Status: accepted
McAfee MOVE Agentless 3.0 VSEL 1.9 for SVA STIG
The McAfee MOVE 3.0 Agentless VSEL for SVA STIG is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the NIST 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.letterkenny.FSO.mbx.stig-customer-support-mailbox@mail.mil.
DISA, Field Security Operations
STIG.DOD.MIL
Release: 1 Benchmark Date: 02 May 2014
Version: 1

Profiles:
I - Mission Critical Classified
I - Mission Critical Public
I - Mission Critical Sensitive
II - Mission Support Classified
II - Mission Support Public
II - Mission Support Sensitive
III - Administrative Classified
III - Administrative Public
III - Administrative Sensitive

DTAVSEL-109-McAfee VSEL for SVA Web User Interface status
DTAVSEL-109: The McAfee VirusScan Enterprise for Linux 1.9.0 Web UI must be disabled.
Vulnerability Discussion: If the Web UI were left enabled, the system on which VSEL is installed would be vulnerable to Web attacks. Disabling the Web UI will prevent the system from listening on HTTP.
Documentable: false
Responsibility: System Administrator
Reference: DPMS Target McAfee VirusScan Enterprise for Linux (VSEL) 1.9, DISA FSO, DPMS Target, McAfee VirusScan Enterprise for Linux (VSEL) 1.9, 2580
CCI-001242
From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page.
Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.0". From the "Policy" column, click on the policy for the "General Policies".
In the "Advanced" tab, select the check box for "Disable client Web UI:".
Click Save.
From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page.
Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.0". From the "Policy" column, click on the policy for the "General Policies".
In the "Advanced" tab, verify the check box for "Disable client Web UI:" is selected.
If the check box for "Disable client Web UI:" is not selected, this is a finding.

DTAVSEL-001 McAfee MOVE Agentless antivirus signature age
DTAVSEL-001: The antivirus signature file age must not exceed 7 days.
Vulnerability Discussion: Antivirus signature files are updated almost daily by antivirus software vendors. These files are made available to antivirus clients as they are published. Keeping virus signature files as current as possible is vital to the security of any system. By configuring a system to attempt an antivirus update on a daily basis, the system is ensured of maintaining an antivirus signature age of 7 days or less. If the update attempt were to be configured for only once a week, and that attempt failed, the system would be immediately out of date.
Documentable: false
Responsibility: System Administrator
CCI-001240
From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page.
Click on Actions | Agent | Modify Tasks on a Single System.
On the Client Tasks page, click on Actions | New Client Task Assignment.
On the Client Task Assignment Builder page, under the "Product" section, select "McAfee Agent".
Under the "Task Type" section, select "Product Update".
Under the "Task Name" section, click on "Create New Task".
Type a unique name for the "Task Name".
For "Package selection:", select the "All packages" radio button. Click Save.
Or, select the "Selected packages" radio button.
For the "Package types:" section, select the "DAT" check box and the "Linux Engine" check box under the "Signatures and engines:" section.
Click Save.
On the Client Task Assignment Builder page, under the "Task Name" section, select the task just created.
Click on "Next" to schedule the task.
For "Schedule status:", select the radio button for "Enabled".
For "Schedule type:", choose "Daily".
Schedule the "Effective period:", "Start time:" and other options according to best practices.
Click Next to view Summary.
Click Save.
From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page.
On the System Information page, select the "Products" tab. Under the Product section, select "VirusScan Enterprise for Linux".
Scroll down to locate the DAT Date and DAT Version.
Verify the "DAT Date:" is within the last 7 days.
If the "DAT Date:" is not within the last 7 days, this is a finding.

DTAVSEL-002 - McAfee VSEL for SVA automatic signature updates
DTAVSEL-002: The McAfee VirusScan Enterprise for Linux 1.9.0 must be configured to receive automatic signature updates.
Vulnerability Discussion: Antivirus signature files are updated almost daily by antivirus software vendors. These files are made available to antivirus clients as they are published. Keeping virus signature files as current as possible is vital to the security of any system. The antivirus software product must be configured to receive those updates automatically in order to afford the expected protection.
Documentable: false
Responsibility: System Administrator
CCI-001242
From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page.
Click on Actions | Agent | Modify Tasks on a Single System.
On the Client Tasks page, click on Actions | New Client Task Assignment.
On the Client Task Assignment Builder page, under the "Product" section, select "McAfee Agent".
Under the "Task Type" section, select "Product Update".
Under the "Task Name" section, click on "Create New Task".
Type a unique name for the "Task Name".
For "Package selection:", select the "All packages" radio button. Click Save.
Or, select the "Selected packages" radio button.
For the "Package types:" section, select the "DAT" check box and the "Linux Engine" check box under the "Signatures and engines:" section.
Click Save.
On the Client Task Assignment Builder, under the "Task Name" section, select the task just created.
Click on "Next" to schedule the task.
For "Schedule status:", select the radio button for "Enabled".
For "Schedule type:", choose "Daily".
Schedule the "Effective period:", "Start time:" and other options according to best practices.
Click Next to view Summary.
Click Save.
From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page.
Click on Actions | Agent | Modify Tasks on a Single System.
From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the VirusScan DAT update task.
Verify the "Task Type" is listed as "Product Update".
Verify the "Status" is listed as "Enabled".
Under the "Task Name" column, click on the link for the designated task to review the task properties.
Next to the "Package selection:", verify the "All packages" radio button is selected.
If the "Selected packages" radio button is selected, verify the check box for "DAT" and the check box for "Linux Engine" have been selected for "Signatures and engines:" under the "Package types:" section.
If there is not a task designated as the regularly scheduled DAT Update task, this is a finding.
If there exists a task designated as the regularly scheduled DAT Update task, but neither the "All packages" nor the "DAT" selection under the "Package types: Signatures and engines:" section is selected, this is a finding.

DTAVSEL-003-McAfee VSEL for SVA OAS configuration
DTAVSEL-003: The McAfee VirusScan Enterprise for Linux 1.9.0 must be configured to enable On-Access scanning.
