Free DISA STIG and SRG Library | Vaulted

McAfee VSEL 1.9/2.0 Managed Client Security Technical Implementation Guide

Version 1 Release 2
2016-04-22
U_McAfee_VSEL_1-9_2-0_Managed_Client_STIG_V1R2_Manual-xccdf.xml
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.

Vulnerabilities (38)

The anti-virus signature file age must not exceed 7 days.

Finding ID
DTAVSEL-001
Rule ID
SV-77283r1_rule
Severity
Cat I
CCE
(None)
Group Title
SRG-APP-000276
CCI
CCI-001240
Target Key
(None)
Documentable
No
Discussion

Anti-virus signature files are updated almost daily by anti-virus software vendors. These files are made available to anti-virus clients as they are published. Keeping virus signature files as current as possible is vital to the security of any system. By configuring a system to attempt an anti-virus update on a daily basis, the system is ensured of maintaining an anti-virus signature age of 7 days or less. If the update attempt were to be configured for only once a week, and that attempt failed, the system would be immediately out of date.

Fix Text

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Tasks on a Single System. On the Client Tasks page, click on Actions >> New Client Task Assignment. On the Client Task Assignment Builder page, under the "Product" section, select "McAfee Agent". Under the "Task Type" section, select "Product Update". Under the "Task Name" section, click on "Create New Task". Type a unique name for the "Task Name". For "Package selection:", select the "All packages" radio button. Click "Save". Or Select the "Selected packages" radio button. For the "Package types:" section, select the "DAT" check box and the "Linux Engine" check box under the "Signatures and engines:" section. Click "Save". On the Client Task Assignment Builder page, under the "Task Name" section, select the task just created. Click on "Next" to schedule the task. For "Schedule status:", select the radio button for "Enabled". For "Schedule type:", choose "Daily". Schedule the "Effective period:", "Start time:" and other options according to best practices. Click "Next" to view Summary. Click "Save".

Check Content

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. On the System Information page, select the "Products" tab. Under the "Product" section, select "VirusScan Enterprise for Linux". Scroll down. Locate the DAT Date and DAT Version. Verify the "DAT Date:" is within the last 7 days. If the "DAT Date:" is not within the last 7 days, this is a finding.

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x must be configured to receive automatic updates.

Finding ID
DTAVSEL-002
Rule ID
SV-77487r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000276
CCI
CCI-001240
Target Key
(None)
Documentable
No
Discussion

Anti-virus signature files are updated almost daily by anti-virus software vendors. These files are made available to anti-virus clients as they are published. Keeping virus signature files as current as possible is vital to the security of any system. The anti-virus software product must be configured to receive those updates automatically in order to afford the expected protection.

Fix Text

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Tasks on a Single System. On the Client Tasks page, click on Actions >> New Client Task Assignment. On the Client Task Assignment Builder page, under the "Product" section, select "McAfee Agent". Under the "Task Type" section, select "Product Update". Under the "Task Name" section, click on "Create New Task". Type a unique name for the "Task Name". For "Package selection:", select the "All packages" radio button. Click "Save". Or Select the "Selected packages" radio button. For the "Package types:" section, select the "DAT" check box and the "Linux Engine" check box under the "Signatures and engines:" section. Click "Save". On the Client Task Assignment Builder, under the "Task Name" section, select the task just created. Click on "Next" to schedule the task. For "Schedule status:", select the radio button for "Enabled". For "Schedule type:", choose "Daily". Schedule the "Effective period:", "Start time:" and other options according to best practices. Click Next to view Summary. Click "Save".

Check Content

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Tasks on a Single System. From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the VirusScan DAT update task. Verify the "Task Type" is listed as "Product Update". Verify the "Status" is listed as "Enabled". Under the "Task Name" column, click on the link for the designated task to review the task properties. Next to the "Package selection:", verify the "All packages" radio button is selected. If the "Selected packages" radio button is selected, verify the check box for "DAT" and the check box for "Linux Engine" have been selected for "Signatures and engines:" under the "Package types:" section. If there is not a task designated as the regularly scheduled DAT Update task, this is a finding. If there exists a task designated as the regularly scheduled DAT Update task, but neither the "All packages" nor the "DAT" selection under the "Package types: Signatures and engines:" section is selected, this is a finding.

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x must be configured to enable On-Access scanning.

Finding ID
DTAVSEL-003
Rule ID
SV-77489r1_rule
Severity
Cat I
CCE
(None)
Group Title
SRG-APP-000279
CCI
CCI-001243
Target Key
(None)
Documentable
No
Discussion

For anti-virus software to be effective, it must be running at all times, beginning from the point of the system's initial startup. Otherwise, the risk is greater for viruses, Trojans, and other malware infecting the system during that startup phase.

Fix Text

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.x/2.0.x". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "General" tab, next to the "On-access Scan:", select the check box for "Enable on-access scanning (takes effect when policies are enforced)". In the "Quarantine Directory:" field, enter "/quarantine" (or another valid location as determined by the organization).

Check Content

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.x/2.0.x". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "General" tab, next to the "On-access Scan:", verify the check box for "Enable on-access scanning (takes effect when policies are enforced)" is selected. Verify the "Quarantine Directory:" field is populated with "/quarantine" (or another valid location as determined by the organization). If the check box for "Enable on-access scanning (takes effect when policies are enforced)" is not selected, this is a finding. If the "Quarantine Directory:" field is not populated, this is a finding.

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to decompress archives when scanning.

Finding ID
DTAVSEL-004
Rule ID
SV-77491r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000279
CCI
CCI-001243
Target Key
(None)
Documentable
No
Discussion

Malware is often packaged within an archive. In addition, archives may have other archives within. Not scanning archive files introduces the risk of infected files being introduced into the environment.

Fix Text

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.x/2.0.x". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Advanced" tab, next to the "Compressed files", select the check box for "Scan inside multiple-file archives (e.g., .ZIP)". Click "Save".

