STIGQter: STIG Summary: Symantec Endpoint Protection 12.1 Managed Client Antivirus

Version: 1

Release: 4

Benchmark Date: 24 Jul 2015

| Name | Title |
| --- | --- |
| SV-55337r1_rule | The Symantec Endpoint Protection clients antivirus signature file age must be no older than 7 days. |
| SV-55338r1_rule | The Symantec Endpoint Protection client User-defined Exceptions option must not be configured to exclude any files from scanning unless exclusions have been documented with, and approved by, the IAO/IAM. |
| SV-55339r1_rule | The Symantec Endpoint Protection client Global Settings for Log Retention must be enabled and configured to retain logs for 30 days. |
| SV-55340r1_rule | The Symantec Endpoint Protection client must be scheduled to auto update. |
| SV-55341r1_rule | The Symantec Endpoint Protection client Tamper Protection must be configured to block attempts to tamper with or shut down the client. |
| SV-55342r1_rule | The Symantec Endpoint Protection client must have the Symantec Client State Plug-in for ePO deployed. |
| SV-55343r1_rule | The Symantec Endpoint Protection client must be verified as uploading SEP client detail to ePO. |
| SV-55344r1_rule | The Symantec Endpoint Protection client File Reputation Data Submission must be disabled from automatically forwarding selected anonymous security information to Symantec. |
| SV-55345r2_rule | The Symantec Endpoint Protection client Insight Lookup for threat detection must be enabled. |
| SV-55356r1_rule | The Symantec Endpoint Protection client File System Auto-Protect must be enabled. |
| SV-55358r1_rule | The Symantec Endpoint Protection client Auto-Protect reload must be configured to stop and reload when the configuration changes. |
| SV-55360r1_rule | The Symantec Endpoint Protection client Auto-Protect File Types options must be configured to scan all files. |
| SV-55361r1_rule | The Symantec Endpoint Protection Auto-Protect client Detection Options must be configured to display a notification to the user when a risk is detected. |
| SV-55362r1_rule | The Symantec Endpoint Protection client Auto-Protect Advanced Options must be configured to scan files when accessed or modified. |
| SV-55363r1_rule | The Symantec Endpoint Protection client Auto-Protect Backup Option must be disabled to prevent backing up infected files before attempting to repair them. |
| SV-55364r1_rule | The Symantec Endpoint Protection client Auto-Protect Advanced Options Automatic enablement setting must be enabled. |
| SV-55365r1_rule | The Symantec Endpoint Protection client Auto-Protect Advanced Options Floppy Settings must be enabled to scan for boot viruses. |
| SV-55366r1_rule | The Symantec Endpoint Protection client Auto-Protect Advanced Options Floppy Settings must be configured to check floppies when system shuts down. |
| SV-55368r1_rule | The Symantec Endpoint Protection client Auto-Protect option to Scan for Security Risks must be enabled. |
| SV-55369r1_rule | The Symantec Endpoint Protection client Auto-Protect option to Delete newly created infected files must be enabled. |
| SV-55370r1_rule | The Symantec Endpoint Protection client Auto-Protect Risk Tracer must be enabled. |
| SV-55371r1_rule | The Symantec Endpoint Protection client Auto-Protect Risk Tracer must be configured to resolve source IP address. |
| SV-55372r1_rule | The Symantec Endpoint Protection client Auto-Protect Risk Tracer must be configured to poll network sessions. |
| SV-55373r1_rule | The Symantec Endpoint Protection client Global Settings Bloodhound heuristic technology must be enabled. |
| SV-55374r1_rule | The Symantec Endpoint Protection client Global Settings must be configured to use Insight Lookup for File Reputation. |
| SV-55375r1_rule | The Symantec Endpoint Protection client Global Settings Heuristics Level must be set to Automatic, at a minimum. |
| SV-55376r1_rule | The Symantec Endpoint Protection client Auto-Protect Scan Actions settings must be explicitly configured at the top, Malware, level and not be overridden by sub-levels. |
| SV-55377r1_rule | The Symantec Endpoint Protection client Auto-Protect Scan Actions for Malware must be configured to Clean Risk as the first action upon detection. |
| SV-55378r1_rule | The Symantec Endpoint Protection client Auto-Protect Scan Actions for Malware must be configured to Delete Risk if first action fails. |
| SV-55379r1_rule | The Symantec Endpoint Protection client Auto-Protect Scan Actions settings must be explicitly configured at the top, Security Risks, level and not be overridden by the Adware sub-level. |
| SV-55380r1_rule | The Symantec Endpoint Protection client Auto-Protect Scan Actions settings must be explicitly configured at the top, Security Risks, level and not be overridden by the Dialer sub-level. |
| SV-55381r1_rule | The Symantec Endpoint Protection client Auto-Protect Scan Actions settings must be explicitly configured at the top, Security Risks, level and not be overridden by the Hack Tool sub-level. |
