modify Policies on a Single System. From the product drop-down list, select MOVE AV [Multi-Platform] Client. Click on either the MOVE AV [Multi-Platform] Client General or Offload Scan Server Assignment policies to open the properties. Under the Quarantine tab, locate the "Quarantine Directory:" label. Ensure "\Quarantine" is configured in the text box. If "\Quarantine" is not configured in the text box, this is a finding. On the local client, access a cmd window, running as administrator. Navigate to the path to which the McAfee AV Client has been installed (default is C:\Program Files\McAfee\MOVE AV Client on 32-bit systems or C:\Program Files(x86)\McAfee\MOVE AV Client on 64-bit systems). Execute the following command: mvadm config show If the "QuarantineFolder" does not have value of "C:\quarantine", this is a finding.

Check Text ( C-49138r2_chk )

From the ePO server console System Tree, select the Systems tab, find and click on the asset to which the McAfee MOVE AV Client has been deployed. Select Actions, select Agent, and select Modify Policies on a Single System.

From the product drop-down list, select MOVE AV [Multi-Platform] Client. Click on either the MOVE AV [Multi-Platform] Client General or Offload Scan Server Assignment policies to open the properties.

Under the Quarantine tab, locate the "Quarantine Directory:" label. Ensure "\Quarantine" is configured in the text box.

If "\Quarantine" is not configured in the text box, this is a finding.

On the local client, access a cmd window, running as administrator.
Navigate to the path to which the McAfee AV Client has been installed (default is C:\Program Files\McAfee\MOVE AV Client on 32-bit systems or C:\Program Files(x86)\McAfee\MOVE AV Client on 64-bit systems).

Execute the following command:
mvadm config show

If the "QuarantineFolder" does not have value of "C:\quarantine", this is a finding.

Fix Text (F-48531r2_fix)
From the ePO server console System Tree, select the Systems tab, find and click on the asset to which the McAfee MOVE AV Client has been deployed. Select Actions, select Agent, and select Modify Policies on a Single System. From the product drop-down list, select MOVE AV [Multi-Platform] Client. Click on either the MOVE AV [Multi-Platform] Client General or Offload Scan Server Assignment policies to open the properties. Under the Quarantine tab, locate the "Quarantine Directory:" label. Input "\Quarantine" in the text box. Click Save.

Fix Text (F-48531r2_fix)