The Symantec Endpoint Protection Auto-Protect client Detection Options must be configured to display a notification to the user when a risk is detected.


Overview

Finding ID: V-42677
Version: DTASEP013
Rule ID: SV-55405r1_rule
IA Controls: none listed
Severity: Medium
Description
An effective awareness program explains proper rules of behavior for use of an organization's IT systems and information. Accordingly, awareness programs should include guidance to users on malware incident prevention, which can help reduce the frequency and severity of malware incidents. Organizations should also make users aware of policies and procedures that apply to malware incident handling, such as how to identify if a host may be infected, how to report a suspected incident, and what users need to do to assist with incident handling. Having the antivirus software alert users when a risk is detected will ensure the user is aware of the incident and will make it possible to more closely relate the incident to any action(s) being performed by the user at the time of the detection.
STIG: Symantec Endpoint Protection 12.1 Local Client Antivirus STIG
Date: 2015-06-30

Details

Check Text ( C-48948r1_chk )
GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left-hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Auto-Protect tab -> Select Notifications -> Under the Detection options -> Ensure "Display a notification message when a risk is detected" is selected.

Criteria: If "Display a notification message when a risk is detected" is not selected, this is a finding.

Registry check: On the machine, use the Windows Registry Editor to navigate to the following key:
32 bit:
HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan
64 bit:
HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan

Criteria: If the value of MessageBox is not 1, this is a finding.
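
The registry criterion above can also be audited from a script. The following PowerShell is an added example, not part of the STIG text; the function name Test-SepRiskNotification and the output field names are hypothetical, and treating a missing key or value as "not 1" is this example's reading of the criterion.

```powershell
# Added example: audits the MessageBox value named in the check text (V-42677).
function Test-SepRiskNotification {
    [CmdletBinding()]
    param()

    # Subkey from the check text, relative to HKLM.
    $subKey = 'SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan'

    # The 32-bit registry view resolves to HKLM\SOFTWARE\... on 32-bit Windows and
    # to HKLM\SOFTWARE\Wow6432Node\... on 64-bit Windows, so one lookup covers both
    # paths in the check text regardless of the bitness of the PowerShell host.
    $hklm = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine,
        [Microsoft.Win32.RegistryView]::Registry32)

    $value  = $null
    $reason = $null
    try {
        $key = $hklm.OpenSubKey($subKey)   # opened read-only
        if ($null -eq $key) {
            $reason = 'RealTimeScan key not found (client not installed or key removed)'
        } else {
            try     { $value = $key.GetValue('MessageBox', $null) }
            finally { $key.Close() }

            if ($null -eq $value)  { $reason = 'MessageBox value is absent' }
            elseif ($value -ne 1)  { $reason = "MessageBox is $value, expected 1" }
        }
    } finally {
        $hklm.Close()
    }

    # Criterion from the check text: any value other than 1 is a finding.
    [pscustomobject]@{
        FindingId  = 'V-42677'
        Computer   = $env:COMPUTERNAME
        MessageBox = $value
        Status     = if ($null -eq $reason) { 'NotAFinding' } else { 'Finding' }
        Reason     = $reason
    }
}

Test-SepRiskNotification | Format-List
```
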
Fix Text (F-48262r1_fix)
Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left-hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Auto-Protect tab -> Select Notifications -> Under the Detection options -> Select "Display a notification message when a risk is detected".