Check: ENS-TP-000223
Trellix ENS 10.x STIG: ENS-TP-000223 (in versions v2 r14 through v2 r5)
Title
(U) The Trellix ENS Threat Prevention On-Demand Scan must be configured to decode Multipurpose Internet Mail Extensions (MIME) encoded files. (Cat II impact)
Discussion
(U) MIME encoded files can be crafted to hide a malicious payload. When the MIME encoded file is presented to software that decodes MIME encoded files, such as an email client, the malware is released. Scanning these files as part of the regularly scheduled scan tasks will mitigate this risk.
Check Content
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "On-Demand Scan". Select each configured On-Demand Scan policy. Verify that What to Scan >> "Compressed MIME-encoded files" is selected. If What to Scan >> "Compressed MIME-encoded files" is not selected, this is a finding.
Fix Text
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "On-Demand Scan". Select each configured On-Demand Scan policy. Select the What to Scan >> "Compressed MIME-encoded files" option. Click "Save".
Additional Identifiers
Rule ID: SV-228257r944486_rule
Vulnerability ID: V-228257
Group Title: SRG-APP-000277
CCIs
| Number | Definition |
|---|---|
| CCI-001241 | The organization configures malicious code protection mechanisms to perform periodic scans of the information system on an organization-defined frequency. |
Controls
| Number | Title |
|---|---|
| SI-3 | Malicious Code Protection |