Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-14622 | DTAM100 | SV-56410r1_rule | Medium |
Description |
---|
Organizations should use centrally managed antivirus software that is controlled and monitored regularly by antivirus administrators, who are also typically responsible for acquiring, testing, approving, and delivering antivirus signatures and software updates through the organizations. (FISMA SP 800-83) Some processes are known to be higher risk, while others are low risk. By restricting policy configuration to the Default Processes policy, all processes will be interpreted equally when applying the policy settings and will provide the highest level of protection. Best practice dictates configuring Low Risk and/or High Risk policies only when it is necessary to improve system performance, and will focus the scanning where it is most likely to detect malware. There is risk associated with configuring the Low Risk and/or High Risk policies for the purpose of specifically excluding processes from scanning, and should only be done after evaluating other policy settings and determining risk. |
STIG | Date |
---|---|
McAfee VirusScan 8.8 Local Client STIG | 2017-01-04 |
Check Text ( C-49332r1_chk ) |
---|
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. On the menu bar, click Task->On-Access Scanner Properties. Select All Processes. Under the Processes tab, ensure the "Configure one scanning policy for all processes" is selected. Criteria: If the "Configure one scanning policy for all processes" option is selected, this is not a finding. If the "Configure one scanning policy for all processes" option is not selected, and the use of Low-Risk Processes/High-Risk processes has been documented with, and approved by, the IAO/IAM, this is not a finding. If the "Configure one scanning policy for all processes" option is not selected, and the use of Low-Risk Processes/High-Risk processes has not been documented/approved by the IAO/IAM, this is a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) SystemCore\VSCore\On Access Scanner\McShield\Configuration Criteria: If the value OnlyUseDefaultConfig is 1, this is not a finding. If the value is 0 and the use of Low-Risk Processes/High-Risk processes has not been documented and approved by the IAO/IAM, this is a finding. |
Fix Text (F-49136r1_fix) |
---|
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. On the menu bar, click Task->On-Access Scanner Properties. Select All Processes. Under the Processes tab, select the "Configure one scanning policy for all processes" option. Click OK to Save. |