The Symantec Endpoint Protection client must be verified as uploading SEP client detail to ePO.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-42615	DTASEP007	SV-55343r1_rule		Medium

Description
All systems at DoD sites are managed by the site's HBSS ePO server for host based security. When sites choose to deploy Symantec AntiVirus products to their managed systems, these systems appear to HBSS as not protected for antivirus. When the HBSS ePO server uploads asset postures to US CYBERCOM, the systems will reflect as not having antivirus installed. In order that the Symantec status be reported in the asset's posture within HBSS, the Symantec Client Status plug-in needs to be deployed to the Symantec-install system from the HBSS ePO server and verified to be reporting its Symantec status back to the ePO server.

Description

All systems at DoD sites are managed by the site's HBSS ePO server for host based security. When sites choose to deploy Symantec AntiVirus products to their managed systems, these systems appear to HBSS as not protected for antivirus. When the HBSS ePO server uploads asset postures to US CYBERCOM, the systems will reflect as not having antivirus installed. In order that the Symantec status be reported in the asset's posture within HBSS, the Symantec Client Status plug-in needs to be deployed to the Symantec-install system from the HBSS ePO server and verified to be reporting its Symantec status back to the ePO server.

STIG	Date
Symantec Endpoint Protection 12.1 Managed Client Antivirus	2015-07-08

Details

Check Text ( C-48896r1_chk )
On the system to which the Symantec Endpoint Protection has been installed, open a Windows Explorer window and navigate to C:\ProgramData\McAfee\Common Framework (on 64-bit systems) or C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework (on 32-bit systems). Find and open with Internet Explorer the file named LastPropsSentToServer.xml. Verify the following information in the file: should be recent (current day) SoftwareID="S_SEPEVT1100" Setting name="ProductName">Symantec Endpoint Protection Setting name="szProductVer">12.1.1101.401 If the LastPropsSentToServer.xml does not reflect a current date and/or does not include a section for SoftwareID="S_SEPEVT1100", this is a finding.

Check Text ( C-48896r1_chk )

On the system to which the Symantec Endpoint Protection has been installed, open a Windows Explorer window and navigate to C:\ProgramData\McAfee\Common Framework (on 64-bit systems) or C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework (on 32-bit systems).

Find and open with Internet Explorer the file named LastPropsSentToServer.xml.

Verify the following information in the file:

should be recent (current day)

SoftwareID="S_SEPEVT1100"
Setting name="ProductName">Symantec Endpoint Protection
Setting name="szProductVer">12.1.1101.401

If the LastPropsSentToServer.xml does not reflect a current date and/or does not include a section for SoftwareID="S_SEPEVT1100", this is a finding.

Fix Text (F-48197r1_fix)
The fix will require assistance of the HBSS administrator. The HBSS administrator should verify the McAfee Agent is successfully communicating to the ePO server. The HBSS administrator should redeploy the Symantec Client State Plugin and verify it uploads the Symantec client state correctly to the ePO server.