SV-55475r1_rule
V-42747
DTASEP087
DTASEP087
CAT II
10
From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Email Scans -> Select Microsoft Outlook Auto-Protect -> Select the Actions tab -> Under Actions -> Under Security Risks -> Select Security Assessment Tool -> Ensure "Override actions configured for Security Risks" is NOT selected.
Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Email Scans -> Select Microsoft Outlook Auto-Protect -> Select the Actions tab -> Under Actions -> Under Security Risks -> Select Security Assessment Tool -> Ensure "Override actions configured for Security Risks" is NOT selected.
Criteria: If "Override actions configured for Security Risks" is selected, this is a finding.
On the client machine use the Windows Registry Editor to navigate to the following key:
32 bit:
HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Expanded
Criteria: If the value of FirstAction is not 3, this is a finding.
If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding.
A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Expanded\TCID-13 is 0 or the value is not there, this is not a finding.
64 bit:
HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Expanded
Criteria: If the value of FirstAction is not 3, this is a finding.
If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding.
A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Expanded\TCID-13 is 0 or the value is not there, this is not a finding.
V-42747
False
DTASEP087
Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Email Scans -> Select Microsoft Outlook Auto-Protect -> Select the Actions tab -> Under Actions -> Under Security Risks -> Select Security Assessment Tool -> Ensure "Override actions configured for Security Risks" is NOT selected.
Criteria: If "Override actions configured for Security Risks" is selected, this is a finding.
On the client machine use the Windows Registry Editor to navigate to the following key:
32 bit:
HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Expanded
Criteria: If the value of FirstAction is not 3, this is a finding.
If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding.
A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Expanded\TCID-13 is 0 or the value is not there, this is not a finding.
64 bit:
HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Expanded
Criteria: If the value of FirstAction is not 3, this is a finding.
If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding.
A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Expanded\TCID-13 is 0 or the value is not there, this is not a finding.
M
2566