Check Content

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.x/2.0.x". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Advanced" tab, next to the "Compressed files", verify the check box for "Scan inside multiple-file archives (e.g., .ZIP)" is selected. If the check box for "Compressed files: Scan inside multiple-file archives (e.g., .ZIP)" is not selected, this is a finding. SECURITY OVERRIDE: If the check box for "Compressed files: Scan inside multiple-file archives (e.g., .ZIP)" is not selected but the On-Demand scan decompress of archives is configured in the regularly scheduled scan, as specified in STIG ID DTAVSEL-101, this is a finding but can be dropped to a CAT III.

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to find unknown program viruses.

Finding ID
DTAVSEL-005
Rule ID
SV-77493r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000279
CCI
CCI-001243
Target Key
(None)
Documentable
No
Discussion

Due to the ability of malware to mutate after infection, standard anti-virus signatures may not be able to catch new strains or variants of the malware. Typically, these strains and variants will share unique characteristics with others in their virus family. By using a generic signature to detect the shared characteristics, using wildcards where differences lie, the generic signature can detect viruses even if they are padded with extra, meaningless code. This method of detection is Heuristic detection.

Fix Text

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.x/2.0.x". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Advanced" tab, next to "Heuristics:", select the check box for "Find unknown program viruses".

Check Content

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.x/2.0.x". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Advanced" tab, next to "Heuristics:", verify the check box for "Find unknown program viruses" is selected. If the check box for "Heuristics: Find unknown program viruses" is not selected, this is a finding.

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to find unknown macro viruses.

Finding ID
DTAVSEL-006
Rule ID
SV-77495r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000279
CCI
CCI-001243
Target Key
(None)
Documentable
No
Discussion

Interpreted viruses are executed by an application. Within this subcategory, macro viruses take advantage of the capabilities of applications' macro programming language to infect application documents and document templates, while scripting viruses infect scripts that are understood by scripting languages processed by services on the OS. Many attackers use toolkits containing several different types of utilities and scripts that can be used to probe and attack hosts. Scanning for unknown macro viruses will mitigate zero-day attacks.

Fix Text

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.x/2.0.x". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Advanced" tab, next to "Heuristics:", select the check box for "Find unknown macro viruses".

Check Content

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.x/2.0.x". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Advanced" tab, next to "Heuristics:", verify the check box for "Find unknown macro viruses" is selected. If the check box for "Heuristics: Find unknown macro viruses" is not selected, this is a finding.

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to find potentially unwanted programs.

Finding ID
DTAVSEL-007
Rule ID
SV-77497r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000279
CCI
CCI-001243
Target Key
(None)
Documentable
No
Discussion

Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attach mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attach mechanisms. Configuring the anti-virus software to attempt to clean the file first will allow for the possibility of a false positive. In most cases, however, the secondary action of quarantine will be used, mitigating the risk of the PUPs being installed and used maliciously.

Fix Text

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.x/2.0.x". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Advanced" tab, next to "Non-viruses:", select the check box for "Find potentially unwanted programs". Select the check box for "Find joke programs". Click "Save".

Check Content

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.x/2.0.x". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Advanced" tab, next to "Non-viruses:", verify the check box for "Find potentially unwanted programs" is selected. Verify the check box for "Find joke programs" is selected. If the check box for "Non-viruses: Find potentially unwanted programs" is not selected, this is a finding. If the check box for "Find joke programs" is not selected, this is a finding.

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to scan files when being written to disk.

Finding ID
DTAVSEL-008
Rule ID
SV-77499r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000279
CCI
CCI-001243
Target Key
(None)
Documentable
No
Discussion

Anti-virus software is the most commonly used technical control for malware threat mitigation. Real-time scanning of files as they are written to disk is a crucial first line of defense from malware attacks.

Fix Text

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.x/2.0.x". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Detections" tab, next to "Scan files:", select the check box for "When writing to disk".

Check Content

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.x/2.0.x". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Detections" tab, next to "Scan files:", verify the check box for "When writing to disk" is selected. If the check box for "Scan files: When writing to disk" is not selected, this is a finding.

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to scan files when being read from disk.

Finding ID
DTAVSEL-009
Rule ID
SV-77501r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000279
CCI
CCI-001243
Target Key
(None)
Documentable
No
Discussion

Anti-virus software is the most commonly used technical control for malware threat mitigation. Real-time scanning of files as they are read from disk is a crucial first line of defense from malware attacks.

Fix Text

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.x/2.0.x". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Detections" tab, next to "Scan files:", select the check box for "When reading from disk". Click "Save".

Check Content

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.x/2.0.x". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Detections" tab, next to "Scan files:", verify the check box for "When reading from disk" is selected. If the check box for "Scan files: When reading from disk" is not selected, this is a finding.

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to scan all file types.

Finding ID
DTAVSEL-010
Rule ID
SV-77503r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000279
CCI
CCI-001243
Target Key
(None)
Documentable
No
Discussion

When scanning for malware, excluding specific file types will increase the risk of a malware-infected file going undetected. By configuring anti-virus software to scan all file types, the scanner has a higher success rate at detecting and eradicating malware.

Fix Text

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.x/2.0.x". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Detections" tab, next to "What to scan:", select the radio button for "All files". Click "Save".

Check Content

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.x/2.0.x". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Detections" tab, next to "What to scan:", verify the radio button for "All files" is selected. If the radio button for "What to scan: All files" is not selected, this is a finding.

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner maximum scan time must not be less than 45 seconds.

Finding ID
DTAVSEL-011
Rule ID
SV-77505r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000279
CCI
CCI-001243
Target Key
(None)
Documentable
No
Discussion

When anti-virus software is not configured to limit the amount of time spent trying to scan a file, the total effectiveness of the anti-virus software, and performance on the system being scanned, will be degraded. By limiting the amount of time the anti-virus software uses when scanning a file, the scan will be able to complete in a timely manner.

Fix Text

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.x/2.0.x". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "General" tab, next to "Maximum Scan Time:", select the check box for "Enforce maximum scanning time for all files". Configure the "Maximum scan time (seconds):" to 45 or more. Click "Save".

