Trellix ENS 10.x STIG
Trellix ENS 10.x Security Technical Implementation Guide. Version v2 r5, released Oct. 27, 2021.
ENS-TP-000221: (U) The Trellix ENS On-Demand Full Scan must be scheduled to be executed at least on a weekly basis.
(U) Access the ePO server console. Select "Assigned Client Tasks". From the list of available tasks in the "Task Name" column, with the assistance of the ePO SA, identify the weekly on-demand scan task with a Task Type of "Policy Based On-Demand Scan". Verify the status is "Enabled". Select "Edit Assignment" in the "Actions" column. In the "Task to Schedule:" area, verify the Product is "Endpoint Security Threat Prevention" and the Task Type is "Policy based on-demand scan". Select the "Summary" tab. Locate the "Schedule:" label. Ensure the Status is "Enabled" and the Type is at least "Weekly". If the "Scheduled Status:" is "Enabled" and the "Schedule Type:" is at least "Weekly", this is not a finding.
Discussion
(U) Antivirus software is the most commonly used technical control for malware threat mitigation. Antivirus software on hosts should be configured to scan all hard drives regularly to identify any file system infections and to scan any removable media, if applicable, before media is inserted into the system. Not scheduling a regular scan of a system's hard drives and/or not configuring the scan to scan all files and running processes introduces a higher risk of threats going undetected.
Fix
(U) Access the ePO server console. Select "Assigned Client Tasks". Create a Threat Prevention >> "On-Demand Scan" task configured to execute at least "weekly". Apply the task to all managed assets.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ENS-TP-000238: (U) The McAfee ENS Threat Prevention Access Protection Rules must be configured to block common programs from running from the Temp folder.
(U) NOTE: If the HIPS signatures 7010 and 7035 are enabled to provide this same protection, this check is Not Applicable. NOTE: This requirement is Not Applicable to Linux systems. Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "Access Protection". Select each configured "Access Protection" policy. Verify Access Protection >> Rules >> Running files from common user folders by common programs is configured to "block". If Access Protection >> Rules >> Running files from common user folders by common programs is not configured to "block", this is a finding.
Discussion
(U) This rule will block common programs from running from the Temp directory; however, this rule is much more restrictive in that it stops nearly all processes from launching in the Temp folder. Most viruses need to be run once by a person before infecting a computer. This can be done in many ways, such as opening an executable attachment in an email or downloading a program from the Internet. An executable needs to exist on the disk before Windows can run it. A common way for applications to achieve this is to save the file in the user's or system's Temp directory and then run it. One purpose of this rule is to enforce advice that is frequently given to users: Do not open attachments from email. The other purpose of this rule is to close security holes introduced by application bugs. Older versions of Outlook and Internet Explorer are notorious for automatically executing code without the user needing to do anything but preview an email or view a website.
Fix
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "Access Protection". Select each configured Access Protection policy. Configure Access Protection >> Rules >> Running files from common user folders by common programs to "block". Click "Save".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ENS-TP-000233: (U) The Trellix ENS Threat Prevention On-Demand Scan Actions Threat detection If first response fails must be configured to delete files.
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "On-Demand Scan". Select each configured On-Demand Scan policy. Verify "Delete files" is selected for Actions >> "Threat detection If first response fails". If "Delete files" is not selected for the Action "Threat detection If first response fails", this is a finding.
Discussion
(U) Malware may have infected a file that is necessary to the user. By configuring the antivirus software to first attempt cleaning the infected file, availability of the file is not sacrificed. If a cleaning attempt is not successful, however, deleting the file is the only safe option to ensure the malware is not introduced onto the system or network.
Fix
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "On-Demand Scan". Select each configured On-Demand Scan policy. Select "Delete files" for Actions >> "Threat detection If first response fails". Click "Save".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ENS-CO-000101: (U) The McAfee ENS Common Options must be configured with Lock Client Interface or Standard Access with a password other than default.
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Common". From the "Category" list, select "Options". Select each configured Options policy. Verify the Client Interface Mode >> "Standard Access (Windows & Mac only)" or "Lock Client Interface (Windows & Mac only)" is selected. Verify the password and confirm password fields have dots all the way across. If the default password was not changed, the dots would not appear in the password fields. If Client Interface Mode >> "Standard Access (Windows & Mac only)" or "Lock Client Interface (Windows & Mac only)" is not selected or the password fields do not show dots, this is a finding.
Discussion
(U) The client interface is a method for accessing and configuring McAfee ENS policies and configurations directly on the system. In "Standard" mode, most protection statuses and features are accessible to users with Administrator privileges and require a password to view or change settings. In "Standard" mode, users without Administrator privileges will have the ability to get information about the McAfee products installed, check for updates, view the event log, get help, and access the FAQ and support pages. Non-administrators can't view or change configuration settings on the Settings page. The "Lock client interface" mode requires a password to access the client. Once the password is entered, all users have access to the whole interface. If the client interface is not in the locked mode, users could potentially change the protection settings.
Fix
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Common". From the "Category" list, select "Options". Select each configured Options policy. Select Client Interface Mode >> "Standard Access (Windows & Mac only)" or "Lock Client Interface (Windows & Mac only)". Click "Save".
Rating Info
DISA Cat I. NIST impact 4.
Expert Comment
None
ENS-TP-000217: (U) The Trellix ENS Threat Prevention On-Access Process Settings Actions must be configured to clean files as Threat detection first response.
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "On-Access Scan". Select each configured On-Access Scan policy. Click the "Show Advanced" button. Verify "Clean files" is selected for Process Settings >> Actions >> "Threat detection first response". If "Clean files" is not selected for the Action "Threat detection first response", this is a finding.
Discussion
(U) Malware may have infected a file that is necessary to the user. By configuring the antivirus software to first attempt cleaning the infected file, availability of the file is not sacrificed. If a cleaning attempt is not successful, however, deleting the file is the only safe option to ensure the malware is not introduced onto the system or network.
Fix
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "On-Access Scan". Select each configured On-Access Scan policy. Click the "Show Advanced" button. Select "Clean files" for Process Settings >> Actions >> "Threat detection first response". Click "Save".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ENS-TP-000245: (U) The McAfee ENS Threat Prevention On-Demand Scan Global Threat Intelligence (GTI) sensitivity level must be configured.
(U) NOTE: This requirement is Not Applicable on Classified/SIPRNet or otherwise closed networks. Access the ePO server console. From the ePO server console, select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "On-Demand Scan". Select each configured On-Demand Scan policy. Verify McAfee GTI Sensitivity Level is set to Medium. If the McAfee GTI Sensitivity Level is not set to Medium, this is a finding.
Discussion
(U) The McAfee ENS Threat Prevention On-Demand Scan Global Threat Intelligence (GTI) sensitivity level must be configured.
Fix
(U) From the ePO server console, select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "On-Demand Scan". Select each configured On-Demand Scan policy. Set the McAfee GTI Sensitivity Level to Medium. Click "Save".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ENS-TP-000203: (U) The Trellix ENS Threat Prevention On-Access Scan must be enabled.
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "On-Access Scan". Select each configured On-Access Scan policy. Verify the On-Access Scan >> "Enable On-Access Scan" check box is selected. If the On-Access Scan >> "Enable On-Access Scan" check box is not selected, this is a finding.
Discussion
(U) For antivirus software to be effective, it must be running at all times, beginning from the point of the system's initial startup. Otherwise, the risk is greater for viruses, trojans, and other malware to infect the system during that startup phase.
Fix
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "On-Access Scan". Select each configured On-Access Scan policy. Select the On-Access Scan >> "Enable On-Access Scan" check box. Click "Save".
Rating Info
DISA Cat I. NIST impact 4.
Expert Comment
None
ENS-TP-000244: (U) The Trellix ENS Threat Prevention On-Access Process Settings must not be configured to exclude any files from being scanned unless exclusions have been documented with and approved by the ISSO/ISSM/AO.
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "On-Access Scan". Select each configured On-Access Scan policy. Click the "Show Advanced" button. If Process Settings >> Process Types:Exclusions is populated with any exclusions, the configuration must be documented and risk analyzed and approved by the ISSO, ISSM, or AO. If Process Settings >> Process Types:Exclusions is populated with any exclusions and the configuration is not documented with risk analyzed and approved by the ISSO, ISSM, or AO, this is a finding.
Discussion
(U) When scanning for malware, excluding specific files will increase the risk of a malware-infected file going undetected. By configuring antivirus software without any exclusions, the scanner has a higher success rate at detecting and eradicating malware. Due to the "Let Trellix decide" configuration, exclusions are typically not necessary. Thoughtful vetting and testing should precede configuring exclusions.
Fix
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "On-Access Scan". Select each configured On-Access Scan policy. Click the "Show Advanced" button. Remove any exclusions under Process Settings >> Process Types:Exclusions, or document the configuration with risk analyzed and approved by the ISSO, ISSM, or AO. Click "Save".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ENS-CO-000107: (U) The McAfee ENS Common Options must be configured to send events to McAfee ePO.
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Common". From the "Category" list, select "Options". Select each configured Options policy. Click the "Show Advanced" button. Verify Client Logging >> Event Logging >> "Send events to McAfee ePO" is selected. If Client Logging >> Event Logging >> "Send events to McAfee ePO" is not selected, this is a finding.
Discussion
(U) Logging is imperative to forensic analysis. Logging directly to the local Windows or syslogs of managed clients allows for system-specific analysis. But in order to conduct forensic analysis from a site or enterprise perspective, the events must be sent to the ePO server for consolidation with events from other managed systems.
Fix
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Common". From the "Category" list, select "Options". Select each configured Options policy. Click the "Show Advanced" button. Select the Client Logging >> Event Logging >> "Send events to McAfee ePO" option. Click "Save".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ENS-FW-000001: (CUI) The ENS Firewall must be enabled with intrusion alerts.
(CUI) NOTE: If McAfee ENS Firewall is being used for host-based Firewall protection, this requirement is applicable and must be met. If the OPORD 16-0080 FRAGO 6 has been released and it is still in the implementation period, this is Not a Finding if configured as per the FRAGO steps of implementation. If McAfee Host Intrusion Prevention Firewall is being used for host-based Firewall protection, this check is Not Applicable. Access the ePO server console. Select Menu >> Policy >> Policy Catalog and then select "Endpoint Security Firewall" from the Product list. From the Category list, select "Options", select the policy, and then verify "Protection Options" is set to "Enable firewall intrusion alerts". If the Protection Options is not set to "Enable firewall intrusion alerts", this is a finding.
Discussion
(CUI) A host-based firewall scans all incoming and outgoing traffic. As it reviews arriving or departing traffic, the Firewall checks its list of rules, which is a set of criteria with associated actions. If the traffic matches all criteria in a rule, the Firewall acts according to the rule, blocking or allowing traffic through. A host-based firewall adds another layer of protection to prevent unauthorized traffic from reaching or leaving the system. To be effective, it must be enabled and properly configured.
Fix
(CUI) Access the ePO server console. Select Menu >> Policy >> Policy Catalog and then select "Endpoint Security Firewall" from the Product list. From the Category list, select "Options" and for "Protection Options" select "Enable firewall intrusion alerts". Click "Save".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ENS-TP-000226: (U) The Trellix ENS Threat Prevention On-Demand Scan must be configured to detect unknown program threats.
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "On-Demand Scan". Select each configured On-Demand Scan policy. Verify Additional Scan Options >> "Detect unknown program threats" is selected. If Additional Scan Options >> "Detect unknown program threats" is not selected, this is a finding.
Discussion
(U) Due to the ability of malware to mutate after infection, standard antivirus signatures may not be able to catch new strains or variants of the malware. Typically, these strains and variants will share unique characteristics with others in their virus family. By using a generic signature to detect the shared characteristics, using wildcards where differences lie, the generic signature can detect viruses even if they are padded with extra meaningless code. This method of detection is known as heuristic detection.
Fix
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "On-Demand Scan". Select each configured On-Demand Scan policy. Select the Additional Scan Options >> "Detect unknown program threats" option. Click "Save".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ENS-TP-000242: (U) The Trellix ENS Threat Prevention Access Protection must be configured to enable access protection.
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "Access Protection". Select each configured Access Protection policy. Verify Access Protection >> "Enable Access Protection" is selected. If Access Protection >> "Enable Access Protection" is not selected, this is a finding.
Discussion
(U) Access Protection rules are configured to protect endpoint systems from unwanted changes. Rules can be configured to disallow, for example, browsers launching files from the download location, or changes to registry keys, executable files, etc. Without Access Protection rules, malware has the opportunity to make changes to the system and take control.
Fix
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "Access Protection". Select each configured Access Protection policy. Select the Access Protection >> "Enable Access Protection" option. Click "Save".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ENS-TP-000232: (U) The Trellix ENS Threat Prevention On-Demand Scan Actions Threat detection first response must be configured to clean files.
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "On-Demand Scan". Select each configured On-Demand Scan policy. Verify "Clean files" is selected for Actions >> "Threat detection first response". If "Clean files" is not selected for the Action "Threat detection first response", this is a finding.
Discussion
(U) Malware may have infected a file that is necessary to the user. By configuring the antivirus software to first attempt cleaning the infected file, availability of the file is not sacrificed. If a cleaning attempt is not successful, however, deleting the file is the only safe option to ensure the malware is not introduced onto the system or network.
Fix
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "On-Demand Scan". Select each configured On-Demand Scan policy. Select "Clean files" for Actions >> "Threat detection first response". Click "Save".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ENS-TP-000207: (U) The Trellix ENS Threat Prevention On-Access Scan must be configured to disable the scan of trusted installers.
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "On-Access Scan". Select each configured On-Access Scan policy. Verify On-Access Scan >> "Scan trusted installers" is not selected. If On-Access Scan >> "Scan trusted installers" is selected, this is a finding.
Discussion
(U) Trusted installers are MSI files installed by msiexec.exe and signed by Trellix or Microsoft. Disabling the real-time scan of these files is a low risk and the performance gain is relatively great.
Fix
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "On-Access Scan". Select each configured On-Access Scan policy. Deselect the On-Access Scan >> "Scan trusted installers" option. Click "Save".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ENS-EP-000003: (U) The ENS Windows Data Execution Prevention must be enabled.
(U) NOTE: If McAfee ENS is being used for Host Intrusion Prevention, this requirement is applicable and must be met. If McAfee Host Intrusion Prevention is still being used for this protection, this check is Not Applicable. If the OPORD 16-0080 FRAGO 6 has been released and it is still in the implementation period, this is Not a Finding if configured per the FRAGO steps of implementation. Access the ePO server console. Select Menu >> Policy >> Policy Catalog and then select "Endpoint Protection Threat Prevention" from the Product list. From the Category list, select "Exploit Prevention". Select each configured "Exploit Prevention" policy. Verify the Threat Prevention >> Exploit Prevention >> "Enable Windows Data Execution Prevention" check box is selected. If the Threat Prevention >> Exploit Prevention >> "Enable Windows Data Execution Prevention" check box is not selected, this is a finding.
Discussion
(U) For antivirus software to be effective, it must be running at all times, beginning from the point of the system's initial startup. Otherwise, the risk is greater for viruses, trojans, and other malware to infect the system during that startup phase.
Fix
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog and then select "Endpoint Protection Threat Prevention" from the Product list. From the Category list, select "Exploit Prevention". Select each configured "Exploit Prevention" policy. Select the check box for the Threat Prevention >> Exploit Prevention >> "Enable Windows Data Execution Prevention". Click "Save".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ENS-TP-000223: (U) The Trellix ENS Threat Prevention On-Demand Scan must be configured to decode Multipurpose Internet Mail Extensions (MIME) encoded files.
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "On-Demand Scan". Select each configured On-Demand Scan policy. Verify What to Scan >> "Compressed MIME-encoded files" is selected. If What to Scan >> "Compressed MIME-encoded files" is not selected, this is a finding.
Discussion
(U) MIME encoded files can be crafted to hide a malicious payload. When the MIME encoded file is presented to software that decodes MIME encoded files, such as an email client, the malware is released. Scanning these files as part of the regularly scheduled scan tasks will mitigate this risk.
Fix
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "On-Demand Scan". Select each configured On-Demand Scan policy. Select the What to Scan >> "Compressed MIME-encoded files" option. Click "Save".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ENS-TP-000200: (U) The McAfee ENS Threat Prevention Options must be configured to enable McAfee GTI feedback when performing Proactive Data Analysis.
(U) NOTE: For Classified networks, this requirement is Not Applicable. Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "Options". Select each configured Options policy. Click the "Show Advanced" button. Verify "Proactive Data Analysis:McAfee GTI feedback" is selected. If "Proactive Data Analysis:McAfee GTI feedback" is not selected, this is a finding.
Discussion
(U) McAfee GTI is a global Internet reputation intelligence system that determines what is good and bad behavior on the Internet. McAfee GTI uses real-time analysis of worldwide behavioral and sending patterns for email, web activity, malware, and system-to-system behavior. Using data collected from the analysis, GTI dynamically calculates reputation scores that represent the level of risk to a network. McAfee GTI Proactive Data Analysis sends anonymous diagnostic and usage data to McAfee. GTI feedback enables McAfee GTI-based telemetry feedback to collect anonymized data on files and processes executing on the endpoint system.
Fix
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "Options". Select each configured Options policy. Click the "Show Advanced" button. Select the "Proactive Data Analysis:McAfee GTI feedback" option. Click "Save".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ENS-TP-000220: (U) The Trellix ENS Threat Prevention On-Access Scan Actions must be configured to delete files for the action Unwanted program first response fails.
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "On-Access Scan". Select each configured On-Access Scan policy. Click the "Show Advanced" button. Verify "Delete files" is selected for Process Settings >> Actions >> "Unwanted program If first response fails". If "Delete files" is not selected for the Action "Unwanted program If first response fails", this is a finding.
Discussion
(U) Due to the ability of malware to mutate after infection, standard antivirus signatures may not be able to catch new strains or variants of the malware. Typically, these strains and variants will share unique characteristics with others in their virus family. By using a generic signature to detect the shared characteristics, using wildcards where differences lie, the generic signature can detect viruses even if they are padded with extra meaningless code. This method of detection is heuristic detection.
Fix
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "On-Access Scan". Select each configured On-Access Scan policy. Click the "Show Advanced" button. Select "Delete files" for Process Settings >> Actions >> "Unwanted program If first response fails". Click "Save".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ENS-TP-000208: (U) The Trellix ENS Threat Prevention On-Access Scan must be configured to scan when copying from network folders and removable drives.
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "On-Access Scan". Select each configured On-Access Scan policy. Verify On-Access Scan >> "Scan when copying from network folders and removable drives" is selected. If On-Access Scan >> "Scan when copying from network folders and removable drives" is not selected, this is a finding.
Discussion
(U) Antivirus software is the most commonly used technical control for malware threat mitigation. Antivirus software on hosts should be configured to scan all hard drives regularly to identify any file system infections and to scan any removable media, if applicable, before media is inserted into the system. Not scheduling a regular scan of a system's hard drives and/or not configuring the scan to scan all files and running processes introduces a higher risk of threats going undetected.
Fix
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "On-Access Scan". Select each configured On-Access Scan policy. Select the On-Access Scan >> "Scan when copying from network folders and removable drives" option. Click "Save".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ENS-TP-000210: (U) The Trellix ENS Threat Prevention On-Access Scan Threat Detection User Messaging must be configured to notify local users when detections occur.
(U) NOTE: For non-Windows systems, this is Not Applicable. Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "On-Access Scan". Select each configured On-Access Scan policy. Click the "Show Advanced" button. Verify the Threat Detection User Messaging >> "Display the On-Access Scan window to users when a threat is detected" check box is selected. If the Threat Detection User Messaging >> "Display the On-Access Scan window to users when a threat is detected" check box is not selected, this is a finding.
Discussion
(U) An effective awareness program explains proper rules of behavior for use of an organization's IT systems and information. Accordingly, awareness programs should include guidance to users on malware incident prevention, which can help reduce the frequency and severity of malware incidents. Organizations should also make users aware of policies and procedures that apply to malware incident handling, such as how to identify if a host may be infected, how to report a suspected incident, and what users need to do to assist with incident handling. Ensuring the antivirus software alerts users when malware is detected will ensure the user is informed of the incident and is able to more closely relate the incident to actions being performed by the user at the time of the detection.
Fix
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "On-Access Scan". Select each configured On-Access Scan policy. Click the "Show Advanced" button. Select the Threat Detection User Messaging >> "Display the On-Access Scan window to users when a threat is detected" check box. Click "Save".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ENS-CO-000103: (U) The Trellix ENS Common Options must be configured to disable the time-based client interface password.
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Common". From the "Category" list, select "Options". Select each configured Options policy. Click the "Show Advanced" button. Verify the Client Interface Mode >> "Time-Based Administrator Password" option is not selected. If the Client Interface Mode >> "Time-Based Administrator Password" option is selected, this is a finding.
Discussion
(U) The client interface is a method for accessing and configuring Trellix ENS policies and configurations directly on the system. Passwords unlock the client console and access troubleshooting control on Windows and non-Windows clients. When this policy is enabled on the client, the time-based password is activated and remains unlocked until it is closed. The client interface time-based password has an expiration date and time. The password is automatically generated and can be applied to a single system or all systems. Should this randomly generated password not be known or have expired after it is deployed to clients, and should the client become non-responsive to the ePO server, the client will not be able to be managed.
Fix
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Common". From the "Category" list, select "Options". Select each configured Options policy. Click the "Show Advanced" button. Deselect the Client Interface Mode >> "Time-Based Administrator Password" option. Click "Save".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ENS-TP-000214: (U) The Trellix ENS Threat Prevention On-Access Process Settings must be configured to detect unwanted programs.
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "On-Access Scan". Select each configured On-Access Scan policy. Click the "Show Advanced" button. Verify Process Settings >> "Additional scan options:Detect unwanted programs" is selected. If Process Settings >> "Additional scan options:Detect unwanted programs" is not selected, this is a finding.
Discussion
(U) Due to the ability of malware to mutate after infection, standard antivirus signatures may not be able to catch new strains or variants of the malware. Typically, these strains and variants will share unique characteristics with others in their virus family. By using a generic signature to detect the shared characteristics, using wildcards where differences lie, the generic signature can detect viruses even if they are padded with extra meaningless code. This method of detection is heuristic detection.
Fix
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "On-Access Scan". Select each configured On-Access Scan policy. Click the "Show Advanced" button. Select the Process Settings >> "Additional scan options:Detect unwanted programs" option. Click "Save".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ENS-TP-000224: (U) The Trellix ENS Threat Prevention On-Demand Scan must be configured to scan inside archives.
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "On-Demand Scan". Select each configured On-Demand Scan policy. Verify What to Scan >> "Compressed archive files" is selected. If What to Scan >> "Compressed archive files" is not selected, this is a finding.
Discussion
(U) Malware is often packaged within an archive. In addition, archives might have other archives within them. Not scanning archive files introduces the risk of infected files being introduced into the environment.
Fix
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "On-Demand Scan". Select each configured On-Demand Scan policy. Select the What to Scan >> "Compressed archive files" option. Click "Save".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ENS-TP-000230: (U) The Trellix ENS Threat Prevention On-Demand Scan must be configured to scan all files.
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "On-Demand Scan". Select each configured On-Demand Scan policy. Verify File Types to Scan >> "All Files" is selected. If File Types to Scan >> "All Files" is not selected, this is a finding.
Discussion
(U) When scanning for malware, excluding specific file types will increase the risk of a malware-infected file going undetected. By configuring antivirus software to scan all file types, the scanner has a higher success rate at detecting and eradicating malware.
Fix
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "On-Demand Scan". Select each configured On-Demand Scan policy. Select the File Types to Scan >> "All Files" option. Click "Save".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ENS-FW-000007: (CUI) The McAfee ENS Firewall (FW) Connection Aware Group (CAG) rule group must be configured to prevent cross-domain traffic.
(CUI) NOTE: If McAfee ENS Firewall is being used for host-based Firewall protection, this requirement is applicable and must be met. If the OPORD 16-0080 FRAGO 6 has been released and it is still in the implementation period, this is Not a Finding if configured per the FRAGO steps of implementation. If McAfee Host Intrusion Prevention Firewall is being used for host-based Firewall protection, this check is Not Applicable. Access the ePO server console. Select Menu >> Policy >> Policy Catalog and then select "Endpoint Security Firewall" from the Product list. From the Category list, select "Firewall Rules". Select each configured Firewall Rules policy. Verify a Connection Aware Group/Location Aware Group has been created with rules added to prevent cross-domain traffic. If an allow all rule is configured in the Firewall Rules, this is a finding. If a Connection Aware Group/Location Aware Group has not been created with rules added to prevent cross-domain traffic, this is a finding.
Discussion
(CUI) A host-based firewall scans all incoming and outgoing traffic. As it reviews arriving or departing traffic, the Firewall checks its list of rules, which is a set of criteria with associated actions. If the traffic matches all criteria in a rule, the Firewall acts according to the rule, blocking or allowing traffic through. A host-based firewall adds another layer of protection to prevent unauthorized traffic from reaching or leaving the system. To be effective, it must be enabled and properly configured. Operation across different classification levels or across mixed DoD and non-DoD networks could cause cross-contamination of data, loss of data, data leakage, or unauthorized access. Configuring a CAG/LAG firewall rule will prevent cross-domain traffic.
Fix
(CUI) Access the ePO server console. Select Menu >> Policy >> Policy Catalog and then select "Endpoint Security Firewall" from the Product list. From the Category list, select "Firewall Rules". Select each configured Firewall Rules policy. Configure a Connection Aware Group/Location Aware Group with rules added to prevent cross-domain traffic. Click "Save".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ENS-CO-000111: (U) The Proxy Server (Windows Only) settings must be configured to no proxy.
(U) From the ePO server console, select "Policy Catalog". From the "Product:" drop-down list, select "Endpoint Security Common" and verify the Proxy Server (Windows Only) settings are configured to "No Proxy". If a proxy server is configured to anything but "No Proxy", this is a finding.
Discussion
(U) Antivirus signature files are updated almost daily by antivirus software vendors. These files are made available to antivirus clients as they are published. Keeping virus signature files as current as possible is vital to the security of any system. The antivirus software product must be configured to receive those updates automatically in order to afford the expected protection.
Fix
(U) From the ePO server console, select "Policy Catalog". From the "Product:" drop-down list, select "Endpoint Security Common". Configure the Proxy Server (Windows Only) settings to "No Proxy". Click "Save".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ENS-TP-000239: (U) The McAfee ENS Threat Prevention Access Protection must be configured to prevent launching of files from the Downloaded Program Files folder.
(U) NOTE: If HIPS signature 3910 is enabled to provide this same protection, this check is Not Applicable. Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "Access Protection". Select each configured "Access Protection" policy. Verify Access Protection >> Rules >> Browsers launching files from the "Downloaded Program Files" folder is configured to "block". If Access Protection >> Rules >> Browsers launching files from the "Downloaded Program Files" folder is not configured to "block", this is a finding.
Discussion
(U) A common distribution method for adware and spyware is to have the user download an executable file and run it automatically from the "Downloaded Program Files" folder. This rule is specific to browsers and prevents software installations through the web browser. Browsers run code from the "Downloaded Program Files" directory, notably ActiveX controls. Viruses will place an .exe file into this directory and run it. This rule closes that attack vector.
Fix
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "Access Protection". Select each configured Access Protection policy. Configure Access Protection >> Rules >> Browsers launching files from the "Downloaded Program Files" folder to "block". Click "Save".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ENS-TP-000235: (U) The Trellix ENS Threat Prevention On-Demand Scan Actions Unwanted program if first action fails must be configured to delete files when an unwanted program is found.
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "On-Demand Scan". Select each configured On-Demand Scan policy. Verify "Delete files" is selected for Actions >> "Unwanted program If first response fails". If "Delete files" is not selected for the Action "Unwanted program If first response fails", this is a finding.
Discussion
(U) Potentially Unwanted Programs (PUPs) include spyware, adware, remote administration tools, dialers, password crackers, jokes, and key loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attack mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attack mechanisms. Configuring the antivirus software to attempt to clean the file first allows for the possibility of a false positive. In most cases, however, the secondary action of delete will be used, mitigating the risk of the PUPs being installed and used maliciously. By configuring the antivirus software to first attempt cleaning the infected file, availability of the file is not sacrificed. If a cleaning attempt is not successful, however, deleting the file is the only safe option to ensure the malware is not introduced onto the system or network.
Fix
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "On-Demand Scan". Select each configured On-Demand Scan policy. Select "Delete files" for Actions >> "Unwanted program If first response fails". Click "Save".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ENS-TP-000234: (U) The Trellix ENS Threat Prevention On-Demand scan Actions Unwanted program first response must be configured to clean files when an unwanted program is found.
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "On-Demand Scan". Select each configured On-Demand Scan policy. Verify "Clean files" is selected for Actions >> "Unwanted program first response". If "Clean files" is not selected for the Action "Unwanted program first response", this is a finding.
Discussion
(U) Potentially Unwanted Programs (PUPs) include spyware, adware, remote administration tools, dialers, password crackers, jokes, and key loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attack mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attack mechanisms. Configuring the antivirus software to attempt to clean the file first allows for the possibility of a false positive. In most cases, however, the secondary action of delete will be used, mitigating the risk of the PUPs being installed and used maliciously. By configuring the antivirus software to first attempt cleaning the infected file, availability of the file is not sacrificed. If a cleaning attempt is not successful, however, deleting the file is the only safe option to ensure the malware is not introduced onto the system or network.
Fix
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "On-Demand Scan". Select each configured On-Demand Scan policy. Select "Clean files" for Actions >> "Unwanted program first response". Click "Save".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ENS-TP-000216: (U) The Trellix ENS Threat Prevention On-Access Process Settings must be configured to detect unknown macro threats.
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "On-Access Scan". Select each configured On-Access Scan policy. Click the "Show Advanced" button. Verify Process Settings >> "Additional scan options:Detect unknown macro threats" is selected. If Process Settings >> "Additional scan options:Detect unknown macro threats" is not selected, this is a finding.
Discussion
(U) Interpreted viruses are executed by an application. Within this subcategory, macro viruses take advantage of the capabilities of applications' macro programming language to infect application documents and document templates, while scripting viruses infect scripts that are understood by scripting languages processed by services on the operating system. Many attackers use toolkits containing several different types of utilities and scripts that can be used to probe and attack hosts. Scanning for unknown macro viruses will mitigate zero-day attacks.
Fix
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "On-Access Scan". Select each configured On-Access Scan policy. Click the "Show Advanced" button. Select the Process Settings >> "Additional scan options:Detect unknown macro threats" option. Click "Save".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ENS-TP-000231: (U) The Trellix ENS Threat Prevention On-Demand Scan must be configured so there are no exclusions from the scan unless exclusions have been documented with and approved by the ISSO, ISSM, or AO.
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "On-Demand Scan". Select each configured On-Demand Scan policy. Verify whether there are any Exclusions configured. If Exclusions are configured, verify each exclusion has been documented and approved by the ISSO, ISSM, or AO. If Exclusions are configured and have not been documented and approved by the ISSO, ISSM, or AO, this is a finding.
Discussion
(U) When scanning for malware, excluding specific files will increase the risk of a malware-infected file going undetected. By configuring antivirus software without any exclusions, the scanner has a higher success rate at detecting and eradicating malware. Due to the "Let Trellix decide" configuration, exclusions are typically not necessary. Thoughtful vetting and testing should precede configuring exclusions.
Fix
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "On-Demand Scan". Select each configured On-Demand Scan policy. Remove any Exclusions not approved by the ISSO, ISSM, or AO. Document and obtain ISSO, ISSM, or AO approval for any Exclusions to remain configured.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ENS-FW-000009: (CUI) The ENS Firewall must be configured to use FTP protocol inspection.
(CUI) NOTE: If McAfee ENS Firewall is being used for host-based Firewall protection, this requirement is applicable and must be met. If the OPORD 16-0080 FRAGO 6 has been released and it is still in the implementation period, this is Not a Finding if configured per the FRAGO steps of implementation. If McAfee Host Intrusion Prevention Firewall is being used for host-based Firewall protection, this check is Not Applicable. Access the ePO server console. Select Menu >> Policy >> Policy Catalog and then select "Endpoint Security Firewall" from the Product list. From the Category list, select "Options". Select each configured Options policy. Verify the Options >> Stateful Firewall >> Use FTP Protocol is selected. If the Options >> Stateful Firewall >> Use FTP Protocol is not selected, this is a finding.
Discussion
(CUI) A host-based firewall scans all incoming and outgoing traffic. As it reviews arriving or departing traffic, the Firewall checks its list of rules, which is a set of criteria with associated actions. If the traffic matches all criteria in a rule, the Firewall acts according to the rule, blocking or allowing traffic through. A host-based firewall adds another layer of protection to prevent unauthorized traffic from reaching or leaving the system. To be effective, it must be enabled and properly configured. Operation across different classification levels or across mixed DoD and non-DoD networks could cause cross-contamination of data, loss of data, data leakage, or unauthorized access. Configuring a CAG/LAG firewall rule will prevent cross-domain traffic.
Fix
(CUI) Access the ePO server console. Select Menu >> Policy >> Policy Catalog and then select "Endpoint Security Firewall" from the Product list. From the Category list, select "Options". Select each configured Options policy. Select the Options >> Stateful Firewall. Select the Use FTP Protocol option. Click "Save".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ENS-EP-000002: (U) The ENS Generic Privilege Escalation Prevention must be enabled.
(U) NOTE: If McAfee ENS is being used for Host Intrusion Prevention, this requirement is applicable and must be met. If McAfee Host Intrusion Prevention is still being used for this protection, this check is Not Applicable. If the OPORD 16-0080 FRAGO 6 has been released and it is still in the implementation period, this is Not a Finding if configured per the FRAGO steps of implementation. Access the ePO server console. Select Menu >> Policy >> Policy Catalog and then select "Endpoint Protection Threat Prevention" from the Product list. From the Category list, select "Exploit Prevention". Select each configured "Exploit Prevention" policy. Verify the Threat Prevention >> Exploit Prevention >> "Enable Generic Privilege Escalation Prevention" check box is selected. If the Threat Prevention >> Exploit Prevention >> "Enable Generic Privilege Escalation Prevention" check box is not selected, this is a finding.
Discussion
(U) For antivirus software to be effective, it must be running at all times, beginning from the point of the system's initial startup. Otherwise, the risk is greater for viruses, trojans, and other malware infecting the system during that startup phase.
Fix
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog and then select "Endpoint Protection Threat Prevention" from the Product list. From the Category list, select "Exploit Prevention". Select each configured "Exploit Prevention" policy. Select the Threat Prevention >> Exploit Prevention >> "Enable Generic Privilege Escalation Prevention" check box. Click "Save".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ENS-TP-000211: (U) The Trellix ENS Threat Prevention On-Access Scan Process Settings must be configured to use only one scanning policy for all processes.
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "On-Access Scan". Select each configured On-Access Scan policy. Click the "Show Advanced" button. Verify Process Settings >> "Use Standard settings for all processes" is selected. If Process Settings >> "Configure different settings for High Risk and Low Risk processes" is selected, the configuration must be documented and risk analyzed and approved by the ISSO, ISSM, or AO. If Process Settings >> "Use Standard settings for all processes" is not selected, this is a finding. If Process Settings >> "Configure different settings for High Risk and Low Risk processes" is selected but is not documented, analyzed, and approved by the ISSO, ISSM, or AO, this is a finding.
Discussion
(U) Organizations should use centrally managed antivirus software that is controlled and monitored regularly by antivirus administrators, who are also typically responsible for acquiring, testing, approving, and delivering antivirus signature and software updates throughout the organization. Some processes are known to be higher risk, while others are low risk. By restricting policy configuration to the Default Processes policy, all processes are treated equally when the policy settings are applied, which provides the highest level of protection. Best practice dictates configuring Low-Risk and/or High-Risk policies only when it is necessary to improve system performance, which focuses scanning where it is most likely to detect malware. There is risk associated with configuring the Low-Risk and/or High-Risk policies for the purpose of specifically excluding processes from scanning, and this should only be done after evaluating other policy settings and determining risk.
Fix
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "On-Access Scan". Select each configured On-Access Scan policy. Click the "Show Advanced" button. Select the Process Settings >> "Use Standard settings for all processes" option. Click "Save".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ENS-TP-000228: (U) The Trellix ENS Threat Prevention On-Demand Scan must be configured to scan all subfolders.
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "On-Demand Scan". Select each configured On-Demand Scan policy. Verify Scan Locations >> Scan subfolders >> What to scan >> "Subfolders" is selected. If Scan Locations >> Scan subfolders >> What to scan >> "Subfolders" is not selected, this is a finding.
Discussion
(U) Antivirus software is the most commonly used technical control for malware threat mitigation. Antivirus software on hosts should be configured to scan all hard drives and folders regularly to identify any file system infections and to scan any removable media, if applicable, before media is inserted into the system. Not scheduling a regular scan of a system's hard drives and/or not configuring the scan to scan all files and running processes introduces a higher risk of threats going undetected.
Fix
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "On-Demand Scan". Select each configured On-Demand Scan policy. Select the Scan Locations >> Scan subfolders >> What to scan >> "Subfolders" option. Click "Save".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ENS-TP-000209: (U) The McAfee ENS Threat Prevention On-Access Scan Global Threat Intelligence (GTI) sensitivity level must be configured to medium or higher.
(U) NOTE: This requirement is Not Applicable on Classified/SIPRNet or otherwise closed networks. Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "On-Access Scan". Select each configured On-Access Scan policy. Verify On-Access Scan >> McAfee GTI >> "Enable McAfee GTI" is selected and the "Sensitivity level" is configured to "medium" or higher. If On-Access Scan >> McAfee GTI >> "Enable McAfee GTI" is not selected with a "Sensitivity level" of "medium" or higher, this is a finding.
Discussion
(U) Antivirus software vendors use collective intelligence from sensors and cross-vector intelligence from web, email, and network threats to compile scores that reflect the likelihood that a file in question is malware. The collective intelligence is constantly being updated, more frequently than the typical daily antivirus signature files. With File Reputation lookup, the response to potentially malicious code is closer to real time than with locally running antivirus software alone, because querying the cloud-based database when a file appears suspicious provides up-to-the-minute intelligence. This type of protection reduces the threat protection time period from days to milliseconds, increases malware detection rates, and reduces downtime and remediation costs associated with malware attacks. Using File Reputation lookup is mandated by USCYBERCOM on DoD systems.
Fix
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "On-Access Scan". Select each configured On-Access Scan policy. Select the On-Access Scan >> McAfee GTI >> "Enable McAfee GTI" option. Select "Sensitivity level" of "medium" or higher. Click "Save".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ENS-TP-000229: (U) The Trellix ENS Threat Prevention On-Demand Scan must be configured to scan all fixed or local disks, running processes, and memory for rootkits.
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "On-Demand Scan". Select each configured On-Demand Scan policy. Verify the following are selected under Scan Locations >> Specify locations: "All local drives" and/or "All fixed drives"; "Running processes"; "Memory for rootkits". If "All fixed drives" and/or "All local drives", "Running processes", and "Memory for rootkits" are not configured under "Scan Locations", this is a finding.
Discussion
(U) Antivirus software is the most commonly used technical control for malware threat mitigation. Antivirus software on hosts should be configured to scan all hard drives regularly to identify any file system infections and to scan any removable media, if applicable, before media is inserted into the system. Not scheduling a regular scan of a system's hard drives and/or not configuring the scan to scan all files and running processes introduces a higher risk of threats going undetected.
Fix
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "On-Demand Scan". Select each configured On-Demand Scan policy. Select the following under Scan Locations >> Specify locations: "All local drives" and/or "All fixed drives"; "Running processes"; "Memory for rootkits". Click "Save".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ENS-EP-000001: (CUI) The ENS Exploit Prevention for IPS must be enabled.
(CUI) NOTE: If HIPS is still being used for this protection, this check is Not Applicable. If the OPORD 16-0080 FRAGO 6 has not been released, this check is Not Applicable. If the OPORD 16-0080 FRAGO 6 has been released and it is still in the implementation period, this is Not a Finding if configured per the FRAGO steps of implementation. Access the ePO server console. Select Menu >> Policy >> Policy Catalog. Select "Endpoint Security Threat Prevention" from the Product list. From the Category list, select "Exploit Prevention". Verify "Enable Exploit Prevention" is selected. If "Enable Exploit Prevention" is not selected, this is a finding. Under Options, Advanced, verify "Enable Adaptive Mode" is not selected. If "Enable Adaptive Mode" is selected, this is a finding. Verify "Enable Network Intrusion Prevention" and "Automatically block network intruders" are selected. If either "Enable Network Intrusion Prevention" or "Automatically block network intruders" is not selected, this is a finding.
Discussion
(CUI) Exploit Prevention content is updated monthly. This content not only provides protection against zero-day exploits but also offers some flexibility in the way that patches can be applied.
Fix
(CUI) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. Select "Endpoint Protection Threat Prevention" from the Product list. From the Category list, select "Exploit Prevention". Select "Enable Exploit Prevention". Under Options, Advanced, deselect "Enable Adaptive Mode". Select "Enable Network Intrusion Prevention" and "Automatically block network intruders". Click "Save".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ENS-TP-000219: (U) The Trellix ENS Threat Prevention On-Access Scan Process Settings Actions must be configured to clean files as unwanted program first response.
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "On-Access Scan". Select each configured On-Access Scan policy. Click the "Show Advanced" button. Verify "Clean files" is selected for Process Settings >> Actions >> "Unwanted programs first response". If "Clean files" is not selected for the Action "Unwanted programs first response", this is a finding.
Discussion
(U) Due to the ability of malware to mutate after infection, standard antivirus signatures may not be able to catch new strains or variants of the malware. Typically, these strains and variants will share unique characteristics with others in their virus family. By using a generic signature to detect the shared characteristics, using wildcards where differences lie, the generic signature can detect viruses even if they are padded with extra meaningless code. This method of detection is heuristic detection.
Fix
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "On-Access Scan". Select each configured On-Access Scan policy. Click the "Show Advanced" button. Select "Clean files" for Process Settings >> Actions >> "Unwanted programs first response". Click "Save".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ENS-TP-000218: (U) The Trellix ENS Threat Prevention On-Access Process Settings Actions must be configured to delete files if Threat detection first action fails.
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "On-Access Scan". Select each configured On-Access Scan policy. Click the "Show Advanced" button. Verify "Delete files" is selected for Process Settings >> Actions >> "Threat detection If first response fails". If "Delete files" is not selected for the Action "Threat detection If first response fails", this is a finding.
Discussion
(U) Malware may have infected a file that is necessary to the user. By configuring the antivirus software to first attempt cleaning the infected file, availability of the file is not sacrificed. If a cleaning attempt is not successful, however, deleting the file is the only safe option to ensure the malware is not introduced onto the system or network.
Fix
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "On-Access Scan". Select each configured On-Access Scan policy. Click the "Show Advanced" button. Select "Delete files" for Process Settings >> Actions >> "Threat detection If first response fails". Click "Save".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ENS-CO-000109: (U) The Trellix ENS Common Options must be configured to log Critical and Alert Threat Prevention events.
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Common". From the "Category" list, select "Options". Select each configured Options policy. Click the "Show Advanced" button. Verify Client Logging >> Event Logging >> Threat Prevention events to log >> Access Protection is configured for "Critical and Alert" events. Verify Client Logging >> Event Logging >> Threat Prevention events to log >> On-Access Scan is configured for "Critical and Alert" events. Verify Client Logging >> Event Logging >> Threat Prevention events to log >> On-Demand Scan is configured for "Critical and Alert" events. If Client Logging >> Event Logging >> Threat Prevention events to log is not configured for "Critical and Alert" events for "Access Protection", "On-Access Scan", and "On-Demand Scan", this is a finding.
Discussion
(U) Logging is imperative to forensic analysis and must be configured to capture the most severe events, at a minimum. Critical and Alert are the two highest severity levels, and events at those levels should be analyzed for risk to the managed system as well as to the site and enterprise.
Fix
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Common". From the "Category" list, select "Options". Select each configured Options policy. Click the "Show Advanced" button. Configure Client Logging >> Event Logging >> Threat Prevention events to log >> Access Protection for "Critical and Alert" events. Configure Client Logging >> Event Logging >> Threat Prevention events to log >> On-Access Scan for "Critical and Alert" events. Configure Client Logging >> Event Logging >> Threat Prevention events to log >> On-Demand Scan for "Critical and Alert" events. Click "Save".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ENS-CO-000106: (U) The Trellix ENS Common Options Client Logging scan log file size must be configured to be between 10-100MB.
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Common". From the "Category" list, select "Options". Select each configured Options policy. Click the "Show Advanced" button. Verify Client Logging >> Enable Activity Logging >> Limit size (MB) of each activity log file is configured to between "10" and "100" MB. If Client Logging >> Enable Activity Logging >> Limit size (MB) of each activity log file is configured for less than "10" MB or more than "100" MB, this is a finding.
Discussion
(U) While logging is imperative to forensic analysis, logs can grow until they consume disk space the operating system needs. The size of each log file is therefore capped so that it cannot affect the operating system, but the cap must still be large enough to retain forensic value; the 10-100 MB range balances the two.
Fix
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Common". From the "Category" list, select "Options". Select each configured Options policy. Click the "Show Advanced" button. Configure Client Logging >> Enable Activity Logging >> Limit size (MB) of each activity log file to between "10" and "100" MB. Click "Save".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ENS-TP-000201: (U) The Trellix ENS Threat Prevention Options must be configured to enable Safety Pulse when performing Proactive Data Analysis.
(U) NOTE: For Classified networks, this requirement is Not Applicable. Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "Options". Select each configured Options policy. Click the "Show Advanced" button. Verify "Proactive Data Analysis:Safety Pulse" is selected. If "Proactive Data Analysis:Safety Pulse" is not selected, this is a finding.
Discussion
(U) Trellix GTI is a global Internet reputation intelligence system that determines what is good and bad behavior on the Internet. Trellix GTI uses real-time analysis of worldwide behavioral and sending patterns for email, web activity, malware, and system-to-system behavior. Using data collected from the analysis, GTI dynamically calculates reputation scores that represent the level of risk to a network. Safety Pulse performs a health check on the client system before and after AMCore content file updates, and at regular intervals, and sends results to Trellix.
Fix
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "Options". Select each configured Options policy. Click the "Show Advanced" button. Select the "Proactive Data Analysis:Safety Pulse" option. Click "Save".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ENS-CO-000105: (U) The Trellix ENS Common Options Client Logging must be enabled.
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Common". From the "Category" list, select "Options". Select each configured Options policy. Click the "Show Advanced" button. Verify Client Logging >> "Enable Activity Logging" is selected. If Client Logging >> "Enable Activity Logging" is not selected, this is a finding.
Discussion
(U) Log management is essential to ensuring that computer security records are stored in sufficient detail for an appropriate period of time. Routine log analysis is beneficial for identifying security incidents, policy violations, fraudulent activity, and operational problems. Logs are also useful when performing auditing and forensic analysis, supporting internal investigations, establishing baselines, and identifying operational trends and long-term problems.
Fix
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Common". From the "Category" list, select "Options". Select each configured Options policy. Click the "Show Advanced" button. Select the Client Logging >> "Enable Activity Logging" option. Click "Save".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ENS-CO-000108: (U) The Trellix ENS Common Options must be configured to log events to the Windows Application Event Log.
(U) NOTE: This requirement allows for logging to an external syslog instead of the Windows Application Log, but Windows events must still be logged. Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Common". From the "Category" list, select "Options". Select each configured Options policy. Click the "Show Advanced" button. Verify Client Logging >> Event Logging >> "Log events to Windows Application Event Log" is selected. If Client Logging >> Event Logging >> "Log events to Windows Application Event Log" is not selected, this is a finding.
Discussion
(U) Logging is imperative to forensic analysis. Logging directly to the local Windows event log or syslog of managed clients allows for system-specific analysis. By using the Windows Application Event Log to capture log events, the logs are easily accessible to auditors for forensics and troubleshooting.
Fix
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Common". From the "Category" list, select "Options". Select each configured Options policy. Click the "Show Advanced" button. Select the Client Logging >> Event Logging >> "Log events to Windows Application Event Log" option. Click "Save".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ENS-CO-000102: (U) The McAfee ENS Common Options must be configured to require a password to uninstall the client.
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Common". From the "Category" list, select "Options". Select each configured Options policy. Verify Client Interface Mode >> Uninstallation >> "Require password to uninstall the client" is selected. If Client Interface Mode >> Uninstallation >> "Require password to uninstall the client" is not selected, this is a finding.
Discussion
(U) The client interface is a method for accessing and configuring McAfee ENS policies and configurations directly on the system. In "Standard" mode, most protection statuses and features are accessible and require a password to view or change settings. The "Lock client interface" mode requires a password to even access the client. If the client interface is not in the locked mode, users could potentially change the protection settings. Requiring a password to uninstall the client closes the remaining gap: without it, a user with local administrative rights, or malware running with those rights, could remove the protection outright instead of merely reconfiguring it.
Fix
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Common". From the "Category" list, select "Options". Select each configured Options policy. Select the Client Interface Mode >> Uninstallation >> "Require password to uninstall the client" option. Click "Save".
Rating Info
DISA Cat I. NIST impact 4.
Expert Comment
None
ENS-TP-000212: (U) The McAfee ENS Threat Prevention On-Access Scan must be configured with McAfee Decide trust logic.
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "On-Access Scan". Select each configured On-Access Scan policy. Click the "Show Advanced" button. Verify Process Settings >> Process Types >> Standard >> "When to scan:Let McAfee decide" is selected. If Process Settings >> Process Types >> Standard >> "When to scan:Let McAfee decide" is not selected, this is a finding.
Discussion
(U) Antivirus software is the most commonly used technical control for malware threat mitigation. Real-time scanning of files as they are written to disk is a crucial first line of defense from malware attacks. "Let McAfee Decide" trust logic improves security and boosts performance by avoiding unnecessary scans.
Fix
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "On-Access Scan". Select each configured On-Access Scan policy. Click the "Show Advanced" button. Select the Process Settings >> Process Types >> Standard >> "When to scan:Let McAfee decide" option. Click "Save".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ENS-CO-000100: (U) The McAfee ENS module enforcement status must be enabled.
(U) NOTE: If HIPS 8 Firewall is being used and is being enforced, the requirement for Endpoint Security Firewall is Not Applicable. From the ePO server console, select "Policy Catalog". From the "Product:" drop-down list, select "Endpoint Security Common" and verify the Product Enforcement Status is "All enforce". From the "Product:" drop-down list, select "Endpoint Security Threat Prevention" and verify the Product Enforcement Status is "All enforce". From the "Product:" drop-down list, select "Endpoint Security Firewall" and verify the Product Enforcement Status is "All enforce". If the Product Enforcement Status is not "All enforce" for "Endpoint Security Common", "Endpoint Security Threat Prevention", or "Endpoint Security Firewall", this is a finding.
Discussion
(U) When a McAfee ENS module is not enforcing policies, the set of policies configured and deployed to endpoints for that module is not applied, however correct it is in the Policy Catalog, and the endpoint system is not protected by that module.
Fix
(U) Access the ePO server console. Select "My Organization". Select System Tree >> Assigned Policies. From the "Product:" drop-down list, select the product(s) for which "Enforcement status:" is "Not enforcing". Click on "Not enforcing" to open the "Enforcement" screen. For "Enforcement Status:", click the "Enforcing" button. Click "Save".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ENS-TP-000222: (U) The Trellix ENS Threat Prevention On-Demand Scan must be configured to scan boot sectors.
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "On-Demand Scan". Select each configured On-Demand Scan policy. Verify What to Scan >> "Boot sectors" is selected. If What to Scan >> "Boot sectors" is not selected, this is a finding.
Discussion
(U) Boot sector viruses install into the boot sector of a system, ensuring that they execute when the user boots the system. Including boot sectors in the on-demand scan mitigates this risk by detecting such an infection during each scheduled scan.
Fix
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "On-Demand Scan". Select each configured On-Demand Scan policy. Select the What to Scan >> "Boot sectors" option. Click "Save".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ENS-CO-000104: (U) The McAfee ENS Common Options must be configured to enable Self Protection.
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Common". From the "Category" list, select "Options". Select each configured Options policy. Click the "Show Advanced" button. Verify Self Protection >> "Set Enable Self Protection" is selected. If Self Protection >> "Set Enable Self Protection" is not selected, this is a finding. Verify "Files and Folders", "Registry", and "Processes" are all selected and configured with an "Action:" of "Block and report". If "Files and Folders", "Registry", and "Processes" are not all selected and configured with an "Action:" of "Block and report", this is a finding.
Discussion
(U) McAfee ENS Self Protection protects the Endpoint Security system resources from malicious activity. It protects the McAfee system files, folders, and registry keys and prevents McAfee services from being stopped. Without this self-protection, malicious or unauthorized processes could tamper with or disable the protection; the "Block and report" action both stops the attempt and records it for investigation.
Fix
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Common". From the "Category" list, select "Options". Select each configured Options policy. Click the "Show Advanced" button. Select the Self Protection >> "Set Enable Self Protection" option. Select "Files and Folders", "Registry", and "Processes" and configure each with an "Action:" of "Block and report". Click "Save".
Rating Info
DISA Cat I. NIST impact 4.
Expert Comment
None
ENS-EP-000004: (U) The McAfee Custom Content must be configured to report or block within 30 days of tuning.
(U) NOTE: The DISA EMCC Signature Guide will be located on the Patches Repository (patches.csd.disa.mil) under ESS (HBSS) >> Dynamic Content >> ENS Custom Content (EMCC) once OPORD 16-0080 FRAGO 6 is released. If OPORD 16-0080 FRAGO 6 has not been released yet, this is Not Applicable. Review and reference DISA's EMCC Signature Guide. Compare the installed rule set to DISA's EMCC Signature Guide to verify the Custom Content is in the rule sets of all IPS policies. If Custom Content specified in the EMCC Signature Guide is not present, this is a finding. If Custom Content is present but is not configured to block or report as specified in the Signature Guide after 30 days of tuning, this is a finding.
Discussion
(U) This is a manual check to confirm McAfee Custom Content is being used for Intrusion Prevention.
Fix
(U) Review and reference DISA's EMCC Signature Guide and update signature rules with custom content. Set designated rules to report, tune them, and then set them to block within 30 days of tuning.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ENS-TP-000202: (U) The Trellix ENS Threat Prevention Options must be configured to enable AMCore Content Reputation when performing Proactive Data Analysis.
(U) NOTE: For Classified networks, this requirement is Not Applicable. Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "Options". Select each configured Options policy. Click the "Show Advanced" button. Verify "Proactive Data Analysis:AMCore Content Reputation" is selected. If "Proactive Data Analysis:AMCore Content Reputation" is not selected, this is a finding.
Discussion
(U) Trellix GTI is a global Internet reputation intelligence system that determines what is good and bad behavior on the Internet. Trellix GTI uses real-time analysis of worldwide behavioral and sending patterns for email, web activity, malware, and system-to-system behavior. Using data collected from the analysis, GTI dynamically calculates reputation scores that represent the level of risk to a network. AMCore Content Reputation performs a Trellix GTI reputation lookup on the AMCore content file before updating the client system. If Trellix GTI allows the file, Endpoint Security updates AMCore content. If Trellix GTI does not allow the file, Endpoint Security does not update the AMCore content.
Fix
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "Options". Select each configured Options policy. Click the "Show Advanced" button. Select the "Proactive Data Analysis:AMCore Content Reputation" option. Click "Save".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ENS-TP-000204: (U) The Trellix ENS Threat Prevention On-Access Scan must be enabled on system startup.
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "On-Access Scan". Select each configured On-Access Scan policy. Verify the On-Access Scan >> "Enable On-Access Scan on system startup" check box is selected. If the On-Access Scan >> "Enable On-Access Scan on system startup" check box is not selected, this is a finding.
Discussion
(U) For antivirus software to be effective, it must be running at all times, beginning from the point of the system's initial startup. Otherwise, the risk is greater for viruses, trojans, and other malware to infect the system during that startup phase.
Fix
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "On-Access Scan". Select each configured On-Access Scan policy. Select the On-Access Scan >> "Enable On-Access Scan on system startup" check box. Click "Save".
Rating Info
DISA Cat I. NIST impact 4.
Expert Comment
None
ENS-FW-000003: (CUI) The ENS Firewall must be enabled.
(CUI) NOTE: If McAfee ENS Firewall is being used for host-based Firewall protection, this requirement is applicable and must be met. If OPORD 16-0080 FRAGO 6 has been released and it is still in the implementation period, this is Not a Finding if configured per the FRAGO steps of implementation. If McAfee Host Intrusion Prevention Firewall is being used for host-based Firewall protection, this check is Not Applicable. Access the ePO server console. Select Menu >> Policy >> Policy Catalog and then select "Endpoint Security Firewall" from the Product list. From the Category list, select "Options". Select each configured Options policy. Select "Show Advanced". Verify Options >> "Enable Firewall" is selected. Under Advanced, in the "Tuning Options" section, verify "Enable Adaptive Mode" is not selected. Verify "Retain existing user-added rules and Adaptive mode rules when this policy is enforced" is not selected. If "Options" is not set to "Enable Firewall", this is a finding. If either the "Enable Adaptive Mode" or the "Retain existing user-added rules" option is selected, this is a finding.
Discussion
(CUI) A host-based firewall scans all incoming and outgoing traffic. As it reviews arriving or departing traffic, the Firewall checks its list of rules, which is a set of criteria with associated actions. If the traffic matches all criteria in a rule, the Firewall acts according to the rule, blocking or allowing traffic through. A host-based firewall adds another layer of protection to prevent unauthorized traffic from reaching or leaving the system. To be effective, it must be enabled and properly configured.
Fix
(CUI) Access the ePO server console. Select Menu >> Policy >> Policy Catalog and then select "Endpoint Security Firewall" from the Product list. From the Category list, select "Options". Select each configured Options policy. Select "Show Advanced". Under "Options", select "Enable Firewall". Under "Advanced", in the "Tuning Options" section, de-select "Enable Adaptive Mode". Under "Advanced", de-select "Retain existing user-added rules and Adaptive mode rules when this policy is enforced". Click "Save".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ENS-TP-000206: (U) The Trellix ENS Threat Prevention On-Access Scan must be configured to scan boot sectors.
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "On-Access Scan". Select each configured On-Access Scan policy. Verify the On-Access Scan >> "Scan boot sectors" check box is selected. If the On-Access Scan >> "Scan boot sectors" check box is not selected, this is a finding.
Discussion
(U) Boot sector viruses install into the boot sector of a system, ensuring that they execute when the user boots the system. This risk is mitigated by scanning boot sectors at each startup of the system.
Fix
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "On-Access Scan". Select each configured On-Access Scan policy. Select the On-Access Scan >> "Scan boot sectors" check box. Click "Save".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ENS-FW-000002: (CUI) The ENS Firewall Status Control setting must be configured to prevent users from disabling Firewall from system tray.
(CUI) NOTE: If McAfee ENS Firewall is being used for host-based Firewall protection, this requirement is applicable and must be met. If OPORD 16-0080 FRAGO 6 has been released and it is still in the implementation period, this is Not a Finding if configured per the FRAGO steps of implementation. If McAfee Host Intrusion Prevention Firewall is being used for host-based Firewall protection, this check is Not Applicable. Access the ePO server console. Select Menu >> Policy >> Policy Catalog. Select "Endpoint Security Firewall" from the Product list. From the Category list, select Options >> Firewall Status Control. Verify "Allow users to disable Firewall from the McAfee system icon tray" is not selected. If "Allow users to disable Firewall from the McAfee system icon tray" is selected, this is a finding.
Discussion
(CUI) A host-based firewall scans all incoming and outgoing traffic. As it reviews arriving or departing traffic, the Firewall checks its list of rules, which is a set of criteria with associated actions. If the traffic matches all criteria in a rule, the Firewall acts according to the rule, blocking or allowing traffic through. Allowing an end user to disable the Firewall from the system tray removes this protection at the user's discretion, leaving the system exposed without any change to the enforced policy.
Fix
(CUI) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. Select "Endpoint Security Firewall" from the Product list. From the Category list, select Options >> Firewall Status Control. De-select "Allow users to disable Firewall from the McAfee system icon tray". Click "Save".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ENS-TP-000227: (U) The Trellix ENS Threat Prevention On-Demand Scan must be configured to detect unknown macro threats.
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "On-Demand Scan". Select each configured On-Demand Scan policy. Verify Additional Scan Options >> "Detect unknown macro threats" is selected. If Additional Scan Options >> "Detect unknown macro threats" is not selected, this is a finding.
Discussion
(U) Interpreted viruses are executed by an application. Within this subcategory, macro viruses take advantage of the capabilities of applications' macro programming language to infect application documents and document templates, while scripting viruses infect scripts that are understood by scripting languages processed by services on the operating system. Many attackers use toolkits containing several different types of utilities and scripts that can be used to probe and attack hosts. Scanning for unknown macro viruses will mitigate zero-day attacks.
Fix
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "On-Demand Scan". Select each configured On-Demand Scan policy. Select the Additional Scan Options >> "Detect unknown macro threats" option. Click "Save".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ENS-TP-000241: (U) The McAfee ENS Threat Prevention Access Protection must be configured to prevent remote creation of autorun files.
(U) NOTE: If HIPS signature 3886 is enabled to provide this same protection, this check is Not Applicable. Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "Access Protection". Select each configured Access Protection policy. Verify Access Protection >> Rules >> Remotely creating autorun files is configured to "block". If Access Protection >> Rules >> Remotely creating autorun files is not configured to "block", this is a finding.
Discussion
(U) Autorun files are used to automatically launch program files, typically setup files from CDs. Preventing other computers from making a connection and creating or altering autorun.inf files can prevent spyware and adware from being executed. Many spyware and virus programs are distributed on CDs.
Fix
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "Access Protection". Select each configured Access Protection policy. Configure Access Protection >> Rules >> Remotely creating autorun files to "block". Click "Save".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ENS-TP-000246 (SRG-APP-000276): (U) The antivirus signature file age must not exceed seven days.
(U) From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the system being reviewed. Click on the system to open the System Information page. On the System Information page, select the "Products" tab. Under the "Product" section, select "Endpoint Security Threat Prevention". Scroll down and inspect the "AMCore content version" and "AMCore content date". Verify the "AMCore content date" is within the last 7 days. If the "AMCore content date" is not within the last 7 days, this is a finding.
Discussion
(U) Antivirus signature files are updated almost daily by antivirus software vendors and are made available to antivirus clients as they are published. Keeping virus signature files as current as possible is vital to the security of any system. By configuring a system to attempt an antivirus update on a daily basis, a single failed attempt costs at most one extra day and the system stays well within the seven-day signature age. If the update attempt were configured for only once a week, a single failed attempt would leave the system with signatures up to 14 days old, far past the limit, before the next attempt.
Fix
(U) From the ePO server console System Tree, select "My Organization". Select the "Systems" tab. To show all systems in the System Tree, select "This Group and All Subgroups" from the "Preset:" drop-down list. From the list of systems, locate the asset representing the system being reviewed. Click on the system to open the System Information page. Click Actions >> Agent >> Edit Tasks on a Single System. On the Client Tasks page, click Actions >> New Client Task Assignment. On the Client Task Assignment Builder page, under the "Product" section, select "McAfee Agent". Under the "Task Type" section, select "Product Update". Under the "Task Name" section, click on "Create New Task". Type a unique name for the "Task Name". For "Package selection:", either select the "All packages" radio button, or select the "Selected packages" radio button and, in the "Package types:" section, select the "AMCore Content Package" check box and the "Engine" check box under "Signatures and engines:". Click "Save". On the Client Task Assignment Builder page, under the "Task Name" section, select the task just created. Click "Next" to schedule the task. For "Schedule status:", select the radio button for "Enabled". For "Schedule type:", choose "Daily". Schedule the "Effective period:", "Start time:" and other options according to best practices. Click "Save".
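The check above is performed one system at a time in the console. As an added example (not part of the STIG and not code from Trellix or ePO), the following Python script applies the same seven-day rule across a whole System Tree: it reads a CSV exported from the Systems tab and reports every system whose AMCore content date is missing or more than seven days old, and it puts the Discussion's daily-versus-weekly argument into numbers. The column names "System Name" and "AMCore Content Date", the accepted date formats, and the sample rows are assumptions made for this example and must be mapped to the headers and date style your ePO version actually exports.

```python
"""Flag ePO-managed systems whose AMCore content is more than seven days old.

Added example for ENS-TP-000246; not part of the STIG or of Trellix ePO.
It reads a CSV exported from the ePO System Tree (Systems tab, Actions >>
Export Table). The column names, the accepted date formats and the sample
rows below are assumptions for this example: map them to the headers and
date style your ePO version exports.
"""
import csv
import io
from datetime import datetime

MAX_AGE_DAYS = 7  # ENS-TP-000246: signature age must not exceed seven days

# Constructed sample export. WKS-0002 is exactly seven days old, WKS-0004
# never reported a content date, SRV-0001 uses the US-style timestamp.
SAMPLE_EXPORT = """System Name,AMCore Content Date
WKS-0001,2021-10-26
WKS-0002,2021-10-20
WKS-0003,2021-10-19
WKS-0004,
SRV-0001,10/25/2021 08:15:00 AM
"""

# Assumed date formats; extend this tuple to match your export.
DATE_FORMATS = ("%Y-%m-%d", "%m/%d/%Y", "%m/%d/%Y %I:%M:%S %p")


def parse_content_date(text):
    """Return a date for any of the assumed export formats, else None."""
    text = (text or "").strip()
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(text, fmt).date()
        except ValueError:
            continue
    return None


def content_age_days(content_date, as_of):
    """Whole days between the content date and the review date."""
    return (as_of - content_date).days


def find_signature_findings(export_text, as_of, max_age_days=MAX_AGE_DAYS):
    """Return [(system, reason)] for every system that is a finding.

    "Within the last 7 days" is read as age <= 7, so exactly seven days is
    compliant. A missing or unparseable date is reported as a finding: the
    reviewer cannot show the content is current without it.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        system = row["System Name"]
        content_date = parse_content_date(row.get("AMCore Content Date"))
        if content_date is None:
            findings.append((system, "no AMCore content date reported"))
            continue
        age = content_age_days(content_date, as_of)
        if age > max_age_days:
            findings.append((system, f"AMCore content is {age} days old"))
    return findings


def worst_case_age_days(update_interval_days, consecutive_failures):
    """Oldest the content can be after N consecutive failed update tasks.

    The Discussion's argument in numbers: a daily task that fails once
    leaves content two days old, a weekly task that fails once leaves it
    14 days old, double the limit.
    """
    return update_interval_days * (consecutive_failures + 1)


if __name__ == "__main__":
    review_date = parse_content_date("2021-10-27")
    for system, reason in find_signature_findings(SAMPLE_EXPORT, review_date):
        print(f"FINDING {system}: {reason}")
    print("daily task, one failure: ", worst_case_age_days(1, 1), "days")
    print("weekly task, one failure:", worst_case_age_days(7, 1), "days")
```

Run it against a real export by replacing SAMPLE_EXPORT with the file contents and review_date with the date of the review. Treating a blank content date as a finding rather than skipping the row is deliberate: a system that has never reported AMCore content to ePO is the case most likely to be out of date.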
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ENS-TP-000225: (U) The Trellix ENS Threat Prevention On-Demand Scan must be configured to detect unwanted programs.
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "On-Demand Scan". Select each configured On-Demand Scan policy. Verify Additional Scan Options >> "Detect unwanted programs" is selected. If Additional Scan Options >> "Detect unwanted programs" is not selected, this is a finding.
Discussion
(U) Due to the ability of malware to mutate after infection, standard antivirus signatures may not be able to catch new strains or variants of the malware. Typically, these strains and variants will share unique characteristics with others in their virus family. By using a generic signature to detect the shared characteristics, using wildcards where differences lie, the generic signature can detect viruses even if they are padded with extra meaningless code. This method of detection is heuristic detection.
Fix
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "On-Demand Scan". Select each configured On-Demand Scan policy. Select the Additional Scan Options >> "Detect unwanted programs" option. Click "Save".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ENS-CO-000115: (U) ENS must have the latest version from the DISA Patch Repository.
(U) From the ePO server console, select Menu and access Software Library. Verify the ENS version level is the latest as is posted on the DISA Patches Repository. If the version is not the most current, this is a finding.
Discussion
(U) Systems not running the latest tested and approved software versions are vulnerable to network attacks. Running the most current, approved version of system and device software helps the site maintain a stable base of security fixes and patches, as well as enhancements to IP security. Viruses, denial-of-service attacks, system weaknesses, back doors, and other potentially harmful situations could render a system vulnerable, allowing unauthorized access to DoD assets.
Fix
(U) Download the latest software and extension version for ENS from the DISA Patches Repository and install into the ePO Software Library.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ENS-TP-000243: (U) The McAfee ENS Threat Prevention Access Protection must be configured to block all programs from running from the Temp folder.
(U) NOTE: If HIPS signatures 7010, 7011, 7020 and 7035 are enabled to provide this same protection, this check is Not Applicable. NOTE: This requirement is Not Applicable to Linux systems. Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "Access Protection". Select each configured Access Protection policy. Verify Access Protection >> Rules >> Running files from common user folders is configured to "block". If Access Protection >> Rules >> Running files from common user folders is not configured to "block", this is a finding.
Discussion
(U) This rule blocks all programs from running from the Temp directory; it is considerably more restrictive than the common-programs rule, since it stops nearly all processes from launching from the Temp folder. Most viruses need to be run once by a person before infecting a computer. This can happen in many ways, such as opening an executable attachment in an email or downloading a program from the Internet. An executable needs to exist on the disk before Windows can run it. A common way for applications to achieve this is to save the file in the user's or system's Temp directory and then run it. One purpose of this rule is to enforce advice that is frequently given to users: do not open attachments from email. The other purpose of this rule is to close security holes introduced by application bugs. Older versions of Outlook and Internet Explorer are notorious for automatically executing code without the user needing to do anything but preview an email or view a website.
Fix
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "Access Protection". Select each configured Access Protection policy. Set Access Protection >> Rules >> Running files from common user folders to "block". Click "Save".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ENS-FW-000008: (CUI) The ENS Firewall rules must use McAfee GTI Network Reputation.
(CUI) NOTE: If McAfee ENS Firewall is being used for host-based Firewall protection, this requirement is applicable and must be met. If the OPORD 16-0080 FRAGO 6 has been released and it is still in the implementation period, this is Not a Finding if configured per the FRAGO steps of implementation. If McAfee Host Intrusion Prevention Firewall is being used for host-based Firewall protection, this check is Not Applicable. This requirement is Not Applicable for disconnected or classified networks. Access the ePO server console. Select Menu >> Policy >> Policy Catalog and then select "Endpoint Security Firewall" from the Product list. From the Category list, select "Options". Select each configured Options policy. Verify the McAfee GTI Network Reputation: Check "Treat McAfee GTI match as intrusion" is selected with "Log matching traffic" and "Block all untrusted executables" not selected. If the McAfee GTI Network Reputation: Check "Treat McAfee GTI match as intrusion" is not selected, this is a finding.
Discussion
(CUI) Global Threat Intelligence (GTI) is a collective intelligence from sensors and cross-vector intelligence from web, email, and network threats to compile scores that reflect the likelihood of whether a file in question is malware. The collective intelligence is constantly being updated, more frequently than the typical daily antivirus signature files. With File Reputation lookup, a more real-time response to potential malicious code is realized than with the local-running antivirus software, since by querying the cloud-based database when a file appears to be suspicious, up-to-the-minute intelligence is provided. This type of protection reduces the threat protection time period from days to milliseconds, increases malware detection rates, and reduces downtime and remediation costs associated with malware attacks. Using File Reputation lookup is mandated by US CYBERCOM on DoD systems.
Fix
(CUI) Access the ePO server console. Select Menu >> Policy >> Policy Catalog and then select "Endpoint Security Firewall" from the Product list. From the Category list, select "Options". Select each configured Options policy. Select the McAfee GTI Network Reputation: Check "Treat McAfee GTI match as intrusion" option. Uncheck Log matching traffic. Uncheck Block all untrusted executables. Click "Save".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ENS-TP-000213: (U) The Trellix ENS Threat Prevention On-Access Process Settings must be configured to scan all files.
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "On-Access Scan". Select each configured On-Access Scan policy. Click the "Show Advanced" button. Verify Process Settings >> Scanning >> Standard >> "What to scan: All files" is selected. If Process Settings >> Scanning >> Standard >> "What to scan: All files" is not selected, this is a finding.
Discussion
(U) When scanning for malware, excluding specific file types will increase the risk of a malware-infected file going undetected. By configuring antivirus software to scan all file types, the scanner has a higher success rate at detecting and eradicating malware.
Fix
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "On-Access Scan". Select each configured On-Access Scan policy. Click the "Show Advanced" button. Select the Process Settings >> Scanning >> Standard >> "What to scan: All files" option. Click "Save".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ENS-CO-000110: (CUI) The Trellix ENS Common Options must be configured to log Critical and Alert Firewall events.
(CUI) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Common". From the "Category" list, select "Options". Select each configured Options policy. Click the "Show Advanced" button. Verify Client Logging >> Event Logging >> Firewall events to log >> Access Protection is configured for "Critical and Alert" events. If Client Logging >> Event Logging >> Firewall events to log is not configured for "Critical and Alert" events, this is a finding.
Discussion
(CUI) Logging is imperative to forensic analysis and must be configured to capture the most severe events, at a minimum. Critical and Alert are the two highest event severities, and events at these levels should be analyzed for risk to the managed system as well as to the site and enterprise.
Fix
(CUI) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Common". From the "Category" list, select "Options". Select each configured Options policy. Click the "Show Advanced" button. Configure Client Logging >> Event Logging >> Firewall events to log for "Critical and Alert" events. Click "Save".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ENS-TP-000205: (U) The Trellix ENS Threat Prevention On-Access Scan must be configured to specify 45 as the maximum number of seconds for each file scan.
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "On-Access Scan". Select each configured On-Access Scan policy. Verify On-Access Scan >> Specify maximum number of seconds for each file scan is configured to "45" seconds or less. If On-Access Scan >> Specify maximum number of seconds for each file scan is not configured to "45" seconds or less, this is a finding.
Discussion
(U) When antivirus software is not configured to limit the amount of time spent trying to scan a single file, both the overall effectiveness of the antivirus software and the performance of the system being scanned are degraded. By limiting the time the antivirus software spends scanning a file, the scan is able to complete in a timely manner.
Fix
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "On-Access Scan". Select each configured On-Access Scan policy. Set On-Access Scan >> Specify maximum number of seconds for each file scan to "45" seconds or less. Click "Save".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ENS-CO-000112: (U) The Default Client Update Settings must be configured.
(U) From the ePO server console, select "Policy Catalog". From the "Product:" drop-down list, select "Endpoint Security Common". From the "Category" list, select "Options". Select each configured policy (example: DISA Global: ENS Common). Select "Show Advanced". Locate the section named "Default Client Update". If, under "What to update", the "Security content, hotfixes and patches" option is not selected, this is a finding.
Discussion
(U) Antivirus signature files are updated almost daily by antivirus software vendors. These files are made available to antivirus clients as they are published. Keeping virus signature files as current as possible is vital to the security of any system. The antivirus software product must be configured to receive those updates automatically in order to afford the expected protection.
Fix
(U) From the ePO server console, select "Policy Catalog". From the "Product:" drop-down list, select "Endpoint Security Common" and configure the "Default Client Update" section. Configure the Default Client Update task schedule for updates. Under "What to update", select "Security content, hotfixes, and patches". Click "Save".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ENS-FW-000005: (CUI) The ENS Firewall rules must allow all outbound TCP traffic.
(CUI) NOTE: If McAfee ENS Firewall is being used for host-based Firewall protection, this requirement is applicable and must be met. If the OPORD 16-0080 FRAGO 6 has been released and it is still in the implementation period, this is Not a Finding if configured per the FRAGO steps of implementation. If McAfee Host Intrusion Prevention Firewall is being used for host-based Firewall protection, this check is Not Applicable. Access the ePO server console. Select Menu >> Policy >> Policy Catalog and then select "Endpoint Security Firewall" from the Product list. From the Category list, select "Firewall Rules". Select each configured Firewall Rules policy. Verify a rule is explicitly configured to allow all outbound TCP traffic. If a rule is not configured to explicitly allow all outbound TCP traffic, this is a finding.
Discussion
(CUI) Outbound connections are imperative for the McAfee Agent to communicate with the ePO server, Agent Handlers, and repositories. To ensure that this connectivity is maintained, all outbound connections must be allowed by an explicit rule.
Fix
(CUI) Access the ePO server console. Select Menu >> Policy >> Policy Catalog and then select "Endpoint Security Firewall" from the Product list. From the Category list, select "Firewall Rules". Select each configured Firewall Rules policy. Configure a rule to explicitly allow all outbound TCP traffic. Click "Save".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ENS-TP-000215: (U) The Trellix ENS Threat Prevention On-Access Process Settings must be configured to detect unknown program threats.
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "On-Access Scan". Select each configured On-Access Scan policy. Click the "Show Advanced" button. Verify Process Settings >> "Additional scan options: Detect unknown program threats" is selected. If Process Settings >> "Additional scan options: Detect unknown program threats" is not selected, this is a finding.
Discussion
(U) Due to the ability of malware to mutate after infection, standard antivirus signatures may not be able to catch new strains or variants of the malware. Typically, these strains and variants will share unique characteristics with others in their virus family. By using a generic signature to detect the shared characteristics, using wildcards where differences lie, the generic signature can detect viruses even if they are padded with extra meaningless code. This method of detection is heuristic detection.
Fix
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "On-Access Scan". Select each configured On-Access Scan policy. Click the "Show Advanced" button. Select the Process Settings >> "Additional scan options: Detect unknown program threats" option. Click "Save".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ENS-FW-000006: (CUI) The ENS Firewall rules must disable IP protocol 41.
(CUI) NOTE: If McAfee ENS Firewall is being used for host-based Firewall protection, this requirement is applicable and must be met. If the OPORD 16-0080 FRAGO 6 has been released and it is still in the implementation period, this is Not a Finding if configured per the FRAGO steps of implementation. If McAfee Host Intrusion Prevention Firewall is being used for host-based Firewall protection, this check is Not Applicable. Access the ePO server console. Select Menu >> Policy >> Policy Catalog and then select "Endpoint Security Firewall" from the Product list. From the Category list, select "Firewall Rules". Select each configured Firewall Rules policy. Verify a rule is explicitly configured to block protocol 41. If an allow-all rule is configured in the Firewall Rules, this is a finding. If an explicit rule does not exist for blocking protocol 41, this is a finding.
Discussion
(CUI) A host-based firewall inspects all incoming and outgoing traffic. As it reviews arriving or departing traffic, the Firewall checks its list of rules, each of which is a set of criteria with an associated action. If the traffic matches all criteria in a rule, the Firewall acts according to that rule, blocking or allowing the traffic through. The Internet transition mechanism for migrating from Internet Protocol version 4 (IPv4) to Internet Protocol version 6 (IPv6) uses tunneling to encapsulate IPv6 traffic over explicitly configured IPv4 links. This traffic is sent over IP protocol 41. The tunneled packets do not provide visibility into their contents, so blocking protocol 41 with the firewall aids in preventing unknown traffic.
Fix
(CUI) Access the ePO server console. Select Menu >> Policy >> Policy Catalog and then select "Endpoint Security Firewall" from the Product list. From the Category list, select "Firewall Rules". Select each configured Firewall Rules policy. Add a rule to explicitly block protocol 41. Click "Save".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ENS-CO-000114: (U) ENS must be configured to display managed custom tasks.
(U) From the ePO server console, select "Policy Catalog". From the "Product:" drop-down list, select "Endpoint Security Common" and verify "Managed Tasks" is set to "Display managed custom tasks". If "Managed Tasks" is not set to "Display managed custom tasks", this is a finding.
Discussion
(U) To ensure custom tasks are running, it must be possible to display them on the endpoint. This setting ensures custom tasks are displayed.
Fix
(U) From the ePO server console, select "Policy Catalog". From the "Product:" drop-down list, select "Endpoint Security Common" and set the "Managed Tasks" to "Display managed custom tasks".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ENS-TP-000236: (U) The Trellix ENS Threat Prevention On-Demand Scan must be enabled to use scan cache.
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "On-Demand Scan". Select each configured On-Demand Scan policy. Verify Performance >> "Use the Scan Cache" is selected. If Performance >> "Use the Scan Cache" is not selected, this is a finding.
Discussion
(U) Using the scan cache prevents duplicate scanning of files and improves performance. In addition, the ENS module checks the local reputation cache for the file hash; if the hash is found, the module takes the file's reputation data from the cache.
Fix
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "On-Demand Scan". Select each configured On-Demand Scan policy. Select the Performance >> "Use the Scan Cache" option. Click "Save".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None