Check: ENS-TP-000247
Trellix ENS 10.x STIG:
ENS-TP-000247
(in versions v2 r14 through v2 r12)
Title
Buffer Overflow and Illegal API Use Signatures must be enabled. (Cat II impact)
Discussion
Buffer overflow signatures report or block malicious programs inserted into the memory space exploited by an attack. Illegal API use signatures report or block API calls that might result in malicious activity. Buffer Overflow and Illegal API Use signatures protect specific processes, which are defined in the Application Protection Rules. By default, all Application Protection Rules are enabled and must only be disabled for troubleshooting. Disabling buffer overflow and illegal API use signatures or disabling Application Protection Rules decreases the efficacy of the Endpoint Security Threat Prevention module by 40 percent.
Check Content
1. Access the ePO server console.
2. Select Menu >> Systems >> System Tree.
3. Click the "Assigned Policies" tab.
4. Select "Endpoint Security Threat Prevention" from the Product drop-down list.
5. From the Category list, select "Exploit Prevention".
6. Click "Show Advanced," and then scroll down to "Signatures".
7. Filter for Type: "Buffer Overflow" and "Illegal API Use" and Severity: "High," "Medium," and "Low."
8. Verify High/Medium signatures are set to "Block" and "Report".
9. Verify Low signatures are set to "Report".
10. Scroll down to "Application Protection Rules."
11. Verify the applications listed have all been checked. Any unchecked applications must be documented and approved by the ISSO, ISSM, or AO.
If Buffer Overflow and Illegal API Use signatures are not checked, this is a finding.
If Buffer Overflow and Illegal API Use signatures are not configured as indicated above, this is a finding.
If any Application Protection Rules have been disabled and have not been documented and approved, this is a finding.
Fix Text
1. Access the ePO server console.
2. Select Menu >> Systems >> System Tree.
3. Click the "Assigned Policies" tab.
4. Select "Endpoint Security Threat Prevention" from the Product drop-down list.
5. From the Category list, select "Exploit Prevention".
6. Click "Show Advanced," and then scroll down to "Signatures".
7. Filter for Type: "Buffer Overflow" and "Illegal API Use" and Severity: "High," "Medium," and "Low."
8. Set High/Medium signatures to "Block" and "Report".
9. Set Low signatures to "Report".
10. Scroll down to "Application Protection Rules."
11. Enable the applications listed in Application Protection Rules.
12. Disabled applications must be documented and approved by the ISSO, ISSM, or AO.
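The Check Content and Fix Text above describe the same three conditions: every Buffer Overflow and Illegal API Use signature must be enabled, High/Medium signatures must be set to both Block and Report, Low signatures must at least Report, and every Application Protection Rule must be enabled unless its disablement is documented and approved. The following is an added Python example, not Trellix, ePO or STIG-supplied code, that encodes those conditions as an evaluator over a constructed in-memory representation of the policy; the `Signature` and `AppProtectionRule` classes and the sample records are assumptions for illustration and do not reflect any real ePO export format.

```python
"""Evaluate ENS-TP-000247 conditions over a constructed policy snapshot.

The data model below is an assumption made for this example; it is not the
ePO export format or any Trellix API.
"""
from dataclasses import dataclass

# Only these two signature types are in scope for this check.
IN_SCOPE_TYPES = {"Buffer Overflow", "Illegal API Use"}


@dataclass
class Signature:
    sig_id: int
    sig_type: str      # e.g. "Buffer Overflow", "Illegal API Use"
    severity: str      # "High", "Medium" or "Low"
    enabled: bool
    block: bool
    report: bool


@dataclass
class AppProtectionRule:
    name: str
    enabled: bool
    documented_exception: bool = False   # approved by ISSO, ISSM or AO


def evaluate_signatures(signatures):
    """Return a list of finding descriptions for in-scope signatures."""
    findings = []
    for sig in signatures:
        if sig.sig_type not in IN_SCOPE_TYPES:
            continue                      # other signature types are not part of this check
        label = f"signature {sig.sig_id} ({sig.sig_type}/{sig.severity})"
        if not sig.enabled:
            findings.append(f"{label} is not enabled")
            continue
        if sig.severity in ("High", "Medium") and not (sig.block and sig.report):
            findings.append(f"{label} must be set to Block and Report")
        elif sig.severity == "Low" and not sig.report:
            findings.append(f"{label} must be set to Report")
    return findings


def evaluate_app_rules(rules):
    """Disabled rules are findings unless a documented exception exists."""
    return [
        f"Application Protection Rule '{rule.name}' is disabled without documented approval"
        for rule in rules
        if not rule.enabled and not rule.documented_exception
    ]


def evaluate(signatures, rules):
    """Combine both parts of the check; 'finding' is True if anything fails."""
    details = evaluate_signatures(signatures) + evaluate_app_rules(rules)
    return {"finding": bool(details), "details": details}


# Constructed sample records (not real signature IDs or rule names).
SAMPLE_SIGNATURES = [
    Signature(1, "Buffer Overflow", "High", True, True, True),      # compliant
    Signature(2, "Illegal API Use", "Medium", True, False, True),   # Block missing -> finding
    Signature(3, "Buffer Overflow", "Low", True, False, True),      # compliant (Report only)
    Signature(4, "Illegal API Use", "Low", False, False, False),    # disabled -> finding
    Signature(5, "Files", "High", True, False, True),               # out of scope, ignored
]
SAMPLE_RULES = [
    AppProtectionRule("example-process-a.exe", True),
    AppProtectionRule("example-process-b.exe", False, documented_exception=True),  # approved
    AppProtectionRule("example-process-c.exe", False),                             # finding
]

if __name__ == "__main__":
    result = evaluate(SAMPLE_SIGNATURES, SAMPLE_RULES)
    print("Finding" if result["finding"] else "Not a finding")
    for line in result["details"]:
        print(" -", line)
```

The evaluator treats Block on a Low-severity signature as acceptable, since the check only requires Report at that severity; tighten `evaluate_signatures` if local policy requires Report only.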
Additional Identifiers
Rule ID: SV-258460r928988_rule
Vulnerability ID: V-258460
Group Title: SRG-APP-000278
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001242 | The organization configures malicious code protection mechanisms to perform real-time scans of files from external sources at endpoints as the files are downloaded, opened, or executed in accordance with organizational security policy. |
Controls
Number | Title |
---|---|
SI-3 | Malicious Code Protection |