Check Content

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.x/2.0.x". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "General" tab, next to "Maximum Scan Time:", verify the check box for "Enforce maximum scanning time for all files" has been selected. Verify the "Maximum scan time (seconds):" is configured to 45 or more. If the check box for "Maximum Scan Time: Enforce maximum scanning time for all files" is not selected, this is a finding. If the "Maximum Scan Time (seconds):" is not configured to 45 or more, this is a finding. If both the "Maximum Scan Time:" setting for "Enforce maximum scanning time for all files" has a check in the check box and the "Maximum Scan Time:" setting for "Maximum scan time (seconds):" is configured to 45 or more, this is not a finding.

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must only be configured with exclusions which are documented and approved by the ISSO/ISSM/AO.

Finding ID
DTAVSEL-012
Rule ID
SV-77507r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000279
CCI
CCI-001243
Target Key
(None)
Documentable
No
Discussion

When scanning for malware, excluding specific files will increase the risk of a malware-infected file going undetected. By configuring anti-virus software without any exclusions, the scanner has a higher success rate at detecting and eradicating malware.

Fix Text

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.x/2.0.x". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Detections" tab, next to "What not to scan:", verify the only entries for the "Select files and directories to be excluded from virus scanning" field are those below: Under "Paths Excluded From Scanning", remove all entries other than the below listed of approved exclusions. Any additional required exclusions must be documented by the System Administrator and approved by the ISSO/ISSM. /var/log /_admin/Manage_NSS /mnt/system/log /media/nss/.*/(\._NETWARE|\._ADMIN) /.*\.(vmdk|VMDK|dbl|DBL|ctl|CTL|log|LOG|jar|JAR|war|WAR|dtx|DTX|dbf|DBF|frm| FRM|myd|MYD|myi|MYI|rdo|RDO|arc|ARC) /cgroup /dev /proc /selinux /sys

Check Content

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.x/2.0.x". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Detections" tab, next to "What not to scan:", verify the only entries for the "Select files and directories to be excluded from virus scanning" field are those below: Under "Paths Excluded From Scanning", verify no entries exist other than the following: /var/log /_admin/Manage_NSS /mnt/system/log /media/nss/.*/(\._NETWARE|\._ADMIN) /.*\.(vmdk|VMDK|dbl|DBL|ctl|CTL|log|LOG|jar|JAR|war|WAR|dtx|DTX|dbf|DBF|frm|FRM|myd|MYD|myi|MYI|rdo|RDO|arc|ARC) /cgroup /dev /proc /selinux /sys If any entries other than the above paths are present in the "What not to scan:" setting for the "Select files and directories to be excluded from virus scanning" field, verify the exclusion of those files and directories has been formally documented by the System Administrator and has been approved by the ISSO/ISSM. If any entries other than the default "/var/log" are present in the "What not to scan:" setting for the "Select files and directories to be excluded from virus scanning" field, and those files and directories have not been formally documented by the System Administrator and approved by the ISSO/ISSM, this is a finding. If any entries other than the default "/var/log" are present in the "What not to scan:" setting for the "Select files and directories to be excluded from virus scanning" field, and those files and directories have been formally documented by the System Administrator and approved by the ISSO/ISSM, this is not a finding.

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to Clean infected files automatically as first action when a virus or Trojan is detected.

Finding ID
DTAVSEL-013
Rule ID
SV-77509r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000279
CCI
CCI-001243
Target Key
(None)
Documentable
No
Discussion

Malware may have infected a file that is necessary to the user. By configuring the anti-virus software to first attempt cleaning the infected file, availability to the file is not sacrificed. If a cleaning attempt is not successful, however, deleting the file is the only safe option to ensure the malware is not introduced onto the system or network.

Fix Text

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.x/2.0.x". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Actions" tab, next to "When Viruses and Trojans are found:", select the radio button for "Clean infected files automatically". Click "Save".

Check Content

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.x/2.0.x". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Actions" tab, next to "When Viruses and Trojans are found:", verify the radio button for "Clean infected files automatically" is selected. If, next to "When Viruses and Trojans are found:", the radio button for "Clean infected files automatically" is not selected, this is a finding.

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to Move infected files to the quarantine directory if first action fails when a virus or Trojan is detected.

Finding ID
DTAVSEL-014
Rule ID
SV-77511r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000279
CCI
CCI-001243
Target Key
(None)
Documentable
No
Discussion

Malware may have infected a file that is necessary to the user. By configuring the anti-virus software to first attempt cleaning the infected file, availability to the file is not sacrificed. If a cleaning attempt is not successful, however, deleting the file is the only safe option to ensure the malware is not introduced onto the system or network.

Fix Text

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.x/2.0.x". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Actions" tab, under the "When Viruses and Trojans are found:", next to "If the above action fails:", select the radio button for "Move infected files to the quarantine directory". Click "Save".

Check Content

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.x/2.0.x". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Actions" tab, under the "When Viruses and Trojans are found:", next to "If the above action fails:", verify the "Move infected files to the quarantine directory" radio button is selected. If, next to "If the above action fails:", the radio button for "Move infected files to the quarantine directory" is not selected, this is a finding.

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to Clean infected files automatically as first action when programs and jokes are found.

Finding ID
DTAVSEL-015
Rule ID
SV-77513r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000279
CCI
CCI-001243
Target Key
(None)
Documentable
No
Discussion

Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attach mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attach mechanisms. Configuring the anti-virus software to attempt to clean the file first will allow for the possibility of a false positive. In most cases, however, the secondary action of quarantine will be used, mitigating the risk of the PUPs being installed and used maliciously.

Fix Text

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.x/2.0.x". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Actions" tab, next to "When Programs & Jokes are found:", select the radio button for "Clean infected files automatically". Click "Save".

Check Content

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.x/2.0.x". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Actions" tab, next to "When Programs & Jokes are found:", verify the radio button for "Clean infected files automatically" is selected. If, next to "When Programs & Jokes are found:", the radio button for "Clean infected files automatically" is not selected, this is a finding.

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to Move infected files to the quarantine directory if first action fails when programs and jokes are found.

Finding ID
DTAVSEL-016
Rule ID
SV-77515r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000279
CCI
CCI-001243
Target Key
(None)
Documentable
No
Discussion

Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attach mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attach mechanisms. Configuring the anti-virus software to attempt to clean the file first will allow for the possibility of a false positive. In most cases, however, the secondary action of quarantine will be used, mitigating the risk of the PUPs being installed and used maliciously.

