Check: H36672
HBSS Host Intrusion Prevention: H36672 (in version v4 r13)
Title
(U//FOUO) The HIP policy must include the signature to prevent common programs from running files from the Temp folder (signature 2297). (Cat II impact)
Discussion
Check Content
(U//FOUO) Note: If a McAfee VirusScan Access Protection rule (DTAM145) is enabled to provide this same protection, this check is Not Applicable. This check should be completed on all systems.
From the ePO server console, select Menu > Systems > System Tree. Select the asset to be checked, then select "Assigned Policies", followed by "Host Intrusion Prevention 8: IPS" from the product list. From the "IPS Rules" category, select the "View Effective Policy" hyperlink. Select the "Signatures" tab.
Verify the signature “Access Protection – Prevent common programs from running files from the Temp folder” is present. In addition to the signature being present, the “Severity level” must be set to “High” and the signature action must be set to “Block”.
If the signature is not present or the properties are set incorrectly, this is a finding.
Fix Text
(U//FOUO) Install the “Access Protection – Prevent common programs from running files from the Temp folder” signature and set it as follows: “Severity level” must be set to “High” and the signature action must be set to “Block”.
Additional Identifiers
Rule ID: SV-75107r1_rule
Vulnerability ID: V-60665
Group Title:
Expert Comments
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |