Free DISA STIG and SRG Library | Vaulted

McAfee MOVE Agentless 3.0 VSEL 1.9 for SVA STIG

Version 1 Release 3
2015-10-23
U_McAfee_MOVE3_0_Agentless_VSEL_for_SVA_V1R3_Manual-xccdf.xml
The McAfee MOVE 3.0 Agentless VSEL for SVA STIG is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the NIST 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.

Vulnerabilities (32)

The McAfee VirusScan Enterprise for Linux 1.9.0 Web UI must be disabled.

Finding ID: DTAVSEL-109
Rule ID: SV-56764r1_rule
Severity: Cat II
CCE: (None)
Group Title: DTAVSEL-109-McAfee VSEL for SVA Web User Interface status
CCI: CCI-001242
Target Key: (None)
Documentable: No
Discussion

If the Web UI were left enabled, the system on which VSEL is installed would be vulnerable to Web attacks. Disabling the Web UI will prevent the system from listening on HTTP.

Fix Text

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.0". From the "Policy" column, click on the policy for the "General Policies". In the "Advanced" tab, select the check box for "Disable client Web UI:". Click Save.

Check Content

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.0". From the "Policy" column, click on the policy for the "General Policies". In the "Advanced" tab, verify the check box for "Disable client Web UI:" is selected. If the check box for "Disable client Web UI:" is not selected, this is a finding.

Responsibility

System Administrator

The antivirus signature file age must not exceed 7 days.

Finding ID: DTAVSEL-001
Rule ID: SV-61873r1_rule
Severity: Cat I
CCE: (None)
Group Title: DTAVSEL-001 McAfee MOVE Agentless antivirus signature age
CCI: CCI-001240
Target Key: (None)
Documentable: No
Discussion

Antivirus signature files are updated almost daily by antivirus software vendors. These files are made available to antivirus clients as they are published. Keeping virus signature files as current as possible is vital to the security of any system. By configuring a system to attempt an antivirus update on a daily basis, the system is ensured of maintaining an antivirus signature age of 7 days or less. If the update attempt were to be configured for only once a week, and that attempt failed, the system would be immediately out of date.

Fix Text

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Tasks on a Single System. On the Client Tasks page, click on Actions | New Client Task Assignment. On the Client Task Assignment Builder page, under the "Product" section, select "McAfee Agent". Under the "Task Type" section, select "Product Update". Under the "Task Name" section, click on "Create New Task". Type a unique name for the "Task Name". For "Package selection:", select the "All packages" radio button. Click Save. Or, select the "Selected packages" radio button. For the "Package types:" section, select the "DAT" check box and the "Linux Engine" check box under the "Signatures and engines:" section. Click Save. On the Client Task Assignment Builder page, under the "Task Name" section, select the task just created. Click on "Next" to schedule the task. For "Schedule status:", select the radio button for "Enabled". For "Schedule type:", choose "Daily". Schedule the "Effective period:", "Start time:" and other options according to best practices. Click Next to view Summary. Click Save.

Check Content

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. On the System Information page, select the "Products" tab. Under the Product section, select "VirusScan Enterprise for Linux". Scroll down to locate the DAT Date and DAT Version. Verify the "DAT Date:" is within the last 7 days. If the "DAT Date:" is not within the last 7 days, this is a finding.

Responsibility

System Administrator

The McAfee VirusScan Enterprise for Linux 1.9.0 must be configured to receive automatic signature updates.

Finding ID: DTAVSEL-002
Rule ID: SV-61875r1_rule
Severity: Cat II
CCE: (None)
Group Title: DTAVSEL-002 - McAfee VSEL for SVA automatic signature updates
CCI: CCI-001242
Target Key: (None)
Documentable: No
Discussion

Antivirus signature files are updated almost daily by antivirus software vendors. These files are made available to antivirus clients as they are published. Keeping virus signature files as current as possible is vital to the security of any system. The antivirus software product must be configured to receive those updates automatically in order to afford the expected protection.

Fix Text

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Tasks on a Single System. On the Client Tasks page, click on Actions | New Client Task Assignment. On the Client Task Assignment Builder page, under the "Product" section, select "McAfee Agent". Under the "Task Type" section, select "Product Update". Under the "Task Name" section, click on "Create New Task". Type a unique name for the "Task Name". For "Package selection:", select the "All packages" radio button. Click Save. Or, select the "Selected packages" radio button. For the "Package types:" section, select the "DAT" check box and the "Linux Engine" check box under the "Signatures and engines:" section. Click Save. On the Client Task Assignment Builder, under the "Task Name" section, select the task just created. Click on "Next" to schedule the task. For "Schedule status:", select the radio button for "Enabled". For "Schedule type:", choose "Daily". Schedule the "Effective period:", "Start time:" and other options according to best practices. Click Next to view Summary. Click Save.

Check Content

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Tasks on a Single System. From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the VirusScan DAT update task. Verify the "Task Type" is listed as "Product Update". Verify the "Status" is listed as "Enabled". Under the "Task Name" column, click on the link for the designated task to review the task properties. Next to the "Package selection:", verify the "All packages" radio button is selected. If the "Selected packages" radio button is selected, verify the check box for "DAT" and the check box for "Linux Engine" have been selected for "Signatures and engines:" under the "Package types:" section. If there is not a task designated as the regularly scheduled DAT Update task, this is a finding. If there exists a task designated as the regularly scheduled DAT Update task, but neither the "All packages" nor the "DAT" selection under the "Package types: Signatures and engines:" section is selected, this is a finding.

