Check: ENS-TP-000218
Trellix ENS 10.x STIG:
ENS-TP-000218
(in versions v3 r1 through v3 r2)
Title
(U) The Trellix ENS Threat Prevention On-Access Process Settings Actions must be configured to delete files if Threat detection first action fails. (Cat II impact)
Discussion
(U) Malware may have infected a file that is necessary to the user. By configuring the antivirus software to first attempt to clean the infected file, availability of the file is not sacrificed. If the cleaning attempt is not successful, however, deleting the file is the only safe option to ensure the malware is not introduced onto the system or network.
Check Content
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "On-Access Scan". Select each configured On-Access Scan policy in turn. Click the "Show Advanced" button. Verify that "Delete files" is selected for Process Settings >> Actions >> "Threat detection: If first response fails". If "Delete files" is not selected for the action "Threat detection: If first response fails" in any configured On-Access Scan policy, this is a finding.
Fix Text
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "On-Access Scan". Select each configured On-Access Scan policy in turn. Click the "Show Advanced" button. Select "Delete files" for Process Settings >> Actions >> "Threat detection: If first response fails". Click "Save". Repeat for every configured On-Access Scan policy.
Additional Identifiers
Rule ID: SV-228252r1022725_rule
Vulnerability ID: V-228252
Group Title: SRG-APP-000278
CCIs
Number | Definition
---|---
CCI-001242 | The organization configures malicious code protection mechanisms to perform real-time scans of files from external sources at endpoints as the files are downloaded, opened, or executed in accordance with organizational security policy.
CCI-002624 | Configure malicious code protection mechanisms to perform real-time scans of files from external sources at endpoint; and/or network entry and exit points as the files are downloaded, opened, or executed in accordance with organizational policy.
Controls
Number | Title
---|---
SI-3 | Malicious Code Protection