The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to Clean as first action when a virus or Trojan is detected.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-63095	DTAVSEL-013	SV-77585r2_rule		Medium

Description
Malware may have infected a file that is necessary to the user. By configuring the anti-virus software to first attempt cleaning the infected file, availability to the file is not sacrificed. If a cleaning attempt is not successful, however, deleting the file is the only safe option to ensure the malware is not introduced onto the system or network.

STIG	Date
McAfee VSEL 1.9/2.0 Local Client Security Technical Implementation Guide	2019-09-25

Details

Check Text ( C-63847r4_chk )
From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, under "Configure", select "On-Access Settings". Under "Anti-virus Actions", verify "Clean" is selected from the first drop-down list for "Actions for viruses and Trojans". If "Clean" is not selected from the first drop-down list for "Actions for viruses and Trojans", this is a finding. To validate without the Web interface, access the Linux system being reviewed, either at the console or by a SSH connection. At the command line, navigate to /var/opt/NAI/LinuxShield/etc. Enter the command: grep ‘nailsd.profile.OAS.action.App.primary’ nailsd.cfg If the response given for "nailsd.profile.OAS.action.App.primary" is not "Clean", this is a finding.

Check Text ( C-63847r4_chk )

From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account.

In the VSEL WEB Monitor, under "Configure", select "On-Access Settings".
Under "Anti-virus Actions", verify "Clean" is selected from the first drop-down list for "Actions for viruses and Trojans".

If "Clean" is not selected from the first drop-down list for "Actions for viruses and Trojans", this is a finding.

To validate without the Web interface, access the Linux system being reviewed, either at the console or by a SSH connection.
At the command line, navigate to /var/opt/NAI/LinuxShield/etc.
Enter the command: grep ‘nailsd.profile.OAS.action.App.primary’ nailsd.cfg

If the response given for "nailsd.profile.OAS.action.App.primary" is not "Clean", this is a finding.

Fix Text (F-69013r1_fix)
From a desktop browser window, connect to the McAfee VirusScan Enterprise for Linux (VSEL) Monitor (WEB interface) of the Linux system being reviewed and logon with the nails user account. In the VSEL WEB Monitor, under "Configure", select "On-Access Settings". Under "Anti-virus Actions", select "Clean" from the first drop-down list for "Actions for viruses and Trojans". Click "Apply".