Responsibility

System Administrator

The McAfee VirusScan Enterprise for Linux 1.9.0 must be configured to enable On-Access scanning.

Finding ID: DTAVSEL-003
Rule ID: SV-61877r1_rule
Severity: Cat I
CCE: (None)
Group Title: DTAVSEL-003-McAfee VSEL for SVA OAS configuration
CCI: CCI-001240
Target Key: (None)
Documentable: No
Discussion

For antivirus software to be effective, it must be running at all times, beginning from the point of the system's initial startup. Otherwise, the risk is greater for viruses, Trojans, and other malware infecting the system during that startup phase.

Fix Text

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.0". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "General" tab, next to the "On-access Scan:", select the check box for "Enable on-access scanning (takes effect when policies are enforced)". In the "Quarantine Directory:" field, enter "/quarantine" (or another valid location as determined by the organization). Click Save.

Check Content

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.0". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "General" tab, next to the "On-access Scan:", verify the check box for "Enable on-access scanning (takes effect when policies are enforced)" is selected. Verify the "Quarantine Directory:" field is populated with "/quarantine" (or another valid location as determined by the organization). If the checkbox for "Enable on-access scanning (takes effect when policies are enforced)" is not selected, this is a finding. If the "Quarantine Directory:" field is not populated, this is a finding.

Responsibility

System Administrator

The McAfee VirusScan Enterprise for Linux 1.9.0 On-Access scanner must be configured to decompress archives when scanning.

Finding ID: DTAVSEL-004
Rule ID: SV-61881r1_rule
Severity: Cat II
CCE: (None)
Group Title: DTAVSEL-004-McAfee VSEL for SVA OAS decompress archives
CCI: CCI-001242
Target Key: (None)
Documentable: No
Discussion

Malware is often packaged within an archive. In addition, archives may have other archives within. Not scanning archive files introduces the risk of infected files being introduced into the environment.

Fix Text

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.0". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Advanced" tab, next to the "Compressed files", select the check box for "Scan inside multiple-file archives (e.g. .ZIP)". Click Save.

Check Content

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.0". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Advanced" tab, next to the "Compressed files", verify the check box for "Scan inside multiple-file archives (e.g. .ZIP)" is selected. If the check box for "Compressed files: Scan inside multiple-file archives (e.g. .ZIP)" is not selected, this is a finding.

Responsibility

System Administrator

The McAfee VirusScan Enterprise for Linux 1.9.0 On-Access scanner must be configured to find unknown program viruses.

Finding ID: DTAVSEL-005
Rule ID: SV-61893r1_rule
Severity: Cat II
CCE: (None)
Group Title: DTAVSEL-005-McAfee VSEL for SVA OAS find unknown program viruses
CCI: CCI-001242
Target Key: (None)
Documentable: No
Discussion

Due to the ability of malware to mutate after infection, standard antivirus signatures may not be able to catch new strains or variants of the malware. Typically, these strains and variants will share unique characteristics with others in their virus family. By using a generic signature to detect the shared characteristics, using wildcards where differences lie, the generic signature can detect viruses even if they are padded with extra, meaningless code. This method of detection is Heuristic detection.

Fix Text

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.0". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Advanced" tab, next to "Heuristics:", select the check box for "Find unknown program viruses". Click Save.

Check Content

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.0". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Advanced" tab, next to "Heuristics:", verify the check box for "Find unknown program viruses" is selected. If the check box for "Heuristics: Find unknown program viruses" is not selected, this is a finding.

Responsibility

System Administrator

The McAfee VirusScan Enterprise for Linux 1.9.0 On-Access scanner must be configured to find unknown macro viruses.

Finding ID: DTAVSEL-006
Rule ID: SV-61913r1_rule
Severity: Cat II
CCE: (None)
Group Title: DTAVSEL-006--McAfee VSEL for SVA OAS find unknown macro viruses
CCI: CCI-001242
Target Key: (None)
Documentable: No
Discussion

Interpreted viruses are executed by an application. Within this subcategory, macro viruses take advantage of the capabilities of applications' macro programming language to infect application documents and document templates, while scripting viruses infect scripts that are understood by scripting languages processed by services on the OS. Many attackers use toolkits containing several different types of utilities and scripts that can be used to probe and attack hosts. Scanning for unknown macro viruses will mitigate zero-day attacks.

Fix Text

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.0". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Advanced" tab, next to "Heuristics:", select the check box for "Find unknown macro viruses". Click Save.

Check Content

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.0". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Advanced" tab, next to "Heuristics:", verify the check box for "Find unknown macro viruses" is selected. If the check box for "Heuristics: Find unknown macro viruses" is not selected, this is a finding.

Responsibility

System Administrator

The McAfee VirusScan Enterprise for Linux 1.9.0 On-Access scanner must be configured to find potentially unwanted programs.

Finding ID: DTAVSEL-007
Rule ID: SV-61915r1_rule
Severity: Cat II
CCE: (None)
Group Title: DTAVSEL-007-McAfee VSEL for SVA OAS unwanted programs
CCI: CCI-001242
Target Key: (None)
Documentable: No
Discussion

Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attack mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attack mechanisms. Configuring the antivirus software to attempt to clean the file first will allow for the possibility of a false positive. In most cases, however, the secondary action of delete will be used, mitigating the risk of the PUPs being installed and used maliciously.

Fix Text

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.0". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Advanced" tab, next to "Non-viruses:", select the check box for "Find potentially unwanted programs". Select the check box for "Find joke programs". Click Save.