Vulnerability Discussion: For antivirus software to be effective, it must be running at all times, beginning from the point of the system's initial startup. Otherwise, the risk is greater for viruses, Trojans, and other malware infecting the system during that startup phase.
Documentable: false
Responsibility: System Administrator
CCI-001240
From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page.
Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.0". From the "Policy" column, click on the policy for the "On-Access Scanning Policy".
In the "General" tab, next to the "On-access Scan:", select the check box for "Enable on-access scanning (takes effect when policies are enforced)".
In the "Quarantine Directory:" field, enter "/quarantine" (or another valid location as determined by the organization).
Click Save.
From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page.
Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.0". From the "Policy" column, click on the policy for the "On-Access Scanning Policy".
In the "General" tab, next to the "On-access Scan:", verify the check box for "Enable on-access scanning (takes effect when policies are enforced)" is selected.
Verify the "Quarantine Directory:" field is populated with "/quarantine" (or another valid location as determined by the organization).
If the checkbox for "Enable on-access scanning (takes effect when policies are enforced)" is not selected, this is a finding.
If the "Quarantine Directory:" field is not populated, this is a finding.

DTAVSEL-004-McAfee VSEL for SVA OAS decompress archives
DTAVSEL-004: The McAfee VirusScan Enterprise for Linux 1.9.0 On-Access scanner must be configured to decompress archives when scanning.
Vulnerability Discussion: Malware is often packaged within an archive. In addition, archives may have other archives within. Not scanning archive files introduces the risk of infected files being introduced into the environment.
Documentable: false
Responsibility: System Administrator
CCI-001242
From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page.
Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.0". From the "Policy" column, click on the policy for the "On-Access Scanning Policy".
In the "Advanced" tab, next to the "Compressed files", select the check box for "Scan inside multiple-file archives (e.g. .ZIP)".
Click Save.
From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page.
Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.0". From the "Policy" column, click on the policy for the "On-Access Scanning Policy".
In the "Advanced" tab, next to the "Compressed files", verify the check box for "Scan inside multiple-file archives (e.g. .ZIP)" is selected.
If the check box for "Compressed files: Scan inside multiple-file archives (e.g. .ZIP)" is not selected, this is a finding.

DTAVSEL-005-McAfee VSEL for SVA OAS find unknown program viruses
DTAVSEL-005: The McAfee VirusScan Enterprise for Linux 1.9.0 On-Access scanner must be configured to find unknown program viruses.
Vulnerability Discussion: Due to the ability of malware to mutate after infection, standard antivirus signatures may not be able to catch new strains or variants of the malware. Typically, these strains and variants will share unique characteristics with others in their virus family. By using a generic signature to detect the shared characteristics, using wildcards where differences lie, the generic signature can detect viruses even if they are padded with extra, meaningless code. This method of detection is Heuristic detection.
Documentable: false
Responsibility: System Administrator
CCI-001242
From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page.
Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.0". From the "Policy" column, click on the policy for the "On-Access Scanning Policy".
In the "Advanced" tab, next to "Heuristics:", select the check box for "Find unknown program viruses".
Click Save.
From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page.
Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.0". From the "Policy" column, click on the policy for the "On-Access Scanning Policy".
In the "Advanced" tab, next to "Heuristics:", verify the check box for "Find unknown program viruses" is selected.
If the check box for "Heuristics: Find unknown program viruses" is not selected, this is a finding.

DTAVSEL-006--McAfee VSEL for SVA OAS find unknown macro viruses
DTAVSEL-006: The McAfee VirusScan Enterprise for Linux 1.9.0 On-Access scanner must be configured to find unknown macro viruses.
Vulnerability Discussion: Interpreted viruses are executed by an application. Within this subcategory, macro viruses take advantage of the capabilities of applications' macro programming language to infect application documents and document templates, while scripting viruses infect scripts that are understood by scripting languages processed by services on the OS. Many attackers use toolkits containing several different types of utilities and scripts that can be used to probe and attack hosts. Scanning for unknown macro viruses will mitigate zero-day attacks.
Documentable: false
Responsibility: System Administrator
CCI-001242
From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page.
Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.0". From the "Policy" column, click on the policy for the "On-Access Scanning Policy".
In the "Advanced" tab, next to "Heuristics:", select the check box for "Find unknown macro viruses".
Click Save.
From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page.
Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.0". From the "Policy" column, click on the policy for the "On-Access Scanning Policy".
In the "Advanced" tab, next to "Heuristics:", verify the check box for "Find unknown macro viruses" is selected.
If the check box for "Heuristics: Find unknown macro viruses" is not selected, this is a finding.

DTAVSEL-007-McAfee VSEL for SVA OAS unwanted programs
DTAVSEL-007: The McAfee VirusScan Enterprise for Linux 1.9.0 On-Access scanner must be configured to find potentially unwanted programs.
Vulnerability Discussion: Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attack mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attack mechanisms. Configuring the antivirus software to attempt to clean the file first will allow for the possibility of a false positive. In most cases, however, the secondary action of delete will be used, mitigating the risk of the PUPs being installed and used maliciously.
Documentable: false
Responsibility: System Administrator
CCI-001242
From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page.
Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.0". From the "Policy" column, click on the policy for the "On-Access Scanning Policy".
In the "Advanced" tab, next to "Non-viruses:", select the check box for "Find potentially unwanted programs".
Select the check box for "Find joke programs".
Click Save.
From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page.
Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.0". From the "Policy" column, click on the policy for the "On-Access Scanning Policy".
In the "Advanced" tab, next to "Non-viruses:", verify the check box for "Find potentially unwanted programs" is selected.
Verify the check box for "Find joke programs" is selected.
If the check box for "Non-viruses: Find potentially unwanted programs" is not selected, this is a finding.
If the check box for "Find joke programs" is not selected, this is a finding.

DTAVSEL-008-McAfee VSEL for SVA OAS scan when writing
DTAVSEL-008: The McAfee VirusScan Enterprise for Linux 1.9.0 On-Access scanner must be configured to scan files when being written to disk.
Vulnerability Discussion: Antivirus software is the most commonly used technical control for malware threat mitigation. Real-time scanning of files as they are written to disk is a crucial first line of defense from malware attacks.
