The Symantec Endpoint Protection client Tamper Protection must be configured to block attempts to tamper with or shut down the client.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-42613	DTASEP005	SV-55341r1_rule		Medium

Description
For antivirus software to be effective, it must be running at all times, beginning from the point of the system's initial startup. Otherwise, the risk is greater for viruses, Trojans and other malware infecting the system during that startup phase.

STIG	Date
Symantec Endpoint Protection 12.1 Managed Client Antivirus	2015-07-08

Details

Check Text ( C-48894r1_chk )
Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Clients -> Under Clients -> Select the client to be checked -> Under the Policies tab, Settings -> Select General Settings -> Under the Tamper Protection tab -> Ensure "Protect Symantec security software from being tampered with or shut down" is selected. Criteria: If "Protect Symantec security software from being tampered with or shut down" is not selected, this is a finding. Client check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Client Management -> Select Configure Settings -> Under the Tamper Protection tab -> Ensure "Protect Symantec security software from being tampered with or shut down" is selected. Criteria: If "Protect Symantec security software from being tampered with or shut down" is not selected, this is a finding.

Check Text ( C-48894r1_chk )

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Clients -> Under Clients -> Select the client to be checked -> Under the Policies tab, Settings -> Select General Settings -> Under the Tamper Protection tab -> Ensure "Protect Symantec security software from being tampered with or shut down" is selected.

Criteria: If "Protect Symantec security software from being tampered with or shut down" is not selected, this is a finding.

Client check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Client Management -> Select Configure Settings -> Under the Tamper Protection tab -> Ensure "Protect Symantec security software from being tampered with or shut down" is selected.

Criteria: If "Protect Symantec security software from being tampered with or shut down" is not selected, this is a finding.

Fix Text (F-48195r1_fix)
From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Clients -> Under Clients -> Select the client to be checked -> Under the Policies tab, Settings -> Select General Settings -> Under the Tamper Protection tab -> Select "Protect Symantec security software from being tampered with or shut down".