If the McAfee MOVE AV [Multi-Platform] Client General policy is configured with process exclusions, those exclusions must be formally documented and approved by the ISSO/ISSM.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-42958	AV-MOVE-CLT-024	SV-55687r2_rule		Medium

Description
When scanning for malware, excluding specific file types will increase the risk of a malware-infected file going undetected. By configuring antivirus software to scan all file types, the scanner has a higher success rate at detecting and eradicating malware. The excluding files, paths, and processes from being scanned expands the potential for malware to be allowed onto the information system. While it is recognized that some file types might need to be excluded for operational reasons and/or because there is protection afforded to those files through a different mechanism, allowing those exclusions should always be vetted, documented, and approved before applying.

Description

When scanning for malware, excluding specific file types will increase the risk of a malware-infected file going undetected. By configuring antivirus software to scan all file types, the scanner has a higher success rate at detecting and eradicating malware. The excluding files, paths, and processes from being scanned expands the potential for malware to be allowed onto the information system. While it is recognized that some file types might need to be excluded for operational reasons and/or because there is protection afforded to those files through a different mechanism, allowing those exclusions should always be vetted, documented, and approved before applying.

STIG	Date
McAfee MOVE 3.6.1 Multi-Platform Client STIG	2016-09-29

Details

Check Text ( C-49144r6_chk )
From the ePO server console System Tree, select the Systems tab, find and click on the asset to which the McAfee MOVE AV Client has been deployed. Select Actions, select Agent, and select Modify Policies on a Single System. From the product drop-down list, select MOVE AV [Multi-Platform] Client. Click on either the MOVE AV [Multi-Platform] Client General or Offload Scan Server Assignment policies to open the properties. Under the Scan Items tab, locate the "Process Exclusions:" label. Ensure no processes other than the following default processes are listed for McAfee MOVE AV (Multi-Platform] version 3.6.1. UserProfileManager.exe %WINDIR%\system32\mssearch.exe %WINDIR%\system32\mssfh.exe %WINDIR%\system32\mssdmn.exe %WINDIR%\system32\winfs\winfs.exe %WINDIR%\system32\searchindexer.exe If any exclusions other than the specified defaults are configured, those exclusions must be formally documented and approved by the ISSO/ISSM. If the "Process Exclusions:" label contains any processes other than the specified defaults that have not been formally documented and approved by the ISSO/ISSM, this is a finding. On the local client, access a cmd window, running as administrator. Navigate to the path to which the McAfee AV Client has been installed (default is C:\Program Files\McAfee\MOVE AV Client on 32-bit systems or C:\Program Files(x86)\McAfee\MOVE AV Client on 64-bit systems). Execute the following command: mvadm pp list If the list returned by the above command has any process other than the specified defaults, those exclusions must be formally documented and approved by the ISSO/ISSM. If the list returned by the above command has any process other than the specified defaults, and those exclusions have not been formally documented and approved by the ISSO/ISSM, this is a finding.

Check Text ( C-49144r6_chk )

From the ePO server console System Tree, select the Systems tab, find and click on the asset to which the McAfee MOVE AV Client has been deployed. Select Actions, select Agent, and select Modify Policies on a Single System.

From the product drop-down list, select MOVE AV [Multi-Platform] Client. Click on either the MOVE AV [Multi-Platform] Client General or Offload Scan Server Assignment policies to open the properties.

Under the Scan Items tab, locate the "Process Exclusions:" label.

Ensure no processes other than the following default processes are listed for McAfee MOVE AV (Multi-Platform] version 3.6.1.

UserProfileManager.exe
%WINDIR%\system32\mssearch.exe
%WINDIR%\system32\mssfh.exe
%WINDIR%\system32\mssdmn.exe
%WINDIR%\system32\winfs\winfs.exe
%WINDIR%\system32\searchindexer.exe

If any exclusions other than the specified defaults are configured, those exclusions must be formally documented and approved by the ISSO/ISSM.

If the "Process Exclusions:" label contains any processes other than the specified defaults that have not been formally documented and approved by the ISSO/ISSM, this is a finding.

On the local client, access a cmd window, running as administrator.

Navigate to the path to which the McAfee AV Client has been installed (default is C:\Program Files\McAfee\MOVE AV Client on 32-bit systems or C:\Program Files(x86)\McAfee\MOVE AV Client on 64-bit systems).

Execute the following command:
mvadm pp list

If the list returned by the above command has any process other than the specified defaults, those exclusions must be formally documented and approved by the ISSO/ISSM.

If the list returned by the above command has any process other than the specified defaults, and those exclusions have not been formally documented and approved by the ISSO/ISSM, this is a finding.

Fix Text (F-48538r7_fix)
NOTE: The Offload Scan Server IP address can be configured in either the General or Offload Scan Server Assignment policy (the values entered in the Offload Scan Server Assignment policy will override the options defined in the General policy). If using the SVA Manager, the SVA Manager IP address, host name, or FQDN and MOVE SVA Manager Port should be entered in the Offload Scan Server Assignment policy. From the ePO server console System Tree, select the Systems tab, find and click on the asset to which the McAfee MOVE AV Client has been deployed. Select Actions, select Agent, and select Modify Policies on a Single System. From the product drop-down list, select MOVE AV [Multi-Platform] Client. Click on either the MOVE AV [Multi-Platform] Client General or Offload Scan Server Assignment policies to open the properties. Under the Scan Items tab, locate the "Process Exclusions:" label. Remove any processes listed other than the following default exclusions for McAfee AV MOVE Multi-Platform version 3.6.1. UserProfileManager.exe %WINDIR%\system32\mssearch.exe %WINDIR%\system32\mssfh.exe %WINDIR%\system32\mssdmn.exe %WINDIR%\system32\winfs\winfs.exe %WINDIR%\system32\searchindexer.exe For any paths and processes required to be excluded for operational purposes, formally document those exclusions and obtain approval from the ISSO/ISSM. Click Save.

Fix Text (F-48538r7_fix)

NOTE: The Offload Scan Server IP address can be configured in either the General or Offload Scan Server Assignment policy (the values entered in the Offload Scan Server Assignment policy will override the options defined in the General policy). If using the SVA Manager, the SVA Manager IP address, host name, or FQDN and MOVE SVA Manager Port should be entered in the Offload Scan Server Assignment policy.

From the ePO server console System Tree, select the Systems tab, find and click on the asset to which the McAfee MOVE AV Client has been deployed. Select Actions, select Agent, and select Modify Policies on a Single System.

From the product drop-down list, select MOVE AV [Multi-Platform] Client. Click on either the MOVE AV [Multi-Platform] Client General or Offload Scan Server Assignment policies to open the properties.

Under the Scan Items tab, locate the "Process Exclusions:" label.

Remove any processes listed other than the following default exclusions for McAfee AV MOVE Multi-Platform version 3.6.1.

UserProfileManager.exe
%WINDIR%\system32\mssearch.exe
%WINDIR%\system32\mssfh.exe
%WINDIR%\system32\mssdmn.exe
%WINDIR%\system32\winfs\winfs.exe
%WINDIR%\system32\searchindexer.exe

For any paths and processes required to be excluded for operational purposes, formally document those exclusions and obtain approval from the ISSO/ISSM.

Click Save.