Documentable: false
Responsibility: System Administrator
CCI-001242
From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page.
Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.0". From the "Policy" column, click on the policy for the "On-Access Scanning Policy".
In the "Detections" tab, next to "Scan files:", select the check box for "When writing to disk".
Click Save.
From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page.
Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.0". From the "Policy" column, click on the policy for the "On-Access Scanning Policy".
In the "Detections" tab, next to "Scan files:", verify the check box for "When writing to disk" is selected.
If the check box for "Scan files: When writing to disk" is not selected, this is a finding.

DTAVSEL-009-McAfee VSEL for SVA OAS scan when reading from disk
DTAVSEL-009: The McAfee VirusScan Enterprise for Linux 1.9.0 On-Access scanner must be configured to scan files when being read from disk.
Vulnerability Discussion: Antivirus software is the most commonly used technical control for malware threat mitigation. Real-time scanning of files as they are read from disk is a crucial first line of defense from malware attacks.
Documentable: false
Responsibility: System Administrator
CCI-001242
From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page.
Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.0". From the "Policy" column, click on the policy for the "On-Access Scanning Policy".
In the "Detections" tab, next to "Scan files:", select the check box for "When reading from disk".
Click Save.
From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page.
Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.0". From the "Policy" column, click on the policy for the "On-Access Scanning Policy".
In the "Detections" tab, next to "Scan files:", verify the check box for "When reading from disk" is selected.
If the check box for "Scan files: When reading from disk" is not selected, this is a finding.

DTAVSEL-010-McAfee VSEL for SVA OAS all file types
DTAVSEL-010: The McAfee VirusScan Enterprise for Linux 1.9.0 On-Access scanner must be configured to scan all file types.
Vulnerability Discussion: When scanning for malware, excluding specific file types will increase the risk of a malware-infected file going undetected. By configuring antivirus software to scan all file types, the scanner has a higher success rate at detecting and eradicating malware.
Documentable: false
Responsibility: System Administrator
CCI-001242
From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page.
Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.0". From the "Policy" column, click on the policy for the "On-Access Scanning Policy".
In the "Detections" tab, next to "What to scan:", select the radio button for "All files".
Click Save.
From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page.
Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.0". From the "Policy" column, click on the policy for the "On-Access Scanning Policy".
In the "Detections" tab, next to "What to scan:", verify the radio button for "All files" is selected.
If the radio button for "What to scan: All files" is not selected, this is a finding.
DTAVSEL-011-McAfee VSEL for SVA OAS maximum scan time
<GroupDescription></GroupDescription>
DTAVSEL-011
The McAfee VirusScan Enterprise for Linux 1.9.0 On-Access scanner maximum scan time must not be less than 45 seconds.
<VulnDiscussion>When antivirus software is not configured to limit the amount of time spent trying to scan a file, the total effectiveness of the antivirus software, and performance on the system being scanned, will be degraded. By limiting the amount of time the antivirus software uses when scanning a file, the scan will be able to complete in a timely manner.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls></IAControls>
DPMS Target McAfee VirusScan Enterprise for Linux (VSEL) 1.9
DISA FSO
DPMS Target
McAfee VirusScan Enterprise for Linux (VSEL) 1.9
2580
CCI-001242
From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page.
Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.0". From the "Policy" column, click on the policy for the "On-Access Scanning Policy".
In the "General" tab, next to "Maximum Scan Time:", select the check box for "Enforce maximum scanning time for all files". Configure the "Maximum scan time (seconds):" to 45 or more.
Click Save.
From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page.
Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.0". From the "Policy" column, click on the policy for the "On-Access Scanning Policy".
In the "General" tab, next to "Maximum Scan Time:", verify the check box for "Enforce maximum scanning time for all files" has been selected. Verify the "Maximum scan time (seconds):" is configured to 45 or more.
If the check box for "Maximum Scan Time: Enforce maximum scanning time for all files" is not selected, this is a finding.
If the "Maximum Scan Time (seconds):" is not configured to 45 or more, this is a finding.
If both the "Maximum Scan Time:" setting for "Enforce maximum scanning time for all files" has a check in the check box and the "Maximum Scan Time:" setting for "Maximum scan time (seconds):" is configured to 45 or more, this is not a finding.
DTAVSEL-012-McAfee VSEL for SVA OAS file exclusions
<GroupDescription></GroupDescription>
DTAVSEL-012
Any paths and files excluded by the McAfee VirusScan Enterprise for Linux 1.9.0 On-Access scanner must be formally documented with, and approved by, the IAO/IAM.
<VulnDiscussion>When scanning for malware, excluding specific files will increase the risk of a malware-infected file going undetected. By configuring antivirus software without any exclusions, the scanner has a higher success rate at detecting and eradicating malware.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls></IAControls>
DPMS Target McAfee VirusScan Enterprise for Linux (VSEL) 1.9
DISA FSO
DPMS Target
McAfee VirusScan Enterprise for Linux (VSEL) 1.9
2580
CCI-001242
From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page.
Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.0". From the "Policy" column, click on the policy for the "On-Access Scanning Policy".
In the "Detections" tab, next to "What not to scan:", remove all entries in the "Select files and directories to be excluded from virus scanning" field other than the default "/var/log".
Document justification for any required exclusions and obtain approval from the IAO/IAM.
Click Save.
From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page.
Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.0". From the "Policy" column, click on the policy for the "On-Access Scanning Policy".
In the "Detections" tab, next to "What not to scan:", verify the only entry for the "Select files and directories to be excluded from virus scanning" field is the default "/var/log".
If any entries other than the default "/var/log" are present in the "What not to scan:" setting for the "Select files and directories to be excluded from virus scanning" field, verify the exclusion of those files and directories has been formally documented by the System Administrator and has been approved by the IAO/IAM.
If any entries other than the default "/var/log" are present in the "What not to scan:" setting for the "Select files and directories to be excluded from virus scanning" field, and those files and directories have not been formally documented by the System Administrator and approved by the IAO/IAM, this is a finding.
If any entries other than the default "/var/log" are present in the "What not to scan:" setting for the "Select files and directories to be excluded from virus scanning" field, and those files and directories have been formally documented by the System Administrator and approved by the IAO/IAM, this is not a finding.
