UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The Symantec Endpoint Protection client weekly scheduled scan must be configured to scan all file types or scan exclude files option must be documented with, and approved by, IAO/IAM.


Overview

Finding ID Version Rule ID IA Controls Severity
V-42779 DTASEP045 SV-55507r1_rule Medium
Description
When scanning for malware, excluding specific file types will increase the risk of a malware-infected file going undetected. By configuring antivirus software to scan all file types, the scanner has a higher success rate at detecting and eradicating malware.
STIG Date
Symantec Endpoint Protection 12.1 Local Client Antivirus STIG 2014-07-03

Details

Check Text ( C-49051r1_chk )
GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Scan for Threats -> Double-click the applied policy -> Under Scan Options, File Types -> Ensure "All types", or if "Selected Extensions:" is selected -> Select Extensions -> Ensure any selected extensions are documented with, and approved by, the IAO/IAM, is selected.

Criteria: If "All types", is not selected, or if "Selected Extensions" is selected and the extensions are not documented with, and approved by, the IAO/IAM, this is a finding.

On the machine use the Windows Registry Editor to navigate to the following key:
32 bit:
HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Scheduler\{SID}\Custom Tasks\{Scan ID}
64 bit:
HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Scheduler\{SID}\Custom Tasks\{Scan ID}

Criteria: If the value of FileType is not 1, or if the value of "ExcludeByExtension", "HaveExceptionDirs", "HaveExceptionFiles" are 1, and the IAO/IAM has approved the use of exclusions, this is not a finding.
Fix Text (F-48365r1_fix)
Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Scan for Threats -> Double-click the applied policy -> Under Scan Options, File Types -> Select "All types", or if "Selected Extensions:" is selected -> Select Extensions -> Ensure any selected extensions are documented with, and approved by, the IAO/IAM, is selected.