Check: ENS-TP-000229
Trellix ENS 10.x STIG:
ENS-TP-000229
(in versions v2 r14 through v2 r5)
Title
(U) The Trellix ENS Threat Prevention On-Demand Scan must be configured to scan all fixed or local disks, running processes, and memory for rootkits. (Cat II impact)
Discussion
(U) Antivirus software is the most commonly used technical control for malware threat mitigation. Antivirus software on hosts should be configured to scan all hard drives regularly to identify any file system infections and to scan any removable media, if applicable, before media is inserted into the system. Not scheduling a regular scan of a system's hard drives and/or not configuring the scan to scan all files and running processes introduces a higher risk of threats going undetected.
Check Content
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "On-Demand Scan". Select each configured On-Demand Scan policy.
Verify the following are selected under Scan Locations >> Specify locations:
- Either "All local drives" and/or "All fixed drives"
- "Running processes"
- "Memory for rootkits"
If "All fixed drives" and/or "All local drives", "Running processes", and "Memory for rootkits" are not configured under "Scan Locations", this is a finding.
Fix Text
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "On-Demand Scan". Select each configured On-Demand Scan policy.
Select the following under Scan Locations >> Specify locations:
- "All local drives" and/or "All fixed drives"
- "Running processes"
- "Memory for rootkits"
Click "Save".
Additional Identifiers
Rule ID: SV-228263r944966_rule
Vulnerability ID: V-228263
Group Title: SRG-APP-000277
CCIs
Number | Definition |
---|---|
CCI-001241 | The organization configures malicious code protection mechanisms to perform periodic scans of the information system on an organization-defined frequency. |
Controls
Number | Title |
---|---|
SI-3 | Malicious Code Protection |