DTAVSEL-013-McAfee VSEL for SVA OAS first action
<GroupDescription></GroupDescription>
DTAVSEL-013
The McAfee VirusScan Enterprise for Linux 1.9.0 On-Access scanner must be configured to Clean infected files automatically as first action when a virus or Trojan is detected.
<VulnDiscussion>Malware may have infected a file that is necessary to the user. By configuring the antivirus software to first attempt cleaning the infected file, availability to the file is not sacrificed. If a cleaning attempt is not successful, however, deleting the file is the only safe option to ensure the malware is not introduced onto the system or network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls></IAControls>
DPMS Target McAfee VirusScan Enterprise for Linux (VSEL) 1.9
DISA FSO
DPMS Target
McAfee VirusScan Enterprise for Linux (VSEL) 1.9
2580
CCI-001242
From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page.
Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.0". From the "Policy" column, click on the policy for the "On-Access Scanning Policy".
In the "Actions" tab, next to "When Viruses and Trojans are found:", select the radio button for "Clean infected files automatically".
Click Save.
From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page.
Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.0". From the "Policy" column, click on the policy for the "On-Access Scanning Policy".
In the "Actions" tab, next to "When Viruses and Trojans are found:", verify the radio button for "Clean infected files automatically" is selected.
If, next to "When Viruses and Trojans are found:", the radio button for "Clean infected files automatically" is not selected, this is a finding.
DTAVSEL-014-McAfee VSEL for SVA OAS second action
<GroupDescription></GroupDescription>
DTAVSEL-014
The McAfee VirusScan Enterprise for Linux 1.9.0 On-Access scanner must be configured to Move infected files to the quarantine directory if first action fails when a virus or Trojan is detected.
<VulnDiscussion>Malware may have infected a file that is necessary to the user. By configuring the antivirus software to first attempt cleaning the infected file, availability to the file is not sacrificed. If a cleaning attempt is not successful, however, deleting the file is the only safe option to ensure the malware is not introduced onto the system or network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls></IAControls>
DPMS Target McAfee VirusScan Enterprise for Linux (VSEL) 1.9
DISA FSO
DPMS Target
McAfee VirusScan Enterprise for Linux (VSEL) 1.9
2580
CCI-001242
From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page.
Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.0". From the "Policy" column, click on the policy for the "On-Access Scanning Policy".
In the "Actions" tab, next to "If the above action fails:", select the radio button for "Move infected files to the quarantine directory".
Click Save.
From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page.
Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.0". From the "Policy" column, click on the policy for the "On-Access Scanning Policy".
In the "Actions" tab, next to "If the above action fails:", verify the "Move infected files to the quarantine directory" radio button is selected.
If, next to "If the above action fails:", the radio button for "Move infected files to the quarantine directory" is not selected, this is a finding.
DTAVSEL-015-McAfee VSEL for SVA OAS PUPS first action
<GroupDescription></GroupDescription>
DTAVSEL-015
The McAfee VirusScan Enterprise for Linux 1.9.0 On-Access scanner must be configured to Clean infected files automatically as first action when programs and jokes are found.
<VulnDiscussion>Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attack mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attack mechanisms. Configuring the antivirus software to attempt to clean the file first will allow for the possibility of a false positive. In most cases, however, the secondary action of delete will be used, mitigating the risk of the PUPs being installed and used maliciously.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls></IAControls>
DPMS Target McAfee VirusScan Enterprise for Linux (VSEL) 1.9
DISA FSO
DPMS Target
McAfee VirusScan Enterprise for Linux (VSEL) 1.9
2580
CCI-001242
From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page.
Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.0". From the "Policy" column, click on the policy for the "On-Access Scanning Policy".
In the "Actions" tab, next to "When Programs & Jokes are found:", select the radio button for "Clean infected files automatically".
Click Save.
From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page.
Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.0". From the "Policy" column, click on the policy for the "On-Access Scanning Policy".
In the "Actions" tab, next to "When Programs & Jokes are found:", verify the radio button for "Clean infected files automatically" is selected.
If, next to "When Programs & Jokes are found:", the radio button for "Clean infected files automatically" is not selected, this is a finding.
DTAVSEL-016-McAfee VSEL for SVA OAS second action for PUPS
<GroupDescription></GroupDescription>
DTAVSEL-016
The McAfee VirusScan Enterprise for Linux 1.9.0 On-Access scanner must be configured to Move infected files to the quarantine directory if first action fails when programs and jokes are found.
<VulnDiscussion>Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attack mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attack mechanisms. Configuring the antivirus software to attempt to clean the file first will allow for the possibility of a false positive. In most cases, however, the secondary action of delete will be used, mitigating the risk of the PUPs being installed and used maliciously.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls></IAControls>
DPMS Target McAfee VirusScan Enterprise for Linux (VSEL) 1.9
DISA FSO
DPMS Target
McAfee VirusScan Enterprise for Linux (VSEL) 1.9
2580
CCI-001242
From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA).
Click on the system to open the System Information page.
Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.0". From the "Policy" column, click on the policy for the "On-Access Scanning Policy".
In the "Actions" tab, under the "When Programs & Jokes are found:", next to "If the above action fails:", select the radio button for "Move infected files to the quarantine directory".
Click Save.
From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page.
Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.0". From the "Policy" column, click on the policy for the "On-Access Scanning Policy".
In the "Actions" tab, under the "When Programs & Jokes are found:", next to "If the above action fails:", verify the "Move infected files to the quarantine directory" radio button is selected.
If, next to "When Programs & Jokes are found: If the above action fails:", the radio button for "Move infected files to the quarantine directory" is not selected, this is a finding.
DTAVSEL-017-McAfee VSEL for SVA OAS scan failure action
<GroupDescription></GroupDescription>
DTAVSEL-017
The McAfee VirusScan Enterprise for Linux 1.9.0 On-Access scanner must be configured to deny access to the file if scanning fails.
