Check: ENS-TP-000211
Trellix ENS 10.x STIG:
ENS-TP-000211
(in versions v2 r14 through v2 r5)
Title
(U) The Trellix ENS Threat Prevention On-Access Scan Process Settings must be configured to use only one scanning policy for all processes. (Cat II impact)
Discussion
(U) Organizations should use centrally managed antivirus software that is controlled and monitored regularly by antivirus administrators, who are also typically responsible for acquiring, testing, approving, and delivering antivirus signature and software updates throughout the organization. Some processes are known to be higher risk, while others are low risk. By restricting policy configuration to the Default Processes policy, all processes are treated equally when the policy settings are applied, which provides the highest level of protection. Best practice dictates configuring Low-Risk and/or High-Risk policies only when necessary to improve system performance, which focuses scanning where it is most likely to detect malware. There is risk associated with configuring the Low-Risk and/or High-Risk policies for the purpose of specifically excluding processes from scanning, and this should only be done after evaluating other policy settings and determining risk.
Check Content
(U) Access the ePO server console.
Select Menu >> Policy >> Policy Catalog.
From the "Product" list, select "Endpoint Security Threat Prevention".
From the "Category" list, select "On-Access Scan".
Select each configured On-Access Scan policy.
Click the "Show Advanced" button.
Verify Process Settings >> "Use Standard settings for all processes" is selected.
If Process Settings >> "Configure different settings for High Risk and Low Risk processes" is selected, the configuration must be documented, risk-analyzed, and approved by the ISSO, ISSM, or AO.
If Process Settings >> "Use Standard settings for all processes" is not selected, this is a finding.
If Process Settings >> "Configure different settings for High Risk and Low Risk processes" is selected but is not documented, analyzed, and approved by the ISSO, ISSM, or AO, this is a finding.
Fix Text
(U) Access the ePO server console.
Select Menu >> Policy >> Policy Catalog.
From the "Product" list, select "Endpoint Security Threat Prevention".
From the "Category" list, select "On-Access Scan".
Select each configured On-Access Scan policy.
Click the "Show Advanced" button.
Select the Process Settings >> "Use Standard settings for all processes" option.
Click "Save".
Additional Identifiers
Rule ID: SV-228245r944472_rule
Vulnerability ID: V-228245
Group Title: SRG-APP-000278
CCIs
Number | Definition |
---|---|
CCI-001242 | The organization configures malicious code protection mechanisms to perform real-time scans of files from external sources at endpoints as the files are downloaded, opened, or executed in accordance with organizational security policy. |
Controls
Number | Title |
---|---|
SI-3 | Malicious Code Protection |