Check Content

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.0". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Advanced" tab, next to "Non-viruses:", verify the check box for "Find potentially unwanted programs" is selected. Verify the check box for "Find joke programs" is selected. If the check box for "Non-viruses: Find potentially unwanted programs" is not selected, this is a finding. If the check box for "Find joke programs" is not selected, this is a finding.

Responsibility

System Administrator

The McAfee VirusScan Enterprise for Linux 1.9.0 On-Access scanner must be configured to scan files when being written to disk.

Finding ID: DTAVSEL-008
Rule ID: SV-61917r1_rule
Severity: Cat II
CCE: (None)
Group Title: DTAVSEL-008-McAfee VSEL for SVA OAS scan when writing
CCI: CCI-001242
Target Key: (None)
Documentable: No
Discussion

Antivirus software is the most commonly used technical control for malware threat mitigation. Real-time scanning of files as they are written to disk is a crucial first line of defense from malware attacks.

Fix Text

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.0". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Detections" tab, next to "Scan files:", select the check box for "When writing to disk". Click Save.

Check Content

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.0". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Detections" tab, next to "Scan files:", verify the check box for "When writing to disk" is selected. If the check box for "Scan files: When writing to disk" is not selected, this is a finding.

Responsibility

System Administrator

The McAfee VirusScan Enterprise for Linux 1.9.0 On-Access scanner must be configured to scan files when being read from disk.

Finding ID: DTAVSEL-009
Rule ID: SV-61919r1_rule
Severity: Cat II
CCE: (None)
Group Title: DTAVSEL-009-McAfee VSEL for SVA OAS scan when reading from disk
CCI: CCI-001242
Target Key: (None)
Documentable: No
Discussion

Antivirus software is the most commonly used technical control for malware threat mitigation. Real-time scanning of files as they are read from disk is a crucial first line of defense from malware attacks.

Fix Text

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.0". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Detections" tab, next to "Scan files:", select the check box for "When reading from disk". Click Save.

Check Content

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.0". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Detections" tab, next to "Scan files:", verify the check box for "When reading from disk" is selected. If the check box for "Scan files: When reading from disk" is not selected, this is a finding.

Responsibility

System Administrator

The McAfee VirusScan Enterprise for Linux 1.9.0 On-Access scanner must be configured to scan all file types.

Finding ID: DTAVSEL-010
Rule ID: SV-61921r1_rule
Severity: Cat II
CCE: (None)
Group Title: DTAVSEL-010-McAfee VSEL for SVA OAS all file types
CCI: CCI-001242
Target Key: (None)
Documentable: No
Discussion

When scanning for malware, excluding specific file types will increase the risk of a malware-infected file going undetected. By configuring antivirus software to scan all file types, the scanner has a higher success rate at detecting and eradicating malware.

Fix Text

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.0". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Detections" tab, next to "What to scan:", select the radio button for "All files". Click Save.

Check Content

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.0". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Detections" tab, next to "What to scan:", verify the radio button for "All files" is selected. If the radio button for "What to scan: All files" is not selected, this is a finding.

Responsibility

System Administrator

The McAfee VirusScan Enterprise for Linux 1.9.0 On-Access scanner maximum scan time must not be less than 45 seconds.

Finding ID: DTAVSEL-011
Rule ID: SV-61923r1_rule
Severity: Cat II
CCE: (None)
Group Title: DTAVSEL-011-McAfee VSEL for SVA OAS maximum scan time
CCI: CCI-001242
Target Key: (None)
Documentable: No
Discussion

When antivirus software is not configured to limit the amount of time spent trying to scan a file, the total effectiveness of the antivirus software, and performance on the system being scanned, will be degraded. By limiting the amount of time the antivirus software uses when scanning a file, the scan will be able to complete in a timely manner.

Fix Text

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.0". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "General" tab, next to "Maximum Scan Time:", select the check box for "Enforce maximum scanning time for all files". Configure the "Maximum scan time (seconds):" to 45 or more. Click Save.

Check Content

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.0". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "General" tab, next to "Maximum Scan Time:", verify the check box for "Enforce maximum scanning time for all files" has been selected. Verify the "Maximum scan time (seconds):" is configured to 45 or more. If the check box for "Maximum Scan Time: Enforce maximum scanning time for all files" is not selected, this is a finding. If the "Maximum Scan Time (seconds):" is not configured to 45 or more, this is a finding. If both the "Maximum Scan Time:" setting for "Enforce maximum scanning time for all files" has a check in the check box and the "Maximum Scan Time:" setting for "Maximum scan time (seconds):" is configured to 45 or more, this is not a finding.

Responsibility

System Administrator

Any paths and files excluded by the McAfee VirusScan Enterprise for Linux 1.9.0 On-Access scanner must be formally documented with, and approved by, the IAO/IAM.

Finding ID: DTAVSEL-012
Rule ID: SV-61925r1_rule
Severity: Cat II
CCE: (None)
Group Title: DTAVSEL-012-McAfee VSEL for SVA OAS file exclusions
CCI: CCI-001242
Target Key: (None)
Documentable: No
Discussion

When scanning for malware, excluding specific files will increase the risk of a malware-infected file going undetected. By configuring antivirus software without any exclusions, the scanner has a higher success rate at detecting and eradicating malware.

Fix Text

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.0". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Detections" tab, next to "What not to scan:", remove all entries in the "Select files and directories to be excluded from virus scanning" field other than the default "/var/log". Document justification for any required exclusions and obtain approval from the IAO/IAM. Click Save.