<VulnDiscussion>Antivirus software is the most commonly used technical control for malware threat mitigation. Real-time scanning of files as they are read from disk is a crucial first line of defense from malware attacks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls></IAControls>
DPMS Target McAfee VirusScan Enterprise for Linux (VSEL) 1.9
DISA FSO
DPMS Target
McAfee VirusScan Enterprise for Linux (VSEL) 1.9
2580
CCI-001242
From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page.
Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.0". From the "Policy" column, click on the policy for the "On-Access Scanning Policy".
In the "Actions" tab, select the "If scanning fails:" "Deny access to the file" radio button.
Click Save.
From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page.
Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.0". From the "Policy" column, click on the policy for the "On-Access Scanning Policy".
In the "Actions" tab, verify the "If scanning fails:" "Deny access to the file" radio button is selected.
If the "If scanning fails: Deny access to the file" radio button is not selected, this is a finding.
DTAVSEL-018-McAfee VSEL for SVA OAS deny access on scan failure
<GroupDescription></GroupDescription>
DTAVSEL-018
The McAfee VirusScan Enterprise for Linux 1.9.0 On-Access scanner must be configured to allow access to files if scanning times out.
<VulnDiscussion>Antivirus software is the most commonly used technical control for malware threat mitigation. Real-time scanning of files as they are read from disk is a crucial first line of defense from malware attacks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls></IAControls>
DPMS Target McAfee VirusScan Enterprise for Linux (VSEL) 1.9
DISA FSO
DPMS Target
McAfee VirusScan Enterprise for Linux (VSEL) 1.9
2580
CCI-001242
From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page.
Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.0". From the "Policy" column, click on the policy for the "On-Access Scanning Policy".
In the "Actions" tab, select the "If scanning times out: Allow access to the file" radio button.
Click Save.
From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page.
Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.0". From the "Policy" column, click on the policy for the "On-Access Scanning Policy".
In the "Actions" tab, verify the "If scanning times out: Allow access to the file" radio button is selected.
If the "If scanning times out: Allow access to the file" radio button is not selected, this is a finding.
DTAVSEL-100-McAfee VSEL for SVA ODS scheduled scan frequency
<GroupDescription></GroupDescription>
DTAVSEL-100
The McAfee VirusScan Enterprise for Linux 1.9.0 must be configured to run a scheduled On Demand scan at least once a week.
<VulnDiscussion>Antivirus software is the most commonly used technical control for malware threat mitigation. Real-time scanning of files as they are read from disk is a crucial first line of defense from malware attacks but to ensure all files are frequently scanned, a regularly scheduled full scan will ensure malware missed by the real-time scanning will be detected and mitigated.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls></IAControls>
DPMS Target McAfee VirusScan Enterprise for Linux (VSEL) 1.9
DISA FSO
DPMS Target
McAfee VirusScan Enterprise for Linux (VSEL) 1.9
2580
CCI-001242
From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page.
Create a New Client Task to run a regularly scheduled On Demand scan at least weekly.
Click Save.
From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page.
Click on Actions | Agent | Modify Tasks on a Single System.
From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task.
If a weekly On Demand scan client task does not exist, this is a finding.
For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan".
Verify the "Status" is listed as "Enabled".
Under the "Task Name" column, click on the link for the designated task to review the task properties.
Verify the task is scheduled to run at least weekly.
If the task is not scheduled to run at least weekly, this is a finding.
DTAVSEL-102-McAfee VSEL for SVA ODS scan for unknown program viruses
<GroupDescription></GroupDescription>
DTAVSEL-102
The McAfee VirusScan Enterprise for Linux 1.9.0 On Demand scanner must be configured to find unknown program viruses.
<VulnDiscussion>Due to the ability of malware to mutate after infection, standard antivirus signatures may not be able to catch new strains or variants of the malware. Typically, these strains and variants will share unique characteristics with others in their virus family. By using a generic signature to detect the shared characteristics, using wildcards where differences lie, the generic signature can detect viruses even if they are padded with extra, meaningless code. This method of detection is Heuristic detection.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls></IAControls>
DPMS Target McAfee VirusScan Enterprise for Linux (VSEL) 1.9
DISA FSO
DPMS Target
McAfee VirusScan Enterprise for Linux (VSEL) 1.9
2580
CCI-001242
From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page.
If a task does not exist for the regularly scheduled weekly scan, create a New Client Task to run an On Demand scan at least weekly.
Click on Actions | Agent | Modify Tasks on a Single System.
From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task.
For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan".
Under the "Task Name" column, click on the link for the designated task to review the task properties.
In the "Advanced" tab, next to the Heuristics, select the check box for "Find unknown program viruses".
Click Save.
From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page.
Click on Actions | Agent | Modify Tasks on a Single System.
From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task.
If a weekly On Demand scan client task does not exist, this is a finding.
For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan".
Verify the "Status" is listed as "Enabled".
Under the "Task Name" column, click on the link for the designated task to review the task properties.
In the "Advanced" tab, next to the Heuristics, verify the check box for "Find unknown program viruses" has been selected.
If, for the task designated as the regularly scheduled On Demand Scan, the check box for "Find unknown program viruses" next to the Heuristics has not been selected, this is a finding.
DTAVSEL-103-McAfee VSEL for SVA ODS scan for unknown macro viruses
<GroupDescription></GroupDescription>
DTAVSEL-103
The McAfee VirusScan Enterprise for Linux 1.9.0 On Demand scanner must be configured to find unknown macro viruses.
<VulnDiscussion>Interpreted viruses are executed by an application. Within this subcategory, macro viruses take advantage of the capabilities of applications' macro programming language to infect application documents and document templates, while scripting viruses infect scripts that are understood by scripting languages processed by services on the OS. Many attackers use toolkits containing several different types of utilities and scripts that can be used to probe and attack hosts. Scanning for unknown macro viruses will mitigate zero-day attacks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls></IAControls>
DPMS Target McAfee VirusScan Enterprise for Linux (VSEL) 1.9
DISA FSO
DPMS Target
McAfee VirusScan Enterprise for Linux (VSEL) 1.9
2580
CCI-001242
From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page.
If a task does not exist for the regularly scheduled weekly scan, create a New Client Task to run an On Demand scan at least weekly.
