Title

(U) The Trellix ENS Threat Prevention On-Access Scan Process Settings Actions must be configured to clean files as unwanted program first response. (Cat II impact)

Discussion

(U) Due to the ability of malware to mutate after infection, standard antivirus signatures may not be able to catch new strains or variants of the malware. Typically, these strains and variants will share unique characteristics with others in their virus family. By using a generic signature to detect the shared characteristics, using wildcards where differences lie, the generic signature can detect viruses even if they are padded with extra meaningless code. This method of detection is heuristic detection.

Check Content

(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "On-Access Scan". Select each configured On-Access Scan policy. Click the "Show Advanced" button. Verify "Clean files" is selected for Process Settings >> Actions >> "Unwanted programs first response". If "Clean files" is not selected for the Action "Unwanted programs first response", this is a finding.

Fix Text

(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "On-Access Scan". Select each configured On-Access Scan policy. Click the "Show Advanced" button. Select "Clean files" for Process Settings >> Actions >> "Unwanted programs first response". Click "Save".

Additional Identifiers

Rule ID: SV-228253r944482_rule

Vulnerability ID: V-228253

Group Title: SRG-APP-000278

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.