STIGQter: STIG Summary: McAfee VirusScan 8.8 Managed Client STIG Version: 5 Release: 21 Benchmark Date: 25 Oct 2019:

McAfee VirusScan On Delivery Email Scan Policies, When a threat is found, must be configured to clean attachments as the first action and delete attachments if the first action fails.

DISA Rule

SV-55180r2_rule

Vulnerability Number

V-42493

Group Title

DTAM162-McAfee VirusScan Email on-delivery threat second action

Rule Version

DTAM162

Severity

CAT II

CCI(s)

• CCI-001243 - The organization configures malicious code protection mechanisms to perform organization-defined action(s) in response to malicious code detection.

Weight

10

Fix Recommendation

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the On Delivery Email Scan Policies. Under the Actions tab, locate the "When a threat is found:" label. For the "If the first action fails, then perform this action:" pull down menu, select "Delete attachments". Select Save.

Check Contents

Note: If an email client is not running on this system, this check can be marked as Not Applicable.

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the On Delivery Email Scan Policies. Under the Actions tab, locate the "When a threat is found:" label. Ensure that for the "If the first action fails, then perform this action:" pull down menu, "Delete attachments" is selected.

Criteria: If "Delete attachments" is selected for "If the first action fails, then perform this action:", this is not a finding.

On the client machine, use the Windows Registry Editor to navigate to the following key:
HKLM\Software\McAfee\ (32-bit)
HKLM\Software\Wow6432Node\McAfee\ (64-bit)
SystemCore\VSCore\Email Scanner\Outlook\OnDelivery\ActionOptions

Criteria: If the value for uSecAction is not 4, this is a finding.

Vulnerability Number

V-42493

Documentable

False

Rule Version

DTAM162

Severity Override Guidance

Note: If an email client is not running on this system, this check can be marked as Not Applicable.

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the On Delivery Email Scan Policies. Under the Actions tab, locate the "When a threat is found:" label. Ensure that for the "If the first action fails, then perform this action:" pull down menu, "Delete attachments" is selected.

Criteria: If "Delete attachments" is selected for "If the first action fails, then perform this action:", this is not a finding.

On the client machine, use the Windows Registry Editor to navigate to the following key:
HKLM\Software\McAfee\ (32-bit)
HKLM\Software\Wow6432Node\McAfee\ (64-bit)
SystemCore\VSCore\Email Scanner\Outlook\OnDelivery\ActionOptions

Criteria: If the value for uSecAction is not 4, this is a finding.

Check Content Reference

M

Target Key

2266

Comments