Check Content

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.0". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Detections" tab, next to "What not to scan:", verify the only entry for the "Select files and directories to be excluded from virus scanning" field is the default "/var/log". If any entries other than the default "/var/log" are present in the "What not to scan:" setting for the "Select files and directories to be excluded from virus scanning" field, verify the exclusion of those files and directories has been formally documented by the System Administrator and has been approved by the IAO/IAM. If any entries other than the default "/var/log" are present in the "What not to scan:" setting for the "Select files and directories to be excluded from virus scanning" field, and those files and directories have not been formally documented by the System Administrator and approved by the IAO/IAM, this is a finding. If any entries other than the default "/var/log" are present in the "What not to scan:" setting for the "Select files and directories to be excluded from virus scanning" field, and those files and directories have been formally documented by the System Administrator and approved by the IAO/IAM, this is not a finding.

Responsibility

System Administrator

The McAfee VirusScan Enterprise for Linux 1.9.0 On-Access scanner must be configured to Clean infected files automatically as first action when a virus or Trojan is detected.

Finding ID
DTAVSEL-013
Rule ID
SV-61927r1_rule
Severity
Cat II
CCE
(None)
Group Title
DTAVSEL-013-McAfee VSEL for SVA OAS first action
CCI
CCI-001242
Target Key
(None)
Documentable
No
Discussion

Malware may have infected a file that is necessary to the user. By configuring the antivirus software to first attempt cleaning the infected file, availability to the file is not sacrificed. If a cleaning attempt is not successful, however, deleting the file is the only safe option to ensure the malware is not introduced onto the system or network.

Fix Text

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.0". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Actions" tab, next to "When Viruses and Trojans are found:", select the radio button for "Clean infected files automatically". Click Save.

Check Content

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.0". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Actions" tab, next to "When Viruses and Trojans are found:", verify the radio button for "Clean infected files automatically" is selected. If, next to "When Viruses and Trojans are found:", the radio button for "Clean infected files automatically" is not selected, this is a finding.

Responsibility

System Administrator

The McAfee VirusScan Enterprise for Linux 1.9.0 On-Access scanner must be configured to Move infected files to the quarantine directory if first action fails when a virus or Trojan is detected.

Finding ID
DTAVSEL-014
Rule ID
SV-61929r1_rule
Severity
Cat II
CCE
(None)
Group Title
DTAVSEL-014-McAfee VSEL for SVA OAS second action
CCI
CCI-001242
Target Key
(None)
Documentable
No
Discussion

Malware may have infected a file that is necessary to the user. By configuring the antivirus software to first attempt cleaning the infected file, availability to the file is not sacrificed. If a cleaning attempt is not successful, however, deleting the file is the only safe option to ensure the malware is not introduced onto the system or network.

Fix Text

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.0". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Actions" tab, next to "If the above action fails:", select the radio button for "Move infected files to the quarantine directory". Click Save.

Check Content

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.0". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Actions" tab, next to "If the above action fails:", verify the "Move infected files to the quarantine directory" radio button is selected. If, next to "If the above action fails:", the radio button for "Move infected files to the quarantine directory" is not selected, this is a finding.

Responsibility

System Administrator

The McAfee VirusScan Enterprise for Linux 1.9.0 On-Access scanner must be configured to Clean infected files automatically as first action when programs and jokes are found.

Finding ID
DTAVSEL-015
Rule ID
SV-61933r1_rule
Severity
Cat II
CCE
(None)
Group Title
DTAVSEL-015-McAfee VSEL for SVA OAS PUPS first action
CCI
CCI-001242
Target Key
(None)
Documentable
No
Discussion

Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attack mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attack mechanisms. Configuring the antivirus software to attempt to clean the file first will allow for the possibility of a false positive. In most cases, however, the secondary action of delete will be used, mitigating the risk of the PUPs being installed and used maliciously.

Fix Text

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.0". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Actions" tab, next to "When Programs & Jokes are found:", select the radio button for "Clean infected files automatically". Click Save.

Check Content

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.0". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Actions" tab, next to "When Programs & Jokes are found:", verify the radio button for "Clean infected files automatically" is selected. If, next to "When Programs & Jokes are found:", the radio button for "Clean infected files automatically" is not selected, this is a finding.

Responsibility

System Administrator

The McAfee VirusScan Enterprise for Linux 1.9.0 On-Access scanner must be configured to Move infected files to the quarantine directory if first action fails when programs and jokes are found.

Finding ID
DTAVSEL-016
Rule ID
SV-61935r1_rule
Severity
Cat II
CCE
(None)
Group Title
DTAVSEL-016-McAfee VSEL for SVA OAS second action for PUPS
CCI
CCI-001242
Target Key
(None)
Documentable
No
Discussion

Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attack mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attack mechanisms. Configuring the antivirus software to attempt to clean the file first will allow for the possibility of a false positive. In most cases, however, the secondary action of delete will be used, mitigating the risk of the PUPs being installed and used maliciously.

Fix Text

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.0". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Actions" tab, under the "When Programs & Jokes are found:", next to "If the above action fails:", select the radio button for "Move infected files to the quarantine directory". Click Save.

Check Content

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.0". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Actions" tab, under the "When Programs & Jokes are found:", next to "If the above action fails:", verify the "Move infected files to the quarantine directory" radio button is selected. If, next to "When Programs & Jokes are found: If the above action fails:", the radio button for "Move infected files to the quarantine directory" is not selected, this is a finding.

Responsibility

System Administrator

The McAfee VirusScan Enterprise for Linux 1.9.0 On-Access scanner must be configured to deny access to the file if scanning fails.

