{ "name": "stig_mcafee_move_2.6_multi-platform_oss", "date": "2015-10-05", "description": "The McAfee MOVE 2.6 Multi-Platform OSS STIG is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the NIST 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.", "title": "McAfee MOVE 2.6 Multi-Platform OSS STIG", "version": "1", "item_syntax": "^\\w-\\d+$", "section_separator": null, "items": [ { "id": "V-42964", "title": "The McAfee MOVE AV [Multi-Platform] Offload Scan Server must have McAfee VirusScan Enterprise 8.8 (or most current version) installed.", "description": "Organizations should deploy anti-virus software on all hosts for which satisfactory anti-virus software is available. Anti-virus software should be installed as soon after OS installation as possible and then updated with the latest signatures and anti-virus software patches (to eliminate any known vulnerabilities in the anti-virus software itself). To support the security of the host, the anti-virus software should be configured and maintained properly so it continues to be effective at detecting and stopping malware. Anti-virus software is most effective when its signatures are fully up-to-date. Accordingly, anti-virus software should be kept current with the latest signature and software updates to improve malware detection.", "severity": "high" }, { "id": "V-42965", "title": "The McAfee MOVE AV [Multi-Platform] Offload Scan Server packages policies must be configured with and managed by the HBSS ePO server.", "description": "Organizations should use centrally managed anti-virus software that is controlled and monitored regularly by anti-virus administrators, who are also typically responsible for acquiring, testing, approving, and delivering anti-virus signature and software updates throughout the organization. Users should not be able to disable or delete anti-virus software from their hosts, nor should they be able to alter critical settings. Anti-virus administrators should perform continuous monitoring to confirm that hosts are using current anti-virus software and that the software is configured properly. Implementing all of these recommendations should strongly support an organization in having a strong and consistent anti-virus deployment across the organization.", "severity": "medium" }, { "id": "V-42966", "title": "The McAfee MOVE AV [Multi-Platform] Offload Scan Server must be configured with a static IP address.", "description": "Security management devices must be configured to ensure consistent and uninterrupted connectivity to/from the systems it manages/controls. Otherwise, the security management device will be less than effective.", "severity": "medium" }, { "id": "V-42968", "title": "The McAfee MOVE AV [Multi-Platform] Offload Scan Server General policy must be configured to maintain a minimum of 7 log files before removing oldest log file.", "description": "Forensic identification is the practice of identifying infected hosts by looking for evidence of recent infections. The evidence may be very recent (only a few minutes old) or not so recent (hours or days old); the older the information is, the less accurate it is likely to be. The most obvious sources of evidence are those that are designed to identify malware activity, such as anti-virus software, content filtering (e.g., anti-spam measures), IPS, and SIEM technologies. The logs of security applications might contain detailed records of suspicious activity, and might also indicate whether a security compromise occurred or was prevented. While logging is imperative to forensic analysis, logs could grow to the point of impacting disk space on the system. In order to avoid the risk of logs growing to the size of impacting the operating system, the log size and number of log files will be restricted, but must also be large enough to retain forensic value.", "severity": "medium" }, { "id": "V-42971", "title": "The McAfee MOVE AV [Multi-Platform] Offload Scan Server General policy must be configured to rotate log files when they reach at least 10MB in size.", "description": "Forensic identification is the practice of identifying infected hosts by looking for evidence of recent infections. The evidence may be very recent (only a few minutes old) or not so recent (hours or days old); the older the information is, the less accurate it is likely to be. The most obvious sources of evidence are those that are designed to identify malware activity, such as anti-virus software, content filtering (e.g., anti-spam measures), IPS, and SIEM technologies. The logs of security applications might contain detailed records of suspicious activity, and might also indicate whether a security compromise occurred or was prevented. While logging is imperative to forensic analysis, logs could grow to the point of impacting disk space on the system. In order to avoid the risk of logs growing to the size of impacting the operating system, the log size and number of log files will be restricted, but must also be large enough to retain forensic value.", "severity": "medium" }, { "id": "V-42973", "title": "The McAfee MOVE AV [Multi-Platform] Offload Scan Server General policy Scan Settings must be configured to scan inside archive files.", "description": "Malware is often packaged within an archive. In addition, archives might have other archives within. Not scanning archive files introduces the risk of infected files being introduced into the environment.", "severity": "medium" }, { "id": "V-42974", "title": "The McAfee MOVE AV [Multi-Platform] Offload Scan Server General policy Scan Settings must be configured to scan for potentially unwanted programs.", "description": "Due to the ability of malware to mutate after infection, standard anti-virus signatures may not be able to catch new strains or variants of the malware. Typically, these strains and variants will share unique characteristics with others in their virus family. By using a