Title

(U) The Trellix ENS Threat Prevention On-Demand Scan Actions Threat detection If first response fails must be configured to delete files. (Cat II impact)

Discussion

(U) Malware may have infected a file that is necessary to the user. By configuring the antivirus software to first attempt cleaning the infected file, availability to the file is not sacrificed. If a cleaning attempt is not successful, however, deleting the file is the only safe option to ensure the malware is not introduced onto the system or network.

Check Content

(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "On-Demand Scan". Select each configured On-Demand Scan policy. Verify "Delete files" is selected for Actions >> "Threat detection If first response fails". If "Delete files" is not selected for the Action "Threat detection If first response fails", this is a finding.

Fix Text

(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "On-Demand Scan". Select each configured On-Demand Scan policy. Select "Delete files" for Actions >> "Threat detection If first response fails". Click "Save".

Additional Identifiers

Rule ID: SV-228267r944497_rule

Vulnerability ID: V-228267

Group Title: SRG-APP-000279

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.