
The McAfee VirusScan Enterprise Access Protection rules must be used for self-protection of the files and folder of Offload Scan Server configuration.


Overview

Finding ID: V-42983
Version: AV-MOVE-OSS-015
Rule ID: SV-55712r2_rule
IA Controls:
Severity: High

Description
The VirusScan Enterprise Access Protection rules will defend files, services, and registry keys on the Offload Scan Server.
STIG: McAfee MOVE 3.6.1 Multi-Platform OSS STIG
Date: 2016-09-30

Details

Check Text (C-49158r2_chk)
The McAfee MOVE AV [Multi-Platform] Offload Scan Server does not have a built-in protection mechanism. In order to protect the McAfee MOVE AV [Multi-Platform] Offload Scan Server's files, services, and registry keys, the McAfee VirusScan Enterprise Access Protection features are used.

From the ePO server console System Tree, select the Systems tab, find and click on the asset representing the McAfee MOVE Offload Scan Server to open its properties, select Actions, select Agent, and select Modify Policies on a Single System.

From the product drop-down list, select VirusScan Enterprise 8.8.x. Click on the Access Protection Policies policy to open the properties. From the Settings for: drop-down list, select Server.

In the "Access protection rules:" settings, under "Categories", click to select the "User-defined Rules".
Under "Block/Report/Rules", ensure rules are configured for McAfee MOVE OSS protection.
If multiple User-defined rules have been created, consult with the System Administrator to determine which rules apply to this requirement.

For the File/Folder Access Protection Rule created to protect the MOVE AV Server folder, ensure both the Block and Report check boxes are selected.
Select the rule, and click on Edit.

Ensure "mvserver.exe" and "naPrdMgr.exe" are reflected under the "Processes to exclude:" section.
Ensure the path to which the McAfee MOVE Offload Scan Server has been installed (default is C:\Program Files (x86)\McAfee\MOVE AV Server\**) is reflected in the "File or folder name to block:" section.
Ensure "Write access to files", "New files being created", and "Files being deleted" are selected under the "File actions to prevent:" section.

If a File/Folder Blocking Rule does not exist to protect the path to which the McAfee MOVE OSS Server has been installed (default is C:\Program Files (x86)\McAfee\MOVE AV Server), this is a finding.

On the system designated as the McAfee MOVE OSS Server, access the local McAfee VirusScan Enterprise Console.
Under the Task column, select "Access Protection", right click and select "Properties".

In the "Access protection rules:" settings, under "Categories", click to select the "User-defined Rules".

Under "Block/Report/Rules", ensure rules are configured for McAfee MOVE OSS protection.
If multiple User-defined rules have been created, consult with the System Administrator to determine which rules apply to this requirement.

For the File/Folder Access Protection Rule created to protect the MOVE AV Server folder, ensure both the Block and Report check boxes are selected.
Select the rule, and click Edit.

Ensure "mvserver.exe" is reflected under the "Processes to exclude:" section.
Ensure the path to which the McAfee MOVE Offload Scan Server has been installed (default is C:\Program Files (x86)\McAfee\MOVE AV Server\**) is reflected in the "File or folder name to block:" section.
Ensure "Write access to files", "New files being created", and "Files being deleted" are selected under the "File actions to prevent:" section.

If a File/Folder Blocking Rule does not exist to protect the path to which the McAfee MOVE OSS Server has been installed (default is C:\Program Files (x86)\McAfee\MOVE AV Server), this is a finding.
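
The check above reduces to a short list of criteria that can be evaluated mechanically once a reviewer has written down what the console shows. The following Python script is an added example, not part of the STIG or of any McAfee tooling; the record layout, the "epo"/"local" console labels, and the names evaluate and SAMPLE_RULES are assumptions made for illustration.

```python
# Added example. The rule records are a hypothetical hand-transcribed layout,
# not a VirusScan Enterprise or ePO export format.
import ntpath

DEFAULT_PATH = r"C:\Program Files (x86)\McAfee\MOVE AV Server"
REQUIRED_ACTIONS = {"Write access to files", "New files being created",
                    "Files being deleted"}
# Process exclusions the check text names for each console.
REQUIRED_EXCLUSIONS = {"epo": ["mvserver.exe", "naPrdMgr.exe"],
                       "local": ["mvserver.exe"]}


def _norm(path):
    # Compare paths case-insensitively, ignoring a trailing \** and slashes.
    p = path.strip().strip('"')
    if p.endswith("**"):
        p = p[:-2]
    return ntpath.normcase(ntpath.normpath(p))


def _unmet(rule, console):
    out = [f"{box} check box not selected"
           for box in ("Block", "Report") if not rule.get(box.lower())]
    out += [f"file action not prevented: {a}"
            for a in sorted(REQUIRED_ACTIONS - set(rule.get("actions", [])))]
    excluded = {p.lower() for p in rule.get("excluded_processes", [])}
    out += [f"process not excluded: {p}"
            for p in REQUIRED_EXCLUSIONS[console] if p.lower() not in excluded]
    return out


def evaluate(rules, console, install_path=DEFAULT_PATH):
    """Return unmet criteria for the best-matching rule; [] means all met."""
    covering = [r for r in rules
                if r.get("type") == "File/Folder Blocking Rule"
                and _norm(r.get("path", "")) == _norm(install_path)]
    if not covering:
        return ["FINDING: no File/Folder Blocking Rule protects " + install_path]
    return min((_unmet(r, console) for r in covering), key=len)


# Constructed sample, as transcribed from the ePO policy page.
SAMPLE_RULES = [{
    "type": "File/Folder Blocking Rule",
    "path": r"c:\program files (x86)\McAfee\MOVE AV Server\**",
    "block": True, "report": False,
    "actions": ["Write access to files", "Files being deleted"],
    "excluded_processes": ["MVSERVER.EXE"],
}]

if __name__ == "__main__":
    print("\n".join(evaluate(SAMPLE_RULES, "epo")) or "all criteria met")
```

Only a missing rule is labelled FINDING here, matching the one condition the check text explicitly calls a finding; the other lines list settings the check says to ensure.
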

Fix Text (F-48563r2_fix)
The McAfee MOVE AV [Multi-Platform] Offload Scan Server does not have a built-in protection mechanism. In order to protect the McAfee MOVE AV [Multi-Platform] Offload Scan Server's files, services, and registry keys, the McAfee VirusScan Enterprise Access Protection features are used.

From the ePO server console System Tree, select the Systems tab, find and click on the asset representing the McAfee MOVE Offload Scan Server to open its properties, select Actions, select Agent, and select Modify Policies on a Single System.

From the product drop-down list, select VirusScan Enterprise 8.8.x. Click on the Access Protection Policies policy to open the properties. From the Settings for: drop-down list, select Server.

In the "Access protection rules:" settings, under "Categories", click to select the "User-defined Rules" and click on "New".

Choose "File/Folder Blocking Rule" to create the rule identified as the File protection rule. Specify an appropriate Rule name: (e.g., McAfee MOVE OSS File and Folder Protection).

Enter "mvserver.exe" and "naPrdMgr.exe" under the "Processes to exclude:" section.

Enter the path to which the McAfee MOVE OSS has been installed (default is C:\Program Files (x86)\McAfee\MOVE AV Server\**) in the "File or folder name to block:" section.

Select the "Write access to files", "New files being created", and "Files being deleted" under the "File actions to prevent:" section. Click OK.

After the rule is created, select the "Block" and "Report" check boxes.

Click Save.