McAfee VirusScan On-Access Default Processes Policies must be configured to not exclude any files from being scanned unless exclusions have been documented with, and approved by, the ISSO/ISSM/DAA.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-42531	DTAM153	SV-55259r5_rule		Medium

Description
When scanning for malware, excluding specific files will increase the risk of a malware-infected file going undetected. By configuring antivirus software without any exclusions, the scanner has a higher success rate at detecting and eradicating malware.

STIG	Date
McAfee VirusScan 8.8 Managed Client STIG	2019-09-24

Details

Check Text ( C-48849r7_chk )
Note: Exclusions must be documented and approved by the ISSO, ISSM, and/or AO. If the site has both an ISSO and an ISSM, the exclusions must be documented by the ISSO and approved by the ISSM or as determined by internal approval structure in the organization. If only an ISSO or ISSM is at site, they will be responsible for both documenting and approving. If neither an ISSO nor ISSM is at the site, the approval falls to the AO. From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the On-Access Default Processes Policies. Under the Exclusions tab, locate the "What not to scan:" label. Ensure there are no exclusions listed. If exclusions are listed, verify they have been documented and approved by the ISSO/ISSM/AO. Criteria: If there are no exclusions listed in the "What not to scan:" field, this is a not finding. If there are exclusions listed in the "What not to scan:" field, and the exclusions have been documented with, and approved by, the ISSO/ISSM/AO, this is not a finding. If there are exclusions listed in the "What not to scan:" field, and the exclusions have not been documented with, and approved by, the ISSO/ISSM/AO, this is a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) SystemCore\VSCore\On Access Scanner\McShield\Configuration\Default Criteria: If the value NumExcludeItems is 0, this is not a finding. If NumExcludeItems is not 1 or greater, and exclusions have not been documented with and approved by the ISSO/ISSM/AO, this is a finding. If NumExcludeItems is 1 or greater, and exclusions have been approved by the ISSO/ISSM/AO, this is not a finding.

Check Text ( C-48849r7_chk )

Note: Exclusions must be documented and approved by the ISSO, ISSM, and/or AO.
If the site has both an ISSO and an ISSM, the exclusions must be documented by the ISSO and approved by the ISSM or as determined by internal approval structure in the organization.
If only an ISSO or ISSM is at site, they will be responsible for both documenting and approving.
If neither an ISSO nor ISSM is at the site, the approval falls to the AO.

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System.
From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the On-Access Default Processes Policies.
Under the Exclusions tab, locate the "What not to scan:" label. Ensure there are no exclusions listed.
If exclusions are listed, verify they have been documented and approved by the ISSO/ISSM/AO.

Criteria: If there are no exclusions listed in the "What not to scan:" field, this is a not finding.
If there are exclusions listed in the "What not to scan:" field, and the exclusions have been documented with, and approved by, the ISSO/ISSM/AO, this is not a finding.
If there are exclusions listed in the "What not to scan:" field, and the exclusions have not been documented with, and approved by, the ISSO/ISSM/AO, this is a finding.

On the client machine, use the Windows Registry Editor to navigate to the following key:
HKLM\Software\McAfee\ (32-bit)
HKLM\Software\Wow6432Node\McAfee\ (64-bit)
SystemCore\VSCore\On Access Scanner\McShield\Configuration\Default

Criteria: If the value NumExcludeItems is 0, this is not a finding.
If NumExcludeItems is not 1 or greater, and exclusions have not been documented with and approved by the ISSO/ISSM/AO, this is a finding.
If NumExcludeItems is 1 or greater, and exclusions have been approved by the ISSO/ISSM/AO, this is not a finding.

Fix Text (F-48113r2_fix)
From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the On-Access Default Processes Policies. Under the Exclusions tab, locate the "What not to scan:" label. Remove any exclusions listed.

Fix Text (F-48113r2_fix)

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the On-Access Default Processes Policies. Under the Exclusions tab, locate the "What not to scan:" label. Remove any exclusions listed.