Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-42531 | DTAM153 | SV-55259r2_rule | Medium |
Description |
---|
When scanning for malware, excluding specific files will increase the risk of a malware-infected file going undetected. By configuring antivirus software without any exclusions, the scanner has a higher success rate at detecting and eradicating malware. |
STIG | Date |
---|---|
McAfee VirusScan 8.8 Managed Client STIG | 2015-06-18 |
Check Text ( C-48849r4_chk ) |
---|
From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the On-Access Default Processes Policies. Under the Exclusions tab, locate the "What not to scan:" label. Ensure there are no exclusions listed. If exclusions are listed, verify they have been documented and approved by the ISSO/ISSM/DAA. Criteria: If there are no exclusions listed in the "What not to scan:" field, this is a not finding. If there are exclusions listed in the "What not to scan:" field, and the exclusions have been documented with, and approved by, the ISSO/ISSM/DAA, this is not a finding. If there are exclusions listed in the "What not to scan:" field, and the exclusions have not been documented with, and approved by, the ISSO/ISSM/DAA, this is a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) SystemCore\VSCore\On Access Scanner\McShield\Configuration\Default Criteria: If the value NumExcludeItems is 0, this is not a finding. If NumExcludeItems is not 1 or greater, and exclusions have not been documented with and approved by the ISSO/ISSM/DAA, this is a finding. If NumExcludeItems is not 1 or greater, and exclusions have been approved by the ISSO/ISSM/DAA, this is not a finding. |
Fix Text (F-48113r2_fix) |
---|
From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the On-Access Default Processes Policies. Under the Exclusions tab, locate the "What not to scan:" label. Remove any exclusions listed. |