generic signature to detect the shared characteristics, using wildcards where differences lie, the generic signature can detect viruses even if they are padded with extra, meaningless code. This method of detection is Heuristic detection.", "severity": "medium" }, { "id": "V-42976", "title": "The McAfee MOVE AV [Multi-Platform] Offload Scan Server General policy Scan Settings must be configured to scan for MIME-encoded files.", "description": "Multipurpose Internet Mail Extensions (MIME) encoded files can be crafted to hide a malicious payload. When the MIME encoded file is presented to software that decodes the MIME encoded files, such as an email client, the malware is released. Scanning these files as part of the regularly scheduled scans tasks will mitigate this risk.", "severity": "medium" }, { "id": "V-42977", "title": "The McAfee MOVE AV [Multi-Platform] Offload Scan Server General policy Scan Settings must be configured to use McAfee Global Threat Intelligence file reputation, with a sensitivity level of Medium or higher.", "description": "Anti-virus software vendors use collective intelligence from sensors and cross-vector intelligence from web, email, and network threats to compile scores that reflect the likelihood of whether a file in question is malware. The collective intelligence is constantly being updated, more frequently than the typical daily anti-virus signature files. With File Reputation lookup, a more real-time response to potential malicious code is realized than with the local-running anti-virus software, since by querying the cloud-based database when a file appears to be suspicious, up-to-the-minute intelligence is provided. This type of protection reduces the threat protection time period from days to milliseconds, increases malware detection rates, and reduces downtime and remediation costs associated with malware attacks. Using File Reputation lookup is mandated by US CYBERCOM on DoD systems.", "severity": "medium" }, { "id": "V-42978", "title": "The McAfee MOVE AV [Multi-Platform] Offload Scan Server General policy alerts must be configured to report all events to the Windows Event Log.", "description": "Forensic identification is the practice of identifying infected hosts by looking for evidence of recent infections. The evidence may be very recent (only a few minutes old) or not so recent (hours or days old); the older the information is, the less accurate it is likely to be. The most obvious sources of evidence are those that are designed to identify malware activity, such as anti-virus software, content filtering (e.g., anti-spam measures), IPS, and SIEM technologies. The logs of security applications might contain detailed records of suspicious activity, and might also indicate whether a security compromise occurred or was prevented.", "severity": "medium" }, { "id": "V-42979", "title": "The McAfee MOVE AV [Multi-Platform] Offload Scan Server General policy alerts must be configured to send all events to the HBSS ePO server.", "description": "Organizations should strive to detect and validate malware incidents rapidly to minimize the number of infected hosts and the amount of damage the organization sustains. Recommended actions include analyzing any suspected malware incident and validating that malware is the cause. This includes identifying characteristics of the malware activity by examining detection sources, such as anti-virus software, intrusion prevention systems, and security information and event management (SIEM) technologies and identifying which hosts are infected by the malware, so the hosts can undergo the appropriate containment, eradication, and recovery actions. By sending all events to a central location, the events can be correlated to determine extent of infection.", "severity": "medium" }, { "id": "V-42981", "title": "The McAfee MOVE AV [Multi-Platform] Offload Scan Server General policy On-Demand Scan must be configured with On-Demand scanning enabled.", "description": "Anti-virus software is the most commonly used technical control for malware threat mitigation. Anti-virus software on hosts should be configured to scan all hard drives and folders regularly to identify any file system infections and to scan any removable media, if applicable, before media is inserted into the system. Not scheduling a regular scan of the hard drives of a system and/or not configuring the scan to scan all files and running processes introduces a higher risk of threats going undetected.", "severity": "medium" }, { "id": "V-42982", "title": "The McAfee MOVE AV [Multi-Platform] Offload Scan Server General policy On-Demand Scan Client Scan interval must be set to no more than every seven days.", "description": "Anti-virus software is the mostly commonly used technical control for malware threat mitigation. Anti-virus software on hosts should be configured to scan all hard drives and folders regularly to identify any file system infections and to scan any removable media, if applicable, before media is inserted into the system. Not scheduling a regular scan of the hard drives of a system and/or not configuring the scan to scan all files and running processes introduces a higher risk of threats going undetected.", "severity": "medium" }, { "id": "V-42983", "title": "The McAfee VirusScan Enterprise Access Protection rules must be used for self-protection of the files and folder of Offload Scan Server configuration.", "description": "The VirusScan Enterprise Access Protection rules will defend files, services, and registry keys on the Offload Scan Server.", "severity": "high" }, { "id": "V-42986", "title": "The McAfee VirusScan Enterprise Access Protection rules must be used for self-protection of the registry keys of Offload Scan Server configuration.", "description": "The VirusScan Enterprise Access Protection rules will defend files, services, and registry keys on the Offload Scan Server.", "severity": "high" } ] }