Check: ENS-EP-000004
Trellix ENS 10.x STIG:
ENS-EP-000004
(in version v3 r5)
Title
(U) The DISA TECC Custom Content must be configured to report for 30 days while tuning and set to block no later than the end of the 30-day tuning period. (Cat II impact)
Discussion
(U) This is a manual check to confirm Trellix Custom Content is being used for Intrusion Prevention.
Check Content
(U) Note: If the installation is not purchasing support/services through the ESS 2025 contract, nor has access to the 2025 protected collections on the DISA patch repository, then this is not applicable.

Note: The acronym EMCC changed to TECC. The DISA TECC documentation is located on the Patches Repository (patches.csd.disa.mil) under ESS (HBSS) >> Dynamic Content >> Trellix Endpoint Custom Content (formerly EMCC).

This check uses two documents: the TECC release notes and the TECC Signature Guide.

Verify the Exploit Prevention content is up to date. This ensures the custom content is present in the rule sets for all Exploit Prevention policies.
1. Using the ePO web interface, go to Menu >> Master/Main repository and view the version of the Exploit Prevention content.
2. If the version of the Exploit Prevention content does not match the version listed in the latest release notes document, this is a finding.

Verify the custom content present in each Exploit Prevention policy is set to report for 30 days while tuning and set to block no later than the end of the 30-day tuning period.
1. Compare the signature IDs listed in the Exploit Prevention policy to the signature IDs listed in Appendix B of the TECC Signature Guide.
2. If the signature IDs are not configured as specified in the TECC Signature Guide, this is a finding.
Fix Text
(U) Review and reference DISA's TECC Signature Guide and update the signature rules with the custom content. Configure the designated rules to report for 30 days while tuning, and set them to block no later than the end of the 30-day tuning period.
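As an added audit helper that is not part of the STIG, of ePO, or of any DISA or Trellix tooling, the Python below applies both parts of this check to a policy export: the content version must match the release notes, and every Appendix B signature must be present in the policy and set to block once its 30-day tuning window has elapsed. The policy and guide input shapes, the signature IDs, the dates and the version strings are all constructed assumptions; the real ePO export format and the real Appendix B values come from the documents named above.

```python
from dataclasses import dataclass
from datetime import date, timedelta

TUNING_DAYS = 30  # report-only tuning window the check allows


@dataclass(frozen=True)
class Signature:
    sig_id: int          # custom-content signature ID (placeholder values below)
    action: str          # "report" or "block" (assumed policy field name)
    tuning_start: date   # day the signature was deployed in report mode


def audit_policy(policy_sigs, required_ids, content_version,
                 expected_version, today):
    """Return a list of finding strings; an empty list means no finding."""
    findings = []
    # Part 1: the Exploit Prevention content version in the Master
    # repository must match the version in the latest TECC release notes.
    if content_version != expected_version:
        findings.append(f"content version {content_version} does not match "
                        f"release notes version {expected_version}")
    # Part 2: every Appendix B signature must be in the policy and, once its
    # 30-day tuning window has elapsed, must be set to block.
    present = {s.sig_id: s for s in policy_sigs}
    for sig_id in sorted(required_ids):
        sig = present.get(sig_id)
        if sig is None:
            findings.append(f"signature {sig_id} missing from policy")
            continue
        if sig.action == "block":
            continue
        deadline = sig.tuning_start + timedelta(days=TUNING_DAYS)
        if sig.action != "report":
            findings.append(f"signature {sig_id} has unexpected action {sig.action!r}")
        elif today > deadline:
            findings.append(f"signature {sig_id} still reporting after "
                            f"tuning deadline {deadline.isoformat()}")
    return findings


# Constructed sample: IDs, dates and version strings are placeholders.
SAMPLE_POLICY = [
    Signature(90001, "block", date(2025, 1, 1)),
    Signature(90002, "report", date(2025, 5, 20)),  # still inside window
    Signature(90003, "report", date(2025, 3, 1)),   # window expired
]
SAMPLE_REQUIRED = {90001, 90002, 90003, 90004}      # 90004 absent from policy


def sample_findings():
    return audit_policy(SAMPLE_POLICY, SAMPLE_REQUIRED, "10.7.0.1234",
                        "10.7.0.1234", today=date(2025, 6, 1))
```

Running `sample_findings()` on the constructed data reports the expired report-mode signature and the missing one; the version check passes because both placeholder strings match.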
Additional Identifiers
Rule ID: SV-230208r1112446_rule
Vulnerability ID: V-230208
Group Title: SRG-APP-000272
Expert Comments
CCIs
Number | Definition
---|---
CCI-001247 | The information system automatically updates malicious code protection mechanisms.
CCI-004964 | Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy.
Controls
Number | Title
---|---
SI-3(2) | Automatic Updates