Click on Actions | Agent | Modify Tasks on a Single System.
From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task.
For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan".
Under the "Task Name" column, click on the link for the designated task to review the task properties.
In the "Advanced" tab, next to "Heuristics:", select the check box for "Find unknown macro viruses".
Click Save.
From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page.
Click on Actions | Agent | Modify Tasks on a Single System.
From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task.
If a weekly On Demand scan client task does not exist, this is a finding.
For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan".
Verify the "Status" is listed as "Enabled".
Under the "Task Name" column, click on the link for the designated task to review the task properties.
In the "Advanced" tab, next to "Heuristics:", verify the check box for "Find unknown macro viruses" is selected.
If the check box for "Heuristics: Find unknown macro program viruses" is not selected, this is a finding.
DTAVSEL-104-McAfee VSEL for SVA ODS scan for PUPs<GroupDescription></GroupDescription>
DTAVSEL-104
The McAfee VirusScan Enterprise for Linux 1.9.0 On Demand scanner must be configured to find potentially unwanted programs.
<VulnDiscussion>Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attack mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attack mechanisms. Configuring the antivirus software to attempt to clean the file first will allow for the possibility of a false positive. In most cases, however, the secondary action of delete will be used, mitigating the risk of the PUPs being installed and used maliciously.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls></IAControls>
DPMS Target McAfee VirusScan Enterprise for Linux (VSEL) 1.9
DISA FSO
DPMS Target
McAfee VirusScan Enterprise for Linux (VSEL) 1.9
2580
CCI-001242
From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page.
If a task does not exist for the regularly scheduled weekly scan, create a New Client Task to run an On Demand scan at least weekly.
Click on Actions | Agent | Modify Tasks on a Single System.
From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task.
For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan".
Under the "Task Name" column, click on the link for the designated task to review the task properties.
In the "Advanced" tab, next to "Non-viruses:", select the check box for "Find potentially unwanted programs".
Select the check box for "Find joke programs".
Click Save.
From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page.
Click on Actions | Agent | Modify Tasks on a Single System.
From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task.
If a weekly On Demand scan client task does not exist, this is a finding.
For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan".
Verify the "Status" is listed as "Enabled".
Under the "Task Name" column, click on the link for the designated task to review the task properties.
In the "Advanced" tab, next to "Non-viruses:", verify the check box for "Find potentially unwanted programs" is selected.
Select the check box for "Find joke programs".
If the check box for "Non-viruses: Find potentially unwanted programs" is not selected, this is a finding.
If the check box for "Find joke programs" is not selected, this is a finding.
DTAVSEL-105-McAfee VSEL for SVA ODS scan all file types<GroupDescription></GroupDescription>
DTAVSEL-105
The McAfee VirusScan Enterprise for Linux 1.9.0 On Demand scanner must be configured to scan all file types.
<VulnDiscussion>When scanning for malware, excluding specific file types will increase the risk of a malware-infected file going undetected. By configuring antivirus software to scan all file types, the scanner has a higher success rate at detecting and eradicating malware.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls></IAControls>
DPMS Target McAfee VirusScan Enterprise for Linux (VSEL) 1.9
DISA FSO
DPMS Target
McAfee VirusScan Enterprise for Linux (VSEL) 1.9
2580
CCI-001242
From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page.
If a task does not exist for the regularly scheduled weekly scan, create a New Client Task to run an On Demand scan at least weekly.
Click on Actions | Agent | Modify Tasks on a Single System.
From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task.
For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan".
Under the "Task Name" column, click on the link for the designated task to review the task properties.
In the "Detection" tab, next to "What to scan:", select the radio button for "All files".
Click Save.
From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page.
Click on Actions | Agent | Modify Tasks on a Single System.
From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task.
If a weekly On Demand scan client task does not exist, this is a finding.
For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan".
Verify the "Status" is listed as "Enabled".
Under the "Task Name" column, click on the link for the designated task to review the task properties.
In the "Detection" tab, next to "What to scan:", verify the radio button for "All files" is selected.
If the radio button for "What to scan: All files" is not selected, this is a finding.
DTAVSEL-106-McAfee MOVE VSEL for SVA ODS scan first action<GroupDescription></GroupDescription>
DTAVSEL-106
The McAfee VirusScan Enterprise for Linux 1.9.0 On Demand scanner must be configured to Clean infected files automatically as first action for when Viruses and Trojans are found.
<VulnDiscussion>Malware may have infected a file that is necessary to the user. By configuring the antivirus software to first attempt cleaning the infected file, availability to the file is not sacrificed. If a cleaning attempt is not successful, however, deleting the file is the only safe option to ensure the malware is not introduced onto the system or network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls></IAControls>
DPMS Target McAfee VirusScan Enterprise for Linux (VSEL) 1.9
DISA FSO
DPMS Target
McAfee VirusScan Enterprise for Linux (VSEL) 1.9
2580
CCI-001242
From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page.
If a task does not exist for the regularly scheduled weekly scan, create a New Client Task to run an On Demand scan at least weekly.
Click on Actions | Agent | Modify Tasks on a Single System.
From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task.
For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan".
Under the "Task Name" column, click on the link for the designated task to review the task properties.
In the "Actions" tab, next to "When Viruses and Trojans are found:", select the radio button for "Clean infected files automatically".
Click Save.
From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page.
Click on Actions | Agent | Modify Tasks on a Single System.
From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task.
If a weekly On Demand scan client task does not exist, this is a finding.
For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan".
Verify the "Status" is listed as "Enabled".
Under the "Task Name" column, click on the link for the designated task to review the task properties.
In the "Actions" tab, next to "When Viruses and Trojans are found:", verify the radio button for "Clean infected files automatically" is selected.
If the radio button for "When Viruses and Trojans are found: Clean infected files automatically" is not selected, this is a finding.
DTAVSEL-107-McAfee MOVE VSEL for SVA ODS scan second action<GroupDescription></GroupDescription>
DTAVSEL-107
The McAfee VirusScan Enterprise for Linux 1.9.0 On Demand scanner must be configured to Move infected files to the quarantine directory if first action fails for when Viruses and Trojans are found.
