Check: ENS-EP-000004
Trellix ENS 10.x STIG:
ENS-EP-000004
(in versions v2 r14 through v2 r11)
Title
(U) The DISA TECC Custom Content must be configured to report or block within 30 days of tuning. (Cat II impact)
Discussion
(U) This is a manual check to confirm that Trellix Custom Content is being used for Intrusion Prevention.
Check Content
(U) Note: The acronym EMCC changed to TECC. The DISA TECC documentation is located on the Patches Repository (patches.csd.disa.mil) under ESS (HBSS) >> Dynamic Content >> Trellix Endpoint Custom Content (formerly EMCC). This check involves use of the release notes document and the signature guide.

Verify exploit prevention content is up to date. This ensures the custom content is present in the rule sets for all exploit prevention policies.
1. Using the ePO web interface, go to menu >> master/main repository and view the version of Exploit Prevention content.
2. If the version of Exploit Prevention content does not match the version listed in the latest release notes document, this is a finding.

Verify the custom content present in each exploit prevention policy is set to block or report.
1. Compare the signature IDs listed in the exploit prevention policy to the signature IDs listed in Appendix B of the TECC Signature Guide.
2. If the signature IDs are not configured as specified in the TECC Signature Guide, this is a finding.
Fix Text
(U) Review and reference DISA's TECC Signature Guide and update signature rules with custom content. Set designated rules to report, tune, and then block within 30 days of tuning.
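The two parts of this check (content version matches the release notes; every guide signature is present and set to report or block, with report tolerated only during the 30-day tuning window) as an added Python example. This is not DISA or Trellix code: the signature IDs, versions and the dictionary shapes for the policy and Appendix B are constructed assumptions, since the real values come from the ePO master repository, the TECC release notes and the TECC Signature Guide.

```python
from datetime import date, timedelta

# Constructed sample data (assumed shapes, not an ePO export format):
# Appendix B of the TECC Signature Guide modelled as signature ID -> required action,
# and an Exploit Prevention policy as signature ID -> (configured action, date tuning began).
SIGNATURE_GUIDE = {"SIG-1001": "block", "SIG-1002": "block",
                   "SIG-1003": "report", "SIG-1004": "block"}
POLICY = {
    "SIG-1001": ("block", None),
    "SIG-1002": ("report", date(2024, 1, 1)),  # set to report for tuning on 1 Jan
    "SIG-1003": ("report", None),
    # SIG-1004 is absent: the custom content is not present in this rule set
}
TUNING_WINDOW = timedelta(days=30)


def check_content_version(repository_version, release_notes_version):
    """Part 1: the repository content version must match the latest release notes."""
    if repository_version != release_notes_version:
        return [f"Exploit Prevention content {repository_version} does not match "
                f"release notes version {release_notes_version}"]
    return []


def check_policy(policy, guide, today):
    """Part 2: each guide signature must be present and set to report or block.
    A signature the guide requires to block may sit in report mode only while
    the 30-day tuning window is still open."""
    findings = []
    for sig_id, required in guide.items():
        if sig_id not in policy:
            findings.append(f"{sig_id}: missing from policy")
            continue
        action, tuning_started = policy[sig_id]
        if action not in ("report", "block"):
            findings.append(f"{sig_id}: action '{action}' is neither report nor block")
        elif required == "block" and action == "report":
            if tuning_started is None or today - tuning_started > TUNING_WINDOW:
                findings.append(f"{sig_id}: still reporting beyond the 30-day tuning window")
    return findings


if __name__ == "__main__":
    results = check_content_version("EXAMPLE-V2", "EXAMPLE-V2")
    results += check_policy(POLICY, SIGNATURE_GUIDE, date(2024, 3, 1))
    for finding in results:
        print("FINDING:", finding)
```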
Additional Identifiers
Rule ID: SV-230208r944450_rule
Vulnerability ID: V-230208
Group Title: SRG-APP-000272
Expert Comments
CCIs
Number | Definition
---|---
CCI-001247 | The information system automatically updates malicious code protection mechanisms.
Controls
Number | Title
---|---
SI-3 (2) | Automatic Updates