McAfee VirusScan Access Protection: Common Standard Protection must be set to prevent modification of McAfee Scan Engine files and settings.

From McAfee VirusScan 8.8 Managed Client STIG

Part of DTAM143 - Access Protection prevent modification of McAfee scan engine

Associated with: CCI-001248

SV-55249r2_rule McAfee VirusScan Access Protection: Common Standard Protection must be set to prevent modification of McAfee Scan Engine files and settings.

Vulnerability discussion

Many malicious programs have attempted to disable VirusScan by stopping services and processes and leaving the system vulnerable to attack. Self-protection is an important feature of VSE that prevents malicious programs from disabling VirusScan or any of its services or processes. Many trojans and viruses will attempt to terminate or even delete security products. VSE's self-protection features protect VirusScan registry values and processes from being altered or deleted by malicious code. This rule protects the McAfee security product from modification by any process not listed in the policy's exclusion list.

Check content

Note: If the HIPS signature 3900 is enabled to provide this same protection, this check is not applicable. From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select the policy associated with the Access Protection Policies. Under the Access Protection tab, locate the "Access protection rules:" label. In the "Categories" box, select "Common Standard Protection". Ensure "Prevent modification of McAfee Scan Engine files and settings" (Block and Report) options are both selected. Criteria: If "Prevent modification of McAfee Scan Engine files and settings" (Block and Report) options are both selected, this is not a finding. Registry keys are not available for this setting. To validate from client side, Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. Under the Task column, select Access Protection, right-click, and select Properties. Under the Access Protection tab, locate the "Access protection rules:" label. In the "Categories" box, select "Common Standard Protection". Ensure "Prevent modification of McAfee Scan Engine files and settings" (Block and Report) options are both selected. Criteria: If "Prevent modification of McAfee Scan Engine files and settings" (Block and Report) options are both selected, this is not a finding.

Fix text

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select the policy associated with the Access Protection Policies. Under the Access Protection tab, locate the "Access protection rules:" label. In the "Categories" box, select "Common Standard Protection". Select both "Prevent modification of McAfee Scan Engine files and settings" (Block and Report) options. Select Save.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer