Check: ENS-TP-000234
Trellix ENS 10.x STIG:
ENS-TP-000234
(in versions v2 r14 through v2 r5)
Title
(U) The Trellix ENS Threat Prevention On-Demand scan Actions Unwanted program first response must be configured to clean files when an unwanted program is found. (Cat II impact)
Discussion
(U) Potentially Unwanted Programs (PUPs) include spyware, adware, remote administration tools, dialers, password crackers, jokes, and key loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attack mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attack mechanisms. Configuring the antivirus software to attempt to clean the file first allows for the possibility of a false positive. In most cases, however, the secondary action of delete will be used, mitigating the risk of the PUPs being installed and used maliciously. By configuring the antivirus software to first attempt cleaning the infected file, availability of the file is not sacrificed. If a cleaning attempt is not successful, however, deleting the file is the only safe option to ensure the malware is not introduced onto the system or network.
Check Content
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "On-Demand Scan". Select each configured On-Demand Scan policy. Verify "Clean files" is selected for Actions >> "Unwanted program first response". If "Clean files" is not selected for the Action "Unwanted program first response", this is a finding.
Fix Text
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "On-Demand Scan". Select each configured On-Demand Scan policy. Select "Clean files" for Actions >> "Unwanted program first response". Click "Save".
Additional Identifiers
Rule ID: SV-228268r944498_rule
Vulnerability ID: V-228268
Group Title: SRG-APP-000279
CCIs
Number | Definition
---|---
CCI-001243 | The organization configures malicious code protection mechanisms to perform organization-defined action(s) in response to malicious code detection.
Controls
Number | Title
---|---
SI-3 | Malicious Code Protection