Finding ID
DTAVSEL-017
Rule ID
SV-61939r1_rule
Severity
Cat II
CCE
(None)
Group Title
DTAVSEL-017-McAfee VSEL for SVA OAS scan failure action
CCI
CCI-001242
Target Key
(None)
Documentable
No
Discussion

Antivirus software is the most commonly used technical control for malware threat mitigation. Real-time scanning of files as they are read from disk is a crucial first line of defense from malware attacks.

Fix Text

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.0". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Actions" tab, select the "If scanning fails:" "Deny access to the file" radio button. Click Save.

Check Content

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.0". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Actions" tab, verify the "If scanning fails:" "Deny access to the file" radio button is selected. If the "If scanning fails: Deny access to the file" radio button is not selected, this is a finding.

Responsibility

System Administrator

The McAfee VirusScan Enterprise for Linux 1.9.0 On-Access scanner must be configured to allow access to files if scanning times out.

Finding ID
DTAVSEL-018
Rule ID
SV-61949r1_rule
Severity
Cat II
CCE
(None)
Group Title
DTAVSEL-018-McAfee VSEL for SVA OAS deny access on scan failure
CCI
CCI-001242
Target Key
(None)
Documentable
No
Discussion

Antivirus software is the most commonly used technical control for malware threat mitigation. Real-time scanning of files as they are read from disk is a crucial first line of defense from malware attacks.

Fix Text

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.0". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Actions" tab, select the "If scanning times out: Allow access to the file" radio button. Click Save.

Check Content

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.0". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Actions" tab, verify the "If scanning times out: Allow access to the file" radio button is selected. If the "If scanning times out: Allow access to the file" radio button is not selected, this is a finding.

Responsibility

System Administrator

The McAfee VirusScan Enterprise for Linux 1.9.0 must be configured to run a scheduled On Demand scan at least once a week.

Finding ID
DTAVSEL-100
Rule ID
SV-61961r1_rule
Severity
Cat II
CCE
(None)
Group Title
DTAVSEL-100-McAfee VSEL for SVA ODS scheduled scan frequency
CCI
CCI-001242
Target Key
(None)
Documentable
No
Discussion

Antivirus software is the most commonly used technical control for malware threat mitigation. Real-time scanning of files as they are read from disk is a crucial first line of defense from malware attacks but to ensure all files are frequently scanned, a regularly scheduled full scan will ensure malware missed by the real-time scanning will be detected and mitigated.

Fix Text

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Create a New Client Task to run a regularly scheduled On Demand scan at least weekly. Click Save.

Check Content

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Tasks on a Single System. From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task. If a weekly On Demand scan client task does not exist, this is a finding. For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan". Verify the "Status" is listed as "Enabled". Under the "Task Name" column, click on the link for the designated task to review the task properties. Verify the task is scheduled to run at least weekly. If the task is not scheduled to run at least weekly, this is a finding.

Responsibility

System Administrator

The McAfee VirusScan Enterprise for Linux 1.9.0 On Demand scanner must be configured to find unknown program viruses.

Finding ID
DTAVSEL-102
Rule ID
SV-61963r1_rule
Severity
Cat II
CCE
(None)
Group Title
DTAVSEL-102-McAfee VSEL for SVA ODS scan for unknown program viruses
CCI
CCI-001242
Target Key
(None)
Documentable
No
Discussion

Due to the ability of malware to mutate after infection, standard antivirus signatures may not be able to catch new strains or variants of the malware. Typically, these strains and variants will share unique characteristics with others in their virus family. By using a generic signature to detect the shared characteristics, using wildcards where differences lie, the generic signature can detect viruses even if they are padded with extra, meaningless code. This method of detection is Heuristic detection.

Fix Text

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. If a task does not exist for the regularly scheduled weekly scan, create a New Client Task to run an On Demand scan at least weekly. Click on Actions | Agent | Modify Tasks on a Single System. From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task. For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan". Under the "Task Name" column, click on the link for the designated task to review the task properties. In the "Advanced" tab, next to the Heuristics, select the check box for "Find unknown program viruses". Click Save.

Check Content

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Tasks on a Single System. From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task. If a weekly On Demand scan client task does not exist, this is a finding. For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan". Verify the "Status" is listed as "Enabled". Under the "Task Name" column, click on the link for the designated task to review the task properties. In the "Advanced" tab, next to the Heuristics, verify the check box for "Find unknown program viruses" has been selected. If, in the task designated as the regularly scheduled On Demand Scan, the check box for "Find unknown program viruses" next to the Heuristics has not been selected, this is a finding.

Responsibility

System Administrator

The McAfee VirusScan Enterprise for Linux 1.9.0 On Demand scanner must be configured to find unknown macro viruses.

Finding ID
DTAVSEL-103
Rule ID
SV-61965r1_rule
Severity
Cat II
CCE
(None)
Group Title
DTAVSEL-103-McAfee VSEL for SVA ODS scan for unknown macro viruses
CCI
CCI-001242
Target Key
(None)
Documentable
No
Discussion

Interpreted viruses are executed by an application. Within this subcategory, macro viruses take advantage of the capabilities of applications' macro programming language to infect application documents and document templates, while scripting viruses infect scripts that are understood by scripting languages processed by services on the OS. Many attackers use toolkits containing several different types of utilities and scripts that can be used to probe and attack hosts. Scanning for unknown macro viruses will mitigate zero-day attacks.

Fix Text

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. If a task does not exist for the regularly scheduled weekly scan, create a New Client Task to run an On Demand scan at least weekly. Click on Actions | Agent | Modify Tasks on a Single System. From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task. For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan". Under the "Task Name" column, click on the link for the designated task to review the task properties. In the "Advanced" tab, next to "Heuristics:", select the check box for "Find unknown macro viruses". Click Save.

