Check: ENS-TP-000217
Trellix ENS 10.x STIG:
ENS-TP-000217
(in versions v2 r14 through v2 r5)
Title
(U) The Trellix ENS Threat Prevention On-Access Process Settings Actions must be configured to clean files as Threat detection first response. (Cat II impact)
Discussion
(U) Malware may have infected a file that is necessary to the user. By configuring the antivirus software to first attempt cleaning the infected file, availability of the file is not sacrificed. If a cleaning attempt is not successful, however, deleting the file is the only safe option to ensure the malware is not introduced onto the system or network.
Check Content
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "On-Access Scan". Select each configured On-Access Scan policy. Click the "Show Advanced" button. Verify "Clean files" is selected for Process Settings >> Actions >> "Threat detection first response". If "Clean files" is not selected for the Action "Threat detection first response", this is a finding.
Fix Text
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "On-Access Scan". Select each configured On-Access Scan policy. Click the "Show Advanced" button. Select "Clean files" for Process Settings >> Actions >> "Threat detection first response". Click "Save".
Additional Identifiers
Rule ID: SV-228251r944480_rule
Vulnerability ID: V-228251
Group Title: SRG-APP-000278
Expert Comments
CCIs
Number | Definition
---|---
CCI-001242 | The organization configures malicious code protection mechanisms to perform real-time scans of files from external sources at endpoints as the files are downloaded, opened, or executed in accordance with organizational security policy.
Controls
Number | Title
---|---
SI-3 | Malicious Code Protection