UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

For any path or file exclusions configured in the McAfee MOVE AV Agentless Scan policy, those exclusions must be formally documented by the System Administrator and approved by the IAO/IAM.


Overview

Finding ID Version Rule ID IA Controls Severity
V-48863 AV-MOVE-SVA-113 SV-61741r2_rule Medium
Description
When scanning for malware, excluding specific file types will increase the risk of a malware-infected file going undetected. By configuring antivirus software to scan all file types, the scanner has a higher success rate at detecting and eradicating malware. The excluding of files, paths, and processes from being scanned expands the potential for malware to be allowed onto the information system. While it is recognized that some file types might need to be excluded for operational reasons and/or because there is protection afforded to those files through a different mechanism, allowing those exclusions should always be vetted, documented and approved before applying.
STIG Date
McAfee MOVE Agentless 3.0/3.6.1 Security Virtual Appliance STIG 2016-04-05

Details

Check Text ( C-49467r5_chk )
From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page.

Click on Actions | Agent | Modify Policies on a Single System.

For McAfee MOVE AV Agentless 3.0:

From the "Product:" drop-down list, select “MOVE AV [Agentless] 3.0.0”. Locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column.

In the “Exclusions” tab, verify the "Path exclusions:" does not have any entry other than the default "**\McAfee\Common Framework\".

If any entries other than the default "**\McAfee\Common Framework\" do exist, verify those exclusions have been formally documented by the System Administrator and approved by the ISSO/ISSM.

If there are entries in the "Path exclusions:" other than the default "**\McAfee\Common Framework\" and those exclusions have not been formally documented by the System Administrator and approved by the ISSO/ISSM, this is a finding.

If the "Path Exclusions:" has been populated with any exclusions other than the default, and those exclusions have been formally documented by the System Administrator and approved by the ISSO/ISSM, this is not a finding.

For McAfee MOVE AV Agentless 3.6.1:

From the "Product:" drop-down list, select “MOVE AV [Agentless] 3.6.1”. Locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column.

In the “Exclusions” tab, verify the "Path and File Exclusion:" does not have any entry other than the default "**\McAfee\Common Framework\".

If any entries other than the default "**\McAfee\Common Framework\" do exist, verify those exclusions have been formally documented by the System Administrator and approved by the ISSO/ISSM.

If there are entries in the "Path and File Exclusion:" other than the default "**\McAfee\Common Framework\" and those exclusions have not been formally documented by the System Administrator and approved by the ISSO/ISSM, this is a finding.

If the "Path and File Exclusion:" has been populated with any exclusions other than the default, and those exclusions have been formally documented by the System Administrator and approved by the ISSO/ISSM, this is not a finding.
Fix Text (F-49579r3_fix)
From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page.

Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "MOVE AV [Agentless] 3.0.0/3.6.1". Locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column.

In the Exclusions tab, remove any entries from the "Path exclusions:" which have not been documented by the System Administrator and approved by the IAO/IAM.

Click on Save.