Check: ENS-TP-000244
Trellix ENS 10.x STIG:
ENS-TP-000244
(in versions v2 r14 through v2 r5)
Title
(U) The Trellix ENS Threat Prevention On-Access Process Settings must not be configured to exclude any files from being scanned unless exclusions have been documented with and approved by the ISSO/ISSM/AO. (Cat II impact)
Discussion
(U) When scanning for malware, excluding specific files will increase the risk of a malware-infected file going undetected. By configuring antivirus software without any exclusions, the scanner has a higher success rate at detecting and eradicating malware. Due to the "Let Trellix decide" configuration, exclusions are typically not necessary. Thoughtful vetting and testing should precede configuring exclusions.
Check Content
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "On-Access Scan". Select each configured On-Access Scan policy. Click the "Show Advanced" button. If Process Settings >> Process Types:Exclusions is populated with any exclusions, the configuration must be documented, risk analyzed, and approved by the ISSO, ISSM, or AO. If Process Settings >> Process Types:Exclusions is populated with any exclusions and the configuration is not documented, risk analyzed, and approved by the ISSO, ISSM, or AO, this is a finding.
Fix Text
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "On-Access Scan". Select each configured On-Access Scan policy. Click the "Show Advanced" button. Remove any exclusions under Process Settings >> Process Types:Exclusions, or document the configuration with the risk analyzed and approved by the ISSO, ISSM, or AO. Click "Save".
Additional Identifiers
Rule ID: SV-228277r944506_rule
Vulnerability ID: V-228277
Group Title: SRG-APP-000278
CCIs
| Number | Definition |
|---|---|
| CCI-001242 | The organization configures malicious code protection mechanisms to perform real-time scans of files from external sources at endpoints as the files are downloaded, opened, or executed in accordance with organizational security policy. |
Controls
| Number | Title |
|---|---|
| SI-3 | Malicious Code Protection |