Free DISA STIG and SRG Library | Vaulted

McAfee MOVE Agentless 3.6.1 Security Virtual Appliance STIG

Version 1 Release 5
2016-10-28
U_McAfee_MOVE_Agentless3-6-1_SVA_V1R5_Manual-xccdf.xml
The McAfee MOVE 3.6.1 Agentless SVA STIG is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from NIST SP 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.
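The page above is a rendering of the XCCDF file named in the header. As an added example that is not part of the STIG or of any DISA tooling, the script below parses that XCCDF structure with the Python standard library and maps the XCCDF severity attribute to the CAT I/II/III shown on this page. The sample XML embedded in it is constructed from the first rule (AV-MOVE-VM-001) and the HTTPS rule (AV-MOVE-SVA-002) of this STIG; the Group ids and the fixref/check ids are placeholders, because the rendered page does not show them.

```python
"""Parse a DISA STIG XCCDF benchmark into a flat list of rules.

Added example; not part of the STIG. SAMPLE_XCCDF is a constructed
fragment modelled on two rules of this STIG. Group ids and fixref/check
ids are placeholders (the rendered page does not show them).
"""
import re
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.1"
NS = {"x": XCCDF_NS}

# XCCDF "severity" values and the CAT levels DISA STIG viewers display for them.
SEVERITY_TO_CAT = {"high": "CAT I", "medium": "CAT II", "low": "CAT III"}

# Constructed sample shaped like U_McAfee_MOVE_Agentless3-6-1_SVA_V1R5_Manual-xccdf.xml.
SAMPLE_XCCDF = f"""<Benchmark xmlns="{XCCDF_NS}" id="McAfee_MOVE_Agentless_3-6-1_SVA">
  <status date="2016-10-28">accepted</status>
  <title>McAfee MOVE Agentless 3.6.1 Security Virtual Appliance STIG</title>
  <version>1</version>
  <Group id="V-EXAMPLE-1">
    <title>AV-MOVE-VM-001 Virtual Machine protected status</title>
    <Rule id="SV-56609r2_rule" severity="high" weight="10.0">
      <version>AV-MOVE-VM-001</version>
      <title>The Virtual Machine must have VMware vShield Endpoint thin client installed and shown as protected in the vShield Manager.</title>
      <description>&lt;VulnDiscussion&gt;McAfee MOVE AV Agentless requires vShield Endpoint to be installed on a virtual machine in order for the McAfee MOVE Security Virtual Appliance to protect it.&lt;/VulnDiscussion&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;</description>
      <ident system="http://iase.disa.mil/cci">CCI-001242</ident>
      <fixtext fixref="F-EXAMPLE-1_fix">If the virtual machine is not showing as a "Protected VM", install VMware Tools on the guest VM and select Custom install of VMware tools.</fixtext>
      <check system="C-EXAMPLE-1_chk">
        <check-content>Log in to vShield Manager. If virtual machines are not listed with a description of Thin Agent Enabled, this is a finding.</check-content>
      </check>
    </Rule>
  </Group>
  <Group id="V-EXAMPLE-2">
    <title>AV-MOVE-SVA-002-McAfee MOVE Agentless SVA authentication policy</title>
    <Rule id="SV-56788r2_rule" severity="medium" weight="10.0">
      <version>AV-MOVE-SVA-002</version>
      <title>The McAfee MOVE AV Agentless SVA Authentication policy must be configured to communicate with the Hypervisor/vCenter server via HTTPS protocol.</title>
      <description>&lt;VulnDiscussion&gt;Requiring the McAfee MOVE AV Agentless SVA to authenticate to the hypervisor over HTTPS ensures the authentication is over a secure path.&lt;/VulnDiscussion&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;</description>
      <ident system="http://iase.disa.mil/cci">CCI-001242</ident>
      <fixtext fixref="F-EXAMPLE-2_fix">Select "https" from the "Protocol:" drop-down list. Click on Save.</fixtext>
      <check system="C-EXAMPLE-2_chk">
        <check-content>Verify the "Protocol:" is set to "https". If the "Protocol:" is not set to "https", this is a finding.</check-content>
      </check>
    </Rule>
  </Group>
</Benchmark>
"""


def severity_to_cat(severity):
    """Map an XCCDF severity string to the STIG CAT level ("unknown" if unmapped)."""
    return SEVERITY_TO_CAT.get((severity or "").lower(), "unknown")


def _text(elem, path):
    """Stripped text of the first child matching a namespaced path, or ""."""
    node = elem.find(path, NS)
    return (node.text or "").strip() if node is not None else ""


def vuln_discussion(description):
    """Pull the VulnDiscussion body out of the escaped pseudo-tags DISA puts in <description>."""
    match = re.search(r"<VulnDiscussion>(.*?)</VulnDiscussion>", description, re.S)
    return match.group(1).strip() if match else description.strip()


def parse_xccdf(xml_text):
    """Return one dict per <Rule>, carrying the fields the STIG viewer shows."""
    root = ET.fromstring(xml_text)
    rules = []
    for group in root.findall("x:Group", NS):
        for rule in group.findall("x:Rule", NS):
            severity = rule.get("severity", "")
            rules.append({
                "group_id": group.get("id"),
                "group_title": _text(group, "x:title"),
                "rule_id": rule.get("id"),
                "finding_id": _text(rule, "x:version"),   # e.g. AV-MOVE-VM-001
                "severity": severity,
                "cat": severity_to_cat(severity),
                "title": _text(rule, "x:title"),
                "discussion": vuln_discussion(_text(rule, "x:description")),
                "ccis": [i.text for i in rule.findall("x:ident", NS) if i.text],
                "fix": _text(rule, "x:fixtext"),
                "check": _text(rule, "x:check/x:check-content"),
            })
    return rules


def cat_i_rules(rules):
    """Finding IDs of the CAT I rules: the ones to fix first."""
    return [r["finding_id"] for r in rules if r["cat"] == "CAT I"]


if __name__ == "__main__":
    for r in parse_xccdf(SAMPLE_XCCDF):
        print(f'{r["finding_id"]:16} {r["rule_id"]:18} {r["cat"]:7} {r["title"][:60]}')
```

Point `parse_xccdf` at the text of the real `U_McAfee_MOVE_Agentless3-6-1_SVA_V1R5_Manual-xccdf.xml` to get all 26 rules; the namespace is the XCCDF 1.1 one used by DISA manual STIGs of this period, so a benchmark in another XCCDF version needs `XCCDF_NS` changed.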

Vulnerabilities (26)

The Virtual Machine must have VMware vShield Endpoint thin client installed and shown as protected in the vShield Manager.

Finding ID
AV-MOVE-VM-001
Rule ID
SV-56609r2_rule
Severity
Cat I
CCE
(None)
Group Title
AV-MOVE-VM-001 Virtual Machine protected status
CCI
CCI-001242
Target Key
(None)
Documentable
No
Discussion

The vShield Manager is the centralized network management component of vShield, and is installed as a virtual appliance on an ESX host in a vCenter Server environment. The vShield Manager user interface or vSphere Client plug-in is used by administrators to install, configure, and maintain vShield components. vShield Endpoint offloads antivirus and anti-malware agent processing to a dedicated secure virtual appliance delivered by VMware partners. Since the secure virtual appliance (unlike a guest virtual machine) does not go offline, it can continuously update antivirus signatures, giving uninterrupted protection to the virtual machines on the host. New virtual machines (or existing virtual machines that went offline) are immediately protected with the most current antivirus signatures when they come online. vShield Endpoint installs as a hypervisor module and a security virtual appliance from a third-party antivirus vendor (VMware partner) on an ESX host. The hypervisor scans guest virtual machines from the outside, removing the need for agents in every virtual machine, which avoids resource bottlenecks and optimizes memory use. McAfee MOVE AV Agentless requires vShield Endpoint (the thin agent) to be installed in a virtual machine in order for the McAfee MOVE Security Virtual Appliance to protect it. A virtual machine without vShield Endpoint installed is not protected from malware and viruses by the SVA, regardless of how the SVA policy is configured.

Fix Text

If the virtual machine is not showing as a "Protected VM", install VMware Tools on the guest VM using a Custom install of VMware Tools:

In the vSphere Client, right-click the appropriate VM and select Guest | Install/Upgrade VMware Tools.
In the Install/Upgrade Tools dialog box, select Interactive Tools Upgrade and click OK.
Depending on the guest architecture, run setup.exe or setup64.exe as administrator.
Select Custom, then click Next.
Expand VMware Device Drivers | VMCI Drivers, then select vShield Drivers | This feature will be installed on local hard drive.
Access vShield Manager to confirm the virtual machine is showing as a "Protected VM".

Check Content

This STIG setting validates whether a virtual machine is protected by McAfee MOVE Agentless 3.6.1. With the assistance of the System Administrator, verify the client is reporting to the endpoint solution in vShield:
a. Log in to vShield Manager.
b. Browse to Datacenters | <yourdatacenter> | <esx host of vm> | Endpoint tab.
Virtual machines should be listed with a description of Thin Agent Enabled. If virtual machines are not listed with a description of Thin Agent Enabled, this is a finding.

Responsibility

System Administrator

The McAfee MOVE AV Agentless SVA policy must be configured with, and managed by, the HBSS ePO server.

Finding ID
AV-MOVE-SVA-001
Rule ID
SV-56787r2_rule
Severity
Cat II
CCE
(None)
Group Title
AV-MOVE-SVA-001-McAfee MOVE SVA policy management
CCI
CCI-001242
Target Key
(None)
Documentable
No
Discussion

Organizations should use centrally managed antivirus software that is controlled and monitored regularly by antivirus administrators, who are also typically responsible for acquiring, testing, approving, and delivering antivirus signature and software updates throughout the organization. Users should not be able to disable or delete antivirus software from their hosts, nor should they be able to alter critical settings. Antivirus administrators should perform continuous monitoring to confirm that hosts are using current antivirus software and that the software is configured properly. Implementing all of these recommendations should strongly support an organization in having a strong and consistent antivirus deployment across the organization.

Fix Text

Obtain the McAfee Agent install files from the McAfee ePO server and install them onto the McAfee MOVE SVA, following the same procedures as for any other Linux system managed by the McAfee ePO server. After installation, from the ePO server console System Tree, select "My Organization". Select the Systems tab. Find and double-click on the asset representing the McAfee MOVE Security Virtual Appliance (SVA) to open its properties. Under the System Properties tab, ensure the "Last Communication" date is within the time period designated by the "Agent-to-Server Communication Interval:" under the McAfee Agent tab. Under the System Properties tab, next to the Installed Products field, ensure "MOVE AV [Agentless]" is listed as an installed product.

Check Content

NOTE: The MOVE Agentless 3.6.1 Security Virtual Appliance (SVA) comes pre-installed with McAfee Agent 4.8 and requires that the McAfee Agent 4.8 Extension already be installed on the ePO 5.0.x server. ePO 4.6 environments must upgrade to the McAfee Agent 4.8 Extension prior to deployment of the MOVE Agentless 3.6.1 SVA. From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). If the system designated as the McAfee MOVE Security Virtual Appliance (SVA) is not in the ePO server System Tree, this is a finding. If the system designated as the McAfee MOVE Security Virtual Appliance (SVA) is in the ePO server System Tree, click on the system to open the System Information page. On the System Information page, verify "MOVE AV [Agentless]" is listed as an Installed Product. If the system does not show "MOVE AV [Agentless]" listed as an installed product, this is a finding.

Responsibility

System Administrator

The McAfee MOVE AV Agentless SVA Authentication policy must be configured to communicate with the Hypervisor/vCenter server via HTTPS protocol.

Finding ID
AV-MOVE-SVA-002
Rule ID
SV-56788r2_rule
Severity
Cat II
CCE
(None)
Group Title
AV-MOVE-SVA-002-McAfee MOVE Agentless SVA authentication policy
CCI
CCI-001242
Target Key
(None)
Documentable
No
Discussion

Requiring the McAfee MOVE AV Agentless SVA to authenticate to the hypervisor over HTTPS ensures the authentication is over a secure path. Over plain HTTP, the hypervisor/vCenter credentials configured in the SVA policy (see AV-MOVE-SVA-003) would cross the network in clear text and could be captured by anyone able to observe the management traffic.

Fix Text

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "MOVE AV [Agentless] 3.6.1". Locate "SVA" under the "Category" column and select the policy corresponding to it, found under the "Policy" column. On the Policy Settings page, select the "General Settings" tab and set the "Protocol:" drop-down list to "https". Click on Save.

Check Content

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "MOVE AV [Agentless] 3.6.1". Locate "SVA" under the "Category" column and select the policy corresponding to it, found under the "Policy" column. On the Policy Settings page, select the "General Settings" tab and verify the "Protocol:" is set to "https". If the "Protocol:" is not set to "https", this is a finding.

Responsibility

System Administrator

The McAfee MOVE AV Agentless SVA Authentication policy must be configured to authenticate to the Hypervisor/vCenter server with user name and password.

Finding ID
AV-MOVE-SVA-003
Rule ID
SV-56789r2_rule
Severity
Cat II
CCE
(None)
Group Title
AV-MOVE-SVA-003-McAfee MOVE SVA to hypervisor user name and password
CCI
CCI-001242
Target Key
(None)
Documentable
No
Discussion

Requiring the McAfee MOVE AV Agentless SVA to authenticate to the hypervisor with a username and password, coupled with HTTPS, ensures authentication is over a secure path from a valid source.

Fix Text

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "MOVE AV [Agentless] 3.6.1". Locate "SVA" under the "Category" column and select the policy corresponding to it, found under the "Policy" column. On the Policy Settings page, select the "General Settings" tab and populate the "User:" and "Password:" fields with a user/password combination that has authentication access to the hypervisor. Click on "Test the connection". Click on Save.

Check Content

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "MOVE AV [Agentless] 3.6.1". Locate "SVA" under the "Category" column and select the policy corresponding to it, found under the "Policy" column. On the Policy Settings page, select the "General Settings" tab and verify the "User:" field is populated. Note: The "Password:" field is displayed blank even when a password has been saved. Because the "User:" field cannot be saved without a password, the password requirement is considered met when the "User:" field is verified as populated. If the "User:" field is not populated, this is a finding.

Responsibility

System Administrator

The McAfee MOVE AV Agentless SVA Scan Settings policy must be configured with the SVA cache enabled.

Finding ID
AV-MOVE-SVA-004
Rule ID
SV-56790r2_rule
Severity
Cat II
CCE
(None)
Group Title
AV-MOVE-SVA-004-McAfee MOVE SVA Scan Cache
CCI
CCI-001242
Target Key
(None)
Documentable
No
Discussion

Enabling the cache in the McAfee MOVE AV Agentless SVA lets the SVA reuse the results of previous scans for files it has already examined, which improves scanning performance for the virtual machines it protects and reduces the load on the shared appliance.

Fix Text

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "MOVE AV [Agentless] 3.6.1". Locate "SVA" under the "Category" column and select the policy corresponding to it, found under the "Policy" column. In the Scan Settings tab of the Policy Settings page, next to the "SVA cache:", select the checkbox for "Enabled". Click on Save.

Check Content

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "MOVE AV [Agentless] 3.6.1". Locate "SVA" under the "Category" column and select the policy corresponding to it, found under the "Policy" column. In the Scan Settings tab of the Policy Settings page, next to the "SVA cache:", verify the checkbox for "Enabled" is selected. If the checkbox for "SVA cache: Enabled" is not selected, this is a finding.

Responsibility

System Administrator

The McAfee MOVE AV Agentless SVA Scan Settings policy must be configured to cache scan results for files up to a file size of 1 MB.

Finding ID
AV-MOVE-SVA-005
Rule ID
SV-56791r2_rule
Severity
Cat II
CCE
(None)
Group Title
AV-MOVE-SVA-005-McAfee MOVE SVA Scan Cache file size
CCI
CCI-001242
Target Key
(None)
Documentable
No
Discussion

While enabling cache in the McAfee MOVE AV Agentless SVA will enable a more effective performance when scanning virtual machines, the file size of cached items needs to be restricted in order to prevent excessively large files from being cached, which would have a negative impact on performance.

Fix Text

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "MOVE AV [Agentless] 3.6.1". Locate "SVA" under the "Category" column and select the policy corresponding to it, found under the "Policy" column. In the Scan Settings tab of the Policy Settings page, populate the "Cache scan result of file size up to (MB):" field with a value of "1". Click on Save.

Check Content

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on “Actions | Agent | Modify Policies on a Single System”. From the "Product:" drop-down list, select “MOVE AV [Agentless] 3.6.1”. Locate "SVA" under the "Category" column and select the policy corresponding to it, found under the "Policy" column. In the Scan Settings tab of the Policy Settings page, verify the "Cache scan result of file size up to (MB):" is configured for "1". If the "Cache scan result of file size up to (MB):" is not configured to "1", this is a finding.

Responsibility

System Administrator

The McAfee MOVE AV Agentless SVA Scan Settings policy for On-Demand Client Scan time interval must be set to no more than every 7 days.

Finding ID
AV-MOVE-SVA-006
Rule ID
SV-56792r2_rule
Severity
Cat II
CCE
(None)
Group Title
AV-MOVE-SVA-006-Mcafee MOVE SVA On-Demand Scan interval
CCI
CCI-001242
Target Key
(None)
Documentable
No
Discussion

Antivirus software is the most commonly used technical control for malware threat mitigation. Antivirus software on hosts should be configured to scan all hard drives regularly to identify any file system infections and to scan any removable media, if applicable, before media is inserted into the system. Not scheduling a regular scan of the hard drives of a system, or not configuring the scan to cover all files and running processes, introduces a higher risk of threats going undetected.

Fix Text

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "MOVE AV [Agentless] 3.6.1". Locate "SVA" under the "Category" column and select the policy corresponding to it, found under the "Policy" column. In the Scan Settings tab of the Policy Settings page, configure the "On-Demand Scan time interval (days):" with a value of "7" or less. Click on Save.

Check Content

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on "Actions | Agent | Modify Policies on a Single System". From the "Product:" drop-down list, select "MOVE AV [Agentless] 3.6.1". Locate "SVA" under the "Category" column and select the policy corresponding to it, found under the "Policy" column. In the Scan Settings tab of the Policy Settings page, verify the "On-Demand Scan time interval (days):" is set to "7" or less. If the "On-Demand Scan time interval (days):" is set to a value of more than "7", this is a finding.

Responsibility

System Administrator

The McAfee MOVE AV Agentless Scan policy must be configured to enable On-Access scanning.

Finding ID
AV-MOVE-SVA-101
Rule ID
SV-57765r2_rule
Severity
Cat I
CCE
(None)
Group Title
AV-MOVE-SVA-101-McAfee MOVE SVA On-Access scanning status
CCI
CCI-001242
Target Key
(None)
Documentable
No
Discussion

Antivirus software is the most commonly used technical control for malware threat mitigation. Antivirus software should be configured to perform real-time scans of each file as it is downloaded, opened, or executed.

Fix Text

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "MOVE AV [Agentless] 3.6.1". Locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column. In the General tab of the Policy Settings page, next to the "On-Access Scanning:", select the checkbox for "Enabled". Click on Save.

Check Content

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select MOVE AV [Agentless] 3.6.1. Locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column. In the General tab of the Policy Settings page, next to the "On-Access Scanning:", verify the checkbox for "Enabled" is selected. If the checkbox for "On-Access Scanning: Enabled" is not selected, this is a finding.

Responsibility

System Administrator

The McAfee MOVE AV Agentless Scan policy must be configured to enforce a maximum On-Access Scan timeout of no less than 45 seconds.

Finding ID
AV-MOVE-SVA-102
Rule ID
SV-57767r2_rule
Severity
Cat II
CCE
(None)
Group Title
AV-MOVE-SVA-102-McAfee MOVE On-Access scan timeout
CCI
CCI-001242
Target Key
(None)
Documentable
No
Discussion

This setting configures the amount of time, in seconds, to wait for a scan to complete. The default is 45 seconds. Typically, file scans are very fast; however, a scan may take longer because of a large file size, the file type, or heavy load on the offload scan server. If a scan exceeds the timeout limit, the file access is allowed and a scan timeout event is generated, so the control fails open for that file. Setting the timeout too low therefore terminates scans before they complete, and malware in the affected files may go undetected.

Fix Text

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select MOVE AV [Agentless] 3.6.1. Locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column. In the General tab of the Policy Settings page, next to the "On-Access Scan timeout:", select the checkbox for "Enforce a maximum scanning time for all files (On-Access Scans only)". In the "On-Access Scan timeout: Maximum scan time (seconds):" place a value of 45 or more. Click on Save.

Check Content

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "MOVE AV [Agentless] 3.6.1". Locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column. In the General tab of the Policy Settings page, next to the "On-Access Scan timeout:", verify the "Enforce a maximum scanning time for all files (On-Access Scans only)" checkbox is selected. Verify the "On-Access Scan timeout: Maximum scan time (seconds):" has a value of 45 or more. If the checkbox for "On-Access Scan timeout: Enforce a maximum scanning time for all files (On-Access Scans only)" is not selected, or the "On-Access Scan timeout: Maximum scan time (seconds):" does not have a value of 45 or more, this is a finding.

Responsibility

System Administrator

The McAfee MOVE AV Agentless Scan policy must be configured to enable On-Demand scanning.

Finding ID
AV-MOVE-SVA-103
Rule ID
SV-57769r2_rule
Severity
Cat II
CCE
(None)
Group Title
AV-MOVE-SVA-103-McAfee Move ODS status
CCI
CCI-001242
Target Key
(None)
Documentable
No
Discussion

Antivirus software is the most commonly used technical control for malware threat mitigation. Antivirus software on hosts should be configured to scan all hard drives and folders regularly to identify any file system infections and to scan any removable media, if applicable, before media is inserted into the system. Not scheduling a regular scan of the hard drives of a system, or not configuring the scan to cover all files and running processes, introduces a higher risk of threats going undetected.

Fix Text

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "MOVE AV [Agentless] 3.6.1". Locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column. In the General tab of the Policy Settings page, next to the "On-Demand Scanning:", select the checkbox for "Enabled". Click on Save.

Check Content

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select MOVE AV [Agentless] 3.6.1. Locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column. In the General tab of the Policy Settings page, next to the "On-Demand Scanning:", verify the checkbox for "Enabled" is selected. If the checkbox for "On-Demand Scanning: Enabled" is not selected, this is a finding.

Responsibility

System Administrator

The McAfee MOVE AV Agentless Scan policy must be configured to scan files when opened.

Finding ID
AV-MOVE-SVA-104
Rule ID
SV-57803r2_rule
Severity
Cat II
CCE
(None)
Group Title
AV-MOVE-SVA-104-McAfee MOVE OAS scan on open
CCI
CCI-001242
Target Key
(None)
Documentable
No
Discussion

Antivirus software is the most commonly used technical control for malware threat mitigation. Real-time scanning of files as they are read from disk is a crucial first line of defense from malware attacks.

Fix Text

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "MOVE AV [Agentless] 3.6.1". Locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column. In the Scan Items tab of the Policy Settings, next to the "On-Access Scan files:", select the checkbox for "On Open". Click on Save.

Check Content

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select MOVE AV [Agentless] 3.6.1 and locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column. In the Scan Items tab of the Policy Settings, next to the "On-Access Scan files:", verify the checkbox for "On Open" is selected. If the checkbox for "On-Access Scan files: On Open" is not selected, this is a finding.

Responsibility

System Administrator

The McAfee MOVE AV Agentless Scan policy must be configured to scan all file types.

Finding ID
AV-MOVE-SVA-105
Rule ID
SV-57807r2_rule
Severity
Cat II
CCE
(None)
Group Title
AV-MOVE-SVA-105-McAfee MOVE scan all file types
CCI
CCI-001242
Target Key
(None)
Documentable
No
Discussion

When scanning for malware, excluding specific file types will increase the risk of a malware-infected file going undetected. By configuring antivirus software to scan all file types, the scanner has a higher success rate at detecting and eradicating malware.

Fix Text

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "MOVE AV [Agentless] 3.6.1". Locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column. In the Scan Items tab of the Policy Settings, next to the "Files types to scan:", select the radio button for "All files". Click on Save.

Check Content

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "MOVE AV [Agentless] 3.6.1". Locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column. In the Scan Items tab of the Policy Settings, next to the "Files types to scan:", verify the radio button for "All files" is selected. If the radio button for "Files types to scan: All files" is not selected, this is a finding.

Responsibility

System Administrator

The McAfee MOVE AV Agentless Scan policy must be configured to scan files when closed.

Finding ID
AV-MOVE-SVA-106
Rule ID
SV-57813r2_rule
Severity
Cat II
CCE
(None)
Group Title
AV-MOVE-SVA-106-McAfee MOVE scan files on close
CCI
CCI-001242
Target Key
(None)
Documentable
No
Discussion

Antivirus software is the most commonly used technical control for malware threat mitigation. Real-time scanning of files as they are written to disk is a crucial first line of defense from malware attacks.

Fix Text

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "MOVE AV [Agentless] 3.6.1". Locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column. In the Scan Items tab of the Policy Settings, next to the "On-Access Scan files:", select the checkbox for "On Close". Click on Save.

Check Content

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select MOVE AV [Agentless] 3.6.1. Locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column. In the Scan Items tab of the Policy Settings, next to the "On-Access Scan files:", verify the checkbox for "On Close" is selected. If the checkbox for "On-Access Scan files: On Close" is not selected, this is a finding.

The McAfee MOVE AV Agentless Scan policy must be configured to scan inside archives.

Finding ID
AV-MOVE-SVA-107
Rule ID
SV-57827r3_rule
Severity
Cat II
CCE
(None)
Group Title
AV-MOVE-SVA-107-McAfee MOVE scan inside archives policy
CCI
CCI-001242
Target Key
(None)
Documentable
No
Discussion

Malware is often packaged within an archive, and archives may themselves contain other archives. Not scanning archive files introduces the risk of infected files being brought into the environment undetected.

Fix Text

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "MOVE AV [Agentless] 3.6.1". Locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column. In the Scan Items tab of the Policy Settings, next to the "Compressed files:", select the check box for "Scan inside archives (e.g., .ZIP)". Click on Save.

Check Content

Note: If the regularly scheduled scan includes the scanning of archive files, this setting may alternatively be left unconfigured and the requirement marked as Not Applicable. If configuring this setting causes performance degradation on virtual machines, this can be downgraded to a CAT III.

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "MOVE AV [Agentless] 3.6.1". Locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column. In the "Scan Items" tab of the Policy Settings, next to the "Compressed files:", verify the checkbox for "Scan inside archives (e.g., .ZIP)" is selected. If the checkbox for "Compressed files: Scan inside archives (e.g., .ZIP)" is not selected, this is a finding.

Responsibility

System Administrator

The McAfee MOVE AV Agentless Scan policy must be configured to decode MIME encoded files.

Finding ID
AV-MOVE-SVA-108
Rule ID
SV-61731r2_rule
Severity
Cat II
CCE
(None)
Group Title
AV-MOVE-SVA-108-McAfee MOVE scan decode MIME encoded files
CCI
CCI-001242
Target Key
(None)
Documentable
No
Discussion

Multipurpose Internet Mail Extensions (MIME) encoded files can be crafted to hide a malicious payload. When the MIME encoded file is presented to software that decodes MIME encoded files, such as an email client, the malware is released. Scanning these files as part of the regularly scheduled scan tasks will mitigate this risk.

Fix Text

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "MOVE AV [Agentless] 3.6.1". Locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column. In the Scan Items tab of the Policy Settings, next to the "Compressed files:", select the checkbox for "Decode MIME encoded files". Click on Save.

Check Content

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select MOVE AV [Agentless] 3.6.1. Locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column. In the Scan Items tab of the Policy Settings, next to the "Compressed files:", verify the checkbox for "Decode MIME encoded files" is selected. If the checkbox for "Compressed files: Decode MIME encoded files" is not selected, this is a finding.

Responsibility

System Administrator

The McAfee MOVE AV Agentless Scan policy must be configured to find unknown macro threats.

Finding ID
AV-MOVE-SVA-109
Rule ID
SV-61733r2_rule
Severity
Cat II
CCE
(None)
Group Title
AV-MOVE-SVA-109-McAfee MOVE find unknown macro threats
CCI
CCI-001242
Target Key
(None)
Documentable
No
Discussion

Due to the ability of malware to mutate after infection, standard antivirus signatures may not be able to catch new strains or variants of the malware. Typically, these strains and variants will share unique characteristics with others in their virus family. By using a generic signature to detect the shared characteristics, using wildcards where differences lie, the generic signature can detect viruses even if they are padded with extra, meaningless code. This method of detection is known as heuristic detection.

Fix Text

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "MOVE AV [Agentless] 3.6.1". Locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column. In the Scan Items tab of the Policy Settings, next to the "Heuristics:", select the checkbox for "Find unknown macro threats". Click on Save.

Check Content

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select MOVE AV [Agentless] 3.6.1. Locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column. In the Scan Items tab of the Policy Settings, next to the "Heuristics:", verify the checkbox for "Find unknown macro threats" is selected. If the checkbox for "Heuristics: Find unknown macro threats" is not selected, this is a finding.

Responsibility

System Administrator

The McAfee MOVE AV Agentless Scan policy for Heuristics must be configured to find unknown unwanted programs and Trojans.

Finding ID
AV-MOVE-SVA-110
Rule ID
SV-61735r2_rule
Severity
Cat II
CCE
(None)
Group Title
AV-MOVE-SVA-110-McAfee MOVE find unknown unwanted programs and Trojans
CCI
CCI-001242
Target Key
(None)
Documentable
No
Discussion

Due to the ability of malware to mutate after infection, standard antivirus signatures may not be able to catch new strains or variants of the malware. Typically, these strains and variants will share unique characteristics with others in their virus family. By using a generic signature to detect the shared characteristics, using wildcards where differences lie, the generic signature can detect viruses even if they are padded with extra, meaningless code. This method of detection is known as heuristic detection.

Fix Text

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "MOVE AV [Agentless] 3.6.1". Locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column. In the Scan Items tab of the Policy Settings, next to the "Heuristics:", select the checkbox for "Find unknown unwanted programs and trojans". Click on Save.

Check Content

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select MOVE AV [Agentless] 3.6.1. Locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column. In the Scan Items tab of the Policy Settings, next to the "Heuristics:", verify the checkbox for "Find unknown unwanted programs and trojans" is selected. If the checkbox for "Heuristics: Find unknown unwanted programs and trojans" is not selected, this is a finding.

Responsibility

System Administrator

The McAfee MOVE AV Agentless Scan policy must be configured to use McAfee Global Threat Intelligence file reputation set to a sensitivity level of Medium or higher.

Finding ID
AV-MOVE-SVA-111
Rule ID
SV-61737r2_rule
Severity
Cat II
CCE
(None)
Group Title
AV-MOVE-SVA-111-McAfee MOVE GTI sensitivity level
CCI
CCI-001242
Target Key
(None)
Documentable
No
Discussion

Antivirus software vendors use collective intelligence from sensors and cross-vector intelligence from web, email, and network threats to compile scores that reflect the likelihood that a file in question is malware. The collective intelligence is constantly being updated, more frequently than the typical daily antivirus signature files. With File Reputation lookup, a more real-time response to potential malicious code is realized than with locally running antivirus software alone, because the cloud-based database is queried whenever a file appears suspicious, providing up-to-the-minute intelligence. This type of protection reduces the threat protection time period from days to milliseconds, increases malware detection rates, and reduces downtime and remediation costs associated with malware attacks. Using File Reputation lookup is mandated by US CYBERCOM on DoD systems.

Fix Text

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "MOVE AV [Agentless] 3.6.1". Locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column. In the Scan Items tab of the Policy Settings, next to the "McAfee Global Threat Intelligence file reputation:", select Medium or higher from the "Sensitivity level:" drop-down list. Click on Save.

Check Content

NOTE: This check is Not Applicable for SIPRNet systems.

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "MOVE AV [Agentless] 3.6.1". Locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column. In the Scan Items tab of the Policy Settings, next to the "McAfee Global Threat Intelligence file reputation:", verify the "Sensitivity level:" is set to Medium or higher. If the "Sensitivity level:" for the "McAfee Global Threat Intelligence file reputation:" is not set to Medium or higher, this is a finding.

Responsibility

System Administrator

The McAfee MOVE AV Agentless Scan policy must be configured to detect unwanted programs.

Finding ID
AV-MOVE-SVA-112
Rule ID
SV-61739r2_rule
Severity
Cat II
CCE
(None)
Group Title
AV-MOVE-SVA-112-McAfee MOVE detect unwanted programs
CCI
CCI-001242
Target Key
(None)
Documentable
No
Discussion

Due to the ability of malware to mutate after infection, standard antivirus signatures may not be able to catch new strains or variants of the malware. Typically, these strains and variants will share unique characteristics with others in their virus family. By using a generic signature to detect the shared characteristics, using wildcards where differences lie, the generic signature can detect viruses even if they are padded with extra, meaningless code. This method of detection is known as heuristic detection.

Fix Text

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "MOVE AV [Agentless] 3.6.1". Locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column. In the Scan Items tab of the Policy Settings, next to the "Unwanted programs detection:", select the checkbox for "Detect unwanted programs". In the Scan Items tab of the Policy Settings, next to the "Unwanted programs detection:", select the checkboxes for "Spyware", "Adware", "Remote Administration Tools", "Dialers", "Password Crackers", "Jokes", "Key Loggers", and "Other Potentially Unwanted Programs". Click on Save.

Check Content

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select MOVE AV [Agentless] 3.6.1. Locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column. In the Scan Items tab of the Policy Settings, next to the "Unwanted programs detection:", verify the checkbox for "Detect unwanted programs" is selected. In the Scan Items tab of the Policy Settings, next to the "Unwanted programs detection:", verify the checkboxes for "Spyware", "Adware", "Remote Administration Tools", "Dialers", "Password Crackers", "Jokes", "Key Loggers", and "Other Potentially Unwanted Programs" are all selected. If the checkbox for "Unwanted programs detection: Detect unwanted programs", and/or the checkbox for any of "Spyware", "Adware", "Remote Administration Tools", "Dialers", "Password Crackers", "Jokes", "Key Loggers", and "Other Potentially Unwanted Programs" is not selected, this is a finding.

Responsibility

System Administrator

For any path or file exclusions configured in the McAfee MOVE AV Agentless Scan policy, those exclusions must be formally documented by the System Administrator and approved by the IAO/IAM.

Finding ID
AV-MOVE-SVA-113
Rule ID
SV-61741r2_rule
Severity
Cat II
CCE
(None)
Group Title
AV-MOVE-SVA-113-McAfee MOVE scan file exclusions
CCI
CCI-001242
Target Key
(None)
Documentable
No
Discussion

When scanning for malware, excluding specific file types increases the risk of a malware-infected file going undetected. By configuring antivirus software to scan all file types, the scanner has a higher success rate at detecting and eradicating malware. Excluding files, paths, and processes from being scanned expands the potential for malware to be allowed onto the information system. While it is recognized that some file types might need to be excluded for operational reasons and/or because those files are protected through a different mechanism, such exclusions should always be vetted, documented, and approved before being applied.

Fix Text

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. From the "Product:" drop-down list, select "MOVE AV [Agentless] 3.6.1". Locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column. In the "Exclusions" tab, remove any entries from the "Path and File Exclusion:" which have not been documented by the System Administrator and approved by the IAO/IAM. Click on Save.

Check Content

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "MOVE AV [Agentless] 3.6.1". Locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column. In the "Exclusions" tab, verify the "Path and File Exclusion:" does not have any entry other than the default "**\McAfee\Common Framework\". If any entries other than the default "**\McAfee\Common Framework\" do exist, verify those exclusions have been formally documented by the System Administrator and approved by the ISSO/ISSM. If there are entries in the "Path and File Exclusion:" other than the default "**\McAfee\Common Framework\" and those exclusions have not been formally documented by the System Administrator and approved by the ISSO/ISSM, this is a finding. If the "Path and File Exclusion:" has been populated with any exclusions other than the default, and those exclusions have been formally documented by the System Administrator and approved by the ISSO/ISSM, this is not a finding.

Responsibility

System Administrator

When a threat is found by the McAfee MOVE AV Agentless On-Access Scan, the Scan policy must be configured to delete files automatically as first action.

Finding ID
AV-MOVE-SVA-115
Rule ID
SV-61743r2_rule
Severity
Cat II
CCE
(None)
Group Title
AV-MOVE-SVA-115-McAfee MOVE scan first action
CCI
CCI-001242
Target Key
(None)
Documentable
No
Discussion

Malware incident containment has two major components: stopping the spread of malware and preventing further damage to hosts. Disinfecting a file is generally preferable to quarantining it because the malware is removed and the original file restored; however, many infected files cannot be disinfected. The primary goal of eradication is to remove malware from infected hosts.

Fix Text

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "MOVE AV [Agentless] 3.6.1". Locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column. In the Actions tab, next to the "On-Access Scan: When a threat is found:", select "Delete files automatically" from the "Perform this action first:" drop-down list. Click on Save.

Check Content

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select MOVE AV [Agentless] 3.6.1. Locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column. In the Actions tab, next to the "On-Access Scan: When a threat is found:", verify "Delete files automatically" is selected from the drop-down list for the "Perform this action first". If the "On-Access Scan: When a threat is found: Perform this action first:" does not have "Delete files automatically" selected from the drop-down list, this is a finding.

When a threat is found by the McAfee MOVE AV Agentless On-Access Scan, the Scan policy must be configured to deny access to files if first action fails.

Finding ID
AV-MOVE-SVA-116
Rule ID
SV-61745r2_rule
Severity
Cat II
CCE
(None)
Group Title
AV-MOVE-SVA-116-McAfee MOVE scan second action
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Malware incident containment has two major components: stopping the spread of malware and preventing further damage to hosts. Disinfecting a file is generally preferable to quarantining it because the malware is removed and the original file restored; however, many infected files cannot be disinfected. The primary goal of eradication is to remove malware from infected hosts.

Fix Text

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select MOVE AV [Agentless] 3.6.1. Locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column. In the Actions tab, next to the "On-Access Scan: When a threat is found:", select "Deny access to files" from the "If the first action fails, then perform this action:" drop-down list. Click on Save.

Check Content

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select MOVE AV [Agentless] 3.6.1. Locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column. In the Actions tab, next to the "On-Access Scan: When a threat is found:", verify "Deny access to files" is selected from the drop-down list for "If the first action fails, then perform this action". If the "On-Access Scan: When a threat is found: If the first action fails, then perform this action:" does not have "Deny access to files" selected from the drop-down list, this is a finding.

Responsibility

System Administrator

When a threat is found by the McAfee MOVE AV Agentless On-Demand Scan, the Scan policy must be configured to delete files automatically as first action.

Finding ID
AV-MOVE-SVA-117
Rule ID
SV-61747r2_rule
Severity
Cat II
CCE
(None)
Group Title
AV-MOVE-SVA-117-McAfee MOVE ODS scan first action
CCI
CCI-001242
Target Key
(None)
Documentable
No
Discussion

Malware incident containment has two major components: stopping the spread of malware and preventing further damage to hosts. Disinfecting a file is generally preferable to quarantining it because the malware is removed and the original file restored; however, many infected files cannot be disinfected. The primary goal of eradication is to remove malware from infected hosts.

Fix Text

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "MOVE AV [Agentless] 3.6.1". Locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column. In the Actions tab, next to the "On-Demand Scan: When a threat is found:", select "Delete files automatically" from the "Perform this action first:" drop-down list. Click on Save.

Check Content

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select MOVE AV [Agentless] 3.6.1. Locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column. In the Actions tab, next to the "On-Demand Scan: When a threat is found:", verify "Delete files automatically" is selected from the drop-down list for "Perform this action first". If the "On-Demand Scan: When a threat is found: Perform this action first:" does not have "Delete files automatically" selected from the drop-down list, this is a finding.

Responsibility

System Administrator

When a threat is found by the McAfee MOVE AV Agentless On-Demand Scan, the Scan policy must be configured to notify only if first action fails.

Finding ID
AV-MOVE-SVA-118
Rule ID
SV-61749r2_rule
Severity
Cat II
CCE
(None)
Group Title
AV-MOVE-SVA-118-McAfee MOVE scan notification
CCI
CCI-001242
Target Key
(None)
Documentable
No
Discussion

Malware incident containment has two major components: stopping the spread of malware and preventing further damage to hosts. Disinfecting a file is generally preferable to quarantining it because the malware is removed and the original file restored; however, many infected files cannot be disinfected. The primary goal of eradication is to remove malware from infected hosts.

Fix Text

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "MOVE AV [Agentless] 3.6.1". Locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column. In the Actions tab, next to the "On-Demand Scan: When a threat is found:", select "Notify Only" from the "If the first action fails, then perform this action:" drop-down list. Click on Save.

Check Content

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select MOVE AV [Agentless] 3.6.1. Locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column. In the Actions tab, next to the "On-Demand Scan: When a threat is found:", verify "Notify Only" is selected from the drop-down list for "If the first action fails, then perform this action". If the "On-Demand Scan: When a threat is found: If the first action fails, then perform this action:" does not have "Notify Only" selected from the drop-down list, this is a finding.

Responsibility

System Administrator

The McAfee MOVE AV Agentless Scan policy must be configured to enable the quarantine.

Finding ID
AV-MOVE-SVA-119
Rule ID
SV-61751r2_rule
Severity
Cat II
CCE
(None)
Group Title
AV-MOVE-SVA-119-McAfee MOVE quarantine
CCI
CCI-001242
Target Key
(None)
Documentable
No
Discussion

Malware incident containment has two major components: stopping the spread of malware and preventing further damage to hosts. Disinfecting a file is generally preferable to quarantining it because the malware is removed and the original file restored; however, many infected files cannot be disinfected. Accordingly, antivirus software should be configured to attempt to disinfect infected files and to either quarantine or delete files that cannot be disinfected. By enabling the Quarantine, organizations will have the ability to submit copies of unknown malware to their security software vendors for analysis and will be able to conduct internal forensic evaluation.

Fix Text

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select "MOVE AV [Agentless] 3.6.1". Locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column. In the Quarantine tab, next to the "Quarantine configuration:", select the checkbox for "Enabled". Click on Save.

Check Content

From the ePO server console System Tree, select "My Organization". Select the Systems tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the McAfee MOVE Security Virtual Appliance (SVA). Click on the system to open the System Information page. Click on Actions | Agent | Modify Policies on a Single System. From the "Product:" drop-down list, select MOVE AV [Agentless] 3.6.1. Locate "Scan" under the "Category" column and select the policy corresponding to it, found under the "Policy" column. In the Quarantine tab, next to Quarantine configuration, verify the checkbox for "Enabled" is selected. If the checkbox for "Quarantine configuration: Enabled" is not selected, this is a finding.

Responsibility

System Administrator
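The Scan policy requirements in AV-MOVE-SVA-106 through AV-MOVE-SVA-119 above, folded into one automated audit as an added example (not McAfee/ePO code and not part of the STIG). The policy dictionary layout, the `env` facts used for Not Applicable and downgrade decisions, and the ordering of the GTI sensitivity levels are assumptions; ePO's real policy export format is not assumed.

```python
# Added example, not McAfee/ePO code: audits a constructed representation of
# the MOVE AV [Agentless] 3.6.1 "Scan" policy against AV-MOVE-SVA-106..119.
# ePO's real policy export format is not assumed; the dict layout is ours.

# Only entry the STIG allows in "Path and File Exclusion:" without paperwork.
DEFAULT_EXCLUSION = "**\\McAfee\\Common Framework\\"
# "Sensitivity level:" drop-down, least to most aggressive (ordering assumed;
# the STIG itself only states "Medium or higher").
GTI_LEVELS = ["Very Low", "Low", "Medium", "High", "Very High"]
# Categories AV-MOVE-SVA-112 requires under "Unwanted programs detection:".
PUP_CATEGORIES = ["Spyware", "Adware", "Remote Administration Tools", "Dialers",
                  "Password Crackers", "Jokes", "Key Loggers",
                  "Other Potentially Unwanted Programs"]


def gti_at_least_medium(level):
    """True when the GTI sensitivity level is Medium or higher (SVA-111)."""
    return level in GTI_LEVELS and GTI_LEVELS.index(level) >= GTI_LEVELS.index("Medium")


def undocumented_exclusions(exclusions, approved):
    """Exclusions neither default nor documented/approved (SVA-113); Windows paths compare case-insensitively."""
    allowed = {DEFAULT_EXCLUSION.lower()} | {a.lower() for a in approved}
    return [e for e in exclusions if e.lower() not in allowed]


def audit_scan_policy(policy, env):
    """Return [(finding_id, severity, detail), ...] for every failed check.
    `env` holds the facts the Check Content uses for Not Applicable and downgrade
    decisions: SIPRNet, scheduled-scan archive coverage, performance degradation."""
    findings = []

    def fail(fid, sev, detail):
        findings.append((fid, sev, detail))

    items = policy["scan_items"]
    if not items["on_access_scan_files"].get("On Close"):
        fail("AV-MOVE-SVA-106", "CAT II", "On-Access Scan files: On Close not selected")
    if not items["compressed_files"].get("Scan inside archives"):
        # NA when the scheduled scan covers archives; CAT III when scanning
        # archives on access degrades virtual machine performance.
        if not env.get("scheduled_scan_covers_archives"):
            sev = "CAT III" if env.get("archive_scan_degrades_performance") else "CAT II"
            fail("AV-MOVE-SVA-107", sev, "Compressed files: Scan inside archives not selected")
    if not items["compressed_files"].get("Decode MIME encoded files"):
        fail("AV-MOVE-SVA-108", "CAT II", "Compressed files: Decode MIME encoded files not selected")
    for fid, option in (("AV-MOVE-SVA-109", "Find unknown macro threats"),
                        ("AV-MOVE-SVA-110", "Find unknown unwanted programs and trojans")):
        if not items["heuristics"].get(option):
            fail(fid, "CAT II", f"Heuristics: {option} not selected")
    # SVA-111 is Not Applicable on SIPRNet systems.
    if not env.get("siprnet") and not gti_at_least_medium(items["gti_sensitivity"]):
        fail("AV-MOVE-SVA-111", "CAT II",
             f"GTI sensitivity level {items['gti_sensitivity']!r} is below Medium")
    pup = items["unwanted_programs"]
    missing = [c for c in PUP_CATEGORIES if not pup.get(c)]
    if not pup.get("Detect unwanted programs") or missing:
        fail("AV-MOVE-SVA-112", "CAT II",
             "Unwanted programs detection incomplete; missing: " + ", ".join(missing))
    extra = undocumented_exclusions(policy["exclusions"], env.get("approved_exclusions", []))
    if extra:
        fail("AV-MOVE-SVA-113", "CAT II", "undocumented exclusions: " + ", ".join(extra))
    actions = policy["actions"]
    for fid, scan, slot, expected in (
            ("AV-MOVE-SVA-115", "on_access", "first", "Delete files automatically"),
            ("AV-MOVE-SVA-116", "on_access", "if_first_fails", "Deny access to files"),
            ("AV-MOVE-SVA-117", "on_demand", "first", "Delete files automatically"),
            ("AV-MOVE-SVA-118", "on_demand", "if_first_fails", "Notify Only")):
        if actions[scan][slot] != expected:
            fail(fid, "CAT II", f"{scan} {slot}: expected {expected!r}, found {actions[scan][slot]!r}")
    if not policy["quarantine"].get("Enabled"):
        fail("AV-MOVE-SVA-119", "CAT II", "Quarantine configuration: Enabled not selected")
    return findings


# Constructed sample with three deliberate gaps: archives not scanned on access,
# an undocumented exclusion, and the wrong On-Demand secondary action.
SAMPLE_POLICY = {
    "scan_items": {
        "on_access_scan_files": {"On Close": True},
        "compressed_files": {"Scan inside archives": False, "Decode MIME encoded files": True},
        "heuristics": {"Find unknown macro threats": True,
                       "Find unknown unwanted programs and trojans": True},
        "gti_sensitivity": "Medium",
        "unwanted_programs": {"Detect unwanted programs": True, **{c: True for c in PUP_CATEGORIES}},
    },
    "exclusions": [DEFAULT_EXCLUSION, "C:\\Oracle\\"],
    "actions": {"on_access": {"first": "Delete files automatically", "if_first_fails": "Deny access to files"},
                "on_demand": {"first": "Delete files automatically", "if_first_fails": "Deny access to files"}},
    "quarantine": {"Enabled": True},
}
SAMPLE_ENV = {"siprnet": False, "scheduled_scan_covers_archives": False,
              "archive_scan_degrades_performance": True, "approved_exclusions": []}

if __name__ == "__main__":
    for fid, sev, detail in audit_scan_policy(SAMPLE_POLICY, SAMPLE_ENV):
        print(f"{fid} [{sev}]: {detail}")
```

Against the constructed sample this reports SVA-107 (downgraded to CAT III), SVA-113 and SVA-118; feeding it a policy that satisfies every setting returns an empty list.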

The McAfee MOVE AV Agentless SVAadmin account password must be changed from the default.

Finding ID
AV-MOVE-SVA-10
Rule ID
SV-62603r1_rule
Severity
Cat I
CCE
(None)
Group Title
AV-MOVE-SVA-10-McAfee MOVE SVAadmin password
CCI
CCI-001242
Target Key
(None)
Documentable
No
Discussion

The pre-configured Security Virtual Appliance (SVA) comes with a default password for the SVAadmin account. This account has root privileges on the Linux OS of the appliance. If the password is not changed from the default, the appliance will be subject to access by unauthorized individuals.

Fix Text

Following local password change procedures for Linux systems, change the SVAadmin password from the default of "admin".

Check Content

Have the System Administrator confirm the SVAadmin password has been changed from the default of "admin". If the SVAadmin password has not been changed from the default of "admin", this is a finding.

Responsibility

System Administrator