
The McAfee MOVE AV Options Policy must be configured to automatically delete quarantined data after a time period of no more than 28 days.


Overview

Finding ID: V-78561
Version: MV45-OPT-000002
Rule ID: SV-93267r1_rule
IA Controls: (none listed)
Severity: Medium
Description
The quarantine on each system represents a potential danger should the files contained within the quarantine be executed inadvertently. Deleting the quarantine contents on a regular basis reduces the opportunity for that malware to be executed. An organization's incident response policy should also contain steps for removing quarantined items after their forensic value has been depleted.
STIG: McAfee MOVE AV Multi-Platform 4.5 Security Technical Implementation Guide
Date: 2017-12-01

Details

Check Text (C-78131r1_chk)
Access the McAfee ePO console.

Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list.

From the Category list, select "Options".

Select each configured Options policy.

Under "Quarantine Manager", verify the value for "Specify the maximum number of days to keep quarantine data" is set to "28" days or less.

If the value for "Specify the maximum number of days to keep quarantine data" is not set to "28" days or less, this is a finding.
Fix Text (F-85297r1_fix)
Access the McAfee ePO console.

Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list.

From the Category list, select "Options".

Select each configured Options policy.

Under "Quarantine Manager", set the value for "Specify the maximum number of days to keep quarantine data" to "28" days or less.

Click "Save".