STIGQter: STIG Summary: Symantec Endpoint Protection 12.1 Local Client Antivirus STIG

Version: 1

Release: 4

Benchmark Date: 24 Jul 2015

| Name | Title |
| --- | --- |
| SV-55393r1_rule | The Symantec Endpoint Protection clients antivirus signature file age must be no older than 7 days. |
| SV-55394r1_rule | The Symantec Endpoint Protection client User-defined Exceptions option must not be configured to exclude any files from scanning unless exclusions have been documented with, and approved by, the IAO/IAM. |
| SV-55395r1_rule | The Symantec Endpoint Protection client Global Settings for Log Retention must be enabled and configured to retain logs for 30 days. |
| SV-55396r1_rule | The Symantec Endpoint Protection client must be scheduled to auto update. |
| SV-55397r1_rule | The Symantec Endpoint Protection client Tamper Protection must be configured to block attempts to tamper with or shut down the client. |
| SV-55398r1_rule | The Symantec Endpoint Protection client must have the Symantec Client State Plug-in for ePO deployed. |
| SV-55399r1_rule | The Symantec Endpoint Protection client must be verified as uploading SEP client detail to ePO. |
| SV-55400r1_rule | The Symantec Endpoint Protection clients File Reputation Data Submission must be disabled from automatically forwarding selected anonymous security information to Symantec. |
| SV-55401r2_rule | The Symantec Endpoint Protection client Insight lookup for threat detection must be enabled. |
| SV-55402r1_rule | The Symantec Endpoint Protection client File System Auto-Protect must be enabled. |
| SV-55403r1_rule | The Symantec Endpoint Protection client Auto-Protect reload must be configured to stop and reload when the configuration changes. |
| SV-55404r1_rule | The Symantec Endpoint Protection client Auto-Protect File Types options must be configured to scan all files. |
| SV-55405r1_rule | The Symantec Endpoint Protection Auto-Protect client Detection Options must be configured to display a notification to the user when a risk is detected. |
| SV-55406r1_rule | The Symantec Endpoint Protection client Auto-Protect Advanced Options must be configured to scan files when accessed or modified. |
| SV-55407r1_rule | The Symantec Endpoint Protection client Auto-Protect Backup Option must be disabled to prevent backing up infected files before attempting to repair them. |
| SV-55408r1_rule | The Symantec Endpoint Protection client Auto-Protect Advanced Options Automatic enablement setting must be enabled. |
| SV-55409r1_rule | The Symantec Endpoint Protection client Auto-Protect Advanced Options Floppy Settings must be enabled to scan for boot viruses. |
| SV-55410r1_rule | The Symantec Endpoint Protection client Auto-Protect Advanced Options Floppy Settings must be configured to check floppies when the system shuts down. |
| SV-55411r1_rule | The Symantec Endpoint Protection client Auto-Protect option to Scan for Security Risks must be enabled. |
| SV-55412r1_rule | The Symantec Endpoint Protection client Auto-Protect option to Delete newly created infected files must be enabled. |
| SV-55413r1_rule | The Symantec Endpoint Protection client Auto-Protect Risk Tracer must be enabled. |
| SV-55414r1_rule | The Symantec Endpoint Protection client Auto-Protect Risk Tracer must be configured to resolve source IP address. |
| SV-55415r1_rule | The Symantec Endpoint Protection client Auto-Protect Risk Tracer must be configured to poll network sessions. |
| SV-55416r1_rule | The Symantec Endpoint Protection client Global Settings Bloodhound heuristic technology must be enabled. |
| SV-55418r1_rule | The Symantec Endpoint Protection client Global Scan Heuristics Level must be set to Automatic, at a minimum. |
| SV-55420r1_rule | The Symantec Endpoint Protection client Auto-Protect Scan Actions settings must be explicitly configured at the top, Malware, level and not be overridden by sub-levels. |
| SV-55422r1_rule | The Symantec Endpoint Protection client Auto-Protect Scan Actions for Malware must be configured to Clean Risk as the first action upon detection. |
| SV-55423r1_rule | The Symantec Endpoint Protection client Auto-Protect Scan Actions for Malware must be configured to Delete Risk if first action fails. |
| SV-55424r1_rule | The Symantec Endpoint Protection client Auto-Protect Scan Actions settings must be explicitly configured at the top, Security Risks, level and not be overridden by the Adware sub-level. |
| SV-55425r1_rule | The Symantec Endpoint Protection client Auto-Protect Scan Actions settings must be explicitly configured at the top, Security Risks, level and not be overridden by the Dialer sub-level. |
| SV-55426r1_rule | The Symantec Endpoint Protection client Auto-Protect Scan Actions settings must be explicitly configured at the top, Security Risks, level and not be overridden by the Hack Tool sub-level. |