| SV-55382r1_rule | The Symantec Endpoint Protection client Auto-Protect Scan Actions settings must be explicitly configured at the top, Security Risks, level and not be overridden by the Joke Program sub-level. |
| SV-55383r1_rule | The Symantec Endpoint Protection client Auto-Protect Scan Actions settings must be explicitly configured at the top, Security Risks, level and not be overridden by the Misleading Application sub-level. |
| SV-55384r1_rule | The Symantec Endpoint Protection client Auto-Protect Scan Actions settings must be explicitly configured at the top, Security Risks, level and not be overridden by the Parental Control sub-level. |
| SV-55385r1_rule | The Symantec Endpoint Protection client Auto-Protect Scan Actions settings must be explicitly configured at the top, Security Risks, level and not be overridden by the Remote Access sub-level. |
| SV-55386r1_rule | The Symantec Endpoint Protection client Auto-Protect Scan Actions settings must be explicitly configured at the top, Security Risks, level and not be overridden by the Security Assessment Tool sub-level. |
| SV-55387r1_rule | The Symantec Endpoint Protection client Auto-Protect Scan Actions settings must be explicitly configured at the top, Security Risks, level and not be overridden by the Security Risk sub-level. |
| SV-55388r1_rule | The Symantec Endpoint Protection client Auto-Protect Scan Actions settings must be explicitly configured at the top, Security Risks, level and not be overridden by the Spyware sub-level. |
| SV-55389r1_rule | The Symantec Endpoint Protection client Auto-Protect Scan Actions settings must be explicitly configured at the top, Security Risks, level and not be overridden by the Trackware sub-level. |
| SV-55390r1_rule | The Symantec Endpoint Protection client Auto-Protect Scan Actions for Security Risks must be configured to Delete Risk as the first action upon detection. |
| SV-55391r1_rule | The Symantec Endpoint Protection client Auto-Protect Scan Actions for Security Risks must be configured to Quarantine Risk if first action fails. |
| SV-55392r1_rule | The Symantec Endpoint Protection client must be configured with a full scan scheduled to run at least weekly. |
| SV-55417r1_rule | The Symantec Endpoint Protection client scheduled weekly scan must be configured to scan memory. |
| SV-55419r1_rule | The Symantec Endpoint Protection client weekly scheduled scan must be configured to scan all file types or to scan excluded files option must be documented with, and approved by, IAO/IAM. |
| SV-55421r1_rule | The Symantec Endpoint Protection client weekly scheduled scan must be configured to use Insight File Reputation lookup, when scanning, set to a sensitivity level of at least 5 (Typical). |
| SV-55430r1_rule | The Symantec Endpoint Protection client weekly scheduled scan actions for handling File Reputation lookup detections must be set to Quarantine Risk as first action. |
| SV-55431r2_rule | The Symantec Endpoint Protection client weekly scheduled scan actions for handling File Reputation lookup detections must be set to Leave alone (log only) if first action fails. |
| SV-55432r2_rule | The Symantec Endpoint Protection client weekly scheduled scan must be configured to display a message to the user if a virus is detected. |
| SV-55433r1_rule | The Symantec Endpoint Protection client weekly scheduled scan must be configured to scan compressed files. |
| SV-55434r1_rule | The Symantec Endpoint Protection client weekly scheduled scan must be configured to prevent users from stopping a scheduled scan. |
| SV-55435r1_rule | The Symantec Endpoint Protection client weekly scheduled scan must be configured for scanning load points. |
| SV-68099r1_rule | The Symantec Endpoint Protection client weekly scheduled scan must be configured for scanning well-known viruses and security risks. |
| SV-55437r1_rule | The Symantec Endpoint Protection client weekly scheduled scan actions for handling malware upon detection must be explicitly configured at the top, Malware, level and not be overridden by sub-levels. |
| SV-55438r1_rule | The Symantec Endpoint Protection client weekly scheduled scan actions for when malware has been detected must be configured to Clean Risk as first action. |
| SV-55439r2_rule | The Symantec Endpoint Protection client weekly scheduled scan actions for when malware has been detected must be configured to Delete Risk if first action fails. |
| SV-55440r2_rule | The Symantec Endpoint Protection client weekly scheduled scan actions for handling security risks upon detection must be explicitly configured at the top, Security Risks, level and not be overridden by the Adware sub-level. |
| SV-68101r1_rule | The Symantec Endpoint Protection client weekly scheduled scan actions for handling security risks upon detection must be explicitly configured at the top, Security Risks, level and not be overridden by the Dialer sub-level. |
