STIGQter STIGQter: STIG Summary: Symantec Endpoint Protection 12.1 Managed Client Antivirus Version: 1 Release: 4 Benchmark Date: 24 Jul 2015: The Symantec Endpoint Protection client Outlook Auto-Protect actions for when a Security Risk has been detected must be configured to Quarantine Risk if first action fails.

DISA Rule

SV-55480r1_rule

Vulnerability Number

V-42752

Group Title

DTASEP092

Rule Version

DTASEP092

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Email Scans -> Select Microsoft Outlook Auto-Protect -> Select the Actions tab -> Under Actions -> Select Security Risks -> Observe the First action and the If first action fails boxes -> Set If first action fails to "Quarantine Risk".

Check Contents

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Email Scans -> Select Microsoft Outlook Auto-Protect -> Select the Actions tab -> Under Actions -> Select Security Risks -> Observe the First action and the If first action fails boxes -> Ensure If first action fails is set to "Quarantine Risk".

Criteria: If first action fails is not set to "Quarantine Risk", this is a finding.

On the client machine, use the Windows Registry Editor to navigate to the following key:
32 bit:
HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Expanded
64 bit:
HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Expanded

Criteria: If the value of "SecondAction" is not 1, this is a finding.

Vulnerability Number

V-42752

Documentable

False

Rule Version

DTASEP092

Severity Override Guidance

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Email Scans -> Select Microsoft Outlook Auto-Protect -> Select the Actions tab -> Under Actions -> Select Security Risks -> Observe the First action and the If first action fails boxes -> Ensure If first action fails is set to "Quarantine Risk".

Criteria: If first action fails is not set to "Quarantine Risk", this is a finding.

On the client machine, use the Windows Registry Editor to navigate to the following key:
32 bit:
HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Expanded
64 bit:
HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Expanded

Criteria: If the value of "SecondAction" is not 1, this is a finding.

Check Content Reference

M

Target Key

2566

Comments