The McAfee VirusScan Enterprise Access Protection rules must be used for self-protection of the files and folder of the McAfee Security Virtual Manager (SVM).

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-78523	MV45-GEN-000004	SV-93229r1_rule		High

Description
The VirusScan Enterprise Access Protection rules will defend files, services, and registry keys on the McAfee Security Virtual Manager (SVM).

STIG	Date
McAfee MOVE AV Multi-Platform 4.5 Security Technical Implementation Guide	2018-07-09

Details

Check Text ( C-78085r1_chk )
The McAfee MOVE AV [Multi-Platform] SVM does not have a built-in protection mechanism. In order to protect the McAfee MOVE AV [Multi-Platform] SVM's files, services, and registry keys, the McAfee VirusScan Enterprise Access Protection features are used. From the ePO server console System Tree, select the Systems tab, find and click on the asset representing the McAfee MOVE SVM to open its properties, select "Actions", select "Agent", and select "Modify Policies on a Single System". From the product drop-down list, select "VirusScan Enterprise 8.8.x". Click on the "Access Protection Policies" policy to open the properties. From the "Settings for:" drop-down list, select "Server". In the "Access protection rules:" settings, under "Categories", click to select the "User-defined Rules". Under "Block/Report/Rules", ensure rules are configured for McAfee MOVE SVM protection. If multiple User-defined rules are created, consult with the System Administration to determine the rules for the purpose of this requirement. For the File/Folder Access Protection rule created to protect the MOVE AV Server folder, ensure both the "Block" and "Report" check boxes are selected. Select the rule and click "Edit". Ensure the path to which the McAfee MOVE SVM has been installed (default is C:\Program Files (x86)\McAfee\MOVE AV Server\) is reflected in the "File or folder name to block:" section. Ensure "Write access to files", "New files being created", and "Files being deleted" are selected under the "File actions to prevent:" section. If a File/Folder Blocking rule does not exist to protect the path to which the McAfee MOVE SVM Server has been installed (default is C:\Program Files (x86)\McAfee\MOVE AV Server), this is a finding. On the system designated as the McAfee MOVE SVM Server, access the local McAfee VirusScan Enterprise Console. Under the "Task" column, right-click on "Access Protection", select "Properties". In the "Access protection rules:" settings, under "Categories", click "User-defined Rules". Under "Block/Report/Rules", ensure rules are configured for McAfee MOVE SVM protection. If multiple User-defined rules are created, consult with the System Administration to determine the rules for the purpose of this requirement. For the File/Folder Access Protection rule created to protect the MOVE AV Server folder, ensure both the "Block" and "Report" check boxes are selected. Select the rule, click "Edit". Ensure "mvserver.exe" is reflected under the "Processes to exclude:" section. Ensure the path to which the McAfee MOVE SVM has been installed (default is C:\Program Files (x86)\McAfee\MOVE AV Server\) is reflected in the "File or folder name to block:" section. Ensure "Write access to files", "New files being created", and "Files being deleted" are selected under the "File actions to prevent:" section. If a File/Folder Blocking rule does not exist to protect the path to which the McAfee MOVE SVM Server has been installed (default is C:\Program Files (x86)\McAfee\MOVE AV Server), this is a finding. In the "Access protection rules:" settings, under "Categories", click "User-defined Rules". Under "Block/Report/Rules", ensure rules are configured for registry protection for the following registry paths: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mvserver HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mvserver\Parameters HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mvserver\Parameters\ODS If a registry protection rule does not exist to protect the specified registry paths, this is a finding.

Check Text ( C-78085r1_chk )

The McAfee MOVE AV [Multi-Platform] SVM does not have a built-in protection mechanism. In order to protect the McAfee MOVE AV [Multi-Platform] SVM's files, services, and registry keys, the McAfee VirusScan Enterprise Access Protection features are used.

From the ePO server console System Tree, select the Systems tab, find and click on the asset representing the McAfee MOVE SVM to open its properties, select "Actions", select "Agent", and select "Modify Policies on a Single System".