Fix Text

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.x/2.0.x". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Actions" tab, under the "When Programs & Jokes are found:", next to "If the above action fails:", select the radio button for "Move infected files to the quarantine directory". Click "Save".

Check Content

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.x/2.0.x". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Actions" tab, under the "When Programs & Jokes are found:", next to "If the above action fails:", verify the "Move infected files to the quarantine directory" radio button is selected. If, under the "When Programs & Jokes are found:", next to "If the above action fails:", the radio button for "Move infected files to the quarantine directory" is not selected, this is a finding.

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to deny access to the file if scanning fails.

Finding ID
DTAVSEL-017
Rule ID
SV-77517r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000279
CCI
CCI-001243
Target Key
(None)
Documentable
No
Discussion

Anti-virus software is the most commonly used technical control for malware threat mitigation. Real-time scanning of files as they are read from disk is a crucial first line of defense from malware attacks.

Fix Text

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.x/2.0.x". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Actions" tab, select the "If scanning fails:" "Deny access to the file" radio button is selected. Click "Save".

Check Content

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.x/2.0.x". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Actions" tab, verify the "If scanning fails:" "Deny access to the file" radio button is selected. If the "If scanning fails: Deny access to the file" radio button is not selected, this is a finding.

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be configured to allow access to files if scanning times out.

Finding ID
DTAVSEL-018
Rule ID
SV-77519r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000279
CCI
CCI-001243
Target Key
(None)
Documentable
No
Discussion

Anti-virus software is the most commonly used technical control for malware threat mitigation. Real-time scanning of files as they are read from disk is a crucial first line of defense from malware attacks.

Fix Text

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.x/2.0.x". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Actions" tab, select the "If scanning times out: Allow access to the file" radio button. Click "Save".

Check Content

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.x/2.0.x". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Actions" tab, verify the "If scanning times out: Allow access to the file" radio button is selected. If the "If scanning times out: Allow access to the file" radio button is not selected, this is a finding.

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Access scanner must be enabled to scan mounted volumes when mounted volumes point to a network server without an anti-virus solution installed.

Finding ID
DTAVSEL-019
Rule ID
SV-77521r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000278
CCI
CCI-001242
Target Key
(None)
Documentable
No
Discussion

Mounting network volumes to other network systems introduces a path for malware to be introduced. It is imperative to protect Linux systems from malware introduced from those other network systems by either ensuring the remote systems are protected or by scanning files from those systems when they are accessed.

Fix Text

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.x/2.0.x". From the "Policy" column, click on the policy for the "On-Access Scanning Policy". In the "Detections" tab, next to "Scan files:", select the check box for "On network mounted volume". Click "Apply".

Check Content

With the System Administrator's assistance, determine network mounted volumes on the Linux system being reviewed. If network mounted volumes are mounted, verify whether anti-virus protection is locally installed on, and configured to protect, the network servers to which the mounted volumes connect. If all network servers to which mounted volumes connect are protected by locally installed and configured anti-virus protection, this check for the Linux system being reviewed is Not Applicable. If no network mounted volumes are configured on the Linux system being reviewed, this check is Not Applicable. If mounted volumes exist on the Linux system being reviewed which are connecting to network servers which lack locally installed and configured anti-virus protection, this check must be validated. From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.x/2.0.x". From the "Policy" column, click on the policy for the "On-Access Scanning Policy" In the "Detections" tab, next to "Scan files:", verify the check box for "On network mounted volumes" is selected. If the check box for "On network mounted volumes" is not selected, this is a finding.

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x must be configured to run a scheduled On-Demand scan at least once a week.

Finding ID
DTAVSEL-100
Rule ID
SV-77523r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000277
CCI
CCI-001241
Target Key
(None)
Documentable
No
Discussion

Anti-virus software is the most commonly used technical control for malware threat mitigation. Real-time scanning of files as they are read from disk is a crucial first line of defense from malware attacks but to ensure all files are frequently scanned, a regularly scheduled full scan will ensure malware missed by the real-time scanning will be detected and mitigated.

Fix Text

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Create a New Client Task to run a regularly schedule On Demand scan at least weekly, with the following selected: In the "Advanced" tab, next to the Heuristics, select the check box for "Find unknown program viruses". In the "Advanced" tab, next to the Compressed files, select the check box for "Scan inside multiple-file archives (e.g. .ZIP)". In the "Advanced" tab, next to "Heuristics:", select the check box for "Find unknown macro viruses". In the "Advanced" tab, next to "Non-viruses:", select the check box for "Find potentially unwanted programs". In the "Advanced" tab, select the check box for "Disable client Web UI:". In the "Advanced" tab, next to the Compressed files, select the check box for "Decode MIME encoded files:". In the "Where" tab, select the "Specify where scanning will take place" field is populated with all local drives. In the "Detection" tab, next to "What to scan:", select the radio button for "All files". In the "Actions" tab, next to "When Viruses and Trojans are found:", select the radio button for "Clean infected files automatically". In the "Actions" tab, next to "When Programs & Jokes are found:", select the radio button for "Clean infected files automatically". In the "Actions" tab, next to "When Programs & Jokes are found: If the above action fails:", select the radio button for "Move infected files to the quarantine directory". Click "Save".

Check Content

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Tasks on a Single System. From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task. If a weekly On Demand scan client task does not exist, this is a finding. For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan". Verify the "Status" is listed as "Enabled". If the task designated as the regularly scheduled On Demand Scan, next to the Compressed files, the check box for "Scan inside multiple-file archives (e.g., .ZIP)" is not selected, this is a finding.

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to decompress archives when scanning.

Finding ID
DTAVSEL-101
Rule ID
SV-77525r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000277
CCI
CCI-001241
Target Key
(None)
Documentable
No
Discussion

Malware is often packaged within an archive. In addition, archives might have other archives within. Not scanning archive files introduces the risk of infected files being introduced into the environment.

