Check: ENS-TP-000239
Trellix ENS 10.x STIG:
ENS-TP-000239
(in version v2 r5)
Title
(U) The McAfee ENS Threat Prevention Access Protection must be configured to prevent launching of files from the Downloaded Program Files folder. (Cat II impact)
Discussion
(U) A common distribution method for adware and spyware is to have the user download an executable file and run it automatically from the "Downloaded Program Files" folder. This rule is specific to browsers and prevents software installations through the web browser. Browsers run code from the "Downloaded Program Files" directory, notably ActiveX controls. Viruses will place an .exe file into this directory and run it. This rule closes that attack vector.
Check Content
(U) NOTE: If HIPS signature 3910 is enabled to provide this same protection, this check is Not Applicable. Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "Access Protection". Select each configured "Access Protection" policy. Verify Access Protection >> Rules >> Browsers launching files from the "Downloaded Program Files" folder is configured to "block". If Access Protection >> Rules >> Browsers launching files from the "Downloaded Program Files" folder is not configured to "block", this is a finding.
Fix Text
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "Access Protection". Select each configured "Access Protection" policy. Configure Access Protection >> Rules >> Browsers launching files from the "Downloaded Program Files" folder to "block". Click "Save".
Additional Identifiers
Rule ID: SV-228273r772319_rule
Vulnerability ID: V-228273
Group Title: SRG-APP-000279
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-001243 | Configure malicious code protection mechanisms to block malicious code; quarantine malicious code; and/or take organization-defined action(s) in response to malicious code detection. |
Controls
| Number | Title |
|---|---|
| SI-3 | Malicious Code Protection |