Check Content

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Tasks on a Single System. From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task. If a weekly On Demand scan client task does not exist, this is a finding. For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan". Verify the "Status" is listed as "Enabled". Under the "Task Name" column, click on the link for the designated task to review the task properties. In the "Advanced" tab, next to "Heuristics:", verify the check box for "Find unknown macro viruses" is selected. If the check box for "Heuristics: Find unknown macro viruses" is not selected, this is a finding.

Responsibility

System Administrator

The McAfee VirusScan Enterprise for Linux 1.9.0 On Demand scanner must be configured to find potentially unwanted programs.

Finding ID
DTAVSEL-104
Rule ID
SV-61967r1_rule
Severity
Cat II
CCE
(None)
Group Title
DTAVSEL-104-McAfee VSEL for SVA ODS scan for PUPs
CCI
CCI-001242
Target Key
(None)
Documentable
No
Discussion

Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attack mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attack mechanisms. Configuring the antivirus software to attempt to clean the file first will allow for the possibility of a false positive. In most cases, however, the secondary action of delete will be used, mitigating the risk of the PUPs being installed and used maliciously.

Fix Text

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. If a task does not exist for the regularly scheduled weekly scan, create a New Client Task to run an On Demand scan at least weekly. Click on Actions | Agent | Modify Tasks on a Single System. From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task. For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan". Under the "Task Name" column, click on the link for the designated task to review the task properties. In the "Advanced" tab, next to "Non-viruses:", select the check box for "Find potentially unwanted programs". Select the check box for "Find joke programs". Click Save.

Check Content

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Tasks on a Single System. From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task. If a weekly On Demand scan client task does not exist, this is a finding. For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan". Verify the "Status" is listed as "Enabled". Under the "Task Name" column, click on the link for the designated task to review the task properties. In the "Advanced" tab, next to "Non-viruses:", verify the check box for "Find potentially unwanted programs" is selected. Select the check box for "Find joke programs". If the check box for "Non-viruses: Find potentially unwanted programs" is not selected, this is a finding. If the check box for "Find joke programs" is not selected, this is a finding.

Responsibility

System Administrator

The McAfee VirusScan Enterprise for Linux 1.9.0 On Demand scanner must be configured to scan all file types.

Finding ID
DTAVSEL-105
Rule ID
SV-61969r1_rule
Severity
Cat II
CCE
(None)
Group Title
DTAVSEL-105-McAfee VSEL for SVA ODS scan all file types
CCI
CCI-001242
Target Key
(None)
Documentable
No
Discussion

When scanning for malware, excluding specific file types will increase the risk of a malware-infected file going undetected. By configuring antivirus software to scan all file types, the scanner has a higher success rate at detecting and eradicating malware.

Fix Text

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. If a task does not exist for the regularly scheduled weekly scan, create a New Client Task to run an On Demand scan at least weekly. Click on Actions | Agent | Modify Tasks on a Single System. From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task. For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan". Under the "Task Name" column, click on the link for the designated task to review the task properties. In the "Detection" tab, next to "What to scan:", select the radio button for "All files". Click Save.

Check Content

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Tasks on a Single System. From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task. If a weekly On Demand scan client task does not exist, this is a finding. For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan". Verify the "Status" is listed as "Enabled". Under the "Task Name" column, click on the link for the designated task to review the task properties. In the "Detection" tab, next to "What to scan:", verify the radio button for "All files" is selected. If the radio button for "What to scan: All files" is not selected, this is a finding.

Responsibility

System Administrator

The McAfee VirusScan Enterprise for Linux 1.9.0 On Demand scanner must be configured to Clean infected files automatically as first action for when Viruses and Trojans are found.

Finding ID
DTAVSEL-106
Rule ID
SV-61977r1_rule
Severity
Cat II
CCE
(None)
Group Title
DTAVSEL-106-McAfee MOVE VSEL for SVA ODS scan first action
CCI
CCI-001242
Target Key
(None)
Documentable
No
Discussion

Malware may have infected a file that is necessary to the user. By configuring the antivirus software to first attempt cleaning the infected file, availability to the file is not sacrificed. If a cleaning attempt is not successful, however, deleting the file is the only safe option to ensure the malware is not introduced onto the system or network.

Fix Text

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. If a task does not exist for the regularly scheduled weekly scan, create a New Client Task to run an On Demand scan at least weekly. Click on Actions | Agent | Modify Tasks on a Single System. From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task. For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan". Under the "Task Name" column, click on the link for the designated task to review the task properties. In the "Actions" tab, next to "When Viruses and Trojans are found:", select the radio button for "Clean infected files automatically". Click Save.

Check Content

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Tasks on a Single System. From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task. If a weekly On Demand scan client task does not exist, this is a finding. For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan". Verify the "Status" is listed as "Enabled". Under the "Task Name" column, click on the link for the designated task to review the task properties. In the "Actions" tab, next to "When Viruses and Trojans are found:", verify the radio button for "Clean infected files automatically" is selected. If the radio button for "When Viruses and Trojans are found: Clean infected files automatically" is not selected, this is a finding.

Responsibility

System Administrator

The McAfee VirusScan Enterprise for Linux 1.9.0 On Demand scanner must be configured to Move infected files to the quarantine directory if first action fails for when Viruses and Trojans are found.

