Check: ENS-TP-000244
Trellix ENS 10.x STIG:
ENS-TP-000244
(in versions v3 r2 through v3 r1)
Title
(U) The Trellix ENS Threat Prevention On-Access Process Settings must not be configured to exclude any files from being scanned unless exclusions have been documented with and approved by the information security system officer (ISSO)/information system security manager (ISSM)/authorizing official (AO). (Cat II impact)
Discussion
(U) When scanning for malware, excluding specific files will increase the risk of a malware-infected file going undetected. By configuring antivirus software without any exclusions, the scanner has a higher success rate at detecting and eradicating malware. Due to the "Let Trellix decide" configuration, exclusions are typically not necessary. Thoughtful vetting and testing should precede configuring exclusions.
Check Content
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "On-Access Scan". Select each configured On-Access Scan policy. Click the "Show Advanced" button. If Process Settings >> Process Types:Exclusions is populated with any exclusions, the configuration must be documented and risk analyzed and approved by the ISSO, ISSM, or AO. If Process Settings >> Process Types:Exclusions is populated with any exclusions and the configuration is not documented with risk analyzed and approved by the ISSO, ISSM, or AO, this is a finding.
Fix Text
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "On-Access Scan". Select each configured On-Access Scan policy. Click the "Show Advanced" button. Remove any exclusions under Process Settings >> Process Types:Exclusions, or document the configuration, with its risk analysis, and have it approved by the ISSO, ISSM, or AO. Click "Save".
Additional Identifiers
Rule ID: SV-228277r1022730_rule
Vulnerability ID: V-228277
Group Title: SRG-APP-000278
Expert Comments
CCIs
Number | Definition
---|---
CCI-001242 | The organization configures malicious code protection mechanisms to perform real-time scans of files from external sources at endpoints as the files are downloaded, opened, or executed in accordance with organizational security policy.
CCI-002624 | Configure malicious code protection mechanisms to perform real-time scans of files from external sources at endpoint; and/or network entry and exit points as the files are downloaded, opened, or executed in accordance with organizational policy.
Controls
Number | Title
---|---
SI-3 | Malicious Code Protection