Check: ENS-TP-000231
Trellix ENS 10.x STIG:
ENS-TP-000231
(in versions v2 r14 through v2 r5)
Title
(U) The Trellix ENS Threat Prevention On-Demand Scan must be configured so there are no exclusions from the scan unless exclusions have been documented with and approved by the ISSO, ISSM, or AO. (Cat II impact)
Discussion
(U) When scanning for malware, excluding specific files will increase the risk of a malware-infected file going undetected. By configuring antivirus software without any exclusions, the scanner has a higher success rate at detecting and eradicating malware. Due to the "Let Trellix decide" configuration, exclusions are typically not necessary. Thoughtful vetting and testing should precede configuring exclusions.
Check Content
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "On-Demand Scan". Select each configured On-Demand Scan policy. Verify whether any Exclusions are configured. If Exclusions are configured, verify each exclusion has been documented and approved by the ISSO, ISSM, or AO. If Exclusions are configured and have not been documented and approved by the ISSO, ISSM, or AO, this is a finding.
Fix Text
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "On-Demand Scan". Select each configured On-Demand Scan policy. Remove any Exclusions not approved by the ISSO, ISSM, or AO. Document and obtain ISSO, ISSM, or AO approval for any Exclusions that are to remain configured.
Additional Identifiers
Rule ID: SV-228265r944495_rule
Vulnerability ID: V-228265
Group Title: SRG-APP-000277
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-001241 | The organization configures malicious code protection mechanisms to perform periodic scans of the information system on an organization-defined frequency. |
Controls
| Number | Title |
|---|---|
| SI-3 | Malicious Code Protection |