| SV-55427r1_rule | The Symantec Endpoint Protection client Auto-Protect Scan Actions settings must be explicitly configured at the top, Security Risks, level and not be overridden by the Joke Program sub-level. |
| SV-55428r1_rule | The Symantec Endpoint Protection client Auto-Protect Scan Actions settings must be explicitly configured at the top, Security Risks, level and not be overridden by the Misleading Application sub-level. |
| SV-55429r1_rule | The Symantec Endpoint Protection client Auto-Protect Scan Actions settings must be explicitly configured at the top, Security Risks, level and not be overridden by the Parental Control sub-level. |
| SV-55465r1_rule | The Symantec Endpoint Protection client Auto-Protect Scan Actions settings must be explicitly configured at the top, Security Risks, level and not be overridden by the Remote Access sub-level. |
| SV-55466r1_rule | The Symantec Endpoint Protection client Auto-Protect Scan Actions settings must be explicitly configured at the top, Security Risks, level and not be overridden by the Security Assessment Tool sub-level. |
| SV-55467r1_rule | The Symantec Endpoint Protection client Auto-Protect Scan Actions settings must be explicitly configured at the top, Security Risks, level and not be overridden by the Security Risk sub-level. |
| SV-55468r1_rule | The Symantec Endpoint Protection client Auto-Protect Scan Actions settings must be explicitly configured at the top, Security Risks, level and not be overridden by the Spyware sub-level. |
| SV-55469r1_rule | The Symantec Endpoint Protection client Auto-Protect Scan Actions settings must be explicitly configured at the top, Security Risks, level and not be overridden by the Trackware sub-level. |
| SV-55503r1_rule | The Symantec Endpoint Protection client Auto-Protect Scan Actions for Security Risks must be configured to Delete Risk as the first action upon detection. |
| SV-55504r1_rule | The Symantec Endpoint Protection client Auto-Protect Scan Actions for Security Risks must be configured to Quarantine Risk if first action fails. |
| SV-55505r2_rule | The Symantec Endpoint Protection client must be configured with a full scan scheduled to run at least weekly. |
| SV-55506r2_rule | The Symantec Endpoint Protection client scheduled weekly scan must be configured to scan memory. |
| SV-55507r2_rule | The Symantec Endpoint Protection client weekly scheduled scan must be configured to scan all file types or scan exclude files option must be documented with, and approved by, IAO/IAM. |
| SV-55508r1_rule | The Symantec Endpoint Protection client weekly scheduled scan must be configured to use Insight File Reputation lookup, when scanning, set to a sensitivity level of at least 5 (Typical). |
| SV-55509r2_rule | The Symantec Endpoint Protection client weekly scheduled scan actions for handling File Reputation lookup detections must be set to Quarantine Risk as first action. |
| SV-55510r2_rule | The Symantec Endpoint Protection client weekly scheduled scan actions for handling File Reputation lookup detections must be set to Leave alone (log only) if first action fails. |
| SV-55511r2_rule | The Symantec Endpoint Protection client weekly scheduled scan must be configured to display a message to the user if a virus is detected. |
| SV-55512r2_rule | The Symantec Endpoint Protection client weekly scheduled scan must be configured to scan compressed files. |
| SV-55513r1_rule | The Symantec Endpoint Protection client weekly scheduled scan backup option must be disabled to prevent backing up infected files before attempting to repair them. |
| SV-55514r2_rule | The Symantec Endpoint Protection client weekly scheduled scan must be configured for scanning load points. |
| SV-55515r2_rule | The Symantec Endpoint Protection client weekly scheduled scan must be configured for scanning well-known viruses and security risks. |
| SV-55516r2_rule | The Symantec Endpoint Protection client weekly scheduled scan actions for handling malware upon detection must be explicitly configured at the top, Malware, level and not be overridden by sub-levels. |
| SV-55517r2_rule | The Symantec Endpoint Protection client weekly scheduled scan actions for when malware has been detected must be configured to Clean Risk as first action. |
| SV-55518r2_rule | The Symantec Endpoint Protection client weekly scheduled scan actions for when malware has been detected must be configured to Delete Risk if first action fails. |
| SV-55519r2_rule | The Symantec Endpoint Protection client weekly scheduled scan actions for handling security risks upon detection must be explicitly configured at the top, Security Risks, level and not be overridden by the Adware sub-level. |
| SV-55520r2_rule | The Symantec Endpoint Protection client weekly scheduled scan actions for handling security risks upon detection must be explicitly configured at the top, Security Risks, level and not be overridden by the Dialer sub-level. |