From the product drop-down list, select "VirusScan Enterprise 8.8.x". Click on the "Access Protection Policies" policy to open the properties. From the "Settings for:" drop-down list, select "Server".

In the "Access protection rules:" settings, under "Categories", click to select the "User-defined Rules".

Under "Block/Report/Rules", ensure rules are configured for McAfee MOVE SVM protection.

If multiple User-defined rules are created, consult with the System Administration to determine the rules for the purpose of this requirement.

For the File/Folder Access Protection rule created to protect the MOVE AV Server folder, ensure both the "Block" and "Report" check boxes are selected.

Select the rule and click "Edit".

Ensure the path to which the McAfee MOVE SVM has been installed (default is C:\Program Files (x86)\McAfee\MOVE AV Server\**) is reflected in the "File or folder name to block:" section.

Ensure "Write access to files", "New files being created", and "Files being deleted" are selected under the "File actions to prevent:" section.

If a File/Folder Blocking rule does not exist to protect the path to which the McAfee MOVE SVM Server has been installed (default is C:\Program Files (x86)\McAfee\MOVE AV Server), this is a finding.

On the system designated as the McAfee MOVE SVM Server, access the local McAfee VirusScan Enterprise Console.

Under the "Task" column, right-click on "Access Protection", select "Properties".

In the "Access protection rules:" settings, under "Categories", click "User-defined Rules".

Under "Block/Report/Rules", ensure rules are configured for McAfee MOVE SVM protection.

If multiple User-defined rules are created, consult with the System Administration to determine the rules for the purpose of this requirement.

For the File/Folder Access Protection rule created to protect the MOVE AV Server folder, ensure both the "Block" and "Report" check boxes are selected.

Select the rule, click "Edit".

Ensure "mvserver.exe" is reflected under the "Processes to exclude:" section.

Ensure the path to which the McAfee MOVE SVM has been installed (default is C:\Program Files (x86)\McAfee\MOVE AV Server\**) is reflected in the "File or folder name to block:" section.

Ensure "Write access to files", "New files being created", and "Files being deleted" are selected under the "File actions to prevent:" section.

If a File/Folder Blocking rule does not exist to protect the path to which the McAfee MOVE SVM Server has been installed (default is C:\Program Files (x86)\McAfee\MOVE AV Server), this is a finding.

In the "Access protection rules:" settings, under "Categories", click "User-defined Rules".

Under "Block/Report/Rules", ensure rules are configured for registry protection for the following registry paths:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mvserver
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mvserver\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mvserver\Parameters\ODS

If a registry protection rule does not exist to protect the specified registry paths, this is a finding.

Fix Text (F-85257r1_fix)
The McAfee MOVE AV [Multi-Platform] SVM does not have a built-in protection mechanism. In order to protect the McAfee MOVE AV [Multi-Platform] SVM's files, services, and registry keys, the McAfee VirusScan Enterprise Access Protection features are used. From the ePO server console System Tree, select the "Systems" tab, find and click on the asset representing the McAfee MOVE SVM to open its properties, select "Actions", select "Agent", and select "Modify Policies on a Single System". From the product drop-down list, select "VirusScan Enterprise 8.8.x". Click "Access Protection Policies" policy to open the properties. From the "Settings for:" drop-down list, select "Server". In the "Access protection rules:" settings, under "Categories", click "User-defined Rules", click "New". Choose "File/Folder Blocking Rule" to create the rule identified as the File protection rule. Specify an appropriate Rule name: (i.e., McAfee MOVE SVM File and Folder Protection). Enter the path to which the McAfee MOVE SVM has been installed (default is C:\Program Files (x86)\McAfee\MOVE AV Server\**) in the "File or folder name to block:" section. Select the "Write access to files", "New files being created", and "Files being deleted" under the "File actions to prevent:" section. Click "OK". After the rule is created, select the "Block" and "Report" check boxes. Click "Save". Configure an additional rule for the registry protection of the following registry paths: Under "Block/Report/Rules", ensure rules are configured for registry protection for the following registry paths: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mvserver HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mvserver\Parameters HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mvserver\Parameters\ODS

Fix Text (F-85257r1_fix)