STIGQter STIGQter: STIG Summary: Symantec Endpoint Protection 12.1 Local Client Antivirus STIG Version: 1 Release: 4 Benchmark Date: 24 Jul 2015: The Symantec Endpoint Protection client weekly scheduled scan actions for handling File Reputation lookup detections must be set to Quarantine Risk as first action.

DISA Rule

SV-55509r2_rule

Vulnerability Number

V-42781

Group Title

DTASEP047

Rule Version

DTASEP047

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Scan for Threats -> Double-click the applied policy -> Under Scan Options -> Select Insight Lookup -> Under Specify actions for reputation detection -> Set first action to "Quarantine Risk".

Check Contents

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Scan for Threats -> Double-click the applied policy -> Under Scan Options -> Select Insight Lookup -> Under Specify actions for reputation detection -> Ensure first action is set to "Quarantine Risk".

Criteria: If First action is not set to "Quarantine Risk", this is a finding.

On the machine use the Windows Registry Editor to navigate to the following key:
32 bit:
HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\LocalScans\{scan ID}\Malware\TCID-18
64 bit:
HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\LocalScans\{scan ID}\Malware\TCID-18

Criteria: If the value of FirstAction is not 1, this is a finding.

Vulnerability Number

V-42781

Documentable

False

Rule Version

DTASEP047

Severity Override Guidance

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Scan for Threats -> Double-click the applied policy -> Under Scan Options -> Select Insight Lookup -> Under Specify actions for reputation detection -> Ensure first action is set to "Quarantine Risk".

Criteria: If First action is not set to "Quarantine Risk", this is a finding.

On the machine use the Windows Registry Editor to navigate to the following key:
32 bit:
HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\LocalScans\{scan ID}\Malware\TCID-18
64 bit:
HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\LocalScans\{scan ID}\Malware\TCID-18

Criteria: If the value of FirstAction is not 1, this is a finding.

Check Content Reference

M

Target Key

625

Comments