Title

(U) The Trellix ENS Threat Prevention On-Access Process Settings must be configured to detect unknown macro threats. (Cat II impact)

Discussion

(U) Interpreted viruses are executed by an application. Within this subcategory, macro viruses take advantage of the capabilities of applications' macro programming language to infect application documents and document templates, while scripting viruses infect scripts that are understood by scripting languages processed by services on the operating system. Many attackers use toolkits containing several different types of utilities and scripts that can be used to probe and attack hosts. Scanning for unknown macro viruses will mitigate zero-day attacks.

Check Content

(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "On-Access Scan". Select each configured On-Access Scan policy. Click the "Show Advanced" button. Verify Process Settings >> "Additional scan options:Detect unknown macro threats" is selected. If Process Settings >> "Additional scan options:Detect unknown macro threats" is not selected, this is a finding.

Fix Text

(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "On-Access Scan". Select each configured On-Access Scan policy. Click the "Show Advanced" button. Select the Process Settings >> "Additional scan options:Detect unknown macro threats" option. Click "Save".

Additional Identifiers

Rule ID: SV-228250r944479_rule

Vulnerability ID: V-228250

Group Title: SRG-APP-000278

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.