<VulnDiscussion>Malware may have infected a file that is necessary to the user. By configuring the antivirus software to first attempt cleaning the infected file, availability to the file is not sacrificed. If a cleaning attempt is not successful, however, deleting the file is the only safe option to ensure the malware is not introduced onto the system or network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls></IAControls>
DPMS Target McAfee VirusScan Enterprise for Linux (VSEL) 1.9
DISA FSO
DPMS Target
McAfee VirusScan Enterprise for Linux (VSEL) 1.9
2580
CCI-001242
From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page.
If a task does not exist for the regularly scheduled weekly scan, create a New Client Task to run an On Demand scan at least weekly.
Click on Actions | Agent | Modify Tasks on a Single System.
From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task.
For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan".
Under the "Task Name" column, click on the link for the designated task to review the task properties.
In the "Actions" tab, next to "If the above action fails:", select the radio button for "Move infected files to the quarantine directory".
Populate the "Quarantine Directory:" field with "/quarantine" (or another valid location as determined by the organization).
Click Save.
From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page.
Click on Actions | Agent | Modify Tasks on a Single System.
From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task.
If a weekly On Demand scan client task does not exist, this is a finding.
For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan".
Verify the "Status" is listed as "Enabled".
Under the "Task Name" column, click on the link for the designated task to review the task properties.
In the "Actions" tab, next to "If the above action fails:", verify the radio button for "Move infected files to the quarantine directory" is selected.
Verify the "Quarantine Directory:" field is populated with "/quarantine" (or another valid location as determined by the organization).
If the radio button for "If the above action fails: Move infected files to the quarantine directory" is not selected, this is a finding.
If the "Quarantine Directory:" field is not populated, this is a finding.
DTAVSEL-108-McAfee MOVE VSEL for SVA ODS file exclusions<GroupDescription></GroupDescription>
DTAVSEL-108
Any paths and files excluded by the McAfee VirusScan Enterprise for Linux 1.9.0 On Demand scanner must be documented with, and approved by, the IAO/IAM.
<VulnDiscussion>When scanning for malware, excluding specific files will increase the risk of a malware-infected file going undetected. By configuring antivirus software without any exclusions, the scanner has a higher success rate at detecting and eradicating malware.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls></IAControls>
DPMS Target McAfee VirusScan Enterprise for Linux (VSEL) 1.9
DISA FSO
DPMS Target
McAfee VirusScan Enterprise for Linux (VSEL) 1.9
2580
CCI-001242
From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page.
If a task does not exist for the regularly scheduled weekly scan, create a New Client Task to run an On Demand scan at least weekly.
Click on Actions | Agent | Modify Tasks on a Single System.
From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task.
For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan".
Under the "Task Name" column, click on the link for the designated task to review the task properties.
In the "Detection" tab, next to "What not to scan:", remove any entries from the "What not to scan:" section for which there has not been IAO/IAM approval.
Click Save.
From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page.
Click on Actions | Agent | Modify Tasks on a Single System.
From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task.
If a weekly On Demand scan client task does not exist, this is a finding.
For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan".
Verify the "Status" is listed as "Enabled".
Under the "Task Name" column, click on the link for the designated task to review the task properties.
In the "Detection" tab, next to "What not to scan:", verify no entries exist.
If any entries exist, verify the exclusion of those files and directories has been documented by the System Administrator and approved by the IAO/IAM.
If any entries are present in the "What not to scan:" setting for the "Select files and directories to be excluded from virus scanning" field, and those files and directories have not been documented by the System Administrator and approved by the IAO/IAM, this is a finding.
If any entries are present in the "What not to scan:" setting for the "Select files and directories to be excluded from virus scanning" field, and those files and directories have been documented by the System Administrator and approved by the IAO/IAM, this is not a finding.
DTAVSEL-110-McAfee MOVE VSEL for SVA ODS PUPS first action<GroupDescription></GroupDescription>
DTAVSEL-110
The McAfee VirusScan Enterprise for Linux 1.9.0 On Demand scanner must be configured to Clean infected files automatically as first action when programs and jokes are found.
<VulnDiscussion>Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attack mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attack mechanisms. Configuring the antivirus software to attempt to clean the file first will allow for the possibility of a false positive. In most cases, however, the secondary action of delete will be used, mitigating the risk of the PUPs being installed and used maliciously.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls></IAControls>
DPMS Target McAfee VirusScan Enterprise for Linux (VSEL) 1.9
DISA FSO
DPMS Target
McAfee VirusScan Enterprise for Linux (VSEL) 1.9
2580
CCI-001242
From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page.
Click on Actions | Agent | Modify Tasks on a Single System.
From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task.
For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan".
Under the "Task Name" column, click on the link for the designated task to review the task properties.
In the "Actions" tab, next to "When Programs & Jokes are found:", select the radio button for "Clean infected files automatically".
Click Save.
From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page.
Click on Actions | Agent | Modify Tasks on a Single System.
From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task.
If a weekly On Demand scan client task does not exist, this is a finding.
For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan".
Verify the "Status" is listed as "Enabled".
Under the "Task Name" column, click on the link for the designated task to review the task properties.
In the "Actions" tab, next to "When Programs & Jokes are found:", verify the radio button for "Clean infected files automatically" is selected.
If the radio button for "When Programs & Jokes are found: Clean infected files automatically" is not selected, this is a finding.
DTAVSEL-111-McAfee MOVE VSEL for SVA ODS scan PUPS second action<GroupDescription></GroupDescription>
DTAVSEL-111
The McAfee VirusScan Enterprise for Linux 1.9.0 On Demand scanner must be configured to Move infected files to the quarantine directory if first action fails when programs and jokes are found.
<VulnDiscussion>Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attack mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attack mechanisms. Configuring the antivirus software to attempt to clean the file first will allow for the possibility of a false positive. In most cases, however, the secondary action of delete will be used, mitigating the risk of the PUPs being installed and used maliciously.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls></IAControls>
DPMS Target McAfee VirusScan Enterprise for Linux (VSEL) 1.9
DISA FSO
DPMS Target
McAfee VirusScan Enterprise for Linux (VSEL) 1.9
2580
CCI-001242
From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page.
