STIGQter STIGQter: STIG Summary: Symantec Endpoint Protection 12.1 Local Client Antivirus STIG Version: 1 Release: 4 Benchmark Date: 24 Jul 2015: The Symantec Endpoint Protection client Outlook Auto-Protect actions for when malware has been detected must be configured to Delete Risk if first action fails.

DISA Rule

SV-55540r1_rule

Vulnerability Number

V-42812

Group Title

DTASEP079

Rule Version

DTASEP079

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Outlook Auto-Protect tab -> Select the Actions tab -> Select Malware -> Set if first action fails to "Delete Risk".

Check Contents

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Outlook Auto-Protect tab -> Select the Actions tab -> Select Malware -> Ensure If first action fails is set to "Delete Risk".

Criteria: If first action fails is not set to "Delete Risk", this is a finding.

On the machine use the Windows Registry Editor to navigate to the following key:
32 bit:
HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Malware
64 bit:
HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Malware

Criteria: If the value of "SecondAction" is 3, this is not a finding.

Vulnerability Number

V-42812

Documentable

False

Rule Version

DTASEP079

Severity Override Guidance

GUI check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Outlook Auto-Protect tab -> Select the Actions tab -> Select Malware -> Ensure If first action fails is set to "Delete Risk".

Criteria: If first action fails is not set to "Delete Risk", this is a finding.

On the machine use the Windows Registry Editor to navigate to the following key:
32 bit:
HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Malware
64 bit:
HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Malware

Criteria: If the value of "SecondAction" is 3, this is not a finding.

Check Content Reference

M

Target Key

625

Comments