STIGQter STIGQter: STIG Summary: Symantec Endpoint Protection 12.1 Managed Client Antivirus Version: 1 Release: 4 Benchmark Date: 24 Jul 2015: The Symantec Endpoint Protection client Auto-Protect Scan Actions settings must be explicitly configured at the top, Security Risks, level and not be overridden by the Spyware sub-level.

DISA Rule

SV-55388r1_rule

Vulnerability Number

V-42660

Group Title

DTASEP039

Rule Version

DTASEP039

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Protection Technology -> Select Auto-Protect -> Select the Actions tab -> Under Actions -> Under Security Risks -> Select Spyware -> Ensure "Override actions configured for Security Risks" is NOT selected.

Check Contents

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Protection Technology -> Select Auto-Protect -> Select the Actions tab -> Under Actions -> Under Security Risks -> Select Spyware -> Ensure "Override actions configured for Security Risks" is NOT selected.

Criteria: If "Override actions configured for Security Risks" is selected, this is a finding.

On the client machine use the Windows Registry Editor to navigate to the following key:
32 bit:
HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\Expanded

Criteria: If the value of FirstAction is not 3, this is a finding.
If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding.
A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\Expanded\TCID-6 is 0 or the value is not there, this is not a finding.

64 bit:
HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\Expanded

Criteria: If the value of FirstAction is not 3, this is a finding.
If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding.
A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\Expanded\TCID-6 is 0 or the value is not there, this is not a finding.

Vulnerability Number

V-42660

Documentable

False

Rule Version

DTASEP039

Severity Override Guidance

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Protection Technology -> Select Auto-Protect -> Select the Actions tab -> Under Actions -> Under Security Risks -> Select Spyware -> Ensure "Override actions configured for Security Risks" is NOT selected.

Criteria: If "Override actions configured for Security Risks" is selected, this is a finding.

On the client machine use the Windows Registry Editor to navigate to the following key:
32 bit:
HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\Expanded

Criteria: If the value of FirstAction is not 3, this is a finding.
If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding.
A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\Expanded\TCID-6 is 0 or the value is not there, this is not a finding.

64 bit:
HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\Expanded

Criteria: If the value of FirstAction is not 3, this is a finding.
If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding.
A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\Expanded\TCID-6 is 0 or the value is not there, this is not a finding.

Check Content Reference

M

Target Key

2566

Comments