STIGQter STIGQter: STIG Summary: Symantec Endpoint Protection 12.1 Local Client Antivirus STIG Version: 1 Release: 4 Benchmark Date: 24 Jul 2015: The Symantec Endpoint Protection client weekly scheduled scan actions for handling security risks upon detection must be explicitly configured at the top, Security Risks, level and not be overridden by the Parental Control sub-level.

DISA Rule

SV-55524r2_rule

Vulnerability Number

V-42796

Group Title

DTASEP063

Rule Version

DTASEP063

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Scan for Threats -> Double-click the applied policy -> Select Actions -> Under Security Risk -> Select Parental Control -> Ensure "Override actions configured for Security Risks" is NOT selected.

Check Contents

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Scan for Threats -> Double-click the applied policy -> Select Actions -> Under Security Risk -> Select Parental Control -> Ensure "Override actions configured for Security Risks" is NOT selected.

Criteria: If "Override actions configured for Security Risks" is selected, this is a finding.

On the machine use the Windows Registry Editor to navigate to the following key:
32 bit:
HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\LocalScans\{scan ID}\Expanded

Criteria: If the value of FirstAction is not 3, this is a finding.
If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding.
A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\LocalScans\{scan ID}\Expanded\TCID-17 is 0 or the value is not there, this is not a finding.

64 bit:
HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\LocalScans\{scan ID}\Expanded

Criteria: If the value of FirstAction is not 3, this is a finding.
If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding.
A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\LocalScans\{scan ID}\Expanded\TCID-17 is 0 or the value is not there, this is not a finding.

Vulnerability Number

V-42796

Documentable

False

Rule Version

DTASEP063

Severity Override Guidance

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Scan for Threats -> Double-click the applied policy -> Select Actions -> Under Security Risk -> Select Parental Control -> Ensure "Override actions configured for Security Risks" is NOT selected.

Criteria: If "Override actions configured for Security Risks" is selected, this is a finding.

On the machine use the Windows Registry Editor to navigate to the following key:
32 bit:
HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\LocalScans\{scan ID}\Expanded

Criteria: If the value of FirstAction is not 3, this is a finding.
If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding.
A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\LocalScans\{scan ID}\Expanded\TCID-17 is 0 or the value is not there, this is not a finding.

64 bit:
HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\LocalScans\{scan ID}\Expanded

Criteria: If the value of FirstAction is not 3, this is a finding.
If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding.
A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\LocalScans\{scan ID}\Expanded\TCID-17 is 0 or the value is not there, this is not a finding.

Check Content Reference

M

Target Key

625

Comments