Check: H36670
HBSS Host Intrusion Prevention:
H36670
(in version v4 r13)
Title
(U//FOUO) The HIP policy must include the signature to block users from executing Anonymizer applications (signature 7005). (Cat II impact)
Discussion
Check Content
(U//FOUO) This check should be completed on all systems. From the ePO server console, select Menu > Systems > System Tree. Select the asset to be checked, then select "Assigned Policies", followed by "Host Intrusion Prevention 8:IPS" from the product list. From the "IPS Rules" category, select the "View Effective Policy" hyperlink. Select the "Signatures" tab. Verify the signature “DISA - McAfee - Prevent Anonymizer Programs” is present. In addition to the signature being present, the “Severity level” must be set to “High”, “Log status” must be set to "Enable logging", and the “Allow creation of client rules” setting must be disabled. If the signature is not present or the properties are set incorrectly, this is a finding. Additional information on the signature can be found at: https://www.cybercom.smil.mil/J3/HBSS/default.aspx Note: If H36400 is a finding, this check should also be considered a finding.
Fix Text
(U//FOUO) Install the "DISA - McAfee - Prevent Anonymizer Programs" signature and set it as follows: “Severity level” set to “High”, “Log status” set to "Enable logging", and the “Allow creation of client rules” setting is disabled.
Additional Identifiers
Rule ID: SV-69917r2_rule
Vulnerability ID: V-55663
Group Title:
Expert Comments
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |