The Symantec Endpoint Protection client must be configured with a full scan scheduled to run at least weekly.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-42664	DTASEP043	SV-55392r1_rule		Medium

Description
Antivirus software is the most commonly used technical control for malware threat mitigation. Antivirus software on hosts should be configured to scan all hard drives regularly to identify any file system infections. Not scheduling a regular scan of the hard drives of a system and/or not configuring the scan to scan all files introduces a higher risk of threats going undetected.

STIG	Date
Symantec Endpoint Protection 12.1 Managed Client Antivirus	2014-10-01

Details

Check Text ( C-48934r1_chk )
Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Scheduled Scans -> Select Administrator-Defined Scans -> Ensure there is at least one full scan enabled that is Weekly or Daily. Criteria: If there is no full scan enabled that is Weekly or Daily, this is a finding. On the client machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Scheduler\{SID}\Custom Tasks\{scan ID}\Schedule 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Scheduler\{SID}\Custom Tasks\{scan ID}\Schedule Criteria: If the value of SelectedScanType is not 2, the value of Type is not 1 or 2, and the value of Enabled is not 1, this is a finding.

Check Text ( C-48934r1_chk )

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Scheduled Scans -> Select Administrator-Defined Scans -> Ensure there is at least one full scan enabled that is Weekly or Daily.

Criteria: If there is no full scan enabled that is Weekly or Daily, this is a finding.

On the client machine use the Windows Registry Editor to navigate to the following key:
32 bit:
HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Scheduler\{SID}\Custom Tasks\{scan ID}\Schedule
64 bit:
HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Scheduler\{SID}\Custom Tasks\{scan ID}\Schedule

Criteria: If the value of SelectedScanType is not 2, the value of Type is not 1 or 2, and the value of Enabled is not 1, this is a finding.

Fix Text (F-48248r1_fix)
From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Scheduled Scans -> Select Administrator-Defined Scans -> Create at least one enabled full daily or weekly scan.