| SV-55521r2_rule | The Symantec Endpoint Protection client weekly scheduled scan actions for handling security risks upon detection must be explicitly configured at the top, Security Risks, level and not be overridden by the Hack Tool sub-level. |
| SV-55522r2_rule | The Symantec Endpoint Protection client weekly scheduled scan actions for handling security risks upon detection must be explicitly configured at the top, Security Risks, level and not be overridden by the Joke Program sub-level. |
| SV-55523r2_rule | The Symantec Endpoint Protection client weekly scheduled scan actions for handling security risks upon detection must be explicitly configured at the top, Security Risks, level and not be overridden by the Misleading Application sub-level. |
| SV-55524r2_rule | The Symantec Endpoint Protection client weekly scheduled scan actions for handling security risks upon detection must be explicitly configured at the top, Security Risks, level and not be overridden by the Parental Control sub-level. |
| SV-55525r2_rule | The Symantec Endpoint Protection client weekly scheduled scan actions for handling security risks upon detection must be explicitly configured at the top, Security Risks, level and not be overridden by the Remote Access sub-level. |
| SV-55526r2_rule | The Symantec Endpoint Protection client weekly scheduled scan actions for handling security risks upon detection must be explicitly configured at the top, Security Risks, level and not be overridden by the Security Assessment Tool sub-level. |
| SV-55527r2_rule | The Symantec Endpoint Protection client weekly scheduled scan actions for handling security risks upon detection must be explicitly configured at the top, Security Risks, level and not be overridden by the Security Risk sub-level. |
| SV-55528r2_rule | The Symantec Endpoint Protection client weekly scheduled scan actions for handling security risks upon detection must be explicitly configured at the top, Security Risks, level and not be overridden by the Spyware sub-level. |
| SV-55529r2_rule | The Symantec Endpoint Protection client weekly scheduled scan actions for handling security risks upon detection must be explicitly configured at the top, Security Risks, level and not be overridden by the Trackware sub-level. |
| SV-55530r2_rule | The Symantec Endpoint Protection client weekly scheduled scan actions for when a Security Risk has been detected must be configured to Delete risk as first action. |
| SV-55531r2_rule | The Symantec Endpoint Protection client weekly scheduled scan actions for when a Security Risk has been detected must be configured to Quarantine risk if first action fails. |
| SV-55532r1_rule | The Symantec Endpoint Protection client Outlook Auto-Protect client must be enabled. |
| SV-55533r1_rule | The Symantec Endpoint Protection client Outlook Auto-Protect client must be configured to scan all file types. |
| SV-55534r1_rule | The Symantec Endpoint Protection client Outlook Auto-Protect must be configured to scan inside zipped files. |
| SV-55535r1_rule | The Symantec Endpoint Protection client Outlook Auto-Protect must be configured to insert a warning into email messages when a message part has been deleted, cleaned, or quarantined. |
| SV-55536r1_rule | The Symantec Endpoint Protection client Outlook Auto-Protect must be configured to not send a notification to the sender of an email in which a threat was detected. |
| SV-55537r1_rule | The Symantec Endpoint Protection client Outlook Auto-Protect must be configured to send a notification email to the IAO, IAM, and/or ePO administrator when a threatened email message is detected. |
| SV-55538r1_rule | The Symantec Endpoint Protection client Outlook Auto-Protect actions must be explicitly configured at the top, Malware, level and not be overridden by sub-levels. |
| SV-55539r1_rule | The Symantec Endpoint Protection client Outlook Auto-Protect actions for when malware has been detected must be configured to Clean Risk as first action. |
| SV-55540r1_rule | The Symantec Endpoint Protection client Outlook Auto-Protect actions for when malware has been detected must be configured to Delete Risk if first action fails. |
| SV-55541r1_rule | The Symantec Endpoint Protection client Outlook Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Adware sub-level. |
| SV-55542r1_rule | The Symantec Endpoint Protection client Outlook Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Dialer sub-level. |
| SV-55543r1_rule | The Symantec Endpoint Protection client Outlook Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Hack Tool sub-level. |
| SV-55544r1_rule | The Symantec Endpoint Protection client Outlook Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Joke Program sub-level. |
| SV-55545r1_rule | The Symantec Endpoint Protection client Outlook Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Misleading Application sub-level. |
| SV-55546r1_rule | The Symantec Endpoint Protection client Outlook Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Parental Control sub-level. |
