Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-42973 | AV-MOVE-OSS-007 | SV-55702r3_rule | | Medium |
Description |
---|
Malware is often packaged within an archive, and archives may themselves contain other archives. Not scanning archive files creates the risk of infected files being introduced into the environment. |
STIG | Date |
---|---|
McAfee MOVE 3.6.1 Multi-Platform OSS STIG | 2016-09-30 |
Check Text ( C-49150r5_chk ) |
---|
Note: If the regularly scheduled scan includes the scanning of archive files, this requirement can alternatively be left unconfigured and marked as Not Applicable. From the ePO server console System Tree, select the "Systems" tab, find and click on the asset representing the McAfee MOVE Offload Scan Server to open its properties, select "Actions", select "Agent", and select "Modify Policies on a Single System". From the product drop-down list, select "MOVE AV [Multi-Platform] Offload Scan Server 3.6.1". Click on the MOVE AV [Multi-Platform] Offload Scan Server policy to open the properties. On the "Scan Settings" tab, ensure the "Scan Archive Files:" option has a check in the "Enable scanning inside of archive files" check box. If the "Enable scanning inside of archive files." check box is not selected, this is a finding. On the system designated as the McAfee MOVE Offload Scan Server, access a cmd window, running as administrator. Navigate to the path to which the McAfee MOVE AV Server software has been installed (default is C:\Program Files (x86)\McAfee\MOVE AV Server). Execute the following command: "mvadm config show". From the displayed configuration, ensure the "ScanArchiveFiles" value is set to "1". If the "ScanArchiveFiles" is set to "0", this is a finding. |
Fix Text (F-48553r2_fix) |
---|
From the ePO server console System Tree, select the Systems tab, find and click on the asset representing the McAfee MOVE Offload Scan Server to open its properties, select Actions, select Agent, and select Modify Policies on a Single System. From the product drop-down list, select MOVE AV [Multi-Platform] Offload Scan Server 3.6.1. Click on the MOVE AV [Multi-Platform] Offload Scan Server policy to open the properties. On the Scan Settings tab, place a check in the "Scan Archive Files: Enable scanning inside of archive files." check box. Click Save. |