An error occurred:

Check: ENS-TP-000243

Trellix ENS 10.x STIG: ENS-TP-000243 (in versions v2 r14 through v2 r6)

Title

(U) The Trellix ENS Threat Prevention Access Protection must be configured to block all programs from running from the Temp folder. (Cat II impact)

Discussion

(U) This rule will block all programs from running from the Temp directory; however, this rule is much more restrictive in that it stops nearly all processes from launching in the Temp folder. Most viruses need to be run once by a person before infecting a computer. This can be done in many ways, such as opening an executable attachment in an email or downloading a program from the Internet. An executable needs to exist on the disk before Windows can run it. A common way for applications to achieve this is to save the file in the user's or system's Temp directory and then run it. One purpose of this rule is to enforce advice that is frequently given to users: Do not open attachments from email. The other purpose of this rule is to close security holes introduced by application bugs. Older versions of Outlook and Internet Explorer are notorious for automatically executing code without the user needing to do anything but preview an email or view a website.

Check Content

(U) NOTE: This requirement is Not Applicable to Linux systems. Access the ePO server console. Select Menu >> Policy >> Policy Catalog From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "Access Protection". Select each configured Access Protection policy. Verify Access Protection >> Rules >> Running files from common user folders is configured to "block". If Access Protection >> Rules >> Running files from common user folders is not configured to "block", this is a finding.

Fix Text

(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "Access Protection". Select each configured Access Protection policy. Verify Access Protection >> Rules >> Running files from common user folders is configured to "block". Click "Save".

Additional Identifiers

Rule ID: SV-228276r944505_rule

Vulnerability ID: V-228276

Group Title: SRG-APP-000279

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-001243

The organization configures malicious code protection mechanisms to perform organization-defined action(s) in response to malicious code detection.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
SI-3

Malicious Code Protection