STIGQter: STIG Summary: Symantec Endpoint Protection 12.1 Managed Client Antivirus Version: 1 Release: 4 Benchmark Date: 24 Jul 2015: The Symantec Endpoint Protection client weekly scheduled scan backup option must be disabled to prevent backing up infected files before attempting to repair them.

DISA Rule

SV-55454r1_rule

Vulnerability Number

V-42726

Group Title

DTASEP051

Rule Version

DTASEP051

Severity

CAT II

CCI(s)

• CCI-001241 - The organization configures malicious code protection mechanisms to perform periodic scans of the information system on an organization-defined frequency.

Weight

10

Fix Recommendation

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Scheduled Scans -> Select Administrator-Defined Scans -> Double-click the Weekly Scan -> Under the Actions tab, Remediation -> Ensure "Back up files before attempting to repair them" is NOT selected.

Check Contents

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Scheduled Scans -> Select Administrator-Defined Scans -> Double-click the Weekly Scan -> Under the Actions tab, Remediation -> Ensure "Back up files before attempting to repair them" is NOT selected.

Criteria: If "Back up files before attempting to repair them" is selected, this is a finding.

On the client machine, use the Windows Registry Editor to navigate to the following key:
32 bit:
HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Scheduler\{SID}\Custom Tasks\{Scan ID}
64 bit:
HKLM\SOFTWARE\Wow632Node\Symantec\Symantec Endpoint Protection\AV\Scheduler\{SID}\Custom Tasks\{Scan ID}

Criteria: If the value of BackupToQuarantine is not 0, this is a finding.

Vulnerability Number

V-42726

Documentable

False

Rule Version

DTASEP051

Severity Override Guidance

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Scheduled Scans -> Select Administrator-Defined Scans -> Double-click the Weekly Scan -> Under the Actions tab, Remediation -> Ensure "Back up files before attempting to repair them" is NOT selected.

Criteria: If "Back up files before attempting to repair them" is selected, this is a finding.

On the client machine, use the Windows Registry Editor to navigate to the following key:
32 bit:
HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Scheduler\{SID}\Custom Tasks\{Scan ID}
64 bit:
HKLM\SOFTWARE\Wow632Node\Symantec\Symantec Endpoint Protection\AV\Scheduler\{SID}\Custom Tasks\{Scan ID}

Criteria: If the value of BackupToQuarantine is not 0, this is a finding.

Check Content Reference

M

Target Key

2566

Comments