Check: ENS-EP-000004
Trellix ENS 10.x STIG: ENS-EP-000004 (in versions v2 r7 through v2 r5)
Title
(U) The McAfee Custom Content must be configured to report or block within 30 days of tuning. (Cat II impact)
Discussion
(U) This is a manual check to confirm McAfee Custom Content is being used for Intrusion Prevention.
Check Content
(U) NOTE: The DISA EMCC Signature Guide will be located on the Patches Repository (patches.csd.disa.mil) under ESS (HBSS) >> Dynamic Content >> ENS Custom Content (EMCC) once OPORD 16-0080 FRAGO 6 is released. If OPORD 16-0080 FRAGO 6 has not been released yet, this is Not Applicable.

Review and reference DISA's EMCC Signature Guide. Compare the installed rule set to DISA's EMCC Signature Guide to verify the Custom Content is in the rule sets of all IPS policies.

If Custom Content specified in the EMCC Signature Guide is not present, this is a finding.

If Custom Content is present but is not configured to block or report as specified in the Signature Guide after 30 days of tuning, this is a finding.
Fix Text
(U) Review and reference DISA's EMCC Signature Guide and update signature rules with custom content. Set designated rules to report, tune, and then block within 30 days of tuning.
Additional Identifiers
Rule ID: SV-230208r772382_rule
Vulnerability ID: V-230208
Group Title: SRG-APP-000272
CCIs
Number | Definition |
---|---|
CCI-001247 | The information system automatically updates malicious code protection mechanisms. |
Controls
Number | Title |
---|---|
SI-3(2) | Automatic Updates |