McAfee VirusScan On-Demand scan must be configured to scan all fixed, or local, disks and running processes.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-6599	DTAM045	SV-55191r4_rule		Medium

Description
Antivirus software is the mostly commonly used technical control for malware threat mitigation. Antivirus software on hosts should be configured to scan all hard drives regularly to identify any file system infections and to scan any removable media, if applicable, before media is inserted into the system. Not scheduling a regular scan of the hard drives of a system and/or not configuring the scan to scan all files and running processes introduces a higher risk of threats going undetected.

Description

Antivirus software is the mostly commonly used technical control for malware threat mitigation. Antivirus software on hosts should be configured to scan all hard drives regularly to identify any file system infections and to scan any removable media, if applicable, before media is inserted into the system. Not scheduling a regular scan of the hard drives of a system and/or not configuring the scan to scan all files and running processes introduces a higher risk of threats going undetected.

STIG	Date
McAfee VirusScan 8.8 Managed Client STIG	2019-09-24

Details

Check Text ( C-48794r5_chk )
From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Tasks on a Single System. From the list of available tasks in the Task Name column, with the assistance of the ePO SA, identify the weekly on demand client scan task. In the same row as the client scan task under review, under the Task Type column, ensure it is an "On Demand scan" and in the Status column, ensure that the status is "Enabled". In the Actions column, select "Edit Assignment". In the Task to Schedule: area, verify the Product is "VirusScan Enterprise 8.8.0" and the Task Type is "On Demand Scan". In the Task name column, select "View Selected Task". Under the Scan Locations tab, locate the "Locations to scan:" label. Ensure the "All fixed drives" or "All local drives" and "Running processes" options are displayed. Criteria: If "All fixed drives" or "All local drives" and "Running processes" are displayed in the configuration for the daily or weekly On Demand Scan, this is not a finding. Locally, on the client machine, use the Windows Explorer to navigate to the following folder: (This folder may be hidden.) %SystemDrive%\ProgramData\McAfee\Common Framework\Task (64-Bit) If folder(s) do not exist, an alternative method of validating is via the following registry key: [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\McAfee\DesktopProtection\Tasks] and are referenced by a GUID for each task. Multiple .ini files will be stored in this folder, one for each task defined on the ePO server for this client. The name for each task is identified in the first section of the file under the [Task] section on the TaskName= "" line. Additionally, a TaskType= line is provided to describe the type of scan. In this case, TaskType=VSC700_Scan_Task is expected. Information for this check is determined by examining the contents of this file. Criteria: If [ScanItems] szScanItemX=All fixed drives or szScanItemX=All local drives, and [ScanItems] scScanItemX=SpecialMemory are present, this is not a finding. For the values of szScanItemX, the character X represents some integer =>0. Example: szScanItem0=All fixed disks, szScanItem1=SpecialMemory.

Check Text ( C-48794r5_chk )

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Tasks on a Single System. From the list of available tasks in the Task Name column, with the assistance of the ePO SA, identify the weekly on demand client scan task. In the same row as the client scan task under review, under the Task Type column, ensure it is an "On Demand scan" and in the Status column, ensure that the status is "Enabled". In the Actions column, select "Edit Assignment". In the Task to Schedule: area, verify the Product is "VirusScan Enterprise 8.8.0" and the Task Type is "On Demand Scan". In the Task name column, select "View Selected Task". Under the Scan Locations tab, locate the "Locations to scan:" label. Ensure the "All fixed drives" or "All local drives" and "Running processes" options are displayed.

Criteria: If "All fixed drives" or "All local drives" and "Running processes" are displayed in the configuration for the daily or weekly On Demand Scan, this is not a finding.

Locally, on the client machine, use the Windows Explorer to navigate to the following folder: (This folder may be hidden.)

%SystemDrive%\ProgramData\McAfee\Common Framework\Task (64-Bit)

If folder(s) do not exist, an alternative method of validating is via the following registry key:
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\McAfee\DesktopProtection\Tasks] and are referenced by a GUID for each task.

Multiple .ini files will be stored in this folder, one for each task defined on the ePO server for this client. The name for each task is identified in the first section of the file under the [Task] section on the TaskName= "" line. Additionally, a TaskType= line is provided to describe the type of scan. In this case, TaskType=VSC700_Scan_Task is expected. Information for this check is determined by examining the contents of this file.

Criteria: If [ScanItems] szScanItemX=All fixed drives or szScanItemX=All local drives, and [ScanItems] scScanItemX=SpecialMemory are present, this is not a finding. For the values of szScanItemX, the character X represents some integer =>0. Example: szScanItem0=All fixed disks, szScanItem1=SpecialMemory.

Fix Text (F-48045r3_fix)
From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Tasks on a Single System. From the list of available tasks in the Task Name column, with the assistance of the ePO SA, identify the weekly on demand client scan task. In the same row as the client scan task under review, under the Task Type column, ensure it is an "On Demand scan" and in the Status column, ensure that the status is "Enabled". In the Task Name column, select the weekly on demand task. Under the Scan Locations tab, locate the "Locations to scan:" label. In the drop-down menus, select "All fixed drives" or "All local drives" and "Running processes". Select Save.

Fix Text (F-48045r3_fix)