Check: ENS-EP-000004
Trellix ENS 10.x STIG:
ENS-EP-000004
(in versions v3 r4 through v3 r3)
Title
(U) The DISA TECC Custom Content must be configured to report for 30 days while tuning and set to block no later than 30-day tuning period. (Cat II impact)
Discussion
(U) This is a manual check to confirm Trellix Custom Content is being used for Intrusion Prevention.
Check Content
(U) Note: This requirement is Not Applicable if the capability is unavailable.
Note: The acronym EMCC changed to TECC. The DISA TECC documentation is located on the Patches Repository (patches.csd.disa.mil) under ESS (HBSS) >> Dynamic Content >> Trellix Endpoint Custom Content (formerly EMCC).
This check involves use of the release notes document and the signature guide.
Verify exploit prevention content is up to date. This ensures the custom content is present in the rule sets for all exploit prevention policies.
1. Using the ePO web interface, go to menu >> master/main repository and view the version of Exploit Prevention content.
2. If the version of Exploit Prevention content does not match the version listed in the latest release notes document, this is a finding.
Verify the custom content present in each exploit prevention policy is set to report for 30 days while tuning and set to block no later than the end of the 30-day tuning period.
1. Compare the signature IDs listed in the exploit prevention policy to the signature IDs listed in Appendix B of the TECC Signature Guide.
2. If the signature IDs are not configured as specified in the TECC Signature Guide, this is a finding.
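The two verification steps above (content version against the release notes, and Appendix B signature IDs against each policy's report/block configuration) can be evaluated programmatically once a policy export has been parsed. The following is an added example, not DISA or Trellix tooling; it assumes a policy has already been reduced to `Signature` records with an action and the date tuning began, and every signature ID, version string and date below is a constructed sample, not a value from the TECC Signature Guide.

```python
"""Added example (not DISA's or Trellix's tooling): evaluate a parsed
exploit-prevention policy against the expectations of ENS-EP-000004.

Assumptions: the policy export has already been parsed into Signature
records; GUIDE_IDS stands in for the Appendix B list of the TECC Signature
Guide; all IDs, versions and dates below are constructed samples."""
from dataclasses import dataclass
from datetime import date

TUNING_DAYS = 30  # report-only tuning window allowed by the check


@dataclass(frozen=True)
class Signature:
    sig_id: int
    action: str           # "report" or "block"
    tuning_started: date  # day the signature was deployed in report mode


def check_content_version(deployed: str, release_notes: str) -> list[str]:
    """Step 1 of the check: the master repository content version must match
    the version named in the latest TECC release notes."""
    if deployed.strip() != release_notes.strip():
        return [f"Exploit Prevention content {deployed} does not match "
                f"release notes version {release_notes}"]
    return []


def check_policy(policy: list[Signature], guide_ids: set[int],
                 today: date) -> list[str]:
    """Step 2 of the check: every guide-listed signature must be present in
    the policy, and a signature still in report mode after its 30-day tuning
    window is a finding. Signatures not in the guide are not assessed."""
    findings = []
    present = {s.sig_id: s for s in policy}
    for sid in sorted(guide_ids - present.keys()):
        findings.append(f"signature {sid} listed in guide but absent from policy")
    for sid in sorted(guide_ids & present.keys()):
        sig = present[sid]
        if sig.action == "block":
            continue
        if sig.action != "report":
            findings.append(f"signature {sid} has unexpected action {sig.action!r}")
            continue
        elapsed = (today - sig.tuning_started).days
        if elapsed > TUNING_DAYS:
            findings.append(f"signature {sid} still in report mode {elapsed} days "
                            f"after tuning began (limit {TUNING_DAYS})")
    return findings


# Constructed sample data (placeholders, not real TECC signature IDs)
GUIDE_IDS = {60001, 60002, 60003, 60004}
SAMPLE_POLICY = [
    Signature(60001, "block", date(2024, 1, 2)),    # already blocking
    Signature(60002, "report", date(2024, 2, 20)),  # 24 days in, still tuning
    Signature(60003, "report", date(2024, 1, 10)),  # 65 days in, overdue
    # 60004 intentionally absent from the policy
    Signature(70000, "report", date(2024, 3, 1)),   # not in guide, ignored
]
AS_OF = date(2024, 3, 15)

if __name__ == "__main__":
    for finding in (check_content_version("2024.03.1", "2024.03.1")
                    + check_policy(SAMPLE_POLICY, GUIDE_IDS, AS_OF)):
        print("FINDING:", finding)
```

Run against the constructed sample, the script reports the absent signature 60004 and signature 60003 still in report mode 65 days after tuning began; parsing the actual ePO policy export into `Signature` records is left to the operator, since the export format is not described on this page.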
Fix Text
(U) Review and reference DISA's TECC Signature Guide and update signature rules with custom content. Set designated rules to report for 30 days while tuning, and set them to block no later than the end of the 30-day tuning period.
Additional Identifiers
Rule ID: SV-230208r1055796_rule
Vulnerability ID: V-230208
Group Title: SRG-APP-000272
CCIs
Number | Definition
---|---
CCI-001247 | The information system automatically updates malicious code protection mechanisms.
CCI-004964 | Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy.
Controls
Number | Title
---|---
SI-3(2) | Automatic Updates