| SV-55442r2_rule | The Symantec Endpoint Protection client weekly scheduled scan actions for handling security risks upon detection must be explicitly configured at the top, Security Risks, level and not be overridden by the Hack Tool sub-level. |
| SV-55443r1_rule | The Symantec Endpoint Protection client weekly scheduled scan actions for handling security risks upon detection must be explicitly configured at the top, Security Risks, level and not be overridden by the Joke Program sub-level. |
| SV-55444r1_rule | The Symantec Endpoint Protection client weekly scheduled scan actions for handling security risks upon detection must be explicitly configured at the top, Security Risks, level and not be overridden by the Misleading Application sub-level. |
| SV-68103r1_rule | The Symantec Endpoint Protection client weekly scheduled scan actions for handling security risks upon detection must be explicitly configured at the top, Security Risks, level and not be overridden by the Parental Control sub-level. |
| SV-68105r1_rule | The Symantec Endpoint Protection client weekly scheduled scan actions for handling security risks upon detection must be explicitly configured at the top, Security Risks, level and not be overridden by the Remote Access sub-level. |
| SV-55447r2_rule | The Symantec Endpoint Protection client weekly scheduled scan actions for handling security risks upon detection must be explicitly configured at the top, Security Risks, level and not be overridden by the Security Assessment Tool sub-level. |
| SV-55448r2_rule | The Symantec Endpoint Protection client weekly scheduled scan actions for handling security risks upon detection must be explicitly configured at the top, Security Risks, level and not be overridden by the Security Risk sub-level. |
| SV-55449r2_rule | The Symantec Endpoint Protection client weekly scheduled scan actions for handling security risks upon detection must be explicitly configured at the top, Security Risks, level and not be overridden by the Spyware sub-level. |
| SV-55450r2_rule | The Symantec Endpoint Protection client weekly scheduled scan actions for handling security risks upon detection must be explicitly configured at the top, Security Risks, level and not be overridden by the Trackware sub-level. |
| SV-68107r1_rule | The Symantec Endpoint Protection client weekly scheduled scan actions for when a security risk has been detected must be configured to Delete Risk as first action. |
| SV-55452r2_rule | The Symantec Endpoint Protection client weekly scheduled scan actions for when a security risk has been detected must be configured to Quarantine Risk if first action fails. |
| SV-55453r1_rule | The Symantec Endpoint Protection client Outlook Auto-Protect client must be enabled. |
| SV-55454r1_rule | The Symantec Endpoint Protection client weekly scheduled scan backup option must be disabled to prevent backing up infected files before attempting to repair them. |
| SV-55455r1_rule | The Symantec Endpoint Protection client Outlook Auto-Protect client must be configured to scan all file types. |
| SV-55456r1_rule | The Symantec Endpoint Protection client Outlook Auto-Protect must be configured to scan inside zipped files. |
| SV-55457r1_rule | The Symantec Endpoint Protection client Outlook Auto-Protect must be configured to insert a warning into email messages when a message part has been deleted, cleaned, or quarantined. |
| SV-55458r1_rule | The Symantec Endpoint Protection client Outlook Auto-Protect must be configured to not send a notification to the sender of an email in which a threat was detected. |
| SV-55459r1_rule | The Symantec Endpoint Protection client Outlook Auto-Protect must be configured to send a notification email to the IAO, IAM, and/or ePO administrator when a threatened email message is detected. |
| SV-55460r1_rule | The Symantec Endpoint Protection client Outlook Auto-Protect actions must be explicitly configured at the top, Malware, level and not be overridden by sub-levels. |
| SV-55461r1_rule | The Symantec Endpoint Protection client Outlook Auto-Protect actions for when Malware has been detected must be configured to Clean Risk as first action. |
| SV-55462r1_rule | The Symantec Endpoint Protection client Outlook Auto-Protect actions for when Malware has been detected must be configured to Delete Risk if first action fails. |
| SV-55463r1_rule | The Symantec Endpoint Protection client Outlook Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Adware sub-level. |
| SV-55464r1_rule | The Symantec Endpoint Protection client Outlook Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Dialer sub-level. |
| SV-55470r1_rule | The Symantec Endpoint Protection client Outlook Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Hack Tool sub-level. |
| SV-55471r1_rule | The Symantec Endpoint Protection client Outlook Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Joke Program sub-level. |
| SV-55472r1_rule | The Symantec Endpoint Protection client Outlook Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Misleading Application sub-level. |