Click on Actions | Agent | Modify Tasks on a Single System.
From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task.
For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan".
Under the "Task Name" column, click on the link for the designated task to review the task properties.
In the "Actions" tab, next to "When Programs & Jokes are found: If the above action fails:", select the radio button for "Move infected files to the quarantine directory".
Populate the "Quarantine Directory:" field with "/quarantine" (or another valid location as determined by the organization).
Click Save.
From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page.
Click on Actions | Agent | Modify Tasks on a Single System.
From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task.
If a weekly On Demand scan client task does not exist, this is a finding.
For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan".
Verify the "Status" is listed as "Enabled".
Under the "Task Name" column, click on the link for the designated task to review the task properties.
In the "Actions" tab, next to "When Programs & Jokes are found: If the above action fails:", verify the radio button for "Move infected files to the quarantine directory" is selected.
Verify the "Quarantine Directory:" field is populated with "/quarantine" (or another valid location as determined by the organization).
If the radio button for "When Programs & Jokes are found: If the above action fails: Move infected files to the quarantine directory" is not selected, this is a finding.
If the "Quarantine Directory:" field is not populated with "/quarantine" (or another valid location as determined by the organization), this is a finding.
DTAVSEL-113-McAfee MOVE VSEL for SVA ODS scan local drives<GroupDescription></GroupDescription>
DTAVSEL-113
The McAfee VirusScan Enterprise for Linux 1.9.0 On Demand scanner must be configured to include all local drives and their sub-directories.
<VulnDiscussion>When scanning for malware, excluding specific file types will increase the risk of a malware-infected file going undetected. By configuring antivirus software to scan all file types, the scanner has a higher success rate at detecting and eradicating malware.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls></IAControls>
DPMS Target McAfee VirusScan Enterprise for Linux (VSEL) 1.9
DISA FSO
DPMS Target
McAfee VirusScan Enterprise for Linux (VSEL) 1.9
2580
CCI-001242
From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page.
Click on Actions | Agent | Modify Tasks on a Single System.
From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task.
For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan".
Under the "Task Name" column, click on the link for the designated task to review the task properties.
In the "Where" tab, populate the "Specify where scanning will take place" field with all local drives.
Next to "Scan options", select the checkbox for "Include sub-directories".
Click Save.
From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page.
Click on Actions | Agent | Modify Tasks on a Single System.
From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task.
If a weekly On Demand scan client task does not exist, this is a finding.
For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan".
Verify the "Status" is listed as "Enabled".
Under the "Task Name" column, click on the link for the designated task to review the task properties.
In the "Where" tab, verify the "Specify where scanning will take place" field is populated with all local drives.
Next to "Scan options", verify the checkbox for "Include sub-directories" is selected.
If the "Specify where scanning will take place" field is not populated with all local drives, this is a finding.
If the "Include sub-directories" checkbox is not selected, this is a finding.
DTAVSEL-101-McAfee MOVE VSEL for SVA ODS decompress archive files<GroupDescription></GroupDescription>
DTAVSEL-101
The McAfee VirusScan Enterprise for Linux 1.9.0 On Demand scanner must be configured to decompress archives when scanning.
<VulnDiscussion>Malware is often packaged within an archive. In addition, archives might have other archives within. Not scanning archive files introduces the risk of infected files being introduced into the environment.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls></IAControls>
DPMS Target McAfee VirusScan Enterprise for Linux (VSEL) 1.9
DISA FSO
DPMS Target
McAfee VirusScan Enterprise for Linux (VSEL) 1.9
2580
CCI-001242
From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page.
If a task does not exist for the regularly scheduled weekly scan, create a New Client Task to run an On Demand scan at least weekly.
Click on Actions | Agent | Modify Tasks on a Single System.
From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task.
Under the "Task Name" column, click on the link for the designated task to review the task properties.
In the "Advanced" tab, next to the Compressed files, select the check box for "Scan inside multiple-file archives (e.g. .ZIP)".
Click Save.
From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page.
Click on Actions | Agent | Modify Tasks on a Single System.
From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task.
If a weekly On Demand scan client task does not exist, this is a finding.
For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan".
Verify the "Status" is listed as "Enabled".
Under the "Task Name" column, click on the link for the designated task to review the task properties.
In the "Advanced" tab, next to the Compressed files, verify the check box for "Scan inside multiple-file archives (e.g. .ZIP)" has been selected.
If, for the task designated as the regularly scheduled On Demand Scan, the check box for "Scan inside multiple-file archives (e.g. .ZIP)" next to the Compressed files is not selected, this is a finding.
DTAVSEL-112-McAfee MOVE VSEL for SVA ODS decode MIME encoded files
<GroupDescription></GroupDescription>
DTAVSEL-112
The McAfee VirusScan Enterprise for Linux 1.9.0 On Demand scanner must be configured to decode MIME encoded files.
<VulnDiscussion>Malware is often packaged within an archive. In addition, archives might have other archives within. Not scanning archive files introduces the risk of infected files being introduced into the environment.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls></IAControls>
DPMS Target McAfee VirusScan Enterprise for Linux (VSEL) 1.9
DISA FSO
DPMS Target
McAfee VirusScan Enterprise for Linux (VSEL) 1.9
2580
CCI-001242
From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page.
Click on Actions | Agent | Modify Tasks on a Single System.
From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task.
Under the "Task Name" column, click on the link for the designated task to review the task properties.
In the "Advanced" tab, next to the Compressed files, select the check box for "Decode MIME encoded files:".
Click Save.
From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page.
Click on Actions | Agent | Modify Tasks on a Single System.
From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task.
If a weekly On Demand scan client task does not exist, this is a finding.
For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan".
Verify the "Status" is listed as "Enabled".
Under the "Task Name" column, click on the link for the designated task to review the task properties.
In the "Advanced" tab, next to the Compressed files, verify the check box for "Decode MIME encoded files:" has been selected.
If, for the task designated as the regularly scheduled On Demand Scan, the check box for "Decode MIME encoded files:" next to the Compressed files is not selected, this is a finding.