Check: ENS-TP-000220
Trellix ENS 10.x STIG:
ENS-TP-000220
(in versions v2 r14 through v2 r5)
Title
(U) The Trellix ENS Threat Prevention On-Access Scan Actions must be configured to delete files for the action "Unwanted program: If first response fails". (Cat II impact)
Discussion
(U) Due to the ability of malware to mutate after infection, standard antivirus signatures may not be able to catch new strains or variants of the malware. Typically, these strains and variants share unique characteristics with others in their virus family. By using a generic signature to detect the shared characteristics, with wildcards where the differences lie, the generic signature can detect viruses even if they are padded with extra meaningless code. This method of detection is known as heuristic detection.
Check Content
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "On-Access Scan". Select each configured On-Access Scan policy. Click the "Show Advanced" button. Verify "Delete files" is selected for Process Settings >> Actions >> "Unwanted program: If first response fails". If "Delete files" is not selected for the action "Unwanted program: If first response fails", this is a finding.
Fix Text
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "On-Access Scan". Select each configured On-Access Scan policy. Click the "Show Advanced" button. Select "Delete files" for Process Settings >> Actions >> "Unwanted program: If first response fails". Click "Save".
Additional Identifiers
Rule ID: SV-228254r944483_rule
Vulnerability ID: V-228254
Group Title: SRG-APP-000278
CCIs
Number | Definition |
---|---|
CCI-001242 | The organization configures malicious code protection mechanisms to perform real-time scans of files from external sources at endpoints as the files are downloaded, opened, or executed in accordance with organizational security policy. |
Controls
Number | Title |
---|---|
SI-3 | Malicious Code Protection |