McAfee MOVE AV Agentless 4.5 Security Technical Implementation Guide

Version 1 Release 1
2017-12-11
U_McAfee_MOVE_AV_Agentless_4-5_STIG_V1R1_Manual-xccdf.xml
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Vulnerabilities (24)

The admin password for the McAfee MOVE AV Agentless Security Virtual Machine (SVM) must be changed from the default.

Finding ID
MV45-GEN-200002
Rule ID
SV-93167r1_rule
Severity
Cat I
CCE
(None)
Group Title
MV45-GEN-200002
CCI
CCI-002418
Target Key
(None)
Documentable
No
Discussion

The preconfigured Security Virtual Appliance (SVA) comes with a default password for the "SVAadmin" account. This account has root privileges to the Linux operating system of the appliance. By not changing the password from the default, the appliance will be subject to access by unauthorized individuals.

Fix Text

If the McAfee SVM was deployed manually, physically log into the McAfee SVM and change the password from the default. If the McAfee SVM was deployed with VMware vCNS or VMWare NSX, access the McAfee ePO console. From the Menu, select Automation >> MOVE AntiVirus Deployment. Under General >> General Configuration >> SVM Configuration (Agentless Only), populate the "Password" with a unique password. Confirm the password. Click "Save".

Check Content

If the McAfee SVM was deployed manually, physically log into the McAfee SVM and confirm the password has been changed from the default. If the password has not been changed from the default, this is a finding. If the McAfee SVM was deployed with VMware vCNS or VMware NSX, access the McAfee ePO console. From the Menu, select Automation >> MOVE AntiVirus Deployment. Under General >> General Configuration >> SVM Configuration (Agentless Only), verify the "Password" shows as configured. It will be masked. Verify with the System Administrator that the password has been changed from the default password. If "Password" does not show as configured and has not been changed from the default password, this is a finding.

The McAfee MOVE AV On Access Scan policy must be configured to enable protection.

Finding ID
MV45-OAS-200001
Rule ID
SV-93169r1_rule
Severity
Cat I
CCE
(None)
Group Title
MV45-OAS-200001
CCI
CCI-001242
Target Key
(None)
Documentable
No
Discussion

Anti-virus software should be installed as soon after operating system installation as possible and then updated with the latest signatures and anti-virus software patches (to eliminate any known vulnerabilities in the anti-virus software itself). The anti-virus software should then perform a complete scan of the host to identify any potential infections. To support the security of the host, the anti-virus software should be configured and maintained properly so it continues to be effective at detecting and stopping malware. Anti-virus software is most effective when its signatures are fully up to date. Accordingly, anti-virus software should be kept current with the latest signature and software updates to improve malware detection.

Fix Text

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "On Access Scan". Select each configured On Access Scan policy. Under "On-access scan", select the "Enable on-access scan" check box. Click "Save".

Check Content

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "On Access Scan". Select each configured On Access Scan policy. Under "On-access scan", verify the "Enable on-access scan" check box is selected. If the "Enable on-access scan" check box is not selected, this is a finding.

The McAfee MOVE AV On Access Scan policy must be configured to enforce a maximum On-Access Scan timeout of no less than 45 seconds.

Finding ID
MV45-OAS-200002
Rule ID
SV-93171r1_rule
Severity
Cat II
CCE
(None)
Group Title
MV45-OAS-200002
CCI
CCI-001242
Target Key
(None)
Documentable
No
Discussion

This setting configures the amount of time, in seconds, to wait for a scan to complete. The default setting is 45 seconds. This is the duration for which a McAfee MOVE AV Agent will wait for the scan response for a file from the Security Virtual Machine (SVM). Typically, file scans are very fast. However, file scans may take longer due to large file size, file type, or heavy load on the SVM. If the file scan takes longer than the scan timeout limit, the file access is allowed and a scan timeout event is generated. Setting the timeout too low may result in scans of a file terminating before the scan is completed, resulting in malware potentially going undetected.

Fix Text

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "On Access Scan". Select each configured On Access Scan policy. Click "Show Advanced". Under "On-access Scan", set the "Specify maximum time for each file scan" for "45" seconds or more. Click "Save".

Check Content

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "On Access Scan". Select each configured On Access Scan policy. Click "Show Advanced". Under "On-access Scan", verify the "Specify maximum time for each file scan" is configured for "45" seconds or more. If "Specify maximum time for each file scan" is not configured for "45" seconds or more, this is a finding.

The McAfee MOVE AV On Access Scan policy must be configured to scan files when writing to disk.

Finding ID
MV45-OAS-200004
Rule ID
SV-93173r1_rule
Severity
Cat II
CCE
(None)
Group Title
MV45-OAS-200004
CCI
CCI-001242
Target Key
(None)
Documentable
No
Discussion

Anti-virus software is the most commonly used technical control for malware threat mitigation. Real-time scanning of files as they are written to disk is a crucial first line of defense from malware attacks.

Fix Text

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "On Access Scan". Select each configured On Access Scan policy. Under "Scan", select the "When writing to disk" check box. Click "Save".

Check Content

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "On Access Scan". Select each configured On Access Scan policy. Under "Scan", verify the "When writing to disk" check box is selected. If the "When writing to disk" check box is not selected, this is a finding.

The McAfee MOVE AV On Access Scan policy must be configured to scan files when reading from disk.

Finding ID
MV45-OAS-200005
Rule ID
SV-93175r1_rule
Severity
Cat II
CCE
(None)
Group Title
MV45-OAS-200005
CCI
CCI-001242
Target Key
(None)
Documentable
No
Discussion

Anti-virus software is the most commonly used technical control for malware threat mitigation. Real-time scanning of files as they are read from disk is a crucial first line of defense from malware attacks.

Fix Text

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "On Access Scan". Select each configured On Access Scan policy. Under "Scan", select the "When reading from disk" check box. Click "Save".

Check Content

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "On Access Scan". Select each configured On Access Scan policy. Under On-access Scan >> Scan, verify the "When reading from disk" check box is selected. If the "When reading from disk" check box is not selected, this is a finding.

The McAfee MOVE AV On Access Scan policy must be configured to scan all file types.

Finding ID
MV45-OAS-200006
Rule ID
SV-93177r1_rule
Severity
Cat II
CCE
(None)
Group Title
MV45-OAS-200006
CCI
CCI-001242
Target Key
(None)
Documentable
No
Discussion

When scanning for malware, excluding specific file types will increase the risk of a malware-infected file going undetected. By configuring anti-virus software to scan all file types, the scanner has a higher success rate at detecting and eradicating malware.

Fix Text

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "On Access Scan". Select each configured On Access Scan policy. Under "File Types to Scan", select the "All files" radio button. Click "Save".

Check Content

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "On Access Scan". Select each configured On Access Scan policy. Under "File Types to Scan", verify the "All files" radio button is selected. If the File Types to Scan "All files" radio button is not selected, this is a finding.

Path or file exclusions configured in the McAfee MOVE AV On Access Scan policy must be formally documented by the System Administrator and approved by the ISSO/ISSM.

Finding ID
MV45-OAS-200007
Rule ID
SV-93179r1_rule
Severity
Cat II
CCE
(None)
Group Title
MV45-OAS-200007
CCI
CCI-000366
Target Key
(None)
Documentable
No
Discussion

When scanning for malware, excluding specific file types will increase the risk of a malware-infected file going undetected. By configuring anti-virus software to scan all file types, the scanner has a higher success rate at detecting and eradicating malware. Excluding files, paths, and processes from being scanned expands the potential for malware to be allowed onto the information system. While it is recognized that some file types might need to be excluded for operational reasons and/or because protection is afforded to those files through a different mechanism, allowing those exclusions should always be vetted, documented, and approved before applying.

Fix Text

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "On Access Scan". Select each configured On Access Scan policy. Under "Exclusions", remove any Path Exclusions that have been configured other than the following and that have not been formally documented by the System Administrator and approved by the ISSO/ISSM:

**\McAfee\Common Framework\
**\Program Files\McAfee\Agent\
*.log

Click "Save".

Check Content

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "On Access Scan". Select each configured On Access Scan policy. Under "Exclusions", verify no Path Exclusions have been configured other than the following:

**\McAfee\Common Framework\
**\Program Files\McAfee\Agent\
*.log

If any Path Exclusions are configured and those Path Exclusions have not been formally documented by the System Administrator and approved by the ISSO/ISSM, this is a finding.

The McAfee MOVE AV On Access Scan policy must be configured to delete files automatically and quarantine as the first response of a threat detection.

Finding ID
MV45-OAS-200008
Rule ID
SV-93181r1_rule
Severity
Cat II
CCE
(None)
Group Title
MV45-OAS-200008
CCI
CCI-001241
Target Key
(None)
Documentable
No
Discussion

Malware incident containment has two major components: stopping the spread of malware and preventing further damage to hosts. Disinfecting a file is generally preferable to quarantining it because the malware is removed and the original file restored; however, many infected files cannot be disinfected. The primary goal of eradication is to remove malware from infected hosts.

Fix Text

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "On Access Scan". Select each configured On Access Scan policy. Click "Actions". Under "Threat detection first response", select "Delete files automatically and quarantine" from the drop-down list. Click "Save".

Check Content

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "On Access Scan". Select each configured On Access Scan policy. Click "Actions". Under "Threat detection first response", verify "Delete files automatically and quarantine" is selected. If "Threat detection first response" is not set to "Delete files automatically and quarantine", this is a finding.

The McAfee MOVE AV policy must be configured to enable On-Demand scanning.

Finding ID
MV45-ODS-200001
Rule ID
SV-93183r1_rule
Severity
Cat II
CCE
(None)
Group Title
MV45-ODS-200001
CCI
CCI-001241
Target Key
(None)
Documentable
No
Discussion

Anti-virus software is the most commonly used technical control for malware threat mitigation. Anti-virus software on hosts should be configured to scan all hard drives and folders regularly to identify any file system infections and to scan any removable media, if applicable, before media is inserted into the system. Not scheduling a regular scan of the hard drives of a system and/or not configuring the scan to scan all files and running processes introduces a higher risk of threats going undetected.

Fix Text

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "On Demand Scan". Select each configured On Demand Scan policy. Click "Show Advanced". Under "On-demand Scan", select the "Enable on-demand scan" check box. Click "Save".

Check Content

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "On Demand Scan". Select each configured On Demand Scan policy. Click "Show Advanced". Under "On-demand Scan", verify the "Enable on-demand scan" check box is selected. If the "Enable on-demand scan" check box is not selected, this is a finding.

The McAfee MOVE AV On Demand Scan policy must be configured to enforce a maximum time for each file scan of no less than 45 seconds.

Finding ID
MV45-ODS-200002
Rule ID
SV-93185r1_rule
Severity
Cat II
CCE
(None)
Group Title
MV45-ODS-200002
CCI
CCI-001241
Target Key
(None)
Documentable
No
Discussion

This setting configures the amount of time, in seconds, to wait for a scan to complete. The default setting is 45 seconds. This is the duration for which a McAfee MOVE AV Agent will wait for the scan response for a file from the Security Virtual Machine (SVM). Typically, file scans are very fast. However, file scans may take longer due to large file size, file type, or heavy load on the SVM. If the file scan takes longer than the scan timeout limit, the file access is allowed and a scan timeout event is generated. Setting the timeout too low may result in scans of a file terminating before the scan is completed, resulting in malware potentially going undetected.

Fix Text

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "On Demand Scan". Select each configured On Demand Scan policy. Click "Show Advanced". Under "On-demand Scan", configure the "Specify maximum time for each file scan" for 45 seconds or more. Click "Save".

Check Content

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "On Demand Scan". Select each configured On Demand Scan policy. Click "Show Advanced". Under "On-demand Scan", verify the "Specify maximum time for each file scan" is configured for 45 seconds or more. If the "Specify maximum time for each file scan" is not configured for 45 seconds or more, this is a finding.

The McAfee MOVE AntiVirus On Demand Scan policy must be configured to stop an on-demand scan after 150 minutes.

Finding ID
MV45-ODS-200003
Rule ID
SV-93187r1_rule
Severity
Cat II
CCE
(None)
Group Title
MV45-ODS-200003
CCI
CCI-001241
Target Key
(None)
Documentable
No
Discussion

This setting configures the maximum time (in minutes) for on-demand scanning. The default setting is 150 minutes. Typically, file scans are very fast. However, file scans may take longer due to large file size, file type, or heavy load on the Security Virtual Machine (SVM). For cases where an on-demand scan will take longer, the organization should determine the maximum amount of time for its on-demand scanning and explicitly configure this setting.

Fix Text

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "On Demand Scan". Select each configured On Demand Scan policy. Click "Show Advanced". Under "On-demand Scan", configure "On-demand scan will stop after" for 150 minutes or less. Click "Save".

Check Content

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "On Demand Scan". Select each configured On Demand Scan policy. Click "Show Advanced". Under "On-demand Scan", verify "On-demand scan will stop after" is configured for 150 minutes or less. If "On-demand scan will stop after" is not configured for 150 minutes or less, this is a finding.

The McAfee MOVE AV On Demand Scan policy must be configured to delete files automatically and quarantine as the first response of a threat detection.

Finding ID
MV45-ODS-200005
Rule ID
SV-93189r1_rule
Severity
Cat II
CCE
(None)
Group Title
MV45-ODS-200005
CCI
CCI-001241
Target Key
(None)
Documentable
No
Discussion

Malware incident containment has two major components: stopping the spread of malware and preventing further damage to hosts. Disinfecting a file is generally preferable to quarantining it because the malware is removed and the original file restored; however, many infected files cannot be disinfected. The primary goal of eradication is to remove malware from infected hosts. Deleting files found to contain malware while also moving them to quarantine will allow the files to be rendered useless but recoverable in the event of a false positive.

Fix Text

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "On Demand Scan". Select each configured On Demand Scan policy. Click "Show Advanced". Under "Actions", configure "Threat detection first response" for "Delete files automatically and quarantine". Click "Save".

Check Content

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "On Demand Scan". Select each configured On Demand Scan policy. Click "Show Advanced". Under "Actions", verify "Threat detection first response" is configured for "Delete files automatically and quarantine". If "Threat detection first response" is not configured for "Delete files automatically and quarantine", this is a finding.

The McAfee MOVE AV On Demand Scan policy must be configured to scan all file types.

Finding ID
MV45-ODS-200006
Rule ID
SV-93191r1_rule
Severity
Cat II
CCE
(None)
Group Title
MV45-ODS-200006
CCI
CCI-001241
Target Key
(None)
Documentable
No
Discussion

When scanning for malware, excluding specific file types will increase the risk of a malware-infected file going undetected. By configuring anti-virus software to scan all file types, the scanner has a higher success rate at detecting and eradicating malware.

Fix Text

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "On Demand Scan". Select each configured On Demand Scan policy. Click "Show Advanced". Under "File Type to Scan", select the "All files" radio button. Click "Save".

Check Content

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "On Demand Scan". Select each configured On Demand Scan policy. Click "Show Advanced". Under "File Type to Scan", verify "All files" is selected. If "All files" is not selected, this is a finding.

Path Exclusions configured in the McAfee MOVE AV On Demand Scan policy must be formally documented by the System Administrator and approved by the ISSO/ISSM.

Finding ID
MV45-ODS-200007
Rule ID
SV-93193r1_rule
Severity
Cat II
CCE
(None)
Group Title
MV45-ODS-200007
CCI
CCI-001241
Target Key
(None)
Documentable
No
Discussion

When scanning for malware, excluding specific file types will increase the risk of a malware-infected file going undetected. By configuring anti-virus software to scan all file types, the scanner has a higher success rate at detecting and eradicating malware. Excluding files, paths, and processes from being scanned expands the potential for malware to be allowed onto the information system. While it is recognized that some file types might need to be excluded for operational reasons and/or because protection is afforded to those files through a different mechanism, allowing those exclusions should always be vetted, documented, and approved before applying.

Fix Text

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "On Demand Scan". Select each configured On Demand Scan policy. Click "Show Advanced". Under "Exclusions", remove any Path Exclusions, other than the following paths, that have not been formally documented by the System Administrator and approved by the ISSO/ISSM:

**\McAfee\Common Framework\
**\Program Files\McAfee\Agent\
*.log

Click "Save".

Check Content

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "On Demand Scan". Select each configured On Demand Scan policy. Click "Show Advanced". Under "Exclusions", verify the Path Exclusions include only the following paths:

**\McAfee\Common Framework\
**\Program Files\McAfee\Agent\
*.log

If any Path Exclusions are included other than those specified above, and the exclusions have not been formally documented by the System Administrator and approved by the ISSO/ISSM, this is a finding.

The McAfee MOVE AV On-Demand Scan interval must be set to no more than every seven days.

Finding ID
MV45-ODS-200008
Rule ID
SV-93195r1_rule
Severity
Cat II
CCE
(None)
Group Title
MV45-ODS-200008
CCI
CCI-001241
Target Key
(None)
Documentable
No
Discussion

Anti-virus software is the most commonly used technical control for malware threat mitigation. Anti-virus software on hosts should be configured to scan all hard drives and folders regularly to identify any file system infections and to scan any removable media, if applicable, before media is inserted into the system. Not scheduling a regular scan of the hard drives of a system and/or not configuring the scan to scan all files and running processes introduces a higher risk of threats going undetected.

Fix Text

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "On Demand Scan". Select each configured On Demand Scan policy. Click "Show Advanced". Under "On-demand Scan", configure the "Run on-demand scan for every _ days" to "7" days or less. Click "Save".

Check Content

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "On Demand Scan". Select each configured On Demand Scan policy. Click "Show Advanced". Under "On-demand Scan", verify the "Run on-demand scan for every _ days" is configured to "7" days or less. If the "Run on-demand scan for every _ days" is not configured to "7" days or less, this is a finding.

The McAfee MOVE AV Options policy must specify the location of the quarantine network share.

Finding ID
MV45-OPT-200001
Rule ID
SV-93197r1_rule
Severity
Cat II
CCE
(None)
Group Title
MV45-OPT-200001
CCI
CCI-001242
Target Key
(None)
Documentable
No
Discussion

The quarantine on each system represents a potential danger should the files contained within the quarantine be executed inadvertently. To centrally manage the quarantine on all systems, the quarantine should always be configured the same across all systems, which will allow management to better control access to those locations.

Fix Text

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "Options". Select each configured Options policy. Under "Quarantine Manager" (Agentless only), populate the "Quarantine network share" field with a valid location for storing the quarantine. Click "Save".

Check Content

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "Options". Select each configured Options policy. Under "Quarantine Manager" (Agentless only), verify the "Quarantine network share" is populated. If the "Quarantine network share" is not populated, this is a finding.

The McAfee MOVE AV Options policy must specify the username and password for the quarantine network share.

Finding ID
MV45-OPT-200002
Rule ID
SV-93199r1_rule
Severity
Cat II
CCE
(None)
Group Title
MV45-OPT-200002
CCI
CCI-001242
Target Key
(None)
Documentable
No
Discussion

The quarantine on each system represents a potential danger should the files contained within the quarantine be executed inadvertently. To centrally manage the quarantine on all systems, the quarantine should always be configured the same across all systems, which will allow management to better control access to those locations.

Fix Text

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "Options". Select each configured Options policy. Under "Quarantine Manager" (Agentless only), configure the quarantine with "Network domain and username" and "Network password" for accessing the quarantine network share. Click "Save".

Check Content

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "Options". Select each configured Options policy. Under "Quarantine Manager" (Agentless only), verify the "Network domain and username", "Network password", and "Confirm password" fields are populated. The "Network password" and "Confirm password" will be masked if populated. If the "Network domain and username", "Network password", and "Confirm password" fields are not populated, this is a finding.

The McAfee MOVE AV SVM Settings policy ODS scheduler must be set to no more than every seven days.

Finding ID
MV45-SVM-200001
Rule ID
SV-93201r1_rule
Severity
Cat II
CCE
(None)
Group Title
MV45-SVM-200001
CCI
CCI-001241
Target Key
(None)
Documentable
No
Discussion

Anti-virus software is the most commonly used technical control for malware threat mitigation. Anti-virus software on hosts should be configured to scan all hard drives and folders regularly to identify any file system infections and to scan any removable media, if applicable, before media is inserted into the system. Not scheduling a regular scan of the hard drives of a system and/or not configuring the scan to scan all files and running processes introduces a higher risk of threats going undetected.

Fix Text

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "SVM Settings". Select each configured SVM Settings policy. Click "Show Advanced". Under "ODS Scheduler", select the "Scan" option. In the schedule, configure scan dates to accomplish at least weekly scanning. Click "Save".

Check Content

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "SVM Settings". Select each configured SVM Settings policy. Click "Show Advanced". Under "ODS Scheduler", verify the "Scan" option is selected. Review the schedule and verify a schedule of at least weekly is configured. If the ODS Scheduler "Scan" option is not selected or the schedule is not configured for at least weekly, this is a finding.

The McAfee MOVE AV SVM must be managed by the HBSS ePO server.

Finding ID
MV45-SVM-200003
Rule ID
SV-93203r1_rule
Severity
Cat II
CCE
(None)
Group Title
MV45-SVM-200003
CCI
CCI-000366
Target Key
(None)
Documentable
No
Discussion

Organizations should use centrally managed anti-virus software that is controlled and monitored regularly by anti-virus administrators, who are also typically responsible for acquiring, testing, approving, and delivering anti-virus signature and software updates throughout the organization. Users should not be able to disable or delete anti-virus software from their hosts, nor should they be able to alter critical settings. Anti-virus administrators should perform continuous monitoring to confirm that hosts are using current anti-virus software and that the software is configured properly. Implementing all of these recommendations should strongly support an organization in having a strong and consistent anti-virus deployment across the organization.

Fix Text

In the McAfee Management for Optimized Virtual Environments AntiVirus 4.5.0 Installation Guide, follow the Agentless installation and configuration sections for Deploying the McAfee MOVE AntiVirus service (NSX), Register vCenter Server with NSX Manager, and Register a VMware vCenter account with McAfee ePO.

Check Content

Access the ePO server. From the system tree, select the "Systems" tab and then find and click on the asset representing the McAfee MOVE SVM to open its properties. If the SVM is not listed as an asset in the ePO system tree, this is a finding.

The McAfee MOVE AV SVM Settings policy must be configured to scan for potentially unwanted programs.

Finding ID
MV45-SVM-200005
Rule ID
SV-93205r1_rule
Severity
Cat II
CCE
(None)
Group Title
MV45-SVM-200005
CCI
CCI-001242
Target Key
(None)
Documentable
No
Discussion

Due to the ability of malware to mutate after infection, standard anti-virus signatures may not be able to catch new strains or variants of the malware. Typically, these strains and variants will share unique characteristics with others in their virus family. By using a generic signature to detect the shared characteristics, using wildcards where differences lie, the generic signature can detect viruses even if they are padded with extra, meaningless code. This method of detection is heuristic detection.

Fix Text

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "SVM Settings". Select each configured SVM Settings policy. Click "Show Advanced". Under "Scanning Options", select the check box for "Enable scanning for potentially unwanted programs". Click "Save".

Check Content

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "SVM Settings". Select each configured SVM Settings policy. Click "Show Advanced". Under "Scanning Options", verify the check box for "Enable scanning for potentially unwanted programs" is selected. If the check box for "Enable scanning for potentially unwanted programs" is not selected, this is a finding.

The McAfee MOVE AV SVM Settings policy must be configured to scan for Multipurpose Internet Mail Extensions (MIME)-encoded files.

Finding ID
MV45-SVM-200006
Rule ID
SV-93207r1_rule
Severity
Cat II
CCE
(None)
Group Title
MV45-SVM-200006
CCI
CCI-001242
Target Key
(None)
Documentable
No
Discussion

MIME-encoded files can be crafted to hide a malicious payload. When the MIME-encoded file is presented to software that decodes MIME-encoded files, such as an email client, the malware is released. Scanning these files as part of the regularly scheduled scan tasks will mitigate this risk.
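As an added illustration of the two discussions above (a generic wildcard signature that still matches padded variants, and a payload that is only visible after MIME decoding), here is a small Python example. It is not part of the STIG or of the McAfee product; the signature bytes, the sample files and the email message are all constructed for the demonstration.

```python
import email
import re
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Constructed generic signature (hypothetical, not a real vendor signature):
# fixed bytes shared by a virus family, with "??" wildcards where variants differ.
GENERIC_SIG = "4D 5A ?? ?? 50 45 00 00 ?? 4C 01"

# Constructed samples: two family variants (the second is padded with filler
# bytes and differs at the wildcard positions) and a benign look-alike.
VARIANT_A = b"MZ\x90\x00PE\x00\x00\x07L\x01"
VARIANT_B = b"\x90" * 16 + b"MZ\x00\x01PE\x00\x00\x42L\x01" + b"\x00" * 8
BENIGN = b"MZ\x90\x00PE\x00\x00\x07L\x02"


def compile_signature(sig: str) -> re.Pattern:
    """Turn a hex/wildcard signature into a bytes regex ('??' matches any byte)."""
    parts = [b"." if tok == "??" else rb"\x%02x" % int(tok, 16) for tok in sig.split()]
    return re.compile(b"".join(parts), re.DOTALL)


SIG = compile_signature(GENERIC_SIG)


def matches(sig: re.Pattern, data: bytes) -> bool:
    """True if the generic signature occurs anywhere in data."""
    return sig.search(data) is not None


def build_message(attachment: bytes) -> bytes:
    """Build a constructed MIME message carrying the attachment base64-encoded."""
    msg = MIMEMultipart()
    msg["Subject"] = "constructed sample"
    msg.attach(MIMEText("see attached"))
    msg.attach(MIMEApplication(attachment, Name="sample.bin"))  # base64 by default
    return msg.as_bytes()


def scan_message(raw: bytes, sig: re.Pattern) -> dict:
    """Map each leaf MIME part to (hit on transfer-encoded text, hit on decoded bytes)."""
    msg = email.message_from_bytes(raw)
    results = {}
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or part.get_content_type()
        encoded = part.get_payload().encode("ascii", "replace")  # what a scan of the raw file sees
        decoded = part.get_payload(decode=True) or b""           # what the mail client releases
        results[name] = (matches(sig, encoded), matches(sig, decoded))
    return results
```

Scanning only the transfer-encoded text never hits the signature (base64 cannot contain the signature's zero bytes), while scanning the decoded attachment does, which is the gap the "scan MIME-encoded files" setting closes.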

Fix Text

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "SVM Settings". Select each configured SVM Settings policy. Click "Show Advanced". Under "Scanning Options", select the "Enabled scanning for MIME-encoded files" check box. Click "Save".

Check Content

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "SVM Settings". Select each configured SVM Settings policy. Click "Show Advanced". Under "Scanning Options", verify "Enabled scanning for MIME-encoded files" check box is selected. If "Enabled scanning for MIME-encoded files" is not selected, this is a finding.

The McAfee MOVE AV SVM Settings policy must be configured to use McAfee Global Threat Intelligence File Reputation with a sensitivity level of medium or higher.

Finding ID
MV45-SVM-200007
Rule ID
SV-93209r1_rule
Severity
Cat II
CCE
(None)
Group Title
MV45-SVM-200007
CCI
CCI-001242
Target Key
(None)
Documentable
No
Discussion

Anti-virus software vendors use collective intelligence from sensors and cross-vector intelligence from web, email, and network threats to compile scores that reflect the likelihood that a file in question is malware. This collective intelligence is updated constantly, far more frequently than the typical daily anti-virus signature files. With File Reputation lookup, the cloud-based database is queried whenever a file appears suspicious, so up-to-the-minute intelligence is applied and the response to potentially malicious code is closer to real time than locally running anti-virus software alone can achieve. This type of protection reduces the threat protection time period from days to milliseconds, increases malware detection rates, and reduces downtime and remediation costs associated with malware attacks. Using File Reputation lookup is mandated by USCYBERCOM on DoD systems.

Fix Text

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "SVM Settings". Select each configured SVM Settings policy. Click "Show Advanced". Under "McAfee GTI", select the "Enable McAfee GTI" check box. Select "Medium" or higher for sensitivity level. Click "Save".

Check Content

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "SVM Settings". Select each configured SVM Settings policy. Click "Show Advanced". Under "McAfee GTI", verify the "Enable McAfee GTI" check box is selected with a sensitivity level of "Medium" or higher. If the "Enable McAfee GTI" check box is not selected or the sensitivity level is lower than "Medium", this is a finding.

The McAfee MOVE AV SVM settings policy must be configured to communicate with the hypervisor/vCenter server via HTTPS protocol.

Finding ID
MV45-SVM-200008
Rule ID
SV-93211r1_rule
Severity
Cat II
CCE
(None)
Group Title
MV45-SVM-200008
CCI
CCI-002418
Target Key
(None)
Documentable
No
Discussion

Requiring the McAfee MOVE AV Agentless SVA to authenticate to the hypervisor over HTTPS ensures the authentication is over a secure path.

Fix Text

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "SVM Settings". Select each configured SVM Settings policy. Click "Show Advanced". Under "SVM Configuration" (Agentless only), select "HTTPS" for the "Protocol" option. Click "Save".

Check Content

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "SVM Settings". Select each configured SVM Settings policy. Click "Show Advanced". Under "SVM Configuration" (Agentless only), verify the "Protocol" option is set for "HTTPS". If the "Protocol" option is not set to "HTTPS", this is a finding.

The McAfee MOVE AV SVM settings policy must be configured to authenticate to the hypervisor/vCenter server with user name and password.

Finding ID
MV45-SVM-200009
Rule ID
SV-93213r1_rule
Severity
Cat II
CCE
(None)
Group Title
MV45-SVM-200009
CCI
CCI-002418
Target Key
(None)
Documentable
No
Discussion

Requiring the McAfee MOVE AV Agentless SVA to authenticate to the hypervisor with a username and password, coupled with HTTPS, ensures authentication is over a secure path from a valid source.

Fix Text

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "SVM Settings". Select each configured SVM Settings policy. Click "Show Advanced". Under "SVM Configuration" (Agentless only), populate the "Username:" and "Password:" fields with a user/password combination that has authentication access to the hypervisor. Click "Test connection settings". Click "Save".

Check Content

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "SVM Settings". Select each configured SVM Settings policy. Click "Show Advanced". Under "SVM Configuration" (Agentless only), verify the "Username:" field is populated. Note: The "Password:" field will appear to be blank. Since the "Username:" field cannot be populated and saved without a password, the "Password:" field requirement can be considered compliant provided the "Username:" field is validated as populated. If the "Username:" field is not populated, this is a finding.