| SV-55547r1_rule | The Symantec Endpoint Protection client Outlook Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Remote Access sub-level. |
| SV-55548r1_rule | The Symantec Endpoint Protection client Outlook Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Security Assessment Tool sub-level. |
| SV-55549r1_rule | The Symantec Endpoint Protection client Outlook Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Security Risk sub-level. |
| SV-55550r1_rule | The Symantec Endpoint Protection client Outlook Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Spyware sub-levels. |
| SV-55551r1_rule | The Symantec Endpoint Protection client Outlook Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Trackware sub-level. |
| SV-55552r1_rule | The Symantec Endpoint Protection client Outlook Auto-Protect actions for when a Security Risk has been detected must be configured to Delete Risk as first action. |
| SV-55553r1_rule | The Symantec Endpoint Protection client Outlook Auto-Protect actions for when a Security Risk has been detected must be configured to Quarantine Risk if first action fails. |
| SV-55554r2_rule | The Symantec Endpoint Protection Internet Email Auto-Protect must be enabled. |
| SV-55555r1_rule | The Symantec Endpoint Protection Internet email Auto-Protect client must be configured to scan all file types. |
| SV-55556r1_rule | The Symantec Endpoint Protection client Internet Email Auto-Protect must be configured to scan inside zipped files. |
| SV-55557r1_rule | The Symantec Endpoint Protection client Internet Email Auto-Protect for notification must be configured to insert a warning into email messages when a message part has been deleted, cleaned, or quarantined. |
| SV-55558r1_rule | The Symantec Endpoint Protection client Internet Email Auto-Protect must be configured to not send a notification to the sender of an email in which a threat was detected. |
| SV-55559r1_rule | The Symantec Endpoint Protection client Internet Email Auto-Protect must be configured to send a notification email to the IAO, IAM, and/or ePO administrator when a threatened email message is detected. |
| SV-55560r1_rule | The Symantec Endpoint Protection client Internet Email Auto-Protect must be configured to send a notification email to the IAO, IAM, and/or ePO administrator when a threatened email message is detected. |
| SV-55561r1_rule | The Symantec Endpoint Protection client Internet Email Auto-Protect actions must be explicitly configured at the top, Malware, level and not be overridden by sub-levels. |
| SV-55562r1_rule | The Symantec Endpoint Protection client Internet Email Auto-Protect actions for when malware has been detected must be configured to Clean Risk as first action. |
| SV-55563r1_rule | The Symantec Endpoint Protection client Internet Email Auto-Protect actions for when malware has been detected must be configured to Delete Risk if first action fails. |
| SV-55564r1_rule | The Symantec Endpoint Protection client Internet Email Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Adware sub-level. |
| SV-55565r1_rule | The Symantec Endpoint Protection client Internet Email Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Dialer sub-level. |
| SV-55566r1_rule | The Symantec Endpoint Protection client Internet Email Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Hack Tool sub-level. |
| SV-55567r1_rule | The Symantec Endpoint Protection client Internet Email Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Joke Program sub-level. |
| SV-55568r1_rule | The Symantec Endpoint Protection client Internet Email Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Misleading Application sub-level. |
| SV-55569r1_rule | The Symantec Endpoint Protection client Internet Email Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Parental Control sub-level. |
| SV-55570r1_rule | The Symantec Endpoint Protection client Internet Email Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Remote Access sub-level. |
| SV-55571r1_rule | The Symantec Endpoint Protection client Internet Email Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Security Assessment Tool sub-level. |
| SV-55572r1_rule | The Symantec Endpoint Protection client Internet Email Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Security Risk sub-level. |
| SV-55573r1_rule | The Symantec Endpoint Protection client Internet Email Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Spyware sub-level. |
| SV-55574r1_rule | The Symantec Endpoint Protection client Internet Email Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Trackware sub-level. |
| SV-55575r1_rule | The Symantec Endpoint Protection client Internet Email Auto-Protect actions for when a Security Risk has been detected must be configured to Delete Risk as first action. |
| SV-55576r1_rule | The Symantec Endpoint Protection client Internet Email Auto-Protect actions for when a Security Risk has been detected must be configured to Quarantine risk if first action fails. |