Check: ENS-TP-000214
Trellix ENS 10.x STIG:
ENS-TP-000214
(in versions v2 r14 through v2 r5)
Title
(U) The Trellix ENS Threat Prevention On-Access Process Settings must be configured to detect unwanted programs. (Cat II impact)
Discussion
(U) Due to the ability of malware to mutate after infection, standard antivirus signatures may not be able to catch new strains or variants of the malware. Typically, these strains and variants will share unique characteristics with others in their virus family. By using a generic signature to detect the shared characteristics, using wildcards where differences lie, the generic signature can detect viruses even if they are padded with extra meaningless code. This method of detection is heuristic detection.
Check Content
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "On-Access Scan". Select each configured On-Access Scan policy. Click the "Show Advanced" button. Verify Process Settings >> "Additional scan options:Detect unwanted programs" is selected. If Process Settings >> "Additional scan options:Detect unwanted programs" is not selected, this is a finding.
Fix Text
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "On-Access Scan". Select each configured On-Access Scan policy. Click the "Show Advanced" button. Select the Process Settings >> "Additional scan options:Detect unwanted programs" option. Click "Save".
Additional Identifiers
Rule ID: SV-228248r944477_rule
Vulnerability ID: V-228248
Group Title: SRG-APP-000278
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001242 |
The organization configures malicious code protection mechanisms to perform real-time scans of files from external sources at endpoints as the files are downloaded, opened, or executed in accordance with organizational security policy. |
Controls
Number | Title |
---|---|
SI-3 |
Malicious Code Protection |