| SV-55473r1_rule | The Symantec Endpoint Protection client Outlook Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Parental Control sub-level. |
| SV-55474r1_rule | The Symantec Endpoint Protection client Outlook Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Remote Access sub-level. |
| SV-55475r1_rule | The Symantec Endpoint Protection client Outlook Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Security Assessment Tool sub-level. |
| SV-55476r1_rule | The Symantec Endpoint Protection client Outlook Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Security Risk sub-level. |
| SV-55477r1_rule | The Symantec Endpoint Protection client Outlook Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Spyware sub-level. |
| SV-55478r1_rule | The Symantec Endpoint Protection client Outlook Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Trackware sub-level. |
| SV-55479r1_rule | The Symantec Endpoint Protection client Outlook Auto-Protect actions for when a security risk has been detected must be configured to Delete Risk as first action. |
| SV-55480r1_rule | The Symantec Endpoint Protection client Outlook Auto-Protect actions for when a Security Risk has been detected must be configured to Quarantine Risk if first action fails. |
| SV-55481r2_rule | The Symantec Endpoint Protection Internet Email Auto-Protect must be enabled. |
| SV-55482r1_rule | The Symantec Endpoint Protection Internet email Auto-Protect client must be configured to scan all file types. |
| SV-55483r1_rule | The Symantec Endpoint Protection client Internet Email Auto-Protect must be configured to scan inside zipped files. |
| SV-55484r1_rule | The Symantec Endpoint Protection client Internet Email Auto-Protect for notification must be configured to insert a warning into email messages when a message part has been deleted, cleaned, or quarantined. |
| SV-55485r1_rule | The Symantec Endpoint Protection client Internet Email Auto-Protect must be configured to not send a notification to the sender of an email in which a threat was detected. |
| SV-55486r1_rule | The Symantec Endpoint Protection client Internet Email Auto-Protect must be configured to send a notification email to the IAO, IAM, and/or ePO administrator when a threatened email message is detected. |
| SV-55487r1_rule | The Symantec Endpoint Protection client Internet Email Auto-Protect actions must be explicitly configured at the top, Malware, level and not be overridden by sub-levels. |
| SV-55488r1_rule | The Symantec Endpoint Protection client Internet Email Auto-Protect actions for when malware has been detected must be configured to Clean Risk as first action. |
| SV-55489r1_rule | The Symantec Endpoint Protection client Internet Email Auto-Protect actions for when malware has been detected must be configured to Delete Risk if first action fails. |
| SV-55490r1_rule | The Symantec Endpoint Protection client Internet Email Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Adware sub-level. |
| SV-55491r1_rule | The Symantec Endpoint Protection client Internet Email Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Dialer sub-level. |
| SV-55492r1_rule | The Symantec Endpoint Protection client Internet Email Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Hack Tool sub-level. |
| SV-55493r1_rule | The Symantec Endpoint Protection client Internet Email Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Joke Program sub-level. |
| SV-55494r1_rule | The Symantec Endpoint Protection client Internet Email Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Misleading Application sub-level. |
| SV-55495r1_rule | The Symantec Endpoint Protection client Internet Email Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Parental Control sub-level. |
| SV-55496r1_rule | The Symantec Endpoint Protection client Internet Email Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Remote Access sub-level. |
| SV-55497r1_rule | The Symantec Endpoint Protection client Internet Email Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Security Assessment Tool sub-level. |
| SV-55498r1_rule | The Symantec Endpoint Protection client Internet Email Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Security Risk sub-level. |
| SV-55499r1_rule | The Symantec Endpoint Protection client Internet Email Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Spyware sub-level. |
| SV-55500r1_rule | The Symantec Endpoint Protection client Internet Email Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Trackware sub-level. |
| SV-55501r1_rule | The Symantec Endpoint Protection client Internet Email Auto-Protect actions for when a security risk has been detected must be configured to Delete Risk as first action. |
| SV-55502r1_rule | The Symantec Endpoint Protection client Internet Email Auto-Protect actions for when a security risk has been detected must be configured to Quarantine risk if first action fails. |