Check: ENS-TP-000202
Trellix ENS 10.x Local Client STIG:
ENS-TP-000202
(in versions v2 r3 through v1 r6)
Title
(U) The Trellix ENS Threat Prevention Options must be configured to enable AMCore Content Reputation when performing Proactive Data Analysis. (Cat II impact)
Discussion
(U) Trellix Global Threat Intelligence (GTI) is a global internet reputation intelligence system that determines what is good and bad behavior on the internet. Trellix GTI uses real-time analysis of worldwide behavioral and sending patterns for email, web activity, malware, and system-to-system behavior. Using data collected from the analysis, GTI dynamically calculates reputation scores that represent the level of risk to a network. AMCore Content Reputation performs a Trellix GTI reputation lookup on the AMCore content file before updating the client system. If Trellix GTI allows the file, Endpoint Security updates AMCore content. If Trellix GTI does not allow the file, Endpoint Security does not update the AMCore content.
Check Content
(U) Note: For standalone systems not connected to a network, this check can be marked Not Applicable. For Classified networks, this requirement is Not Applicable. In the system tray, right-click the Trellix icon and select "Trellix Endpoint Security". Click the drop-down in the upper right corner of the "Trellix Endpoint Security" window and select "Settings". (This may require Administrator logon.) In the "Settings" pop-up, click "Threat Prevention" on the left side. Click the "Show Advanced" button. Verify "Proactive Data Analysis: AMCore Content Reputation" is selected. If "Proactive Data Analysis: AMCore Content Reputation" is not selected, this is a finding.
Fix Text
(U) In the system tray, right-click the Trellix icon and select "Trellix Endpoint Security". Click the drop-down in the upper right corner of the "Trellix Endpoint Security" window and select "Settings". (This may require Administrator logon.) In the "Settings" pop-up, click "Threat Prevention" on the left side. Click the "Show Advanced" button. Enable "Proactive Data Analysis: AMCore Content Reputation".
Additional Identifiers
Rule ID: SV-252786r1026124_rule
Vulnerability ID: V-252786
Group Title: SRG-APP-000278
CCIs
| Number | Definition |
|---|---|
| CCI-001242 | The organization configures malicious code protection mechanisms to perform real-time scans of files from external sources at endpoints as the files are downloaded, opened, or executed in accordance with organizational security policy. |
| CCI-002624 | Configure malicious code protection mechanisms to perform real-time scans of files from external sources at endpoint; and/or network entry and exit points as the files are downloaded, opened, or executed in accordance with organizational policy. |
Controls
| Number | Title |
|---|---|
| SI-3 | Malicious Code Protection |