Fix Text

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. If a task does not exist for the regularly scheduled weekly scan, create a New Client Task to run an On Demand scan at least weekly. Click on Actions >> Agent >> Modify Tasks on a Single System. From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task. Under the "Task Name" column, click on the link for the designated task to review the task properties. In the "Advanced" tab, next to the Compressed files, select the check box for "Scan inside multiple-file archives (e.g., .ZIP)". Click "Save".

Check Content

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Tasks on a Single System. From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task. If a weekly On Demand scan client task does not exist, this is a finding. For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan". Verify the "Status" is listed as "Enabled". Under the "Task Name" column, click on the link for the designated task to review the task properties. In the "Advanced" tab, next to the Compressed files, verify the check box for "Scan inside multiple-file archives (e.g. .ZIP)" has been selected. If the task designated as the regularly scheduled On Demand Scan, next to the Compressed files, the check box for "Scan inside multiple-file archives (e.g., .ZIP)" is not selected, this is a finding.

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to find unknown program viruses.

Finding ID
DTAVSEL-102
Rule ID
SV-77527r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000277
CCI
CCI-001241
Target Key
(None)
Documentable
No
Discussion

Due to the ability of malware to mutate after infection, standard anti-virus signatures may not be able to catch new strains or variants of the malware. Typically, these strains and variants will share unique characteristics with others in their virus family. By using a generic signature to detect the shared characteristics, using wildcards where differences lie, the generic signature can detect viruses even if they are padded with extra, meaningless code. This method of detection is Heuristic detection.

Fix Text

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. If a task does not exist for the regularly scheduled weekly scan, create a New Client Task to run an On Demand scan at least weekly. Click on Actions >> Agent >> Modify Tasks on a Single System. From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task. For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan". Under the "Task Name" column, click on the link for the designated task to review the task properties. In the "Advanced" tab, next to the Heuristics, select the check box for "Find unknown program viruses". Click "Save".

Check Content

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Tasks on a Single System. From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task. If a weekly On Demand scan client task does not exist, this is a finding. For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan". Verify the "Status" is listed as "Enabled". Under the "Task Name" column, click on the link for the designated task to review the task properties. In the "Advanced" tab, next to the Heuristics, verify the check box for "Find unknown program viruses" has been selected. If the task designated as the regularly scheduled On Demand Scan, next to the Heuristics, the check box for "Find unknown program viruses" has not been selected, this is a finding.

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to find unknown macro viruses.

Finding ID
DTAVSEL-103
Rule ID
SV-77529r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000277
CCI
CCI-001241
Target Key
(None)
Documentable
No
Discussion

Interpreted viruses are executed by an application. Within this subcategory, macro viruses take advantage of the capabilities of applications' macro programming language to infect application documents and document templates, while scripting viruses infect scripts that are understood by scripting languages processed by services on the OS. Many attackers use toolkits containing several different types of utilities and scripts that can be used to probe and attack hosts. Scanning for unknown macro viruses will mitigate zero-day attacks.

Fix Text

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. If a task does not exist for the regularly scheduled weekly scan, create a New Client Task to run an On Demand scan at least weekly. Click on Actions >> Agent >> Modify Tasks on a Single System. From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task. For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan". Under the "Task Name" column, click on the link for the designated task to review the task properties. In the "Advanced" tab, next to "Heuristics:", select the check box for "Find unknown macro viruses". Click "Save".

Check Content

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Tasks on a Single System. From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task. If a weekly On Demand scan client task does not exist, this is a finding. For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan". Verify the "Status" is listed as "Enabled". Under the "Task Name" column, click on the link for the designated task to review the task properties. In the "Advanced" tab, next to "Heuristics:", verify the check box for "Find unknown macro viruses" is selected. If the check box for "Heuristics: Find unknown macro program viruses" is not selected, this is a finding.

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to find potentially unwanted programs.

Finding ID
DTAVSEL-104
Rule ID
SV-77531r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000277
CCI
CCI-001241
Target Key
(None)
Documentable
No
Discussion

Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attach mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attach mechanisms. Configuring the anti-virus software to attempt to clean the file first will allow for the possibility of a false positive. In most cases, however, the secondary action of quarantine will be used, mitigating the risk of the PUPs being installed and used maliciously.

Fix Text

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. If a task does not exist for the regularly scheduled weekly scan, create a New Client Task to run an On Demand scan at least weekly. Click on Actions >> Agent >> Modify Tasks on a Single System. From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task. For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan". Under the "Task Name" column, click on the link for the designated task to review the task properties. In the "Advanced" tab, next to "Non-viruses:", select the check box for "Find potentially unwanted programs". Select the check box for "Find joke programs". Click "Save".

Check Content

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Tasks on a Single System. From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task. If a weekly On Demand scan client task does not exist, this is a finding. For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan". Verify the "Status" is listed as "Enabled". Under the "Task Name" column, click on the link for the designated task to review the task properties. In the "Advanced" tab, next to "Non-viruses:", verify the check box for "Find potentially unwanted programs" is selected. Select the check box for "Find joke programs". If the check box for "Non-viruses: Find potentially unwanted programs" is not selected, this is a finding. If the check box for "Find joke programs" is not selected, this is a finding.

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to scan all file types.

Finding ID
DTAVSEL-105
Rule ID
SV-77533r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000277
CCI
CCI-001241
Target Key
(None)
Documentable
No
Discussion

When scanning for malware, excluding specific file types will increase the risk of a malware-infected file going undetected. By configuring anti-virus software to scan all file types, the scanner has a higher success rate at detecting and eradicating malware.

Fix Text

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. If a task does not exist for the regularly scheduled weekly scan, create a New Client Task to run an On Demand scan at least weekly. Click on Actions >> Agent >> Modify Tasks on a Single System. From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task. For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan". Under the "Task Name" column, click on the link for the designated task to review the task properties. In the "Detection" tab, next to "What to scan:", select the radio button for "All files". Click "Save".

Check Content

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Tasks on a Single System. From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task. If a weekly On Demand scan client task does not exist, this is a finding. For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan". Verify the "Status" is listed as "Enabled". Under the "Task Name" column, click on the link for the designated task to review the task properties. In the "Detection" tab, next to "What to scan:", verify the radio button for "All files" is selected. If the radio button for "What to scan: All files" is not selected, this is a finding.

