
The Virtual Machine must have VMware vShield Endpoint thin client installed and shown as protected in the vShield Manager.


Overview

Finding ID: V-43788
Version: AV-MOVE-VM-001
Rule ID: SV-56609r1_rule
IA Controls:
Severity: High
Description
The vShield Manager is the centralized network management component of vShield, and is installed as a virtual appliance on an ESX host in a vCenter Server environment. The vShield Manager user interface or vSphere Client plug-in is used by administrators to install, configure, and maintain vShield components.

vShield Endpoint offloads antivirus and anti-malware agent processing to a dedicated secure virtual appliance delivered by VMware partners. Since the secure virtual appliance (unlike a guest virtual machine) does not go offline, it can continuously update antivirus signatures, thereby giving uninterrupted protection to the virtual machines on the host. Also, new virtual machines (or existing virtual machines that went offline) are immediately protected with the most current antivirus signatures when they come online.

vShield Endpoint installs as a hypervisor module and security virtual appliance from a third-party antivirus vendor (VMware partners) on an ESX host. The hypervisor scans guest virtual machines from the outside, removing the need for agents in every virtual machine. This makes vShield Endpoint efficient in avoiding resource bottlenecks while optimizing memory use.

McAfee MOVE AV Agentless requires vShield Endpoint to be installed on a virtual machine in order for the McAfee MOVE Security Virtual Appliance to protect it. If the virtual machine did not have vShield Endpoint installed, the virtual machine would not be protected from malware and viruses.
STIG: McAfee MOVE Agentless 3.0/3.6.1 Security Virtual Appliance STIG
Date: 2016-04-05

Details

Check Text (C-49405r3_chk)
This STIG setting validates whether a virtual machine is protected by McAfee MOVE Agentless 3.0.

With the assistance of the System Administrator, log into the VMware vShield Manager via a web browser.

Set View to "Host & Datacenters", then select the ESX host that contains the virtual machine being configured/reviewed.
In the right screen, select the Endpoint tab.
Verify the virtual machine is listed and shows a "Type" of "Protected VM".

If the organization is not using VMware vShield Manager or does not have vShield Endpoint installed and configured, this is a finding.
If the organization does use VMware vShield Manager and has vShield Endpoint installed and configured but the virtual machine being reviewed is not listed, or not showing as "Protected VM", this is a finding.

Fix Text (F-49394r1_fix)
If VMware vShield Manager is not being used or the vShield Endpoint is not installed and configured, install and configure vShield Manager. Add component and vShield Endpoint licenses in vCenter. Install vShield Endpoint on the hypervisor(s).

If the virtual machine is not showing as a "Protected VM", install VMware Tools on the guest VM and select Custom install of VMware Tools.
In the vSphere Client, right-click the appropriate VM and select Guest | Install/Upgrade VMware Tools.
In the Install/Upgrade Tools dialog box, select Interactive Tools Upgrade and click OK.
Depending on the environment, select setup.exe or setup64.exe and run it as administrator.
Select Custom then click Next.
Expand VMware Device Drivers | VMCI Drivers, then select vShield Drivers | This feature will be installed on local hard drive.
Access vShield Manager to confirm the virtual machine is showing as a "Protected VM".