Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-42789 | DTASEP056 | SV-55517r1_rule | Medium |
Description |
---|
Malware may have infected a file that is necessary to the user. By configuring the antivirus software to first attempt cleaning the infected file, availability to the file is not sacrificed. If a cleaning attempt is not successful, however, deleting the file is the only safe option to ensure the malware does is not introduced onto the system or network. |
STIG | Date |
---|---|
Symantec Endpoint Protection 12.1 Local Client Antivirus STIG | 2014-07-03 |
Check Text ( C-49061r1_chk ) |
---|
GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Scan for Threats -> Double-click the applied policy -> Select Actions -> Select Malware -> Ensure first action is set to "Clean risk". Criteria: If first action is not set to "Clean risk", this is a finding. On the machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Scheduler\{SID}\Custom Tasks\{Scan ID}\Malware 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Scheduler\{SID}\Custom Tasks\{Scan ID}\Malware Criteria: If the value of "FirstAction" is not 5, this is a finding. |
Fix Text (F-48375r1_fix) |
---|
Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Scan for Threats -> Double-click the applied policy -> Select Actions -> Select Malware -> Set first action to "Clean risk". |