The Symantec Endpoint Protection client must have the Symantec Client State Plug-in for ePO deployed.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-42670	DTASEP006	SV-55398r1_rule		High

Description
All systems at DoD sites are managed by the site's HBSS ePO server for host based security. When sites choose to deploy Symantec AntiVirus products to their managed systems, these systems appear to HBSS as not protected for antivirus. When the HBSS ePO server uploads asset postures to US CYBERCOM, the systems will reflect as not having antivirus installed. In order that the Symantec status in the asset's posture within HBSS is reported, the Symantec Client Status plug-in needs to be deployed to the Symantec-install system from the HBSS ePO server and verified to be reporting its Symantec status back to the ePO server.

Description

All systems at DoD sites are managed by the site's HBSS ePO server for host based security. When sites choose to deploy Symantec AntiVirus products to their managed systems, these systems appear to HBSS as not protected for antivirus. When the HBSS ePO server uploads asset postures to US CYBERCOM, the systems will reflect as not having antivirus installed. In order that the Symantec status in the asset's posture within HBSS is reported, the Symantec Client Status plug-in needs to be deployed to the Symantec-install system from the HBSS ePO server and verified to be reporting its Symantec status back to the ePO server.

STIG	Date
Symantec Endpoint Protection 12.1 Local Client Antivirus STIG	2015-06-30

Details

Check Text ( C-48941r1_chk )
Note: This check is N/A for Stand alone systems which are NOT connected to HBSS. On the system to which the Symantec Endpoint Protection has been installed, find the McAfee Agent icon (red shield with white M) in the taskbar. Right-click the icon and choose "About". The dialog box which opens will reflect all installed products being managed by the McAfee agent, as deployed from the McAfee HBSS ePO server. Verify "Symantec Plugin" is listed as an installed product. If the McAfee Agent "About" properties do not include the Symantec Plugin as an installed product, this is a finding. On the machine use the Windows Registry Editor to navigate to the following key: 32 bit and 64 bit: HKLM\SOFTWARE\Network Associates\ePolicy Orchestrator\Application Plugins If the subkey "S_SYMC_1000" does not exist, this is a finding.

Check Text ( C-48941r1_chk )

Note: This check is N/A for Stand alone systems which are NOT connected to HBSS.

On the system to which the Symantec Endpoint Protection has been installed, find the McAfee Agent icon (red shield with white M) in the taskbar. Right-click the icon and choose "About". The dialog box which opens will reflect all installed products being managed by the McAfee agent, as deployed from the McAfee HBSS ePO server.

Verify "Symantec Plugin" is listed as an installed product.

If the McAfee Agent "About" properties do not include the Symantec Plugin as an installed product, this is a finding.

On the machine use the Windows Registry Editor to navigate to the following key:
32 bit and 64 bit:
HKLM\SOFTWARE\Network Associates\ePolicy Orchestrator\Application Plugins

If the subkey "S_SYMC_1000" does not exist, this is a finding.

Fix Text (F-48255r1_fix)
The fix will require the assistance of the HBSS administrator. The HBSS administrator should deploy the Symantec Client State Plugin from the HBSS ePO server and verify the system accurately reflects its installation.