Finding ID
DTAVSEL-107
Rule ID
SV-61985r1_rule
Severity
Cat II
CCE
(None)
Group Title
DTAVSEL-107-McAfee MOVE VSEL for SVA ODS scan second action
CCI
CCI-001242
Target Key
(None)
Documentable
No
Discussion

Malware may have infected a file that is necessary to the user. By configuring the antivirus software to first attempt cleaning the infected file, availability of the file is not sacrificed. If a cleaning attempt is not successful, however, deleting the file is the only safe option to ensure the malware is not introduced onto the system or network.

Fix Text

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. If a task does not exist for the regularly scheduled weekly scan, create a New Client Task to run an On Demand scan at least weekly. Click on Actions | Agent | Modify Tasks on a Single System. From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task. For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan". Under the "Task Name" column, click on the link for the designated task to review the task properties. In the "Actions" tab, next to "If the above action fails:", select the radio button for "Move infected files to the quarantine directory". Populate the "Quarantine Directory:" field with "/quarantine" (or another valid location as determined by the organization). Click Save.

Check Content

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Tasks on a Single System. From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task. If a weekly On Demand scan client task does not exist, this is a finding. For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan". Verify the "Status" is listed as "Enabled". Under the "Task Name" column, click on the link for the designated task to review the task properties. In the "Actions" tab, next to "If the above action fails:", verify the radio button for "Move infected files to the quarantine directory" is selected. Verify the "Quarantine Directory:" field is populated with "/quarantine" (or another valid location as determined by the organization). If the radio button for "If the above action fails: Move infected files to the quarantine directory" is not selected, this is a finding. If the "Quarantine Directory:" field is not populated, this is a finding.

Responsibility

System Administrator

Any paths and files excluded by the McAfee VirusScan Enterprise for Linux 1.9.0 On Demand scanner must be documented with, and approved by, the IAO/IAM.

Finding ID
DTAVSEL-108
Rule ID
SV-61991r1_rule
Severity
Cat II
CCE
(None)
Group Title
DTAVSEL-108-McAfee MOVE VSEL for SVA ODS file exclusions
CCI
CCI-001242
Target Key
(None)
Documentable
No
Discussion

When scanning for malware, excluding specific files will increase the risk of a malware-infected file going undetected. By configuring antivirus software without any exclusions, the scanner has a higher success rate at detecting and eradicating malware.

Fix Text

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. If a task does not exist for the regularly scheduled weekly scan, create a New Client Task to run an On Demand scan at least weekly. Click on Actions | Agent | Modify Tasks on a Single System. From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task. For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan". Under the "Task Name" column, click on the link for the designated task to review the task properties. In the "Detection" tab, next to "What not to scan:", remove any entries from the "What not to scan:" section for which there has not been IAO/IAM approval. Click Save.

Check Content

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Tasks on a Single System. From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task. If a weekly On Demand scan client task does not exist, this is a finding. For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan". Verify the "Status" is listed as "Enabled". Under the "Task Name" column, click on the link for the designated task to review the task properties. In the "Detection" tab, next to "What not to scan:", verify no entries exist. If any entries exist, verify the exclusion of those files and directories has been documented by the System Administrator and approved by the IAO/IAM. If any entries are present in the "What not to scan:" setting for the "Select files and directories to be excluded from virus scanning" field, and those files and directories have not been documented by the System Administrator and approved by the IAO/IAM, this is a finding. If any entries are present in the "What not to scan:" setting for the "Select files and directories to be excluded from virus scanning" field, and those files and directories have been documented by the System Administrator and approved by the IAO/IAM, this is not a finding.

Responsibility

System Administrator

The McAfee VirusScan Enterprise for Linux 1.9.0 On Demand scanner must be configured to Clean infected files automatically as first action when programs and jokes are found.

Finding ID
DTAVSEL-110
Rule ID
SV-62001r1_rule
Severity
Cat II
CCE
(None)
Group Title
DTAVSEL-110-McAfee MOVE VSEL for SVA ODS PUPS first action
CCI
CCI-001242
Target Key
(None)
Documentable
No
Discussion

Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attack mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attack mechanisms. Configuring the antivirus software to attempt to clean the file first will allow for the possibility of a false positive. In most cases, however, the secondary action of delete will be used, mitigating the risk of the PUPs being installed and used maliciously.

Fix Text

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Tasks on a Single System. From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task. For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan". Under the "Task Name" column, click on the link for the designated task to review the task properties. In the "Actions" tab, next to "When Programs & Jokes are found:", select the radio button for "Clean infected files automatically". Click Save.

Check Content

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Tasks on a Single System. From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task. If a weekly On Demand scan client task does not exist, this is a finding. For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan". Verify the "Status" is listed as "Enabled". Under the "Task Name" column, click on the link for the designated task to review the task properties. In the "Actions" tab, next to "When Programs & Jokes are found:", verify the radio button for "Clean infected files automatically" is selected. If the radio button for "When Programs & Jokes are found: Clean infected files automatically" is not selected, this is a finding.

Responsibility

System Administrator

The McAfee VirusScan Enterprise for Linux 1.9.0 On Demand scanner must be configured to Move infected files to the quarantine directory if first action fails when programs and jokes are found.

Finding ID
DTAVSEL-111
Rule ID
SV-62005r1_rule
Severity
Cat II
CCE
(None)
Group Title
DTAVSEL-111-McAfee MOVE VSEL for SVA ODS scan PUPS second action
CCI
CCI-001242
Target Key
(None)
Documentable
No
Discussion

Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attack mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attack mechanisms. Configuring the antivirus software to attempt to clean the file first will allow for the possibility of a false positive. In most cases, however, the secondary action of delete will be used, mitigating the risk of the PUPs being installed and used maliciously.

