Path Exclusions configured in the McAfee MOVE AV On Demand Scan policy must be formally documented by the System Administrator and approved by the ISSO/ISSM.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-78555	MV45-ODS-000007	SV-93261r1_rule		Medium

Description
When scanning for malware, excluding specific file types will increase the risk of a malware-infected file going undetected. By configuring anti-virus software to scan all file types, the scanner has a higher success rate at detecting and eradicating malware. Excluding files, paths, and processes from being scanned expands the potential for malware to be allowed onto the information system. While it is recognized that some file types might need to be excluded for operational reasons and/or because there is protection afforded to those files through a different mechanism, allowing those exclusions should always be vetted, documented, and approved before applying.

Description

When scanning for malware, excluding specific file types will increase the risk of a malware-infected file going undetected. By configuring anti-virus software to scan all file types, the scanner has a higher success rate at detecting and eradicating malware. Excluding files, paths, and processes from being scanned expands the potential for malware to be allowed onto the information system. While it is recognized that some file types might need to be excluded for operational reasons and/or because there is protection afforded to those files through a different mechanism, allowing those exclusions should always be vetted, documented, and approved before applying.

STIG	Date
McAfee MOVE AV Multi-Platform 4.5 Security Technical Implementation Guide	2017-12-01

Details

Check Text ( C-78125r1_chk )
Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "On Demand Scan". Select each configured On Demand Scan policy. Click "Show Advanced". Under "Exclusions", verify the "Path Exclusions" include only the following paths: \McAfee\Common Framework\ \Program Files\McAfee\Agent\ *.log If any Path Exclusions are included other than those specified above, and the exclusions have not been formally documented by the System Administrator and approved by the ISSO/ISSM, this is a finding.

Check Text ( C-78125r1_chk )

Access the McAfee ePO console.

Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list.

From the Category list, select "On Demand Scan".

Select each configured On Demand Scan policy.

Click "Show Advanced".

Under "Exclusions", verify the "Path Exclusions" include only the following paths:

**\McAfee\Common Framework\
**\Program Files\McAfee\Agent\
*.log

If any Path Exclusions are included other than those specified above, and the exclusions have not been formally documented by the System Administrator and approved by the ISSO/ISSM, this is a finding.

Fix Text (F-85291r1_fix)
Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "On Demand Scan". Select each configured On Demand Scan policy. Click "Show Advanced". Under "Exclusions", remove any Path Exclusions, other than the following paths, that have not been formally documented by the System Administrator and approved by the ISSO/ISSM: \McAfee\Common Framework\ \Program Files\McAfee\Agent\ *.log Click "Save".

Fix Text (F-85291r1_fix)

Access the McAfee ePO console.

Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list.

From the Category list, select "On Demand Scan".

Select each configured On Demand Scan policy.

Click "Show Advanced".

Under "Exclusions", remove any Path Exclusions, other than the following paths, that have not been formally documented by the System Administrator and approved by the ISSO/ISSM:

**\McAfee\Common Framework\
**\Program Files\McAfee\Agent\
*.log

Click "Save".