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to Clean infected files automatically as first action when a virus or Trojan is detected.

Finding ID
DTAVSEL-106
Rule ID
SV-77535r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000277
CCI
CCI-001241
Target Key
(None)
Documentable
No
Discussion

Malware may have infected a file that is necessary to the user. By configuring the anti-virus software to first attempt cleaning the infected file, availability to the file is not sacrificed. If a cleaning attempt is not successful, however, deleting the file is the only safe option to ensure the malware is not introduced onto the system or network.

Fix Text

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. If a task does not exist for the regularly scheduled weekly scan, create a New Client Task to run an On Demand scan at least weekly. Click on Actions >> Agent >> Modify Tasks on a Single System. From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task. For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan". Under the "Task Name" column, click on the link for the designated task to review the task properties. In the "Actions" tab, next to "When Viruses and Trojans are found:", select the radio button for "Clean infected files automatically". Click "Save".

Check Content

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Tasks on a Single System. From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task. If a weekly On Demand scan client task does not exist, this is a finding. For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan". Verify the "Status" is listed as "Enabled". Under the "Task Name" column, click on the link for the designated task to review the task properties. In the "Actions" tab, next to "When Viruses and Trojans are found:", verify the radio button for "Clean infected files automatically" is selected. If the radio button for "When Viruses and Trojans are found: Clean infected files automatically" is not selected, this is a finding.

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to Move infected files to the quarantine directory if first action fails when a virus or Trojan is detected.

Finding ID
DTAVSEL-107
Rule ID
SV-77537r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000277
CCI
CCI-001241
Target Key
(None)
Documentable
No
Discussion

Malware may have infected a file that is necessary to the user. By configuring the anti-virus software to first attempt cleaning the infected file, availability to the file is not sacrificed. If a cleaning attempt is not successful, however, deleting the file is the only safe option to ensure the malware is not introduced onto the system or network.

Fix Text

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. If a task does not exist for the regularly scheduled weekly scan, create a New Client Task to run an On Demand scan at least weekly. Click on Actions >> Agent >> Modify Tasks on a Single System. From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task. For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan". Under the "Task Name" column, click on the link for the designated task to review the task properties. In the "Actions" tab, under the "When Viruses and Trojans are found:", next to "If the above action fails:", select the radio button for "Move infected files to the quarantine directory". Populate the "Quarantine Directory:" field with "/quarantine" (or another valid location as determined by the organization). Click "Save".

Check Content

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Tasks on a Single System. From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task. If a weekly On Demand scan client task does not exist, this is a finding. For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan". Verify the "Status" is listed as "Enabled". Under the "Task Name" column, click on the link for the designated task to review the task properties. In the "Actions" tab, under the "When Viruses and Trojans are found:", next to "If the above action fails:", verify the radio button for "Move infected files to the quarantine directory" is selected. Verify the "Quarantine Directory:" field is populated with "/quarantine" (or another valid location as determined by the organization). If the radio button for "If the above action fails: Move infected files to the quarantine directory" is not selected, this is a finding. If the "Quarantine Directory:" field is not populated, this is a finding.

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must only be configured with exclusions which are documented and approved by the ISSO/ISSM/AO.

Finding ID
DTAVSEL-108
Rule ID
SV-77539r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000277
CCI
CCI-001241
Target Key
(None)
Documentable
No
Discussion

When scanning for malware, excluding specific files will increase the risk of a malware-infected file going undetected. By configuring anti-virus software without any exclusions, the scanner has a higher success rate at detecting and eradicating malware.

Fix Text

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. If a task does not exist for the regularly scheduled weekly scan, create a New Client Task to run an On Demand scan at least weekly. Click on Actions >> Agent >> Modify Tasks on a Single System. From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task. For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan". Under the "Task Name" column, click on the link for the designated task to review the task properties. In the "Detection" tab, next to "What not to scan:", remove any entries from the "What not to scan:" section for which there has not been ISSO/ISSM approval. Click "Save".

Check Content

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Tasks on a Single System. From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task. If a weekly On Demand scan client task does not exist, this is a finding. For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan". Verify the "Status" is listed as "Enabled". Under the "Task Name" column, click on the link for the designated task to review the task properties. In the "Detection" tab, next to "What not to scan:", verify no entries exist other than the following approved paths: /var/log /_admin/Manage_NSS /mnt/system/log /media/nss/.*/(\._NETWARE|\._ADMIN) /.*\.(vmdk|VMDK|dbl|DBL|ctl|CTL|log|LOG|jar|JAR|war|WAR|dtx|DTX|dbf|DBF|frm| FRM|myd|MYD|myi|MYI|rdo|RDO|arc|ARC) /cgroup /dev /proc /selinux /sys If any entries exist, verify the exclusion of those files and directories has been documented by the System Administrator and approved by the ISSO/ISSM.

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x Web UI must be disabled.

Finding ID
DTAVSEL-109
Rule ID
SV-77541r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000141
CCI
CCI-000381
Target Key
(None)
Documentable
No
Discussion

If the Web UI was left enabled, the system to which the VSEL has been installed would be vulnerable for Web attacks. Disabling the Web UI will prevent the system from listening on HTTP.

Fix Text

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.x/2.0.x". From the "Policy" column, click on the policy for the "General Policies". In the "Advanced" tab, select the check box for "Disable client Web UI:". Click "Save".

Check Content

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Policies on a Single System. From the "Product:" drop-down list, select "VirusScan Enterprise for Linux 1.9.x/2.0.x". From the "Policy" column, click on the policy for the "General Policies". In the "Advanced" tab, verify the check box for "Disable client Web UI:" is selected. If the check box for "Disable client Web UI:" is not selected, this is a finding.

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to Clean infected files automatically as first action when programs and jokes are found.

Finding ID
DTAVSEL-110
Rule ID
SV-77543r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000277
CCI
CCI-001241
Target Key
(None)
Documentable
No
Discussion

Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attach mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attach mechanisms. Configuring the anti-virus software to attempt to clean the file first will allow for the possibility of a false positive. In most cases, however, the secondary action of quarantine will be used, mitigating the risk of the PUPs being installed and used maliciously.