Fix Text

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Tasks on a Single System. From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task. For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan". Under the "Task Name" column, click on the link for the designated task to review the task properties. In the "Actions" tab, next to "When Programs & Jokes are found: If the above action fails:", select the radio button for "Move infected files to the quarantine directory". Populate the "Quarantine Directory:" field with "/quarantine" (or another valid location as determined by the organization). Click Save.

Check Content

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Tasks on a Single System. From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task. If a weekly On Demand scan client task does not exist, this is a finding. For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan". Verify the "Status" is listed as "Enabled". Under the "Task Name" column, click on the link for the designated task to review the task properties. In the "Actions" tab, next to "When Programs & Jokes are found: If the above action fails:", verify the radio button for "Move infected files to the quarantine directory" is selected. Verify the "Quarantine Directory:" field is populated with "/quarantine" (or another valid location as determined by the organization). If the radio button for "When Programs & Jokes are found: If the above action fails: Move infected files to the quarantine directory" is not selected, this is a finding. If the "Quarantine Directory:" field is not populated with "/quarantine" (or another valid location as determined by the organization), this is a finding.

Responsibility

System Administrator

The McAfee VirusScan Enterprise for Linux 1.9.0 On Demand scanner must be configured to include all local drives and their sub-directories.

Finding ID
DTAVSEL-113
Rule ID
SV-62011r1_rule
Severity
Cat II
CCE
(None)
Group Title
DTAVSEL-113-McAfee MOVE VSEL for SVA ODS scan local drives
CCI
CCI-001242
Target Key
(None)
Documentable
No
Discussion

When scanning for malware, excluding specific file types will increase the risk of a malware-infected file going undetected. By configuring antivirus software to scan all file types, the scanner has a higher success rate at detecting and eradicating malware.

Fix Text

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Tasks on a Single System. From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task. For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan". Under the "Task Name" column, click on the link for the designated task to review the task properties. In the "Where" tab, populate the "Specify where scanning will take place" field with all local drives. Next to "Scan options", select the checkbox for "Include sub-directories". Click Save.

Check Content

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Tasks on a Single System. From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task. If a weekly On Demand scan client task does not exist, this is a finding. For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan". Verify the "Status" is listed as "Enabled". Under the "Task Name" column, click on the link for the designated task to review the task properties. In the "Where" tab, verify the "Specify where scanning will take place" field is populated with all local drives. Next to "Scan options", verify the checkbox for "Include sub-directories" is selected. If the "Specify where scanning will take place" field is not populated with all local drives, this is a finding. If the "Include sub-directories" checkbox is not selected, this is a finding.

Responsibility

System Administrator

The McAfee VirusScan Enterprise for Linux 1.9.0 On Demand scanner must be configured to decompress archives when scanning.

Finding ID
DTAVSEL-101
Rule ID
SV-62149r1_rule
Severity
Cat II
CCE
(None)
Group Title
DTAVSEL-101-McAfee MOVE VSEL for SVA ODS decompress archive files
CCI
CCI-001242
Target Key
(None)
Documentable
No
Discussion

Malware is often packaged within an archive. In addition, archives might have other archives within. Not scanning archive files introduces the risk of infected files being introduced into the environment.

Fix Text

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. If a task does not exist for the regularly scheduled weekly scan, create a New Client Task to run an On Demand scan at least weekly. Click on Actions | Agent | Modify Tasks on a Single System. From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task. Under the "Task Name" column, click on the link for the designated task to review the task properties. In the "Advanced" tab, next to the Compressed files, select the check box for "Scan inside multiple-file archives (e.g. .ZIP)". Click Save.

Check Content

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Tasks on a Single System. From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task. If a weekly On Demand scan client task does not exist, this is a finding. For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan". Verify the "Status" is listed as "Enabled". Under the "Task Name" column, click on the link for the designated task to review the task properties. In the "Advanced" tab, next to the Compressed files, verify the check box for "Scan inside multiple-file archives (e.g. .ZIP)" has been selected. If, for the task designated as the regularly scheduled On Demand Scan, the check box for "Scan inside multiple-file archives (e.g. .ZIP)" next to the Compressed files is not selected, this is a finding.

Responsibility

System Administrator

The McAfee VirusScan Enterprise for Linux 1.9.0 On Demand scanner must be configured to decode MIME encoded files.

Finding ID
DTAVSEL-112
Rule ID
SV-62151r1_rule
Severity
Cat II
CCE
(None)
Group Title
DTAVSEL-112-McAfee MOVE VSEL for SVA ODS decode MIME encoded files
CCI
CCI-001242
Target Key
(None)
Documentable
No
Discussion

Malware is often packaged within an archive. In addition, archives might have other archives within. Not scanning archive files introduces the risk of infected files being introduced into the environment.

Fix Text

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Tasks on a Single System. From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task. Under the "Task Name" column, click on the link for the designated task to review the task properties. In the "Advanced" tab, next to the Compressed files, select the check box for "Decode MIME encoded files:". Click Save.

Check Content

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Tasks on a Single System. From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task. If a weekly On Demand scan client task does not exist, this is a finding. For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan". Verify the "Status" is listed as "Enabled". Under the "Task Name" column, click on the link for the designated task to review the task properties. In the "Advanced" tab, next to the Compressed files, verify the check box for "Decode MIME encoded files:" has been selected. If, for the task designated as the regularly scheduled On Demand Scan, the check box for "Decode MIME encoded files:" next to the Compressed files is not selected, this is a finding.

Responsibility

System Administrator