Check: ENS-TP-000235
Trellix ENS 10.x STIG:
ENS-TP-000235
(in versions v2 r14 through v2 r5)
Title
(U) The Trellix ENS Threat Prevention On-Demand Scan Actions Unwanted program if first action fails must be configured to delete files when an unwanted program is found. (Cat II impact)
Discussion
(U) Potentially Unwanted Programs (PUPs) include spyware, adware, remote administration tools, dialers, password crackers, jokes, and key loggers. PUPs do not typically have any infection capability of their own; they rely on malware or other attack mechanisms to be installed on target hosts, after which they collect and transfer data from the host to an external host and/or are themselves used as attack mechanisms. Configuring the antivirus software to attempt to clean a detected file first leaves room for a false positive: if the detection was wrong, the file is not destroyed and availability is preserved. In most cases, however, cleaning will not succeed and the secondary action of deleting the file will be applied, mitigating the risk of the PUP being installed and used maliciously. If the cleaning attempt fails, deleting the file is the only safe option to ensure the malware is not introduced onto the system or network.
Check Content
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "On-Demand Scan". Select each configured On-Demand Scan policy in turn. Under Actions, verify that "Delete files" is selected for "Unwanted program If first response fails". If "Delete files" is not selected for "Unwanted program If first response fails" in any configured On-Demand Scan policy, this is a finding.
Fix Text
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "On-Demand Scan". Select each configured On-Demand Scan policy in turn. Under Actions, select "Delete files" for "Unwanted program If first response fails". Click "Save" and repeat for every remaining On-Demand Scan policy.
Additional Identifiers
Rule ID: SV-228269r944499_rule
Vulnerability ID: V-228269
Group Title: SRG-APP-000279
CCIs
Number | Definition
---|---
CCI-001243 | The organization configures malicious code protection mechanisms to perform organization-defined action(s) in response to malicious code detection.
Controls
Number | Title
---|---
SI-3 | Malicious Code Protection