Fix Text

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Tasks on a Single System. From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task. For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan". Under the "Task Name" column, click on the link for the designated task to review the task properties. In the "Actions" tab, next to "When Programs & Jokes are found:", select the radio button for "Clean infected files automatically". Click "Save".

Check Content

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Tasks on a Single System. From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task. If a weekly On Demand scan client task does not exist, this is a finding. For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan". Verify the "Status" is listed as "Enabled". Under the "Task Name" column, click on the link for the designated task to review the task properties. In the "Actions" tab, next to "When Programs & Jokes are found:", verify the radio button for "Clean infected files automatically" is selected. If the radio button for "When Programs & Jokes are found: Clean infected files automatically" is not selected, this is a finding.

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to Move infected files to the quarantine directory if first action fails when programs and jokes are found.

Finding ID
DTAVSEL-111
Rule ID
SV-77545r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000277
CCI
CCI-001241
Target Key
(None)
Documentable
No
Discussion

Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attach mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attach mechanisms. Configuring the anti-virus software to attempt to clean the file first will allow for the possibility of a false positive. In most cases, however, the secondary action of quarantine will be used, mitigating the risk of the PUPs being installed and used maliciously.

Fix Text

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Tasks on a Single System. From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task. For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan". Under the "Task Name" column, click on the link for the designated task to review the task properties. In the "Actions" tab, for "When Programs & Jokes are found: If the above action fails:", select the radio button for "Move infected files to the quarantine directory" is selected. Populate the "Quarantine Directory:" field with "/quarantine" (or another valid location as determined by the organization). Click "Save".

Check Content

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Tasks on a Single System. From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task. If a weekly On Demand scan client task does not exist, this is a finding. For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan". Verify the "Status" is listed as "Enabled". Under the "Task Name" column, click on the link for the designated task to review the task properties. In the "Actions" tab, for "When Programs & Jokes are found: If the above action fails:", verify the radio button for "Move infected files to the quarantine directory" is selected. Verify the "Quarantine Directory:" field is populated with "/quarantine" (or another valid location as determined by the organization). If the radio button for "When Programs & Jokes are found: If the above action fails: Move infected files to the quarantine directory" is not selected, this is a finding. If the "Quarantine Directory:" field is not populated with "/quarantine" (or another valid location as determined by the organization), this is a finding.

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to decode MIME encoded files.

Finding ID
DTAVSEL-112
Rule ID
SV-77547r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000277
CCI
CCI-001241
Target Key
(None)
Documentable
No
Discussion

Malware is often packaged within an archive. In addition, archives might have other archives within. Not scanning archive files introduces the risk of infected files being introduced into the environment.

Fix Text

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Tasks on a Single System. From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task. Under the "Task Name" column, click on the link for the designated task to review the task properties. In the "Advanced" tab, next to the Compressed files, select the check box for "Decode MIME encoded files:". Click "Save".

Check Content

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Tasks on a Single System. From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task. If a weekly On Demand scan client task does not exist, this is a finding. For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan". Verify the "Status" is listed as "Enabled". Under the "Task Name" column, click on the link for the designated task to review the task properties. In the "Advanced" tab, next to the Compressed files, verify the check box for "Decode MIME encoded files:" has been selected. If the task designated as the regularly scheduled On Demand Scan, next to the Compressed files, the check box for "Decode MIME encoded files:" is not selected, this is a finding.

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scanner must be configured to include all local drives and their sub-directories.

Finding ID
DTAVSEL-113
Rule ID
SV-77549r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000277
CCI
CCI-001241
Target Key
(None)
Documentable
No
Discussion

When scanning for malware, excluding specific file types will increase the risk of a malware-infected file going undetected. By configuring anti-virus software to scan all file types, the scanner has a higher success rate at detecting and eradicating malware.

Fix Text

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Tasks on a Single System. From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task. For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan". Under the "Task Name" column, click on the link for the designated task to review the task properties. In the "Where" tab, populate the "Specify where scanning will take place" field with "/". Next to "Scan options", select the check box for "Include sub-directories". Click "Save".

Check Content

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Tasks on a Single System. From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task. If a weekly On Demand scan client task does not exist, this is a finding. For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan". Verify the "Status" is listed as "Enabled". Under the "Task Name" column, click on the link for the designated task to review the task properties. In the "Where" tab, verify the "Specify where scanning will take place" field is populated with all local drives. Next to "Scan options", verify the check box for "Include sub-directories" is selected. If the "Specify where scanning will take place" field is not populated with all local drives, this is a finding. If the "Include sub-directories" is not selected, this is a finding.

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x On-Demand scan must be configured to scan mounted volumes when mounted volumes point to a network server without an anti-virus solution installed.

Finding ID
DTAVSEL-114
Rule ID
SV-77551r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000278
CCI
CCI-001242
Target Key
(None)
Documentable
No
Discussion

Removable media such as CD/DVDs allow a path for malware to be introduced to a Linux System. It is imperative to protect Linux systems from malware introduced from removable media by ensuring they are scanned before use.

Fix Text

From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Tasks on a Single System. From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task. If a weekly On Demand scan client task does not exist, this is a finding. For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan". Verify the "Status" is listed as "Enabled". Under the "Task Name" column, click on the link for the designated task to review the task properties. In the "Where" tab, in the "Specify where scanning will take place", verify the all otherwise unprotected network servers to which this Linux system has mounted volumes is included.

Check Content

With the System Administrator's assistance, determine network mounted volumes on the Linux system being reviewed. If network mounted volumes are mounted, verify whether anti-virus protection is locally installed and configured to protect the network servers to which the mounted volumes connect. If all network servers to which mounted volumes connect are protected by locally installed and configured anti-virus protection, this check for the Linux system being reviewed is Not Applicable. If no network mounted volumes are configured on the Linux system being reviewed, this check is Not Applicable. If mounted volumes exist on the Linux system being reviewed which are connecting to network servers which lack locally installed and configured anti-virus protection, this check must be validated. From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the Linux system being reviewed. Click on the system to open the System Information page. Click on Actions >> Agent >> Modify Tasks on a Single System. From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly On Demand scan client task. If a weekly On Demand scan client task does not exist, this is a finding. For the designated weekly On Demand scan client task, verify the "Task Type" is listed as "On Demand Scan". Verify the "Status" is listed as "Enabled". Under the "Task Name" column, click on the link for the designated task to review the task properties. In the "Where" tab, in the "Specify where scanning will take place", verify all otherwise unprotected network servers to which this Linux system has mounted volumes have been included. If the "Specify where scanning will take place" does not have all otherwise unprotected network servers to which this Linux system has mounted volumes included, this is a finding.

