Check: ENS-TP-000245
Trellix ENS 10.x STIG (applies to versions v3 r1 through v3 r4)
Title
(U) The Trellix ENS Threat Prevention On-Demand Scan Global Threat Intelligence (GTI) sensitivity level must be configured. (Cat II impact)
Discussion
(U) GTI is a global internet reputation intelligence system that determines what is good and bad behavior on the internet. GTI uses real-time analysis of worldwide behavioral and sending patterns for email, web activity, malware, and system-to-system behavior. Using data collected from the analysis, GTI dynamically calculates reputation scores that represent the level of risk to a network. The sensitivity level that GTI uses when it determines if a detected sample is malware can be configured. The higher the sensitivity level, the higher the number of malware detections. However, allowing more detections can result in more false positives.
Check Content
(U) Note: This requirement is Not Applicable on Classified/SIPRNet or otherwise closed networks.

Access the ePO server console. From the ePO server console, select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "On-Demand Scan". Select each configured On-Demand Scan policy. Verify that the Trellix GTI Sensitivity Level is set to Medium.

If the Trellix GTI Sensitivity Level is not set to Medium, this is a finding.
Fix Text
(U) From the ePO server console, select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "On-Demand Scan". Select each configured On-Demand Scan policy. Set the Trellix GTI Sensitivity Level to Medium. Click "Save".
Additional Identifiers
Rule ID: SV-230191r1022731_rule
Vulnerability ID: V-230191
Group Title: SRG-APP-000278
CCIs
| Number | Definition |
|---|---|
| CCI-001242 | The organization configures malicious code protection mechanisms to perform real-time scans of files from external sources at endpoints as the files are downloaded, opened, or executed in accordance with organizational security policy. |
| CCI-002624 | Configure malicious code protection mechanisms to perform real-time scans of files from external sources at endpoints and/or network entry and exit points as the files are downloaded, opened, or executed in accordance with organizational policy. |
Controls
| Number | Title |
|---|---|
| SI-3 | Malicious Code Protection |