Check: ENS-TP-000248
Trellix ENS 10.x STIG:
ENS-TP-000248
(in versions v3 r3 through v3 r4)
Title
(U) The Trellix ENS Threat Prevention Options must be configured to enable Anti-Malware Scan Interface (AMSI). (Cat II impact)
Discussion
(U) Malware and other threats can attempt to obfuscate or hide their malicious code in script files. This rule prevents scripts that appear to be obfuscated from running: it uses the Antimalware Scan Interface (AMSI) to determine whether a script is potentially obfuscated and then blocks that script when it is executed, or blocks scripts when an attempt is made to access them.
Check Content
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog.
From the "Product" list, select "Endpoint Security Threat Prevention".
From the "Category" list, select "On-Access Scan".
Select each configured On-Access Scan policy.
Verify Antimalware Scan Interface (Windows only) >> "Enable AMSI (provides enhanced script scanning) (Windows only)" is selected.
Verify Antimalware Scan Interface (Windows only) >> "Enable Observe mode (Events are generated but actions are not enforced)" is not selected.
If Antimalware Scan Interface (Windows only) >> "Enable AMSI (provides enhanced script scanning) (Windows only)" is not selected, this is a finding.
If Antimalware Scan Interface (Windows only) >> "Enable Observe mode (Events are generated but actions are not enforced)" is selected, this is a finding.
Fix Text
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog.
From the "Product" list, select "Endpoint Security Threat Prevention".
From the "Category" list, select "On-Access Scan".
Select each configured On-Access Scan policy.
Select the Antimalware Scan Interface (Windows only) >> "Enable AMSI (provides enhanced script scanning) (Windows only)" option.
Deselect the Antimalware Scan Interface (Windows only) >> "Enable Observe mode (Events are generated but actions are not enforced)" option.
Click "Save".
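The ePO policy check above confirms what the policy says; it does not confirm what the endpoint does. The difference between "Enable AMSI" with Observe mode off and Observe mode on is exactly whether a script the provider flags is blocked or merely logged, and that can be observed on the host. The following PowerShell script is an added example, not part of this STIG or of Trellix documentation: it lists the AMSI providers registered under HKLM\SOFTWARE\Microsoft\AMSI\Providers and then runs Microsoft's documented AMSI test sample string through Invoke-Expression. It assumes that the registered provider (ENS, when the policy is applied) treats that test string as malicious; whether ENS specifically does so is an assumption, so a blocked result should be correlated with the corresponding Threat Prevention event in ePO before attributing it to ENS rather than to another registered provider such as Windows Defender.

```powershell
# Added example: endpoint-side check for AMSI enforcement.
# Not part of the STIG or of any Trellix documentation.

function Get-AmsiProvider {
    # Every AMSI provider registers its COM CLSID as a subkey here.
    $root = 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers'
    if (-not (Test-Path -Path $root)) { return @() }
    foreach ($sub in Get-ChildItem -Path $root) {
        $clsid = $sub.PSChildName
        $desc  = $null
        $cls   = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
        if (Test-Path -Path $cls) {
            $desc = (Get-ItemProperty -Path $cls).'(default)'
        }
        [pscustomobject]@{ Clsid = $clsid; Description = $desc }
    }
}

function Test-AmsiEnforced {
    # Microsoft's documented AMSI test sample. It is assembled from two
    # halves so that loading this file does not itself trip the scanner;
    # only the string handed to Invoke-Expression contains the full sample.
    $half1  = 'AMSI Test Sample: 7e72c3ce-861b-4339-'
    $half2  = '8740-0ac1484c1386'
    $script = "'" + $half1 + $half2 + "'"
    try {
        Invoke-Expression -Command $script -ErrorAction Stop | Out-Null
        # The string literal evaluated without being blocked: either no
        # provider is active or the provider is in Observe mode (logs only).
        return $false
    } catch {
        if ($_.FullyQualifiedErrorId -like '*ScriptContainedMaliciousContent*') {
            # PowerShell refused to run the script because a provider flagged it.
            return $true
        }
        throw
    }
}

$providers = @(Get-AmsiProvider)
if ($providers.Count -eq 0) {
    Write-Output 'FINDING: no AMSI provider is registered on this host.'
} else {
    Write-Output 'Registered AMSI providers:'
    $providers | Format-Table -AutoSize | Out-String | Write-Output
}

if (Test-AmsiEnforced) {
    Write-Output 'AMSI is enforcing: the test sample was blocked.'
} else {
    Write-Output 'FINDING: the test sample ran; AMSI is disabled or the provider is in Observe mode.'
}
```

Run it in an elevated 64-bit PowerShell session on a managed endpoint after the policy has been enforced. A host that lists an ENS provider but still executes the sample is the Observe-mode case this check calls a finding; a host that blocks the sample should also show the matching event in ePO, which is what ties the block to the ENS policy rather than to another provider on the machine.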
Additional Identifiers
Rule ID: SV-270891r1055822_rule
Vulnerability ID: V-270891
Group Title: SRG-APP-000210
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001170 | Prevents the automatic execution of mobile code in organization-defined software applications. |
Controls
Number | Title |
---|---|
SC-18(4) | Prevent Automatic Execution |