McAfee VirusScan Access Protection Rules Anti-spyware Maximum Protection must be set to block and report when block execution of all programs from temp folder.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-59365	DTAM170	SV-73795r3_rule		Medium

Description
This rule will block any executable from running from the Temp directory; however, this rule is much more restrictive in that it stops nearly all processes from launching in the Temp folder. This provides the most protection, but also has a higher chance of blocking a legitimate application from being installed. Intention: Most viruses need to be run once by a person before infecting a computer. This can be done in many ways, such as opening an executable attachment in an email, downloading a program from the Internet, etc. For example, <http://vil.nai.com/vil/content/v_101034.htm>. An executable needs to exist on the disk before Windows can run it. A common way for applications to achieve this is to save the file in the user’s or system’s Temp directory and then run it. One purpose of this rule is to enforce advice that is frequently given to people: “don’t open attachments from email.” The other purpose of this rule is to close security holes introduced by application bugs. Older versions of Outlook and Internet Explorer are notorious for automatically executing code without the user needing to do anything but preview an email or view a website. Risks: All applications that are protected by these rules offer alternatives to running executables, such as saving them somewhere else on the disk and running from there. So the downside of the rules is that users may need to learn a few extra steps before doing things they can do more quickly now. Note: Enabling this rule may prevent some applications from functioning outright.

Description

This rule will block any executable from running from the Temp directory; however, this rule is much more restrictive in that it stops nearly all processes from launching in the Temp folder. This provides the most protection, but also has a higher chance of blocking a legitimate application from being installed. Intention: Most viruses need to be run once by a person before infecting a computer. This can be done in many ways, such as opening an executable attachment in an email, downloading a program from the Internet, etc. For example, <http://vil.nai.com/vil/content/v_101034.htm>. An executable needs to exist on the disk before Windows can run it. A common way for applications to achieve this is to save the file in the user’s or system’s Temp directory and then run it. One purpose of this rule is to enforce advice that is frequently given to people: “don’t open attachments from email.” The other purpose of this rule is to close security holes introduced by application bugs. Older versions of Outlook and Internet Explorer are notorious for automatically executing code without the user needing to do anything but preview an email or view a website. Risks: All applications that are protected by these rules offer alternatives to running executables, such as saving them somewhere else on the disk and running from there. So the downside of the rules is that users may need to learn a few extra steps before doing things they can do more quickly now. Note: Enabling this rule may prevent some applications from functioning outright.

STIG	Date
McAfee VirusScan 8.8 Local Client STIG	2018-07-09

Details

Check Text ( C-60141r4_chk )
Note: If the HIPS signatures 7010, 7011, 7020 and 7035 are enabled to provide this same protection, this check is Not Applicable. Access the local VirusScan console by clicking Start >> All Programs >> McAfee >> VirusScan Console. Under the Task column, select Access Protection, right-click, and select Properties. Under the Access Protection tab, locate the "Access protection rules:" label. In the "Categories" box, select "Anti-Spyware Maximum Protection". Ensure the "Prevent all programs from running files from the Temp folder" (Block and Report) option is selected. Criteria: If the "Prevent all programs from running files from the Temp folder" (Block and Report) option is selected, this is not a finding.

Check Text ( C-60141r4_chk )

Note: If the HIPS signatures 7010, 7011, 7020 and 7035 are enabled to provide this same protection, this check is Not Applicable.

Access the local VirusScan console by clicking Start >> All Programs >> McAfee >> VirusScan Console.
Under the Task column, select Access Protection, right-click, and select Properties.

Under the Access Protection tab, locate the "Access protection rules:" label. In the "Categories" box, select "Anti-Spyware Maximum Protection". Ensure the "Prevent all programs from running files from the Temp folder" (Block and Report) option is selected.

Criteria: If the "Prevent all programs from running files from the Temp folder" (Block and Report) option is selected, this is not a finding.

Fix Text (F-64761r2_fix)
Access the local VirusScan console by clicking Start >> All Programs >> McAfee >> VirusScan Console. Under the Task column, select Access Protection, right-click, and select Properties. Under the Access Protection tab, locate the "Access protection rules:" label. In the "Categories" box, select "Anti-Spyware Maximum Protection". Select the "Prevent all programs from running files from the Temp folder"(Block and Report) option. Click OK to save.

Fix Text (F-64761r2_fix)

Access the local VirusScan console by clicking Start >> All Programs >> McAfee >> VirusScan Console.
Under the Task column, select Access Protection, right-click, and select Properties.

Under the Access Protection tab, locate the "Access protection rules:" label. In the "Categories" box, select "Anti-Spyware Maximum Protection". Select the "Prevent all programs from running files from the Temp folder"(Block and Report) option.

Click OK to save.