
McAfee MOVE AV Multi-Platform 4.5 Security Technical Implementation Guide

Version 1 Release 2 (previous release: Version 1 Release 1)
2018-07-27 (previous release: 2017-12-11)
U_McAfee_MOVE_AV_Multi-Platform_4-5_STIG_V1R2_Manual-xccdf.xml (previous release: U_McAfee_MOVE_AV_Multi-Platform_4-5_STIG_V1R1_Manual-xccdf.xml)
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Compare Summary

Compare V1R2 to V1R1: 1 rule updated, 0 added, 0 removed.

Vulnerabilities (34)

The McAfee MOVE AV Options Policy must be configured with the location of quarantine to ensure consistency across all systems.

Finding ID: MV45-OPT-000001
Rule ID: SV-93265r2_rule (previous release: SV-93265r1_rule)
Severity: Cat II
CCE: (None)
Group Title: MV45-OPT-000001
CCI: CCI-001242
Target Key: (None)
Documentable: No
Discussion

The quarantine on each system represents a potential danger should the files contained within the quarantine be executed inadvertently. To centrally manage the quarantine on all systems, the quarantine should always be configured the same across all systems, which will allow management to better control access to those locations.

Fix Text

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "Options". Select each configured Options policy. Under "Quarantine Manager", configure the Quarantine Directory to <SYSTEM_DRIVE>\Quarantine, or another location authorized by the ISSM. Click "Save".

Check Content

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "Options". Select each configured Options policy. Under "Quarantine Manager", verify the Quarantine Directory is set to <SYSTEM_DRIVE>\Quarantine or another location authorized by the ISSM. If the Quarantine Directory is not set to <SYSTEM_DRIVE>\Quarantine, or another location authorized by the ISSM, this is a finding.

The McAfee MOVE AV Common Options policy must be configured to report all events to the Windows Event Log.

Finding ID: MV45-COP-000001
Rule ID: SV-93215r1_rule
Severity: Cat II
CCE: (None)
Group Title: MV45-COP-000001
CCI: CCI-001489
Target Key: (None)
Documentable: No
Discussion

Forensic identification is the practice of identifying infected hosts by looking for evidence of recent infections. The evidence may be very recent (only a few minutes old) or not so recent (hours or days old); the older the information is, the less accurate it is likely to be. The most obvious sources of evidence are those that are designed to identify malware activity, such as anti-virus software, content filtering (e.g., anti-spam measures), IPS, and SIEM technologies. The logs of security applications might contain detailed records of suspicious activity and might also indicate whether a security compromise occurred or was prevented.

Fix Text

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "Options". Select each configured Options policy. Click "Show Advanced". Under "Events", select the "Log event to Windows Application log" check box. Click "Save".

Check Content

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus Common 4.5.0" from the Product list. From the Category list, select "Options". Select each configured Options policy. Click "Show Advanced". Under "Events", verify the "Log event to Windows Application log" check box is selected. If the "Log event to Windows Application log" check box is not selected, this is a finding.

The McAfee MOVE AV Common Options policy must be configured to send all events to the HBSS ePO server.

Finding ID: MV45-COP-000002
Rule ID: SV-93217r1_rule
Severity: Cat II
CCE: (None)
Group Title: MV45-COP-000002
CCI: CCI-001489
Target Key: (None)
Documentable: No
Discussion

Forensic identification is the practice of identifying infected hosts by looking for evidence of recent infections. The evidence may be very recent (only a few minutes old) or not so recent (hours or days old); the older the information is, the less accurate it is likely to be. The most obvious sources of evidence are those that are designed to identify malware activity, such as anti-virus software, content filtering (e.g., anti-spam measures), IPS, and SIEM technologies. The logs of security applications might contain detailed records of suspicious activity and might also indicate whether a security compromise occurred or was prevented.

Fix Text

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus Common 4.5.0" from the Product list. From the Category list, select "Options". Select each configured Options policy. Click "Show Advanced". Under "Events", select the "Send events to McAfee ePO" check box. Click "Save".

Check Content

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus Common 4.5.0" from the Product list. From the Category list, select "Options". Select each configured Options policy. Click "Show Advanced". Under "Events", verify the "Send events to McAfee ePO" check box is selected. If the "Send events to McAfee ePO" check box is not selected, this is a finding.

The McAfee MOVE AV Common Options policy must be configured to not rotate log files until they reach at least 10 MB in size.

Finding ID: MV45-COP-000003
Rule ID: SV-93219r1_rule
Severity: Cat II
CCE: (None)
Group Title: MV45-COP-000003
CCI: CCI-001489
Target Key: (None)
Documentable: No
Discussion

Forensic identification is the practice of identifying infected hosts by looking for evidence of recent infections. The evidence may be very recent (only a few minutes old) or not so recent (hours or days old); the older the information is, the less accurate it is likely to be. The most obvious sources of evidence are those that are designed to identify malware activity, such as anti-virus software, content filtering (e.g., anti-spam measures), IPS, and SIEM technologies. The logs of security applications might contain detailed records of suspicious activity and might also indicate whether a security compromise occurred or was prevented. While logging is imperative to forensic analysis, logs could grow to the point of impacting disk space on the system. To avoid the risk of logs growing to the size of impacting the operating system, the log size and number of log files will be restricted but must be large enough to retain forensic value.

Fix Text

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus Common 4.5.0" from the Product list. From the Category list, select "Options". Select each configured Options policy. Click "Show Advanced". Under "Logging", set the "Rotate log file content when the file size reaches" value to "10" MB or greater. Click "Save".

Check Content

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus Common 4.5.0" from the Product list. From the Category list, select "Options". Select each configured Options policy. Click "Show Advanced". Under "Logging", verify the "Rotate log file content when the file size reaches" field is set to "10" MB or greater. If the "Rotate log file content when the file size reaches" field is not set to "10" MB or greater, this is a finding.

The McAfee MOVE AV Common Options policy must be configured to enable self-protection.

Finding ID: MV45-COP-000004
Rule ID: SV-93221r1_rule
Severity: Cat I
CCE: (None)
Group Title: MV45-COP-000004
CCI: CCI-001242
Target Key: (None)
Documentable: No
Discussion

The self-protection feature defends files, services, and registry keys on virtual machines and will ensure uninterrupted protection. Self-protection on the McAfee MOVE SVM is provided by the SVM's VirusScan Enterprise Access Protection configuration. The self-protection feature is controlled by the IntegrityEnabled configuration parameter. By default, the parameter is set to "0x7", and all components of the feature are enabled.

Fix Text

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus Common 4.5.0" from the Product list. From the Category list, select "Options". Select each configured Options policy. Under "Self-Protection", select the "Enable Self-Protection" and "Enable Self-Protection for MOVE CLI" check boxes. Click "Save".

Check Content

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus Common 4.5.0" from the Product list. From the Category list, select "Options". Select each configured Options policy. Under "Self-Protection", confirm "Enable Self-Protection" and "Enable Self-Protection for MOVE CLI" check boxes are both selected. If either "Enable Self-Protection" or "Enable Self-Protection for MOVE CLI" check boxes are not selected, this is a finding.

All other anti-virus products must be removed from the virtual machine while the McAfee AV Client is running.

Finding ID: MV45-GEN-000001
Rule ID: SV-93223r1_rule
Severity: Cat II
CCE: (None)
Group Title: MV45-GEN-000001
CCI: CCI-000381
Target Key: (None)
Documentable: No
Discussion

Organizations should deploy anti-virus software on all hosts for which satisfactory anti-virus software is available. Anti-virus software should be installed as soon after operating system installation as possible and then updated with the latest anti-virus software patches (to eliminate any known vulnerabilities in the anti-virus software itself). To support the security of the host, the anti-virus software should be configured and maintained properly so it continues to be effective at detecting and stopping malware. McAfee MOVE AV Client will not function properly with other anti-virus products installed.

Fix Text

Click on Start >> Control Panel. Choose "Uninstall a program" under the "Programs" section. Locate the installed antivirus product, other than the McAfee MOVE AV Client, and choose to uninstall it.

Check Content

Access the system to which the McAfee MOVE Client is installed. In the taskbar, right-click the red McAfee Agent shield and select "About". Ensure neither the "McAfee VirusScan Enterprise + AntiSpyware Enterprise" nor the "Symantec Plugin" is listed as an installed product. Access "services.msc" and review the services running on the system. Ensure no other antivirus products are installed. If either the "McAfee VirusScan Enterprise + AntiSpyware Enterprise" or the "Symantec Plugin" is listed as an installed product in the McAfee Agent "About" dialog box, this is a finding. If neither the "McAfee VirusScan Enterprise + AntiSpyware Enterprise" nor the "Symantec Plugin" is listed as an installed product, but another antivirus product is shown as running as a service on this system, this is a finding.

The McAfee MOVE AV policies must be configured with and managed by the HBSS ePO server.

Finding ID: MV45-GEN-000002
Rule ID: SV-93225r1_rule
Severity: Cat II
CCE: (None)
Group Title: MV45-GEN-000002
CCI: CCI-001242
Target Key: (None)
Documentable: No
Discussion

Organizations should use centrally managed anti-virus software that is controlled and monitored regularly by anti-virus administrators, who are also typically responsible for acquiring, testing, approving, and delivering anti-virus signature and software updates throughout the organization. Users should not be able to disable or delete anti-virus software from their hosts, nor should they be able to alter critical settings. Anti-virus administrators should perform continuous monitoring to confirm that hosts are using current anti-virus software and that the software is configured properly. Implementing all of these recommendations should strongly support an organization in having a strong and consistent anti-virus deployment across the organization.

Fix Text

Access the ePO server. From the system tree, select the "Systems" tab and find and click on the asset to which the "MOVE AV [Multi-Platform] Client 4.5.0" needs to be deployed to open its properties.
If the asset is not in the ePO server system tree, configure a task to deploy the McAfee Agent to the asset to which the "MOVE AV [Multi-Platform] Client 4.5.0" will be deployed and proceed to the next step. If the asset is in the ePO server system tree, click on the asset to which the "MOVE AV [Multi-Platform] Client 4.5.0" needs to be deployed to open its properties.
Select Menu >> Policy >> Client Task Catalog. Select "Product Deployment" in the "Client Task Types" menu and then select >> Actions >> New Task. Select "Product Deployment" from the list and then click "OK" to open the "Client Task Builder" wizard.
Type a name for the task being created and add any descriptive information in the "Description" field. Ensure that "Windows" is the only target platform selected.
For "Products and components":
For "client", select "MOVE AV [Multi-Platform] Client 4.5.0" from the drop-down list.
Set the "action" to "Install".
Set the "language" to "Language Neutral".
Set the "branch" to "Current".
Leave the "Command line" setting blank.
Review the task settings and click "Save". Assign the newly created task to the asset being reviewed. Send a wake-up call to the asset being reviewed.

Check Content

On the system being reviewed, first confirm the system has a McAfee Agent deployed and running. Click "Start" and type "services.msc" in the "Search programs and files" search bar. Review the services running on the system. Ensure the "McAfee Agent Common Services" and "McAfee Agent Service" are listed as services and have a status of "Started". If the system does not have the McAfee Agent deployed to it, this is a finding.
If the McAfee Agent is running on the system, confirm the system has the "MOVE AV [Multi-Platform] Client 4.5.0" policies being enforced by ePO. Navigate to the directory to which the McAfee Agent is installed (default is C:\Program Files\McAfee\Agent). Open the McAfee Agent status monitor by executing the following command:
cmdagent /s
In the McAfee Agent Monitor, click the "Collect and Send Props" button. Review the "Agent Subsystem" status lines and ensure there is a status for "Agent started performing ASCI", followed by a sequence of status lines showing the "Agent is sending PROPS VERSION package to ePO server" and "Agent communication session closed". These status lines will confirm the system is making a successful connection to the ePO server.
Click the "Enforce Policies" button. In the McAfee Agent Monitor, review the "Management" status lines and ensure one shows a status of enforcing policies for the McAfee MOVE Client 4.5.
If the McAfee Agent Status Monitor shows successful "Agent Subsystem" status lines of "Agent started performing ASCI", followed by a sequence of status lines showing the "Agent is sending PROPS VERSION package to ePO server" and "Agent communication session closed", but the "Management" status line does not show it is enforcing policies for the McAfee MOVE Client 4.5, this is a finding.
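The two endpoint-side checks above (MV45-GEN-000001, no other anti-virus product running as a service; MV45-GEN-000002, both McAfee Agent services started) can be scripted for a fleet instead of opened in services.msc one machine at a time. The PowerShell below is an added example, not part of the STIG or of McAfee's tooling; the service display names are those the check content cites, while the function name and the list of anti-virus name fragments are assumptions to adapt per environment. It is meant for client VMs only, since the SVM is expected to run VirusScan Enterprise (see MV45-GEN-000004).

```powershell
# Added example, not part of the STIG or of McAfee's tooling. Run as an
# administrator on the Windows VM that hosts the MOVE AV [Multi-Platform] Client.
function Test-MoveAvEndpointServices {
    [CmdletBinding()]
    param(
        # Services the MV45-GEN-000002 check expects to see as "Started" in
        # services.msc; Get-Service reports that same state as 'Running'.
        [string[]]$RequiredAgentServices = @('McAfee Agent Common Services',
                                             'McAfee Agent Service'),
        # Display-name fragments of other anti-virus products (MV45-GEN-000001).
        # 'VirusScan' and 'Symantec' are the products named in the check; the
        # list itself is an assumption and should be extended for your site.
        [string[]]$OtherAvPatterns = @('VirusScan', 'Symantec')
    )

    $findings = @()
    $services = Get-Service

    # MV45-GEN-000002: both McAfee Agent services must be installed and running.
    foreach ($name in $RequiredAgentServices) {
        $svc = $services | Where-Object { $_.DisplayName -eq $name }
        if (-not $svc) {
            $findings += "MV45-GEN-000002: service '$name' is not installed"
        } elseif ($svc.Status -ne 'Running') {
            $findings += "MV45-GEN-000002: service '$name' is $($svc.Status), expected Running"
        }
    }

    # MV45-GEN-000001: no other anti-virus product may be running as a service.
    foreach ($pattern in $OtherAvPatterns) {
        $hits = $services | Where-Object {
            $_.DisplayName -like "*$pattern*" -and $_.Status -eq 'Running'
        }
        foreach ($hit in $hits) {
            $findings += "MV45-GEN-000001: other anti-virus service running: '$($hit.DisplayName)' ($($hit.Name))"
        }
    }

    # One object per host so results can be collected centrally (e.g. via Invoke-Command).
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Compliant    = ($findings.Count -eq 0)
        Findings     = $findings
    }
}

$result = Test-MoveAvEndpointServices
foreach ($f in $result.Findings) { Write-Warning $f }
"$($result.ComputerName) compliant: $($result.Compliant)"
```

A clean result from this script covers only the service-level evidence; the "About" dialog of the McAfee Agent and the policy-enforcement lines in the Agent Monitor still have to be reviewed as the check content describes.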

The admin password for the McAfee MOVE AV Security Virtual Machine (SVM) must be changed from the default.

Finding ID: MV45-GEN-000003
Rule ID: SV-93227r1_rule
Severity: Cat I
CCE: (None)
Group Title: MV45-GEN-000003
CCI: CCI-002418
Target Key: (None)
Documentable: No
Discussion

The preconfigured Security Virtual Appliance (SVA) comes with a default password for the "SVAadmin" account. This account has root privileges to the Linux operating system of the appliance. By not changing the password from the default, the appliance will be subject to access by unauthorized individuals.

Fix Text

If the McAfee SVM was deployed manually, physically log into the McAfee SVM and change the password from the default. If the McAfee SVM was deployed with VMware vCNS or VMware NSX, access the McAfee ePO console. From the Menu, select Automation >> MOVE AntiVirus Deployment. Under General >> General Configuration >> SVM Configuration (Agentless Only), populate the "Password" with a unique password. Confirm the password. Click "Save".

Check Content

If the McAfee SVM was deployed manually, physically log into the McAfee SVM and confirm the password has been changed from the default. If the password has not been changed from the default, this is a finding. If the McAfee SVM was deployed with VMware vCNS or VMware NSX, access the McAfee ePO console. From the Menu, select Automation >> MOVE AntiVirus Deployment. Under General >> General Configuration >> SVM Configuration (Agentless Only), verify the "Password" shows as configured. It will be masked. Verify with the System Administrator that the password has been changed from the default password. If "Password" does not show as configured and has not been changed from the default password, this is a finding.

The McAfee VirusScan Enterprise Access Protection rules must be used for self-protection of the files and folders of the McAfee Security Virtual Manager (SVM).

Finding ID: MV45-GEN-000004
Rule ID: SV-93229r1_rule
Severity: Cat I
CCE: (None)
Group Title: MV45-GEN-000004
CCI: CCI-001242
Target Key: (None)
Documentable: No
Discussion

The VirusScan Enterprise Access Protection rules will defend files, services, and registry keys on the McAfee Security Virtual Manager (SVM).

Fix Text

The McAfee MOVE AV [Multi-Platform] SVM does not have a built-in protection mechanism. In order to protect the McAfee MOVE AV [Multi-Platform] SVM's files, services, and registry keys, the McAfee VirusScan Enterprise Access Protection features are used.
From the ePO server console System Tree, select the "Systems" tab, find and click on the asset representing the McAfee MOVE SVM to open its properties, select "Actions", select "Agent", and select "Modify Policies on a Single System". From the product drop-down list, select "VirusScan Enterprise 8.8.x". Click "Access Protection Policies" policy to open the properties. From the "Settings for:" drop-down list, select "Server".
In the "Access protection rules:" settings, under "Categories", click "User-defined Rules", click "New". Choose "File/Folder Blocking Rule" to create the rule identified as the File protection rule. Specify an appropriate Rule name (e.g., McAfee MOVE SVM File and Folder Protection). Enter the path to which the McAfee MOVE SVM has been installed (default is C:\Program Files (x86)\McAfee\MOVE AV Server\**) in the "File or folder name to block:" section. Select the "Write access to files", "New files being created", and "Files being deleted" under the "File actions to prevent:" section. Click "OK". After the rule is created, select the "Block" and "Report" check boxes. Click "Save".
Configure an additional rule for registry protection. Under "Block/Report/Rules", ensure rules are configured for registry protection for the following registry paths:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mvserver
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mvserver\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mvserver\Parameters\ODS

Check Content

The McAfee MOVE AV [Multi-Platform] SVM does not have a built-in protection mechanism. In order to protect the McAfee MOVE AV [Multi-Platform] SVM's files, services, and registry keys, the McAfee VirusScan Enterprise Access Protection features are used.
From the ePO server console System Tree, select the "Systems" tab, find and click on the asset representing the McAfee MOVE SVM to open its properties, select "Actions", select "Agent", and select "Modify Policies on a Single System". From the product drop-down list, select "VirusScan Enterprise 8.8.x". Click on the "Access Protection Policies" policy to open the properties. From the "Settings for:" drop-down list, select "Server". In the "Access protection rules:" settings, under "Categories", click to select the "User-defined Rules". Under "Block/Report/Rules", ensure rules are configured for McAfee MOVE SVM protection. If multiple User-defined rules are created, consult with the System Administrator to determine the rules for the purpose of this requirement.
For the File/Folder Access Protection rule created to protect the MOVE AV Server folder, ensure both the "Block" and "Report" check boxes are selected. Select the rule and click "Edit". Ensure the path to which the McAfee MOVE SVM has been installed (default is C:\Program Files (x86)\McAfee\MOVE AV Server\**) is reflected in the "File or folder name to block:" section. Ensure "Write access to files", "New files being created", and "Files being deleted" are selected under the "File actions to prevent:" section. If a File/Folder Blocking rule does not exist to protect the path to which the McAfee MOVE SVM Server has been installed (default is C:\Program Files (x86)\McAfee\MOVE AV Server), this is a finding.
On the system designated as the McAfee MOVE SVM Server, access the local McAfee VirusScan Enterprise Console. Under the "Task" column, right-click on "Access Protection", select "Properties". In the "Access protection rules:" settings, under "Categories", click "User-defined Rules". Under "Block/Report/Rules", ensure rules are configured for McAfee MOVE SVM protection. If multiple User-defined rules are created, consult with the System Administrator to determine the rules for the purpose of this requirement.
For the File/Folder Access Protection rule created to protect the MOVE AV Server folder, ensure both the "Block" and "Report" check boxes are selected. Select the rule, click "Edit". Ensure "mvserver.exe" is reflected under the "Processes to exclude:" section. Ensure the path to which the McAfee MOVE SVM has been installed (default is C:\Program Files (x86)\McAfee\MOVE AV Server\**) is reflected in the "File or folder name to block:" section. Ensure "Write access to files", "New files being created", and "Files being deleted" are selected under the "File actions to prevent:" section. If a File/Folder Blocking rule does not exist to protect the path to which the McAfee MOVE SVM Server has been installed (default is C:\Program Files (x86)\McAfee\MOVE AV Server), this is a finding.
In the "Access protection rules:" settings, under "Categories", click "User-defined Rules". Under "Block/Report/Rules", ensure rules are configured for registry protection for the following registry paths:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mvserver
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mvserver\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mvserver\Parameters\ODS
If a registry protection rule does not exist to protect the specified registry paths, this is a finding.

The McAfee MOVE AV On Access Scan Policy must be configured to enable protection.

Finding ID: MV45-OAS-000001
Rule ID: SV-93231r1_rule
Severity: Cat I
CCE: (None)
Group Title: MV45-OAS-000001
CCI: CCI-001242
Target Key: (None)
Documentable: No
Discussion

Anti-virus software should be installed as soon after operating system installation as possible and then updated with the latest signatures and anti-virus software patches (to eliminate any known vulnerabilities in the anti-virus software itself). The anti-virus software should then perform a complete scan of the host to identify any potential infections. To support the security of the host, the anti-virus software should be configured and maintained properly so it continues to be effective at detecting and stopping malware. Anti-virus software is most effective when its signatures are fully up to date. Accordingly, antivirus software should be kept current with the latest signature and software updates to improve malware detection.

Fix Text

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "On Access Scan". Select each configured On Access Scan policy. Under "On-access scan", select the "Enable on-access scan" check box. Click "Save".

Check Content

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "On Access Scan". Select each configured On Access Scan policy. Under "On-access scan", verify the "Enable on-access scan" check box is selected. If the "Enable on-access scan" check box is not selected, this is a finding.

The McAfee MOVE AV On Access Scan Policy must be configured with a scan timeout of 45 seconds or more.

Finding ID: MV45-OAS-000002
Rule ID: SV-93233r1_rule
Severity: Cat II
CCE: (None)
Group Title: MV45-OAS-000002
CCI: CCI-001242
Target Key: (None)
Documentable: No
Discussion

This setting configures the amount of time, in seconds, to wait for a scan to complete. The default setting is 45 seconds. This is the duration for which a McAfee MOVE AV Agent will wait for scan response of a file from the Security Virtual Machine (SVM). Typically, file scans are very fast. However, file scans may take longer due to large file size, file type, or heavy load on the SVM. If the file scan takes longer than the scan timeout limit, the file access is allowed and a scan timeout event is generated. Setting the timeout too low may result in scans of a file terminating before the scan is completed, resulting in malware potentially going undetected.

Fix Text

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "On Access Scan". Select the On Access Scan policy to be configured. Under "Scan", set "Specify maximum time for each file scan" to "45" seconds or more. Click "Save".

Check Content

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "On Access Scan". Select each configured On Access Scan policy. Under "Scan", verify "Specify maximum time for each file scan" is set to "45" seconds or more. If "Specify maximum time for each file scan" is not set to "45" seconds or more, this is a finding.

The McAfee MOVE AV On Access Scan Policy must be configured to cache scan results for files smaller than 40 MB.

Finding ID: MV45-OAS-000003
Rule ID: SV-93235r1_rule
Severity: Cat II
CCE: (None)
Group Title: MV45-OAS-000003
CCI: CCI-001242
Target Key: (None)
Documentable: No
Discussion

This setting configures the maximum file size (in MB) up to which scan results should be cached. The default setting is 40 MB. Files smaller than this threshold are copied completely to the Security Virtual Machine (SVM) and scanned. If the file is found to be clean, its scan result is cached based on its SHA-1 checksum for faster future access. Files larger than this size threshold are transferred in chunks that are requested by the SVM and scanned. Setting that threshold higher could impact the performance of the scan processes.

Fix Text

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "On Access Scan". Select the On Access Scan policy to be configured. Under "Scan", set "Cache scan results for files smaller than" to "40" MB or smaller. Click "Save".

Check Content

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "On Access Scan". Select each configured On Access Scan policy. Under "Scan", verify the "Cache scan results for files smaller than" is set to "40" MB or smaller. If "Cache scan results for files smaller than" is not set to "40" MB or less, this is a finding.

The McAfee MOVE AV On Access Scan Policy must be configured to scan when writing to disk.

Finding ID: MV45-OAS-000004
Rule ID: SV-93237r1_rule
Severity: Cat II
CCE: (None)
Group Title: MV45-OAS-000004
CCI: CCI-001242
Target Key: (None)
Documentable: No
Discussion

Anti-virus software is the most commonly used technical control for malware threat mitigation. Real-time scanning of files as they are written to disk is a crucial first line of defense from malware attacks.

Fix Text

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "On Access Scan". Select each configured On Access Scan policy. Under "Scan", select the "When writing to disk" check box. Click "Save".

Check Content

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "On Access Scan". Select each configured On Access Scan policy. Under "Scan", verify the "When writing to disk" check box is selected. If the "When writing to disk" check box is not selected, this is a finding.

The McAfee MOVE AV On Access Scan Policy must be configured to scan when reading from disk.

Finding ID: MV45-OAS-000005
Rule ID: SV-93239r1_rule
Severity: Cat II
CCE: (None)
Group Title: MV45-OAS-000005
CCI: CCI-001242
Target Key: (None)
Documentable: No
Discussion

Anti-virus software is the most commonly used technical control for malware threat mitigation. Real-time scanning of files as they are read from disk is a crucial first line of defense from malware attacks.

Fix Text

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "On Access Scan". Select each configured On Access Scan policy. Under "Scan", select the "When reading from disk" check box. Click "Save".

Check Content

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "On Access Scan". Select each configured On Access Scan policy. Under "Scan", verify the "When reading from disk" check box is selected. If the "When reading from disk" check box is not selected, this is a finding.

The McAfee MOVE AV On Access Scan Policy must be configured to scan all file types.

Finding ID: MV45-OAS-000006
Rule ID: SV-93241r1_rule
Severity: Cat II
CCE: (None)
Group Title: MV45-OAS-000006
CCI: CCI-001242
Target Key: (None)
Documentable: No
Discussion

When scanning for malware, excluding specific file types will increase the risk of a malware-infected file going undetected. By configuring anti-virus software to scan all file types, the scanner has a higher success rate at detecting and eradicating malware.

Fix Text

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "On Access Scan". Select each configured On Access Scan policy. Under "File Types to Scan", select the "All files" radio button. Click "Save".

Check Content

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "On Access Scan". Select each configured On Access Scan policy. Under "File Types to Scan", verify the "All files" radio button is selected. If the File Types to Scan "All files" radio button is not selected, this is a finding.

Path or file exclusions configured in McAfee MOVE AV On Access Scan Policy must be formally documented by the System Administrator and approved by the ISSO/ISSM.

Finding ID: MV45-OAS-000007
Rule ID: SV-93243r1_rule
Severity: Cat II
CCE: (None)
Group Title: MV45-OAS-000007
CCI: CCI-000366
Target Key: (None)
Documentable: No
Discussion

When scanning for malware, excluding specific file types will increase the risk of a malware-infected file going undetected. By configuring anti-virus software to scan all file types, the scanner has a higher success rate at detecting and eradicating malware. Excluding files, paths, and processes from being scanned expands the potential for malware to be allowed onto the information system. While it is recognized that some file types might need to be excluded for operational reasons and/or because there is protection afforded to those files through a different mechanism, allowing those exclusions should always be vetted, documented, and approved before applying.

Fix Text

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "On Access Scan". Select each configured On Access Scan policy. Under "Exclusions", remove any Path Exclusions that have been configured other than the following and that have not been formally documented by the System Administrator and approved by the ISSO/ISSM:

**\McAfee\Common Framework\
**\Program Files\McAfee\Agent\
*.log

Click "Save".

Check Content

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "On Access Scan". Select each configured On Access Scan policy. Under "Exclusions", verify no Path Exclusions have been configured other than the following:

**\McAfee\Common Framework\
**\Program Files\McAfee\Agent\
*.log

If any Path Exclusions are configured and those Path Exclusions have not been formally documented by the System Administrator and approved by the ISSO/ISSM, this is a finding.

Process exclusions configured in McAfee MOVE AV On Access Scan Policy must be formally documented by the System Administrator and approved by the ISSO/ISSM.

Finding ID
MV45-OAS-000008
Rule ID
SV-93245r1_rule
Severity
Cat II
CCE
(None)
Group Title
MV45-OAS-000008
CCI
CCI-000366
Target Key
(None)
Documentable
No
Discussion

When scanning for malware, excluding specific file types will increase the risk of a malware-infected file going undetected. By configuring anti-virus software to scan all file types, the scanner has a higher success rate at detecting and eradicating malware. Excluding files, paths, and processes from being scanned expands the potential for malware to be allowed onto the information system. While it is recognized that some file types might need to be excluded for operational reasons and/or because there is protection afforded to those files through a different mechanism, allowing those exclusions should always be vetted, documented, and approved before applying.

Fix Text

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "On Access Scan". Select each configured On Access Scan policy. Under "Exclusions", remove any Process Exclusions that have been configured other than the following:

%WINDIR%\system32\mssearch.exe
UserProfileManager.exe
%WINDIR%\system32\searchindexer.exe
%WINDIR%\system32\mssdmn.exe
%WINDIR%\system32\winfs\winfs.exe
%WINDIR%\system32\mssfh.exe

Click "Save".

Check Content

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "On Access Scan". Select each configured On Access Scan policy. Under "Exclusions", verify no Process Exclusions have been configured other than the following:

%WINDIR%\system32\mssearch.exe
UserProfileManager.exe
%WINDIR%\system32\searchindexer.exe
%WINDIR%\system32\mssdmn.exe
%WINDIR%\system32\winfs\winfs.exe
%WINDIR%\system32\mssfh.exe

If any Process Exclusions are configured and those Process Exclusions have not been formally documented by the System Administrator and approved by the ISSO/ISSM, this is a finding.

The McAfee MOVE AV On Access Scan policy must be configured to delete files automatically and quarantine as the first response of a threat detection.

Finding ID
MV45-OAS-000009
Rule ID
SV-93247r1_rule
Severity
Cat II
CCE
(None)
Group Title
MV45-OAS-000009
CCI
CCI-001242
Target Key
(None)
Documentable
No
Discussion

Malware incident containment has two major components: stopping the spread of malware and preventing further damage to hosts. Disinfecting a file is generally preferable to quarantining it because the malware is removed and the original file restored; however, many infected files cannot be disinfected. The primary goal of eradication is to remove malware from infected hosts.

Fix Text

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "On Access Scan". Select each configured "On Access Scan" policy. Click "Actions". Under "Threat detection first response", select "Delete files automatically and quarantine" from the drop-down list. Click "Save".

Check Content

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "On Access Scan". Select each configured On Access Scan policy. Click "Actions". Under "Threat detection first response", verify "Delete files automatically and quarantine" is selected. If "Threat detection first response" is not set to "Delete files automatically and quarantine", this is a finding.

The McAfee MOVE AV On Demand Scan policy must be configured to enable on-demand scan.

Finding ID
MV45-ODS-000001
Rule ID
SV-93249r1_rule
Severity
Cat II
CCE
(None)
Group Title
MV45-ODS-000001
CCI
CCI-001241
Target Key
(None)
Documentable
No
Discussion

Anti-virus software is the most commonly used technical control for malware threat mitigation. Anti-virus software on hosts should be configured to scan all hard drives and folders regularly to identify any file system infections and to scan any removable media, if applicable, before media is inserted into the system. Not scheduling a regular scan of the hard drives of a system and/or not configuring the scan to scan all files and running processes introduces a higher risk of threats going undetected.

Fix Text

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "On Demand Scan". Select each configured On Demand Scan policy. Click "Show Advanced". Under "On-demand Scan", select the "Enable on-demand scan" check box. Click "Save".

Check Content

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "On Demand Scan". Select each configured On Demand Scan policy. Click "Show Advanced". Under "On-demand Scan", verify the "Enable on-demand scan" check box is selected. If the "Enable on-demand scan" check box is not selected, this is a finding.

The McAfee MOVE AV On Demand Scan policy must be configured to enforce a maximum time for each file scan of no less than 45 seconds.

Finding ID
MV45-ODS-000002
Rule ID
SV-93251r1_rule
Severity
Cat II
CCE
(None)
Group Title
MV45-ODS-000002
CCI
CCI-001241
Target Key
(None)
Documentable
No
Discussion

This setting configures the amount of time, in seconds, to wait for a scan to complete. The default setting is 45 seconds. This is the duration for which a McAfee MOVE AV Agent will wait for the scan response for a file from the Security Virtual Machine (SVM). Typically, file scans are very fast. However, file scans may take longer due to large file size, file type, or heavy load on the SVM. If the file scan takes longer than the scan timeout limit, the file access is allowed and a scan timeout event is generated. Setting the timeout too low may result in scans of a file terminating before the scan is completed, resulting in malware potentially going undetected.

Fix Text

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "On Demand Scan". Select each configured On Demand Scan policy. Click "Show Advanced". Under "On-demand Scan", configure the "Specify maximum time for each file scan" for "45" seconds or more. Click "Save".

Check Content

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "On Demand Scan". Select each configured On Demand Scan policy. Click "Show Advanced". Under "On-demand Scan", verify the "Specify maximum time for each file scan" is configured for "45" seconds or more. If "Specify maximum time for each file scan" is not configured for "45" seconds or more, this is a finding.

The McAfee MOVE AV On Demand Scan policy must be explicitly configured to stop an on-demand scan after an organization-specific period.

Finding ID
MV45-ODS-000003
Rule ID
SV-93253r1_rule
Severity
Cat II
CCE
(None)
Group Title
MV45-ODS-000003
CCI
CCI-001241
Target Key
(None)
Documentable
No
Discussion

This setting configures the maximum time, in minutes, for on-demand scanning. The default setting is 150 minutes. Typically, file scans are very fast. However, file scans may take longer due to large file size, file type, or heavy load on the Security Virtual Machine (SVM). For cases where an on-demand scan will take longer, an organization should determine the maximum amount of time for its on-demand scanning and explicitly configure this setting.

Fix Text

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "On Demand Scan". Select each configured On Demand Scan policy. Click "Show Advanced". Under "On-demand Scan", configure "On-demand scan will stop after" for 150 minutes or less. Click "Save".

Check Content

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "On Demand Scan". Select each configured On Demand Scan policy. Click "Show Advanced". Under "On-demand Scan", verify "On-demand scan will stop after" is configured for "150" minutes or less. If "On-demand scan will stop after" is not configured for "150" minutes or less, this is a finding.

The McAfee MOVE AV On Demand Scan policy must be configured to cache scan results for files smaller than 40 MB.

Finding ID
MV45-ODS-000004
Rule ID
SV-93255r1_rule
Severity
Cat II
CCE
(None)
Group Title
MV45-ODS-000004
CCI
CCI-001241
Target Key
(None)
Documentable
No
Discussion

This setting configures the maximum file size (in MB) up to which scan results should be cached. The default setting is 40 MB. Files smaller than this threshold are copied completely to the Security Virtual Machine (SVM) and scanned. If the file is found to be clean, its scan result is cached based on its SHA-1 checksum for faster future access. Files larger than this size threshold are transferred in chunks that are requested by the SVM and scanned. Setting that threshold higher could impact the performance of the scan processes.

Fix Text

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "On Demand Scan". Select each configured On Demand Scan policy. Click "Show Advanced". Under "On-demand Scan", configure "Cache scan results for files smaller than" for 40 MB or smaller. Click "Save".

Check Content

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "On Demand Scan". Select each configured On Demand Scan policy. Click "Show Advanced". Under "On-demand Scan", verify "Cache scan results for files smaller than" is configured for 40 MB or smaller. If "Cache scan results for files smaller than" is not configured for 40 MB or smaller, this is a finding.

The McAfee MOVE AV On Demand Scan policy must be configured to delete files automatically and quarantine as the first response of a threat detection.

Finding ID
MV45-ODS-000005
Rule ID
SV-93257r1_rule
Severity
Cat II
CCE
(None)
Group Title
MV45-ODS-000005
CCI
CCI-001241
Target Key
(None)
Documentable
No
Discussion

Malware incident containment has two major components: stopping the spread of malware and preventing further damage to hosts. Disinfecting a file is generally preferable to quarantining it because the malware is removed and the original file restored; however, many infected files cannot be disinfected. The primary goal of eradication is to remove malware from infected hosts. Deleting files found to contain malware, while also moving them to quarantine, renders the files unusable while keeping them recoverable in the event of a false positive.

Fix Text

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "On Demand Scan". Select each configured On Demand Scan policy. Click "Show Advanced". Under "Actions", configure the "Threat detection first response" for "Delete files automatically and quarantine". Click "Save".

Check Content

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "On Demand Scan". Select each configured On Demand Scan policy. Click "Show Advanced". Under "Actions", verify the "Threat detection first response" is configured for "Delete files automatically and quarantine". If the "Threat detection first response" is not configured for "Delete files automatically and quarantine", this is a finding.

The McAfee MOVE AV On Demand Scan policy must be configured to scan all file types.

Finding ID
MV45-ODS-000006
Rule ID
SV-93259r1_rule
Severity
Cat II
CCE
(None)
Group Title
MV45-ODS-000006
CCI
CCI-001241
Target Key
(None)
Documentable
No
Discussion

When scanning for malware, excluding specific file types will increase the risk of a malware-infected file going undetected. By configuring anti-virus software to scan all file types, the scanner has a higher success rate at detecting and eradicating malware.

Fix Text

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "On Demand Scan". Select each configured On Demand Scan policy. Click "Show Advanced". Under "File Type to Scan", select the "All files" radio button. Click "Save".

Check Content

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "On Demand Scan". Select each configured On Demand Scan policy. Click "Show Advanced". Under "File Type to Scan", verify "All files" is selected. If "All files" is not selected, this is a finding.

Path Exclusions configured in the McAfee MOVE AV On Demand Scan policy must be formally documented by the System Administrator and approved by the ISSO/ISSM.

Finding ID
MV45-ODS-000007
Rule ID
SV-93261r1_rule
Severity
Cat II
CCE
(None)
Group Title
MV45-ODS-000007
CCI
CCI-001241
Target Key
(None)
Documentable
No
Discussion

When scanning for malware, excluding specific file types will increase the risk of a malware-infected file going undetected. By configuring anti-virus software to scan all file types, the scanner has a higher success rate at detecting and eradicating malware. Excluding files, paths, and processes from being scanned expands the potential for malware to be allowed onto the information system. While it is recognized that some file types might need to be excluded for operational reasons and/or because there is protection afforded to those files through a different mechanism, allowing those exclusions should always be vetted, documented, and approved before applying.

Fix Text

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "On Demand Scan". Select each configured On Demand Scan policy. Click "Show Advanced". Under "Exclusions", remove any Path Exclusions, other than the following paths, that have not been formally documented by the System Administrator and approved by the ISSO/ISSM:

**\McAfee\Common Framework\
**\Program Files\McAfee\Agent\
*.log

Click "Save".

Check Content

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "On Demand Scan". Select each configured On Demand Scan policy. Click "Show Advanced". Under "Exclusions", verify the "Path Exclusions" include only the following paths:

**\McAfee\Common Framework\
**\Program Files\McAfee\Agent\
*.log

If any Path Exclusions are included other than those specified above, and the exclusions have not been formally documented by the System Administrator and approved by the ISSO/ISSM, this is a finding.

The McAfee MOVE AV On-Demand Scan interval must be set to no more than every seven days.

Finding ID
MV45-ODS-000008
Rule ID
SV-93263r1_rule
Severity
Cat II
CCE
(None)
Group Title
MV45-ODS-000008
CCI
CCI-001241
Target Key
(None)
Documentable
No
Discussion

Anti-virus software is the most commonly used technical control for malware threat mitigation. Anti-virus software on hosts should be configured to scan all hard drives and folders regularly to identify any file system infections and to scan any removable media, if applicable, before media is inserted into the system. Not scheduling a regular scan of the hard drives of a system and/or not configuring the scan to scan all files and running processes introduces a higher risk of threats going undetected.

Fix Text

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "On Demand Scan". Select each configured On Demand Scan policy. Click "Show Advanced". Under "On-demand Scan", configure the "Run on-demand scan for every _ days" to "7" days or less. Click "Save".

Check Content

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "On Demand Scan". Select each configured On Demand Scan policy. Click "Show Advanced". Under "On-demand Scan", verify the "Run on-demand scan for every _ days" is configured to "7" days or less. If the "Run on-demand scan for every _ days" is not configured to "7" days or less, this is a finding.

The McAfee MOVE AV Options Policy must be configured to automatically delete quarantined data after a time period of no more than 28 days.

Finding ID
MV45-OPT-000002
Rule ID
SV-93267r1_rule
Severity
Cat II
CCE
(None)
Group Title
MV45-OPT-000002
CCI
CCI-001242
Target Key
(None)
Documentable
No
Discussion

The quarantine on each system represents a potential danger should the files contained within the quarantine be executed inadvertently. Deleting the quarantine contents on a regular basis reduces the chance that quarantined malware is executed. An organization's incident response policy should also contain steps for removing quarantined items after their forensic value has been depleted.

Fix Text

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "Options". Select each configured Options policy. Under "Quarantine Manager", set the value for "Specify the maximum number of days to keep quarantine data" to "28" days or less. Click "Save".

Check Content

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "Options". Select each configured Options policy. Under "Quarantine Manager", verify the value for "Specify the maximum number of days to keep quarantine data" is set to "28" days or less. If the value for "Specify the maximum number of days to keep quarantine data" is not set to "28" days or less, this is a finding.

The McAfee MOVE AV SVM Settings policy ODS scan interval must be set to no more than every seven days.

Finding ID
MV45-SVM-000001
Rule ID
SV-93269r1_rule
Severity
Cat II
CCE
(None)
Group Title
MV45-SVM-000001
CCI
CCI-001241
Target Key
(None)
Documentable
No
Discussion

Anti-virus software is the most commonly used technical control for malware threat mitigation. Anti-virus software on hosts should be configured to scan all hard drives and folders regularly to identify any file system infections and to scan any removable media, if applicable, before media is inserted into the system. Not scheduling a regular scan of the hard drives of a system and/or not configuring the scan to scan all files and running processes introduces a higher risk of threats going undetected.

Fix Text

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "SVM Settings". Select each configured SVM Settings policy. Click "Show Advanced". Under "ODS Scheduler", select the "Scan" option. In the schedule, configure scan dates to accomplish at least weekly scanning. Click "Save".

Check Content

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "SVM Settings". Select each configured SVM Settings policy. Click "Show Advanced". Under "ODS Scheduler", verify the "Scan" option is selected. Review the schedule and verify a schedule of at least weekly is configured. If the ODS Scheduler "Scan" option is not selected or the schedule is not configured for at least weekly, this is a finding.

The McAfee MOVE AV SVM must have McAfee VirusScan Enterprise installed.

Finding ID
MV45-SVM-000002
Rule ID
SV-93271r1_rule
Severity
Cat II
CCE
(None)
Group Title
MV45-SVM-000002
CCI
CCI-002605
Target Key
(None)
Documentable
No
Discussion

Organizations should deploy anti-virus software on all hosts for which satisfactory anti-virus software is available. Anti-virus software should be installed as soon after OS installation as possible and then updated with the latest signatures and anti-virus software patches (to eliminate any known vulnerabilities in the anti-virus software itself). To support the security of the host, the anti-virus software should be configured and maintained properly so it continues to be effective at detecting and stopping malware. Anti-virus software is most effective when its signatures are fully up to date. Accordingly, anti-virus software should be kept current with the latest signature and software updates to improve malware detection.

Fix Text

Access the ePO server. From the system tree, select the "Systems" tab and find and click on the asset representing the McAfee MOVE SVM to open its properties. Click on Actions >> Agent >> Modify Tasks on a Single System. Click Actions >> New Client Task Assignment. Under "Product", select "McAfee Agent". Under "Task Type", select "Product Deployment". Under "Task Name", select "Create New Task". Next to "Task Name", enter "Deploy VSE to MOVE SVM". Next to "Target Platforms", ensure only Windows is selected. In the drop-down box for "Products and components", select "VirusScan Enterprise 8.8.0.x" and ensure the drop-down box for "Action" is set to Install. Click "Save". Click "Next". For the "Schedule status:", select "Enabled". Configure the schedule variable in accordance with local Change Control policy and click "Next". On the "Summary" tab, click "Save" and then "Close". Back at the "Systems Information" screen, click on the "Wake Up Agents" button. In the "Wake Up McAfee Agent" screen, for the "Force policy update:" settings, select the "Force complete policy and task update" check box. Click "OK".

Check Content

Access the server designated as the McAfee MOVE SVM. In the taskbar, right-click the red McAfee Agent shield and select "About". Under "McAfee Agent", ensure "Last agent-to-server communication:" is within the time period designated by the "Agent to Server Communication Interval". Ensure the "McAfee VirusScan Enterprise + AntiSpyware Enterprise" is listed as an installed product. Ensure the version number is "8.8.0" or higher. To use an alternative method for validating: From the ePO server console system tree, select the "Systems" tab and find and click on the asset representing the McAfee MOVE SVM to open its properties. Under the "System Properties" tab, ensure the "Last communication" is within the time period designated by the "Agent-to-Server Communication Interval:" under the "McAfee Agent" tab. Under the "System Properties" tab, next to the "Installed Products" field, ensure VirusScan Enterprise 8.8.0.x is listed as an installed product. Ensure the "Product Version" for VirusScan Enterprise is listed as "8.8.0" or higher. If VirusScan Enterprise 8.8.0 or higher is not installed and/or the "Last communication" to the ePO server is not within the specified Agent-to-Server Communication interval, this is a finding.

The McAfee MOVE AV SVM must be managed by the HBSS ePO server.

Finding ID
MV45-SVM-000003
Rule ID
SV-93273r1_rule
Severity
Cat II
CCE
(None)
Group Title
MV45-SVM-000003
CCI
CCI-000366
Target Key
(None)
Documentable
No
Discussion

Organizations should use centrally managed anti-virus software that is controlled and monitored regularly by anti-virus administrators, who are also typically responsible for acquiring, testing, approving, and delivering anti-virus signature and software updates throughout the organization. Users should not be able to disable or delete anti-virus software from their hosts, nor should they be able to alter critical settings. Anti-virus administrators should perform continuous monitoring to confirm that hosts are using current anti-virus software and that the software is configured properly. Implementing all of these recommendations should strongly support an organization in having a strong and consistent anti-virus deployment across the organization.

Fix Text

Access the ePO server. From the system tree, select the "Systems" tab and find and click on the asset representing the McAfee MOVE SVM to open its properties. If the asset representing the McAfee MOVE SVM is not in the ePO server system tree, configure a task to deploy the McAfee Agent to the system designated as the McAfee MOVE SVM. Once the system is communicating with the ePO server and is in the ePO server system tree, find and click on the asset representing the McAfee MOVE SVM to open its properties. Click on Actions >> Agent >> Modify Tasks on a Single System. Click on "Actions" and select "New Client Task Assignment". Under "Product", select "McAfee Agent". Under "Task Type", select "Product Deployment". Under "Task Name", select "Create New Task". Next to "Task Name", enter "Deploy MOVE to the SVM". Next to "Target Platforms", ensure only "Windows" is selected. In the drop-down box for "Products and components", select "MOVE AV [Multi-Platform] SVM 4.5x" and ensure the drop-down box for "Action" is set to "Install". Click "Save". Click "Next". For the "Schedule status:", select "Enabled". Configure the schedule variable in accordance with local Change Control policy and click "Next". On the "Summary" tab, click "Save" and then "Close". Back at the "System Information" screen, click on the "Wake Up Agents" button. In the "Wake Up McAfee Agent" screen, for the "Force policy update:" settings, place a check in the "Force complete policy and task update" check box. Click "OK".

Check Content

Access the server designated as the McAfee MOVE SVM. In the taskbar, right-click the red McAfee Agent shield and select "McAfee Agent Status Monitor". Click the "Collect and Send Props" button. This will perform the ASCI, send the PROPS VERSION package to the ePO, and close the session. Click the "Enforce Policies" button. In the McAfee Agent Monitor, review the Management status lines and ensure they show a status of "Enforcing Policies for DC_AM_4000" and "Enforcing Policies for DC_GS_4000". These status lines confirm the system is enforcing policies for the McAfee MOVE AV SVM. If the system does not show "Agent started performing ASCI", followed by a sequence of status lines showing the "Agent is sending PROPS VERSION package to ePO server" and "Agent communication session closed", or does not show a Management status line of "Enforcing Policies for DC_AM_4000" and "Enforcing Policies for DC_GS_4000", this is a finding.

The McAfee MOVE AV SVM must be configured with a static Internet Protocol (IP) address.

Finding ID
MV45-SVM-000004
Rule ID
SV-93275r1_rule
Severity
Cat II
CCE
(None)
Group Title
MV45-SVM-000004
CCI
CCI-000366
Target Key
(None)
Documentable
No
Discussion

Security management devices must be configured to ensure consistent and uninterrupted connectivity to/from the systems they manage/control. Otherwise, the security management device will be less than effective.

Fix Text

In accordance with local operational procedures, assign a static IP address to the server designated as the McAfee MOVE SVM.

Check Content

Access the server designated as the McAfee MOVE SVM. Access Network properties. From listed Network adapters, right-click on the active adapter and select "Properties". Highlight "Internet Protocol Version 4 (TCP/IPv4)" and click on the "Properties" button. On the "General" tab, ensure "Use the following IP address:" is selected and the "IP address:", "Subnet mask:", and "Default gateway:" are all populated. If the IPv4 protocol has not been configured to use a static IP address, subnet mask, and default gateway, this is a finding.

The McAfee MOVE AV SVM Settings policy must be configured to scan for potentially unwanted programs.

Finding ID
MV45-SVM-000005
Rule ID
SV-93277r1_rule
Severity
Cat II
CCE
(None)
Group Title
MV45-SVM-000005
CCI
CCI-001242
Target Key
(None)
Documentable
No
Discussion

Due to the ability of malware to mutate after infection, standard anti-virus signatures may not be able to catch new strains or variants of the malware. Typically, these strains and variants will share unique characteristics with others in their virus family. By using a generic signature to detect the shared characteristics, using wildcards where differences lie, the generic signature can detect viruses even if they are padded with extra, meaningless code. This method of detection is heuristic detection.

Fix Text

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "SVM Settings". Select each configured SVM Settings policy. Click "Show Advanced". Under "Scanning Options", select the "Enable scanning for potentially unwanted programs" check box. Click "Save".

Check Content

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "SVM Settings". Select each configured SVM Settings policy. Click "Show Advanced". Under "Scanning Options", verify the "Enable scanning for potentially unwanted programs" check box is selected. If the check box for "Enable scanning for potentially unwanted programs" is not selected, this is a finding.

The McAfee MOVE AV SVM Settings policy must be configured to scan for Multipurpose Internet Mail Extensions (MIME)-encoded files.

Finding ID
MV45-SVM-000006
Rule ID
SV-93279r1_rule
Severity
Cat II
CCE
(None)
Group Title
MV45-SVM-000006
CCI
CCI-001242
Target Key
(None)
Documentable
No
Discussion

Multipurpose Internet Mail Extensions (MIME)-encoded files can be crafted to hide a malicious payload. When the MIME-encoded file is presented to software that decodes MIME-encoded files, such as an email client, the malware is released. Scanning these files as part of the regularly scheduled scan tasks will mitigate this risk.
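Why a scanner has to decode MIME parts rather than pattern-match the raw message, as an added example that is not part of this STIG or of the McAfee product: the message, the attachment and the byte-string "signature" below are all constructed for the illustration using only the Python standard library `email` package.

```python
import email
from email import policy
from email.message import EmailMessage

# Constructed marker standing in for a scanner signature. Made up for this example.
SIGNATURE = b"CONSTRUCTED-TEST-MARKER"


def build_sample_message() -> bytes:
    """Build a constructed email whose binary attachment contains SIGNATURE.

    EmailMessage base64-encodes a non-text attachment, so the raw message
    bytes never contain SIGNATURE verbatim.
    """
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "invoice"
    msg.set_content("see attachment")
    msg.add_attachment(
        b"some bytes " + SIGNATURE + b" more bytes",
        maintype="application",
        subtype="octet-stream",
        filename="invoice.bin",
    )
    return msg.as_bytes()


def scan_raw(raw: bytes) -> bool:
    """Naive scan of the undecoded message; the encoding hides the payload."""
    return SIGNATURE in raw


def scan_decoded(raw: bytes) -> list:
    """Parse the MIME structure, decode every leaf part, and scan the decoded payload.

    Returns the filenames (or content types) of the parts that contain SIGNATURE.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        payload = part.get_payload(decode=True)  # reverses base64 / quoted-printable
        if payload and SIGNATURE in payload:
            hits.append(part.get_filename() or part.get_content_type())
    return hits


if __name__ == "__main__":
    raw = build_sample_message()
    print("raw scan hit:", scan_raw(raw))            # False: payload is base64-encoded
    print("decoded scan hits:", scan_decoded(raw))   # ['invoice.bin']
```

`scan_raw` misses the marker because base64 changes every byte of the attachment; `scan_decoded` walks the MIME tree and decodes each leaf part first, which is the behaviour the "scanning for MIME-encoded files" option asks the SVM to apply. The same decode-then-scan step is what an email client performs just before it hands the attachment to the user, so a scanner that skips it checks the message in a form that is never executed.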

Fix Text

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "SVM Settings". Select each configured SVM Settings policy. Click "Show Advanced". Under "Scanning Options", select the "Enabled scanning for MIME-encoded files" check box. Click "Save".

Check Content

Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "SVM Settings". Select each configured SVM Settings policy. Click "Show Advanced". Under "Scanning Options", verify the "Enabled scanning for MIME-encoded files" check box is selected. If the "Enabled scanning for MIME-encoded files" check box is not selected, this is a finding.

The McAfee MOVE AV SVM Settings policy must be configured to use McAfee Global Threat Intelligence file reputation with a sensitivity level of medium or higher.

Finding ID
MV45-SVM-000007
Rule ID
SV-93281r1_rule
Severity
Cat II
CCE
(None)
Group Title
MV45-SVM-000007
CCI
CCI-001242
Target Key
(None)
Documentable
No
Discussion

Anti-virus software vendors use collective intelligence from sensors and cross-vector intelligence from web, email, and network threats to compile scores that reflect the likelihood that a file in question is malware. The collective intelligence is constantly being updated, more frequently than the typical daily anti-virus signature files. File Reputation lookup therefore responds to potentially malicious code closer to real time than locally running anti-virus software alone can: when a file appears suspicious, the cloud-based database is queried and up-to-the-minute intelligence is returned. This type of protection reduces the threat protection time period from days to milliseconds, increases malware detection rates, and reduces downtime and remediation costs associated with malware attacks. Using File Reputation lookup is mandated by USCYBERCOM on DoD systems.

Fix Text

NOTE: This requirement is Not Applicable on the classified network. Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "SVM Settings". Select each configured SVM Settings policy. Click "Show Advanced". Under McAfee GTI, select the "Enable McAfee GTI" check box. Select "Medium" or higher for sensitivity level. Click "Save".

Check Content

NOTE: This requirement is Not Applicable on the classified network. Access the McAfee ePO console. Select Menu >> Policy >> Policy Catalog and then select "MOVE AntiVirus 4.5.0" from the Product list. From the Category list, select "SVM Settings". Select each configured SVM Settings policy. Click "Show Advanced". Under McAfee GTI, verify the "Enable McAfee GTI" check box is selected with a sensitivity level of "Medium" or higher. If the "Enable McAfee GTI" check box is not selected or sensitivity level is lower than "Medium", this is a finding.