STIGQter: STIG Summary: McAfee VirusScan 8.8 Managed Client STIG Version: 5 Release: 21 Benchmark Date: 25 Oct 2019:

McAfee VirusScan On-Access Default Processes Policies must be configured to not exclude any files from being scanned unless exclusions have been documented with, and approved by, the ISSO/ISSM/DAA.

DISA Rule

SV-55259r5_rule

Vulnerability Number

V-42531

Group Title

DTAM153--McAfee VirusScan on-access file exclusions

Rule Version

DTAM153

Severity

CAT II

CCI(s)

• CCI-001242 - The organization configures malicious code protection mechanisms to perform real-time scans of files from external sources at endpoints as the files are downloaded, opened, or executed in accordance with organizational security policy.

Weight

10

Fix Recommendation

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the On-Access Default Processes Policies. Under the Exclusions tab, locate the "What not to scan:" label. Remove any exclusions listed.

Check Contents

Note: Exclusions must be documented and approved by the ISSO, ISSM, and/or AO.
If the site has both an ISSO and an ISSM, the exclusions must be documented by the ISSO and approved by the ISSM or as determined by internal approval structure in the organization.
If only an ISSO or ISSM is at site, they will be responsible for both documenting and approving.
If neither an ISSO nor ISSM is at the site, the approval falls to the AO.

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System.
From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the On-Access Default Processes Policies.
Under the Exclusions tab, locate the "What not to scan:" label. Ensure there are no exclusions listed.
If exclusions are listed, verify they have been documented and approved by the ISSO/ISSM/AO.

Criteria: If there are no exclusions listed in the "What not to scan:" field, this is a not finding.
If there are exclusions listed in the "What not to scan:" field, and the exclusions have been documented with, and approved by, the ISSO/ISSM/AO, this is not a finding.
If there are exclusions listed in the "What not to scan:" field, and the exclusions have not been documented with, and approved by, the ISSO/ISSM/AO, this is a finding.

On the client machine, use the Windows Registry Editor to navigate to the following key:
HKLM\Software\McAfee\ (32-bit)
HKLM\Software\Wow6432Node\McAfee\ (64-bit)
SystemCore\VSCore\On Access Scanner\McShield\Configuration\Default

Criteria: If the value NumExcludeItems is 0, this is not a finding.
If NumExcludeItems is not 1 or greater, and exclusions have not been documented with and approved by the ISSO/ISSM/AO, this is a finding.
If NumExcludeItems is 1 or greater, and exclusions have been approved by the ISSO/ISSM/AO, this is not a finding.

Vulnerability Number

V-42531

Documentable

False

Rule Version

DTAM153

Severity Override Guidance

Note: Exclusions must be documented and approved by the ISSO, ISSM, and/or AO.
If the site has both an ISSO and an ISSM, the exclusions must be documented by the ISSO and approved by the ISSM or as determined by internal approval structure in the organization.
If only an ISSO or ISSM is at site, they will be responsible for both documenting and approving.
If neither an ISSO nor ISSM is at the site, the approval falls to the AO.

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System.
From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the On-Access Default Processes Policies.
Under the Exclusions tab, locate the "What not to scan:" label. Ensure there are no exclusions listed.
If exclusions are listed, verify they have been documented and approved by the ISSO/ISSM/AO.

Criteria: If there are no exclusions listed in the "What not to scan:" field, this is a not finding.
If there are exclusions listed in the "What not to scan:" field, and the exclusions have been documented with, and approved by, the ISSO/ISSM/AO, this is not a finding.
If there are exclusions listed in the "What not to scan:" field, and the exclusions have not been documented with, and approved by, the ISSO/ISSM/AO, this is a finding.

On the client machine, use the Windows Registry Editor to navigate to the following key:
HKLM\Software\McAfee\ (32-bit)
HKLM\Software\Wow6432Node\McAfee\ (64-bit)
SystemCore\VSCore\On Access Scanner\McShield\Configuration\Default

Criteria: If the value NumExcludeItems is 0, this is not a finding.
If NumExcludeItems is not 1 or greater, and exclusions have not been documented with and approved by the ISSO/ISSM/AO, this is a finding.
If NumExcludeItems is 1 or greater, and exclusions have been approved by the ISSO/ISSM/AO, this is not a finding.

Check Content Reference

M

Target Key

2266

Comments