Free DISA STIG and SRG Library | Vaulted

McAfee MOVE 3.6.1 Multi-Platform OSS STIG

Version 1 Release 5
2016-10-28
U_McAfee_MOVE_Multi-Platform3-6-1_OSS_V1R5_Manual-xccdf.xml
The McAfee MOVE 3.6.1 Multi-Platform OSS STIG is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the NIST 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.

Vulnerabilities (15)

The McAfee MOVE AV [Multi-Platform] Offload Scan Server must have McAfee VirusScan Enterprise 8.8 (or most current version) installed.

Finding ID: AV-MOVE-OSS-001
Rule ID: SV-55693r2_rule
Severity: Cat I
CCE: (None)
Group Title: AV-MOVE-OSS-001
CCI: CCI-001242
Target Key: (None)
Documentable: No
Discussion

Organizations should deploy anti-virus software on all hosts for which satisfactory anti-virus software is available. Anti-virus software should be installed as soon after OS installation as possible and then updated with the latest signatures and anti-virus software patches (to eliminate any known vulnerabilities in the anti-virus software itself). To support the security of the host, the anti-virus software should be configured and maintained properly so it continues to be effective at detecting and stopping malware. Anti-virus software is most effective when its signatures are fully up-to-date. Accordingly, anti-virus software should be kept current with the latest signature and software updates to improve malware detection.

Fix Text

Access the ePO server. From the System Tree, select the Systems tab, find and click on the asset representing the McAfee MOVE Offload Scan Server to open its properties. Click on Actions, Agent, Modify Tasks on a Single System. Click on Actions, then click New Client Task Assignment. Under Product, select McAfee Agent. Under Task Type, select Product Deployment. Under Task Name, select Create New Task. Next to Task Name, enter "Deploy VSE to MOVE OSS". Next to Target Platforms, ensure only Windows is selected. In the drop-down box for Products and components, select VirusScan Enterprise 8.8.0.x and ensure the drop-down box for Action is set to Install. Click Save. Click Next. For the "Schedule status:", select "Enabled". Configure the schedule variable in accordance with local Change Control policy and click Next. On the "Summary" tab, click "Save", and then "Close". Back at the "Systems Information" screen, click on the "Wake Up Agents" button. In the "Wake Up McAfee Agent" screen, for the "Force policy update:" settings, place a check in the "Force complete policy and task update" check box. Click on OK.

Check Content

Access the server designated as the McAfee MOVE Offload Scan Server. In the taskbar, right-click the red McAfee Agent shield and select "About". Under "McAfee Agent", ensure the "Last agent-to-server communication:" is within the time period designated by the "Agent to Server Communication Interval". Ensure "McAfee VirusScan Enterprise + AntiSpyware Enterprise" is listed as an installed product. Ensure the version number is 8.8.0 or higher.

An alternative method for validating: From the ePO server console System Tree, select the Systems tab, find and click on the asset representing the McAfee MOVE Offload Scan Server to open its properties. Under the "System Properties" tab, ensure the "Last communication" is within the time period designated by the "Agent-to-Server Communication Interval:" under the "McAfee Agent" tab. Under the System Properties tab, next to the Installed Products field, ensure VirusScan Enterprise 8.8.0.x is listed as an installed product. Ensure the "Product Version" for VirusScan Enterprise is listed as 8.8.0 or higher.

If VirusScan Enterprise 8.8.0 or higher is not installed and/or the Last communication to the ePO server is not within the specified Agent-to-Server Communication interval, this is a finding.

The McAfee MOVE AV [Multi-Platform] Offload Scan Server must be managed by the HBSS ePO server.

Finding ID: AV-MOVE-OSS-002
Rule ID: SV-55694r2_rule
Severity: Cat II
CCE: (None)
Group Title: AV-MOVE-OSS-002
CCI: CCI-001242
Target Key: (None)
Documentable: No
Discussion

Organizations should use centrally managed anti-virus software that is controlled and monitored regularly by anti-virus administrators, who are also typically responsible for acquiring, testing, approving, and delivering anti-virus signature and software updates throughout the organization. Users should not be able to disable or delete anti-virus software from their hosts, nor should they be able to alter critical settings. Anti-virus administrators should perform continuous monitoring to confirm that hosts are using current anti-virus software and that the software is configured properly. Implementing all of these recommendations should strongly support an organization in having a strong and consistent anti-virus deployment across the organization.

Fix Text

Access the ePO server. From the System Tree, select the Systems tab, find and click on the asset representing the McAfee MOVE Offload Scan Server to open its properties. If the asset representing the McAfee MOVE Offload Scan Server is not in the ePO server system tree, configure a task to deploy the McAfee Agent to the system designated as the McAfee MOVE Offload Scan Server. Once the system is communicating with the ePO server and is in the ePO server system tree, find and click on the asset representing the McAfee MOVE Offload Scan Server to open its properties. Click on Actions, Agent, Modify Tasks on a Single System. Click on Actions and select New Client Task Assignment. Under Product, select McAfee Agent. Under Task Type, select Product Deployment. Under Task Name, select Create New Task. Next to Task Name, enter "Deploy MOVE to the OSS". Next to Target Platforms, ensure only Windows is selected. In the drop-down box for Products and components, select MOVE AV [Multi-Platform] Offload Scan server 3.6.x and ensure the drop-down box for Action is set to Install. Click Save. Click Next. For the "Schedule status:", select "Enabled". Configure the schedule variable in accordance with local Change Control policy and click Next. On the "Summary" tab, click "Save", then "Close". Back at the "System Information" screen, click on the "Wake Up Agents" button. In the "Wake Up McAfee Agent" screen, for the "Force policy update:" settings, place a check in the "Force complete policy and task update" check box. Click on OK.

Check Content

Access the server designated as the McAfee MOVE Offload Scan Server. In the taskbar, right-click the red McAfee Agent shield and select "McAfee Agent Status Monitor". Click the "Collect and Send Props" button. This will perform the ASCI, send PROPS VERSION package to ePO, and close the session. Click the "Enforce Policies" button. In the McAfee Agent Monitor, review the Management status lines and ensure one shows a status of "Enforcing Policies for MOVEOSS_2xxx" (where 2xxx represents the version level). This status line will confirm the system is enforcing policies for the McAfee MOVE AV Offload Scan Server. If either the system does not show "Agent started performing ASCI", followed by a sequence of status lines showing the "Agent is sending PROPS VERSION package to ePO server" and "Agent communication session closed", or does not show a Management status line of "Enforcing Policies for MOVEOSS_2xxx", this is a finding.

The McAfee MOVE AV [Multi-Platform] Offload Scan Server must be configured with a static IP address.

Finding ID: AV-MOVE-OSS-003
Rule ID: SV-55695r1_rule
Severity: Cat II
CCE: (None)
Group Title: AV-MOVE-OSS-003
CCI: CCI-001242
Target Key: (None)
Documentable: No
Discussion

Security management devices must be configured to ensure consistent and uninterrupted connectivity to/from the systems it manages/controls. Otherwise, the security management device will be less than effective.

Fix Text

In accordance with local operational procedures, assign a static IP address to the server designated as the McAfee MOVE AV [Multi-Platform] Offload Scan Server.

Check Content

Access the server designated as the McAfee MOVE Offload Scan Server. Access Network properties. From the listed Network adapters, right-click on the active adapter and select Properties. Highlight "Internet Protocol Version 4 (TCP/IPv4)" and click on the Properties button. On the General tab, ensure "Use the following IP address:" is selected and that the "IP address:", "Subnet mask:", and "Default gateway:" fields are all populated. If the IPv4 protocol has not been configured to use a static IP address, Subnet mask, and Default Gateway, this is a finding.

The McAfee MOVE AV [Multi-Platform] Offload Scan Server General policy must be configured to maintain a minimum of 20 log files before removing oldest log file.

Finding ID: AV-MOVE-OSS-005
Rule ID: SV-55697r3_rule
Severity: Cat II
CCE: (None)
Group Title: AV-MOVE-OSS-005
CCI: CCI-001242
Target Key: (None)
Documentable: No
Discussion

Forensic identification is the practice of identifying infected hosts by looking for evidence of recent infections. The evidence may be very recent (only a few minutes old) or not so recent (hours or days old); the older the information is, the less accurate it is likely to be. The most obvious sources of evidence are those that are designed to identify malware activity, such as anti-virus software, content filtering (e.g., anti-spam measures), IPS, and SIEM technologies. The logs of security applications might contain detailed records of suspicious activity, and might also indicate whether a security compromise occurred or was prevented. While logging is imperative to forensic analysis, logs could grow to the point of impacting disk space on the system. In order to avoid the risk of logs growing to the size of impacting the operating system, the log size and number of log files will be restricted, but must also be large enough to retain forensic value.

Fix Text

From the ePO server console System Tree, select the Systems tab, find and click on the asset representing the McAfee MOVE Offload Scan Server to open its properties, select Actions, select Agent, and select Modify Policies on a Single System. From the product drop-down list, select MOVE AV [Multi-Platform] Offload Scan Server. Click on the MOVE AV [Multi-Platform] Offload Scan Server policy to open the properties. On the General tab, enter a value of "20" or more for the "Number of Log Files:". Click Save.

Check Content

From the ePO server console System Tree, select the Systems tab, find and click on the asset representing the McAfee MOVE Offload Scan Server to open its properties, select Actions, select Agent, and select Modify Policies on a Single System. From the product drop-down list, select MOVE AV [Multi-Platform] Offload Scan Server. Click on the MOVE AV [Multi-Platform] Offload Scan Server policy to open the properties. On the General tab, ensure the "Number of Log Files:" is set to 20 or more. If the "Number of Log Files:" is set to less than 20, this is a finding.

On the system designated as the McAfee MOVE Offload Scan Server, access a cmd window, running as administrator. Navigate to the path to which the McAfee MOVE AV Server software has been installed (default is C:\Program Files (x86)\McAfee\MOVE AV Server). Execute the following command:

mvadm config show <enter>

From the displayed configuration, ensure the "LogFileNum" value is set to "20" or more. If the "LogFileNum" is set to less than "20", this is a finding.

The McAfee MOVE AV [Multi-Platform] Offload Scan Server General policy must be configured to not rotate log files until they reach at least 10MB in size.

Finding ID: AV-MOVE-OSS-006
Rule ID: SV-55700r2_rule
Severity: Cat II
CCE: (None)
Group Title: AV-MOVE-OSS-006
CCI: CCI-001242
Target Key: (None)
Documentable: No
Discussion

Forensic identification is the practice of identifying infected hosts by looking for evidence of recent infections. The evidence may be very recent (only a few minutes old) or not so recent (hours or days old); the older the information is, the less accurate it is likely to be. The most obvious sources of evidence are those that are designed to identify malware activity, such as anti-virus software, content filtering (e.g., anti-spam measures), IPS, and SIEM technologies. The logs of security applications might contain detailed records of suspicious activity, and might also indicate whether a security compromise occurred or was prevented. While logging is imperative to forensic analysis, logs could grow to the point of impacting disk space on the system. In order to avoid the risk of logs growing to the size of impacting the operating system, the log size and number of log files will be restricted, but must also be large enough to retain forensic value.

Fix Text

From the ePO server console System Tree, select the Systems tab, find and click on the asset representing the McAfee MOVE Offload Scan Server to open its properties, select Actions, select Agent, and select Modify Policies on a Single System. From the product drop-down list, select MOVE AV [Multi-Platform] Offload Scan Server 3.6.1. Click on the MOVE AV [Multi-Platform] Offload Scan Server policy to open the properties. On the General tab, set the "Log File Size:" to "10" or more. Click Save.

Check Content

From the ePO server console System Tree, select the Systems tab, find and click on the asset representing the McAfee MOVE Offload Scan Server to open its properties, select Actions, select Agent, and select Modify Policies on a Single System. From the product drop-down list, select MOVE AV [Multi-Platform] Offload Scan Server 3.6.1. Click on the MOVE AV [Multi-Platform] Offload Scan Server policy to open the properties. On the General tab, ensure the "Log File Size:" is set to 10 or more. If the "Log File Size:" is not set to 10 or more, this is a finding.

On the system designated as the McAfee MOVE Offload Scan Server, access a cmd window, running as administrator. Navigate to the path to which the McAfee MOVE AV Server software has been installed (default is C:\Program Files (x86)\McAfee\MOVE AV Server). Execute the following command:

mvadm config show <enter>

From the displayed configuration, ensure the "LogFileSize" value is set to 10 or more. If the "LogFileSize" is not set to 10 or more, this is a finding.

The McAfee MOVE AV [Multi-Platform] Offload Scan Server General policy Scan Settings must be configured to scan inside archive files.

Finding ID: AV-MOVE-OSS-007
Rule ID: SV-55702r3_rule
Severity: Cat II
CCE: (None)
Group Title: AV-MOVE-OSS-007
CCI: CCI-001242
Target Key: (None)
Documentable: No
Discussion

Malware is often packaged within an archive. In addition, archives might have other archives within. Not scanning archive files introduces the risk of infected files being introduced into the environment.

Fix Text

From the ePO server console System Tree, select the Systems tab, find and click on the asset representing the McAfee MOVE Offload Scan Server to open its properties, select Actions, select Agent, and select Modify Policies on a Single System. From the product drop-down list, select MOVE AV [Multi-Platform] Offload Scan Server 3.6.1. Click on the MOVE AV [Multi-Platform] Offload Scan Server policy to open the properties. On the Scan Settings tab, place a check in the "Scan Archive Files: Enable scanning inside of archive files." check box. Click Save.

Check Content

Note: If the regularly scheduled scan includes the scanning of archive files, this requirement can alternatively be not configured and marked as Not Applicable.

From the ePO server console System Tree, select the "Systems" tab, find and click on the asset representing the McAfee MOVE Offload Scan Server to open its properties, select "Actions", select "Agent", and select "Modify Policies on a Single System". From the product drop-down list, select "MOVE AV [Multi-Platform] Offload Scan Server 3.6.1". Click on the MOVE AV [Multi-Platform] Offload Scan Server policy to open the properties. On the "Scan Settings" tab, ensure the "Scan Archive Files:" setting has a check in the "Enable scanning inside of archive files." check box. If the "Enable scanning inside of archive files." check box is not selected, this is a finding.

On the system designated as the McAfee MOVE Offload Scan Server, access a cmd window, running as administrator. Navigate to the path to which the McAfee MOVE AV Server software has been installed (default is C:\Program Files (x86)\McAfee\MOVE AV Server). Execute the following command:

mvadm config show <enter>

From the displayed configuration, ensure the "ScanArchiveFiles" value is set to "1". If the "ScanArchiveFiles" is set to "0", this is a finding.

The McAfee MOVE AV [Multi-Platform] Offload Scan Server General policy Scan Settings must be configured to scan for potentially unwanted programs.

Finding ID: AV-MOVE-OSS-008
Rule ID: SV-55703r2_rule
Severity: Cat II
CCE: (None)
Group Title: AV-MOVE-OSS-008
CCI: CCI-001242
Target Key: (None)
Documentable: No
Discussion

Due to the ability of malware to mutate after infection, standard anti-virus signatures may not be able to catch new strains or variants of the malware. Typically, these strains and variants will share unique characteristics with others in their virus family. By using a generic signature to detect the shared characteristics, using wildcards where differences lie, the generic signature can detect viruses even if they are padded with extra, meaningless code. This method of detection is Heuristic detection.

Fix Text

From the ePO server console System Tree, select the Systems tab, find and click on the asset representing the McAfee MOVE Offload Scan Server to open its properties, select Actions, select Agent, and select Modify Policies on a Single System. From the product drop-down list, select MOVE AV [Multi-Platform] Offload Scan Server 3.6.1. Click on the MOVE AV [Multi-Platform] Offload Scan Server policy to open the properties. On the Scan Settings tab, place a check in the "Scan for Unwanted Programs: Enable scanning for potentially unwanted programs." check box. Click Save.

Check Content

From the ePO server console System Tree, select the Systems tab, find and click on the asset representing the McAfee MOVE Offload Scan Server to open its properties, select Actions, select Agent, and select Modify Policies on a Single System. From the product drop-down list, select MOVE AV [Multi-Platform] Offload Scan Server 3.6.1. Click on the MOVE AV [Multi-Platform] Offload Scan Server policy to open the properties. On the Scan Settings tab, ensure the "Scan for Unwanted Programs:" setting has the "Enable scanning for potentially unwanted programs." check box selected. If the "Enable scanning for potentially unwanted programs." check box is not selected, this is a finding.

On the system designated as the McAfee MOVE Offload Scan Server, access a cmd window, running as administrator. Navigate to the path to which the McAfee MOVE AV Server software has been installed (default is C:\Program Files (x86)\McAfee\MOVE AV Server). Execute the following command:

mvadm config show <enter>

From the displayed configuration, ensure the "ScanPUPS" value is set to 1. If the "ScanPUPS" is set to 0, this is a finding.

The McAfee MOVE AV [Multi-Platform] Offload Scan Server General policy Scan Settings must be configured to scan for MIME-encoded files.

Finding ID: AV-MOVE-OSS-009
Rule ID: SV-55705r2_rule
Severity: Cat II
CCE: (None)
Group Title: AV-MOVE-OSS-009
CCI: CCI-001242
Target Key: (None)
Documentable: No
Discussion

Multipurpose Internet Mail Extensions (MIME) encoded files can be crafted to hide a malicious payload. When the MIME encoded file is presented to software that decodes the MIME encoded files, such as an email client, the malware is released. Scanning these files as part of the regularly scheduled scans tasks will mitigate this risk.

Fix Text

From the ePO server console System Tree, select the Systems tab, find and click on the asset representing the McAfee MOVE Offload Scan Server to open its properties, select Actions, select Agent, and select Modify Policies on a Single System. From the product drop-down list, select MOVE AV [Multi-Platform] Offload Scan Server 3.6.1. Click on the MOVE AV [Multi-Platform] Offload Scan Server policy to open the properties. On the Scan Settings tab, place a check in the "Scan MIME files: Enable scanning for MIME-encoded files." check box. Click Save.

Check Content

From the ePO server console System Tree, select the Systems tab, find and click on the asset representing the McAfee MOVE Offload Scan Server to open its properties, select Actions, select Agent, and select Modify Policies on a Single System. From the product drop-down list, select MOVE AV [Multi-Platform] Offload Scan Server 3.6.1. Click on the MOVE AV [Multi-Platform] Offload Scan Server policy to open the properties. On the Scan Settings tab, ensure the "Scan MIME files:" setting has the "Enable scanning for MIME-encoded files." check box selected. If the "Enable scanning for MIME-encoded files." check box is not selected, this is a finding.

On the system designated as the McAfee MOVE Offload Scan Server, access a cmd window, running as administrator. Navigate to the path to which the McAfee MOVE AV Server software has been installed (default is C:\Program Files (x86)\McAfee\MOVE AV Server). Execute the following command:

mvadm config show <enter>

From the displayed configuration, ensure the "ScanMIMEFiles" value is set to 1. If the "ScanMIMEFiles" is set to 0, this is a finding.

The McAfee MOVE AV [Multi-Platform] Offload Scan Server General policy Scan Settings must be configured to use McAfee Global Threat Intelligence file reputation, with a sensitivity level of Medium or higher.

Finding ID: AV-MOVE-OSS-010
Rule ID: SV-55706r2_rule
Severity: Cat II
CCE: (None)
Group Title: AV-MOVE-OSS-010
CCI: CCI-001242
Target Key: (None)
Documentable: No
Discussion

Anti-virus software vendors use collective intelligence from sensors and cross-vector intelligence from web, email, and network threats to compile scores that reflect the likelihood of whether a file in question is malware. The collective intelligence is constantly being updated, more frequently than the typical daily anti-virus signature files. With File Reputation lookup, a more real-time response to potential malicious code is realized than with the local-running anti-virus software, since by querying the cloud-based database when a file appears to be suspicious, up-to-the-minute intelligence is provided. This type of protection reduces the threat protection time period from days to milliseconds, increases malware detection rates, and reduces downtime and remediation costs associated with malware attacks. Using File Reputation lookup is mandated by US CYBERCOM on DoD systems.

Fix Text

From the ePO server console System Tree, select the Systems tab, find and click on the asset representing the McAfee MOVE Offload Scan Server to open its properties, select Actions, select Agent, and select Modify Policies on a Single System. From the product drop-down list, select MOVE AV [Multi-Platform] Offload Scan Server 3.6.1. Click on the MOVE AV [Multi-Platform] Offload Scan Server policy to open the properties. On the Scan Settings Tab, click on the dropdown selection for the "McAfee Global Threat Intelligence file reputation:" setting and set the Sensitivity Level to Medium, or higher. Click Save.

Check Content

NOTE: For systems on the SIPRNet, this check is Not Applicable.

From the ePO server console System Tree, select the Systems tab, find and click on the asset representing the McAfee MOVE Offload Scan Server to open its properties, select Actions, select Agent, and select Modify Policies on a Single System. From the product drop-down list, select MOVE AV [Multi-Platform] Offload Scan Server 3.6.1. Click on the MOVE AV [Multi-Platform] Offload Scan Server policy to open the properties. On the Scan Settings Tab, ensure the "McAfee Global Threat Intelligence file reputation:" setting is set to a Sensitivity Level of Medium, or higher. If the "McAfee Global Threat Intelligence file reputation:" setting is not set to a Sensitivity Level of Medium, or higher, this is a finding.

On the system designated as the McAfee MOVE Offload Scan Server, access a cmd window, running as administrator. Navigate to the path to which the McAfee MOVE AV Server software has been installed (default is C:\Program Files (x86)\McAfee\MOVE AV Server). Execute the following command:

mvadm config show <enter>

From the displayed configuration, ensure the "GTILevel" value is set to 3 or more. If the "GTILevel" is set to less than 3, this is a finding.

The McAfee MOVE AV [Multi-Platform] Offload Scan Server General policy alerts must be configured to report all events to the Windows Event Log.

Finding ID: AV-MOVE-OSS-011
Rule ID: SV-55707r2_rule
Severity: Cat II
CCE: (None)
Group Title: AV-MOVE-OSS-011
CCI: CCI-001489
Target Key: (None)
Documentable: No
Discussion

Forensic identification is the practice of identifying infected hosts by looking for evidence of recent infections. The evidence may be very recent (only a few minutes old) or not so recent (hours or days old); the older the information is, the less accurate it is likely to be. The most obvious sources of evidence are those that are designed to identify malware activity, such as anti-virus software, content filtering (e.g., anti-spam measures), IPS, and SIEM technologies. The logs of security applications might contain detailed records of suspicious activity, and might also indicate whether a security compromise occurred or was prevented.

Fix Text

From the ePO server console System Tree, select the Systems tab, find and click on the asset representing the McAfee MOVE Offload Scan Server to open its properties, select Actions, select Agent, and select Modify Policies on a Single System. From the product drop-down list, select MOVE AV [Multi-Platform] Offload Scan Server 3.6.1. Click on the MOVE AV [Multi-Platform] Offload Scan Server policy to open the properties. Select the "Events" tab and, under the "General Settings" label, place a check in the "Offload Scan Server events reported to the Windows Event Log" and the "Offload Scan Server events are sent to ePolicy Orchestrator" check boxes. Click Save.

Check Content

From the ePO server console System Tree, select the Systems tab, find and click on the asset representing the McAfee MOVE Offload Scan Server to open its properties, select Actions, select Agent, and select Modify Policies on a Single System. From the product drop-down list, select MOVE AV [Multi-Platform] Offload Scan Server 3.6.1. Click on the MOVE AV [Multi-Platform] Offload Scan Server policy to open the properties. Select the "Events" tab and, under the "General Settings" label, ensure the "Offload Scan Server events reported to the Windows Event Log" check box is selected. If the "Offload Scan Server events reported to the Windows Event Log." check box is not selected, this is a finding.

On the system designated as the McAfee MOVE Offload Scan Server, access a cmd window, running as administrator. Navigate to the path to which the McAfee MOVE AV Server software has been installed (default is C:\Program Files (x86)\McAfee\MOVE AV Server). Execute the following command:

mvadm config show <enter>

From the displayed configuration, ensure the "EventSink" value is set to 6 (Events reported to both the Windows Event Log and the ePO Server). If the "EventSink" is set to 6, this is not a finding.

The McAfee MOVE AV [Multi-Platform] Offload Scan Server General policy alerts must be configured to send all events to the HBSS ePO server.

Finding ID: AV-MOVE-OSS-012
Rule ID: SV-55708r2_rule
Severity: Cat II
CCE: (None)
Group Title: AV-MOVE-OSS-012
CCI: CCI-001489
Target Key: (None)
Documentable: No
Discussion

Organizations should strive to detect and validate malware incidents rapidly to minimize the number of infected hosts and the amount of damage the organization sustains. Recommended actions include analyzing any suspected malware incident and validating that malware is the cause. This includes identifying characteristics of the malware activity by examining detection sources, such as anti-virus software, intrusion prevention systems, and security information and event management (SIEM) technologies and identifying which hosts are infected by the malware, so the hosts can undergo the appropriate containment, eradication, and recovery actions. By sending all events to a central location, the events can be correlated to determine extent of infection.

Fix Text

From the ePO server console System Tree, select the Systems tab, find and click on the asset representing the McAfee MOVE Offload Scan Server to open its properties, select Actions, select Agent, and select Modify Policies on a Single System. From the product drop-down list, select MOVE AV [Multi-Platform] Offload Scan Server 3.6.1. Click on the MOVE AV [Multi-Platform] Offload Scan Server policy to open the properties. Select the "Events" tab and, under the "General Settings" label, place a check in the "Offload Scan Server events are sent to ePolicy Orchestrator" and the "Offload Scan Server events are sent to Windows Event Log" check boxes. Click Save.

Check Content

From the ePO server console System Tree, select the Systems tab, find and click on the asset representing the McAfee MOVE Offload Scan Server to open its properties, select Actions, select Agent, and select Modify Policies on a Single System. From the product drop-down list, select MOVE AV [Multi-Platform] Offload Scan Server 3.6.1. Click on the MOVE AV [Multi-Platform] Offload Scan Server policy to open the properties. Select the "Events" tab and, under the "General Settings" label, ensure the "Offload Scan Server events are sent to ePolicy Orchestrator" check box is selected. If the "Offload Scan Server events are sent to ePolicy Orchestrator." check box is not selected, this is a finding.

On the system designated as the McAfee MOVE Offload Scan Server, access a cmd window, running as administrator. Navigate to the path to which the McAfee MOVE AV Server software has been installed (default is C:\Program Files (x86)\McAfee\MOVE AV Server). Execute the following command:

mvadm config show <enter>

From the displayed configuration, ensure the "EventSink" value is set to 6 (Events reported to both the Windows Event Log and the ePO Server). If the "EventSink" is set to 6, this is not a finding.
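
The local checks for AV-MOVE-OSS-005 through AV-MOVE-OSS-012 all read the same "mvadm config show" output (LogFileNum, LogFileSize, ScanArchiveFiles, ScanPUPS, ScanMIMEFiles, GTILevel, EventSink), so they can be evaluated together from one saved capture. The following is an added Python example, not part of the STIG and not McAfee or DISA tooling; it assumes mvadm prints one "Key = Value" (or "Key: Value") pair per line, since the page does not show the exact layout, and it runs against a constructed sample of that output. It also handles the SIPRNet Not Applicable note for AV-MOVE-OSS-010 as an option.

```python
"""Evaluate the mvadm-based STIG checks (AV-MOVE-OSS-005 through -012)
against captured output of `mvadm config show`.

Added example, not McAfee or DISA code. The exact output layout of mvadm is
not shown on the page; this assumes one "Key = Value" (or "Key: Value") pair
per line, which is what the constructed sample below uses."""
import re

# Constructed sample of `mvadm config show` output (not a real capture).
SAMPLE_OUTPUT = """\
LogFileNum = 10
LogFileSize = 10
ScanArchiveFiles = 1
ScanPUPS = 0
ScanMIMEFiles = 1
GTILevel = 2
EventSink = 6
"""

# Per rule: config key, compliance predicate, and the requirement as stated in
# the STIG Check Content. EventSink is treated as a finding when not 6 (the
# STIG only states that 6 is not a finding); that reading is an assumption.
CHECKS = {
    "AV-MOVE-OSS-005": ("LogFileNum", lambda v: v >= 20, "LogFileNum >= 20"),
    "AV-MOVE-OSS-006": ("LogFileSize", lambda v: v >= 10, "LogFileSize >= 10"),
    "AV-MOVE-OSS-007": ("ScanArchiveFiles", lambda v: v == 1, "ScanArchiveFiles == 1"),
    "AV-MOVE-OSS-008": ("ScanPUPS", lambda v: v == 1, "ScanPUPS == 1"),
    "AV-MOVE-OSS-009": ("ScanMIMEFiles", lambda v: v == 1, "ScanMIMEFiles == 1"),
    "AV-MOVE-OSS-010": ("GTILevel", lambda v: v >= 3, "GTILevel >= 3"),
    "AV-MOVE-OSS-011": ("EventSink", lambda v: v == 6, "EventSink == 6"),
    "AV-MOVE-OSS-012": ("EventSink", lambda v: v == 6, "EventSink == 6"),
}

# AV-MOVE-OSS-010 (GTI file reputation) is Not Applicable on SIPRNet.
SIPRNET_NOT_APPLICABLE = {"AV-MOVE-OSS-010"}

LINE_RE = re.compile(r"^\s*(?P<key>[A-Za-z0-9_]+)\s*[=:]\s*(?P<value>.+?)\s*$")


def parse_config(text):
    """Parse key/value lines into a dict; integer-looking values become ints."""
    config = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip blank lines and any banner/header text
        value = m.group("value").strip('"')
        config[m.group("key")] = int(value) if value.lstrip("-").isdigit() else value
    return config


def evaluate(config, siprnet=False):
    """Return {rule_id: (status, detail)} with status in
    'pass', 'finding', 'missing' or 'not_applicable'."""
    results = {}
    for rule_id, (key, ok, requirement) in CHECKS.items():
        if siprnet and rule_id in SIPRNET_NOT_APPLICABLE:
            results[rule_id] = ("not_applicable", f"{requirement} is N/A on SIPRNet")
        elif key not in config:
            # Key absent from the output: fall back to the ePO console check.
            results[rule_id] = ("missing", f"{key} absent from mvadm output; verify in ePO")
        elif not isinstance(config[key], int):
            results[rule_id] = ("finding", f"{key} = {config[key]!r} is not numeric; expected {requirement}")
        elif ok(config[key]):
            results[rule_id] = ("pass", f"{key} = {config[key]} satisfies {requirement}")
        else:
            results[rule_id] = ("finding", f"{key} = {config[key]} violates {requirement}")
    return results


def findings(text, siprnet=False):
    """Sorted rule ids that are findings for the given mvadm output."""
    results = evaluate(parse_config(text), siprnet=siprnet)
    return sorted(r for r, (status, _) in results.items() if status == "finding")


if __name__ == "__main__":
    for rule_id, (status, detail) in evaluate(parse_config(SAMPLE_OUTPUT)).items():
        print(f"{rule_id}: {status:14} {detail}")
```

Against the constructed sample, AV-MOVE-OSS-005, -008 and -010 come back as findings; the ePO-only settings (On-Demand Scanning, scan interval) are not covered because the page names no mvadm key for them.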

The McAfee MOVE AV [Multi-Platform] Offload Scan Server General policy On-Demand Scan must be configured with On-Demand scanning enabled.

Finding ID: AV-MOVE-OSS-013
Rule ID: SV-55710r2_rule
Severity: Cat II
CCE: (None)
Group Title: AV-MOVE-OSS-013
CCI: CCI-001241
Target Key: (None)
Documentable: No
Discussion

Anti-virus software is the most commonly used technical control for malware threat mitigation. Anti-virus software on hosts should be configured to scan all hard drives and folders regularly to identify any file system infections and to scan any removable media, if applicable, before media is inserted into the system. Not scheduling a regular scan of the hard drives of a system and/or not configuring the scan to scan all files and running processes introduces a higher risk of threats going undetected.

Fix Text

From the ePO server console System Tree, select the Systems tab, find and click on the asset representing the McAfee MOVE Offload Scan Server to open its properties, select Actions, select Agent, and select Modify Policies on a Single System. From the product drop-down list, select MOVE AV [Multi-Platform] Offload Scan Server 3.6.1. Click on the MOVE AV [Multi-Platform] Offload Scan Server policy to open the properties. On the On-Demand Scan tab, place a check in the "On-Demand Scanning: Enabled" check box. Click Save.

Check Content

From the ePO server console System Tree, select the Systems tab, find and click on the asset representing the McAfee MOVE Offload Scan Server to open its properties, select Actions, select Agent, and select Modify Policies on a Single System. From the product drop-down list, select MOVE AV [Multi-Platform] Offload Scan Server 3.6.1. Click on the MOVE AV [Multi-Platform] Offload Scan Server policy to open the properties. On the On-Demand Scan tab, ensure the "On-Demand Scanning:" setting has a check in the "Enabled" check box. If the "On-Demand Scanning:" setting does not have a check in the "Enabled" check box, this is a finding.

The McAfee MOVE AV [Multi-Platform] Offload Scan Server General policy On-Demand Scan Client Scan interval must be set to no more than every seven days.

Finding ID
AV-MOVE-OSS-014
Rule ID
SV-55711r2_rule
Severity
Cat II
CCE
(None)
Group Title
AV-MOVE-OSS-014
CCI
CCI-001241
Target Key
(None)
Documentable
No
Discussion

Anti-virus software is the most commonly used technical control for malware threat mitigation. Anti-virus software on hosts should be configured to scan all hard drives and folders regularly to identify any file system infections and to scan any removable media, if applicable, before media is inserted into the system. Not scheduling a regular scan of the hard drives of a system and/or not configuring the scan to scan all files and running processes introduces a higher risk of threats going undetected.

Fix Text

From the ePO server console System Tree, select the Systems tab, find and click on the asset representing the McAfee MOVE Offload Scan Server to open its properties, select Actions, select Agent, and select Modify Policies on a Single System. From the product drop-down list, select MOVE AV [Multi-Platform] Offload Scan Server 3.6.1. Click on the MOVE AV [Multi-Platform] Offload Scan Server policy to open the properties. On the On-Demand Scan tab, enter a value in the "On-Demand Client Scan interval (days):" setting representing a frequency of every seven days, or less. Click on Save.

Check Content

From the ePO server console System Tree, select the Systems tab, find and click on the asset representing the McAfee MOVE Offload Scan Server to open its properties, select Actions, select Agent, and select Modify Policies on a Single System. From the product drop-down list, select MOVE AV [Multi-Platform] Offload Scan Server 3.6.1. Click on the MOVE AV [Multi-Platform] Offload Scan Server policy to open the properties. On the On-Demand Scan tab, ensure the "On-Demand Client Scan interval (days):" setting is configured for 7 or less. If the "On-Demand Client Scan interval (days):" setting is not configured to 7 or less, this is a finding.

The McAfee VirusScan Enterprise Access Protection rules must be used for self-protection of the files and folders of the Offload Scan Server configuration.

Finding ID
AV-MOVE-OSS-015
Rule ID
SV-55712r2_rule
Severity
Cat I
CCE
(None)
Group Title
AV-MOVE-OSS-015
CCI
CCI-001242
Target Key
(None)
Documentable
No
Discussion

The VirusScan Enterprise Access Protection rules will defend files, services, and registry keys on the Offload Scan Server.

Fix Text

The McAfee MOVE AV [Multi-Platform] Offload Scan Server does not have a built-in protection mechanism. In order to protect the McAfee MOVE AV [Multi-Platform] Offload Scan Server's files, services, and registry keys, the McAfee VirusScan Enterprise Access Protection features are used. From the ePO server console System Tree, select the Systems tab, find and click on the asset representing the McAfee MOVE Offload Scan Server to open its properties, select Actions, select Agent, and select Modify Policies on a Single System. From the product drop-down list, select VirusScan Enterprise 8.8.x. Click on the Access Protection Policies policy to open the properties. From the Settings for: drop-down list, select Server. In the "Access protection rules:" settings, under "Categories", click to select the "User-defined Rules" and click on "New". Choose "File/Folder Blocking Rule" to create the rule identified as the File protection rule. Specify an appropriate Rule name: (i.e., McAfee MOVE OSS File and Folder Protection). Enter "mvserver.exe" and "naPrdMgr.exe" under the "Processes to exclude:" section. Enter the path to which the McAfee MOVE OSS has been installed (default is C:\Program Files (x86)\McAfee\MOVE AV Server\**) in the "File or folder name to block:" section. Select the "Write access to files", "New files being created", and "Files being deleted" under the "File actions to prevent:" section. Click OK. After rule is created, select the "Block" and "Report" check boxes. Click Save.

Check Content

The McAfee MOVE AV [Multi-Platform] Offload Scan Server does not have a built-in protection mechanism. In order to protect the McAfee MOVE AV [Multi-Platform] Offload Scan Server's files, services, and registry keys, the McAfee VirusScan Enterprise Access Protection features are used. From the ePO server console System Tree, select the Systems tab, find and click on the asset representing the McAfee MOVE Offload Scan Server to open its properties, select Actions, select Agent, and select Modify Policies on a Single System. From the product drop-down list, select VirusScan Enterprise 8.8.x. Click on the Access Protection Policies policy to open the properties. From the Settings for: drop-down list, select Server. In the "Access protection rules:" settings, under "Categories", click to select the "User-defined Rules". Under "Block/Report/Rules", ensure rules are configured for McAfee MOVE OSS protection. If multiple User-defined rules are created, consult with the System Administration to determine the rules for the purpose of this requirement. For the File/Folder Access Protection Rule created to protect the MOVE AV Server folder, ensure both the Block and Report check boxes are selected. Select the rule, and click on Edit. Ensure "mvserver.exe" and "naPrdMgr.exe" are reflected under the "Processes to exclude:" section. Ensure the path to which the McAfee MOVE Offload Scan Server has been installed (default is C:\Program Files (x86)\McAfee\MOVE AV Server\**) is reflected in the "File or folder name to block:" section. Ensure "Write access to files", "New files being created", and "Files being deleted" are selected under the "File actions to prevent:" section. If a File/Folder Blocking Rule does not exist to protect the path to which the McAfee MOVE OSS Server has been installed (default is C:\Program Files (x86)\McAfee\MOVE AV Server), this is a finding. On the system designated as the McAfee MOVE OSS Server, access the local McAfee VirusScan Enterprise Console. 
Under the Task column, select "Access Protection", right click and select "Properties". In the "Access protection rules:" settings, under "Categories", click to select the "User-defined Rules". Under "Block/Report/Rules", ensure rules are configured for McAfee MOVE OSS protection. If multiple User-defined rules are created, consult with the System Administration to determine the rules for the purpose of this requirement. For the File/Folder Access Protection Rule created to protect the MOVE AV Server folder, ensure both the Block and Report check boxes are selected. Select the rule, and click Edit. Ensure "mvserver.exe" is reflected under the "Processes to exclude:" section. Ensure the path to which the McAfee MOVE Offload Scan Server has been installed (default is C:\Program Files (x86)\McAfee\MOVE AV Server\**) is reflected in the "File or folder name to block:" section. Ensure "Write access to files", "New files being created", and "Files being deleted" are selected under the "File actions to prevent:" section. If a File/Folder Blocking Rule does not exist to protect the path to which the McAfee MOVE OSS Server has been installed (default is C:\Program Files (x86)\McAfee\MOVE AV Server), this is a finding.

The McAfee VirusScan Enterprise Access Protection rules must be used for self-protection of the registry keys of Offload Scan Server configuration.

Finding ID
AV-MOVE-OSS-016
Rule ID
SV-55715r3_rule
Severity
Cat I
CCE
(None)
Group Title
AV-MOVE-OSS-016
CCI
CCI-001242
Target Key
(None)
Documentable
No
Discussion

The VirusScan Enterprise Access Protection rules will defend files, services, and registry keys on the Offload Scan Server.

Fix Text

The McAfee MOVE AV [Multi-Platform] Offload Scan Server does not have a built-in protection mechanism. In order to protect the McAfee MOVE AV [Multi-Platform] Offload Scan Server's files, services, and registry keys, the McAfee VirusScan Enterprise Access Protection features are used. From the ePO server console System Tree, select the Systems tab, find and click on the asset representing the McAfee MOVE Offload Scan Server to open its properties, select Actions, select Agent, and select Modify Policies on a Single System. From the product drop-down list, select VirusScan Enterprise 8.8.x. Click on the Access Protection Policies policy to open the properties. In the "Access protection rules:" settings, under "Categories", click to select the "User-defined Rules" and click on "New". Click New to create each of the following three "Registry Blocking Rules:", naming each rule according to the protection they afford. "HKCCS/services/mvserver" identified as the "Registry Key or value to protect:", with "Write to key or value", "Create key or value", and "Delete key or value" selected under the "Registry actions to block:" section. Under the "Processes to exclude:", "mvserver.exe" should be reflected. "HKCCS/services/mvserver/Parameters" identified as the "Registry Key or value to protect:", with "Write to key or value", "Create key or value", and "Delete key or value" selected under the "Registry actions to block:" section. Under the "Processes to exclude:", "mvserver.exe" should be reflected. "HKCCS/services/mvserver/Parameters/ODS" identified as the "Registry Key or value to protect:", with "Write to key or value", "Create key or value", and "Delete key or value" selected under the "Registry actions to block:" section. Under the "Processes to exclude:", "mvserver.exe" should be reflected. After each of the above rules are created, select both the "Block" and "Report" check boxes. Click Save.

Check Content

The McAfee MOVE AV [Multi-Platform] Offload Scan Server does not have a built-in protection mechanism. In order to protect the McAfee MOVE AV [Multi-Platform] Offload Scan Server's files, services, and registry keys, the McAfee VirusScan Enterprise Access Protection features are used. From the ePO server console System Tree, select the Systems tab, find and click on the asset representing the McAfee MOVE Offload Scan Server to open its properties, select Actions, select Agent, and select Modify Policies on a Single System. From the product drop-down list, select VirusScan Enterprise 8.8.x. Click on the Access Protection Policies policy to open the properties. In the "Access protection rules:" settings, under "Categories", click to select the "User-defined Rules". Under "Block/Report/Rules", ensure three rules are configured for McAfee MOVE OSS registry key protection. If multiple User-defined rules are created, consult with the System Administration to determine the rules for the purpose of this requirement. For each of the Access Protection Rules created to protect the McAfee MOVE OSS registry keys, ensure both the "Block" and "Report" check boxes are selected. There should be three individual Registry Blocking Rules, one for each of the following criteria: Ensure a Registry Access Protection Rule exists that has "HKCCS\services\mvserver" identified as the "Registry Key or value to protect:", with "Write to key or value", "Create key or value", and "Delete key or value" selected under the "Registry actions to block:" section. Under the "Processes to exclude:", "mvserver.exe" should be reflected. Ensure a Registry Access Protection Rule exists that has "HKCCS\services\mvserver\Parameters" identified as the "Registry Key or value to protect:", with "Write to key or value", "Create key or value", and "Delete key or value" selected under the "Registry actions to block:" section. Under the "Processes to exclude:", "mvserver.exe" and "naPrdMgr.exe" should be reflected. 
Ensure a Registry Access Protection Rule exists that has "HKCCS\services\mvserver\Parameters\ODS" identified as the "Registry Key or value to protect:", with "Write to key or value", "Create key or value", and "Delete key or value" selected under the "Registry actions to block:" section. Under the "Processes to exclude:", "mvserver.exe" should be reflected. If three Registry Blocking Rules do not exist to protect each of the "HKCCS\services\mvserver", "HKCCS\services\mvserver\Parameters", and "HKCCS\services\mvserver\Parameters\ODS" registry keys and values, this is a finding. On the system designated as the McAfee MOVE OSS Server, access the local McAfee VirusScan Enterprise Console. Under the Task column, select "Access Protection", right click and select "Properties". In the "Access protection rules:" settings, under "Categories", click to select the "User-defined Rules". Under "Block/Report/Rules", ensure three rules are configured for McAfee MOVE OSS registry key protection. If multiple User-defined rules are created, consult with the System Administration to determine the rules for the purpose of this requirement. For each of the Access Protection Rules created to protect the McAfee MOVE OSS registry keys, ensure both the "Block" and "Report" check boxes are selected. There should be three individual Registry Blocking Rules, one for each of the following criteria: Ensure a Registry Access Protection Rule exists that has "HKCCS\services\mvserver" identified as the "Registry Key or value to protect:", with "Write to key or value", "Create key or value", and "Delete key or value" selected under the "Registry actions to block:" section. Under the "Processes to exclude:", "mvserver.exe" should be reflected. 
Ensure a Registry Access Protection Rule exists that has "HKCCS\services\mvserver\Parameters" identified as the "Registry Key or value to protect:", with "Write to key or value", "Create key or value", and "Delete key or value" selected under the "Registry actions to block:" section. Under the "Processes to exclude:", "mvserver.exe" should be reflected. Ensure a Registry Access Protection Rule exists that has "HKCCS\services\mvserver\Parameters\ODS" identified as the "Registry Key or value to protect:", with "Write to key or value", "Create key or value", and "Delete key or value" selected under the "Registry actions to block:" section. Under the "Processes to exclude:", "mvserver.exe" should be reflected. If three Registry Blocking Rules do not exist to protect each of the "HKCCS\services\mvserver", "HKCCS\services\mvserver\Parameters", and "HKCCS\services\mvserver\Parameters\ODS" registry keys and values, this is a finding.
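The Check Content for AV-MOVE-OSS-015 and AV-MOVE-OSS-016 verifies the Access Protection rules by inspecting them in the ePO and local VirusScan consoles. The script below is an added functional check, written for this page and not part of the DISA STIG or of McAfee's tooling: it confirms that the rules actually block a non-excluded process from creating a file under the OSS install folder and from creating a value under each of the three mvserver registry keys. It assumes that "HKCCS" in the STIG text is VirusScan Enterprise's abbreviation for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet, that the OSS is installed in the default path quoted by the STIG, and that it runs in an elevated PowerShell session on the OSS host (powershell.exe is not in the rules' "Processes to exclude:" list, so its writes should be refused). Because the rules are set to "Report" as well as "Block", each refused attempt is expected to appear as an Access Protection event in the VirusScan log and in ePO, which is itself useful evidence that reporting works.

```powershell
# Added functional check for AV-MOVE-OSS-015 / AV-MOVE-OSS-016 (not STIG or McAfee code).
# Assumptions: HKCCS == HKLM\SYSTEM\CurrentControlSet; default OSS install path;
# run elevated on the OSS host from powershell.exe, which is NOT an excluded process.

$ossPath = 'C:\Program Files (x86)\McAfee\MOVE AV Server'   # default path per the STIG
$regKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\mvserver',
    'HKLM:\SYSTEM\CurrentControlSet\Services\mvserver\Parameters',
    'HKLM:\SYSTEM\CurrentControlSet\Services\mvserver\Parameters\ODS'
)
# Unique, obviously temporary name for the probe file / registry value.
$probeName = 'STIG_AP_PROBE_' + [guid]::NewGuid().ToString('N').Substring(0, 8)

function Test-WriteBlocked {
    # Runs $Attempt; returns $true if it was refused (Access Protection blocked it).
    # If the write succeeded, the rule is missing or Report-only: undo it and return $false.
    param([scriptblock]$Attempt, [scriptblock]$Cleanup)
    try {
        & $Attempt
        & $Cleanup
        return $false
    } catch {
        # A blocked write surfaces as an UnauthorizedAccess / access-denied error.
        return $true
    }
}

$results = @()

# File/folder rule (AV-MOVE-OSS-015): "New files being created" must be prevented.
$probeFile = Join-Path $ossPath "$probeName.txt"
$fileBlocked = Test-WriteBlocked `
    -Attempt { New-Item -Path $probeFile -ItemType File -ErrorAction Stop | Out-Null } `
    -Cleanup { Remove-Item -Path $probeFile -Force -ErrorAction SilentlyContinue }
$results += [pscustomobject]@{ Target = $ossPath; Action = 'Create file'; Blocked = $fileBlocked }

# Registry rules (AV-MOVE-OSS-016): "Create key or value" must be prevented on each key.
foreach ($key in $regKeys) {
    if (-not (Test-Path $key)) {
        # The key itself is absent: either the OSS is not installed or the path assumption is wrong.
        $results += [pscustomobject]@{ Target = $key; Action = 'Create value'; Blocked = 'KEY MISSING' }
        continue
    }
    $blocked = Test-WriteBlocked `
        -Attempt { New-ItemProperty -Path $key -Name $probeName -Value 1 -PropertyType DWord -ErrorAction Stop | Out-Null } `
        -Cleanup { Remove-ItemProperty -Path $key -Name $probeName -ErrorAction SilentlyContinue }
    $results += [pscustomobject]@{ Target = $key; Action = 'Create value'; Blocked = $blocked }
}

$results | Format-Table -AutoSize

# Anything not blocked corresponds to a finding under the STIG's check text.
if ($results | Where-Object { $_.Blocked -ne $true }) {
    Write-Warning 'One or more self-protection rules did not block the probe; treat as a finding and verify the rule in the ePO console.'
}
```

A result of "KEY MISSING" means the check could not be performed rather than that the rule failed, so confirm the OSS is installed and that the key path assumption holds before recording a finding. The script probes only "create" actions; the "Write" and "Delete" actions the STIG also requires are still confirmed in the console, since exercising them would mean touching real configuration values.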