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x must scan all media used for system maintenance prior to use.

Finding ID
DTAVSEL-200
Rule ID
SV-77553r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000073
CCI
CCI-000870
Target Key
(None)
Documentable
No
Discussion

Removable media such as CD/DVDs allow a path for malware to be introduced to a Linux System. It is imperative to protect Linux systems from malware introduced from removable media by ensuring they are scanned before use.

Fix Text

Create procedures, or add to existing system administration procedures, which require the scanning of all media used for system maintenance before media is used.

Check Content

Consult with the System Administrator of the Linux system being reviewed. Verify procedures are documented which require the manual scanning of all media used for system maintenance before media is used. If a procedure is not documented requiring the manual scanning of all media used for system maintenance before media is used, this is a finding.

The McAfee VirusScan Enterprise for Linux 1.9.x/2.0.x must be configured to receive all patches, service packs and updates from a DoD-managed source.

Finding ID
DTAVSEL-201
Rule ID
SV-77555r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000131
CCI
CCI-001749
Target Key
(None)
Documentable
No
Discussion

Anti-virus signature files are updated almost daily by anti-virus software vendors. These files are made available to anti-virus clients as they are published. Keeping virus signature files as current as possible is vital to the security of any system. The anti-virus software product must be configured to receive those updates automatically in order to afford the expected protection. While obtaining updates, patches, service packs and updates from the vendor are timelier, the possibility of corruption or malware being introduced to the system is higher. By obtaining these from an official DoD source and/or downloading them to a separate system first and validating them before making them available to systems, the possibility of malware being introduced is mitigated.

Fix Text

Configure the ePO server to use the DoD-controlled source repository.

Check Content

Log into the ePO server console. From Menu, select Configuration >> Server Settings. From Setting Categories, select Source Sites. Verify the DoD-controlled entry (mcafee.csd.disa.mil) for source repositories is present. If the DoD-controlled entry for source sites is not present, this is a finding. Note: If this is a disconnected network, this requirement can be met via the use of a manual distribution. The process must be documented and meet the requirements for frequency as defined in this document. Note: If the ePO server is outside of the .mil address space (such as, .edu, .gov, etc.), connection to the DoD-controlled servers for updates will not be possible. In this case, updates from the vendor are acceptable and this check should be marked NA.

The nails user and nailsgroup group must be restricted to the least privilege access required for the intended role.

Finding ID
DTAVSEL-202
Rule ID
SV-77557r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000340
CCI
CCI-002235
Target Key
(None)
Documentable
No
Discussion

The McAfee VirusScan Enterprise for Linux software runs its processes under the nails user, which is part of the nailsgroup group. The WEB GUI is also accessed using the nails user. Ensuring this account only has access to the required functions necessary for its intended role will mitigate the possibility of the nails user/nailsgroup group from being used to perform malicious destruction to the system in the event of a compromise.

Fix Text

Access the Linux system console command line as root. Navigate to each path to which the nails user or nailsgroup group has unnecessary permissions/ownership. Using the chmod command, reduce or remove permissions for the nails user. Using the chown command to remove ownership by the nails user or nailsgroup group.

Check Content

Access the Linux system console command line as root. Execute the following commands. This command will pipe the results to text files for easier review. find / -group nailsgroup >nailsgroup.txt find / -user nails >nails.txt Execute the following commands to individually review each of the text files of results, pressing space bar to move to each page until the end of the exported text. more nailsgroup.txt more nails.txt When reviewing the results, verify the nailsgroup group and nails user only own the following paths. The following paths assume an INSTALLDIR of /opt/NAI/LinuxShield and a RUNTIMEDIR of /var/opt/NAI/LinuxShield. If alternative folders were used, replace the following paths accordingly when validating. /var/opt/NAI and sub-folders /opt/NAI and sub-folders /McAfee/lib /var/spool/mail/nails /proc/##### (where ##### represents the various process IDs for the VSEL processes.) If any other folder is owned by either the nailsgroup group or the nails user, this is a finding.

A notification mechanism or process must be in place to notify Administrators of out of date DAT, detected malware and error codes.

Finding ID
DTAVSEL-205
Rule ID
SV-77559r2_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000276
CCI
CCI-001240
Target Key
(None)
Documentable
No
Discussion

Failure of anti-virus signature updates will eventually render the software to be useless in protecting the Linux system from malware. Administration notification for failed updates, via SMTP, will ensure timely remediation of errors causing DATs to not be updated.

Fix Text

Configure Automatic Response to capture all required event descriptions and to send email notifications to the System Administrator(s).

Check Content

The preferred method for notification is via ePO Automatic Responses using SMTP. Consult with the System Administrator to determine whether ePO Automatic Responses are configured or whether some other notification mechanism (i.e., regular manual review of reports)is used. If ePO Automatic Responses are not configured, some other notification mechanism must be configured. For ePO Automatic Response using SMTP: Log onto the ePO server console. From Menu, select Automation >> Automatic Responses. With the assistance of the System Administrator, determine the Automatic Responses configured for this requirement. Click on Edit to review each of the designated Automatic Responses. Automatic Responses must be configured for the following Event Descriptions, at a minimum, with a response of "Send Email" to System Administrator(s). The DAT version was not new enough. Boot record infection clean error. Buffer overflow detected and NOT blocked. Centralized Alerting-Scan reported an internal application error. Centralized Alerting-Scan reports general system error. Centralized Alerting-Scan reports memory allocation error. File infected. Delete failed, quarantine failed. If Automatic Response is not configured to detect the minimum Event Descriptions and/or is not configured to send an email notification to the System Administrator(s) or some other mechanism is not used to provide this notification to System Administrators, this is a finding.