Check: ENS-CO-000104
Trellix ENS 10.x STIG: ENS-CO-000104 (in versions v2 r14 through v2 r13)
Title
(U) The Trellix ENS Common Options must be configured to enable Self Protection. (Cat I impact)
Discussion
(U) Trellix ENS Self Protection protects the Endpoint Security system resources from malicious activity. It protects the Trellix system files, folders, and registry keys and prevents Trellix services from being stopped. Without this self-protection, malicious misconfiguration would occur.
Check Content
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Common". From the "Category" list, select "Options". Select each configured Options policy. Click the "Show Advanced" button.

Verify Self Protection >> "Set Enable Self Protection" is selected. If Self Protection >> "Set Enable Self Protection" is not selected, this is a finding.

Verify "Files and Folders", "Registry", and "Processes" are all selected and configured with an "Action:" of "Block and report". If the "Files and Folders", "Registry", and "Processes" are not all selected and configured with an "Action:" of "Block and report", this is a finding.

Inspect Self Protection >> "Exclude these processes:". If any exclusions exist to bypass the "Files and Folders", "Registry", and "Processes" self protection settings, this is a finding.
Fix Text
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Common". From the "Category" list, select "Options". Select each configured Options policy. Click the "Show Advanced" button.

Select the Self Protection >> "Set Enable Self Protection" option. Select "Files and Folders", "Registry", and "Processes" and configure with an "Action:" of "Block and report". Click "Save".
Additional Identifiers
Rule ID: SV-228227r944441_rule
Vulnerability ID: V-228227
Group Title: SRG-APP-000516
CCIs
Number | Definition |
---|---|
CCI-000366 | The organization implements the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 | Configuration Settings |