Check: ENS-TP-000202
Trellix ENS 10.x STIG:
ENS-TP-000202
(in versions v2 r14 through v2 r5)
Title
(U) The Trellix ENS Threat Prevention Options must be configured to enable AMCore Content Reputation when performing Proactive Data Analysis. (Cat II impact)
Discussion
(U) Trellix GTI is a global Internet reputation intelligence system that determines what is good and bad behavior on the Internet. Trellix GTI uses real-time analysis of worldwide behavioral and sending patterns for email, web activity, malware, and system-to-system behavior. Using data collected from the analysis, GTI dynamically calculates reputation scores that represent the level of risk to a network. AMCore Content Reputation performs a Trellix GTI reputation lookup on the AMCore content file before updating the client system. If Trellix GTI allows the file, Endpoint Security updates AMCore content. If Trellix GTI does not allow the file, Endpoint Security does not update the AMCore content.
Check Content
(U) NOTE: For Classified networks, this requirement is Not Applicable.

Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "Options". Select each configured Options policy. Click the "Show Advanced" button. Verify "Proactive Data Analysis:AMCore Content Reputation" is selected.

If "Proactive Data Analysis:AMCore Content Reputation" is not selected, this is a finding.
Fix Text
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "Options". Select each configured Options policy. Click the "Show Advanced" button. Select the "Proactive Data Analysis:AMCore Content Reputation" option. Click "Save".
Additional Identifiers
Rule ID: SV-228236r944461_rule
Vulnerability ID: V-228236
Group Title: SRG-APP-000278
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-001242 | The organization configures malicious code protection mechanisms to perform real-time scans of files from external sources at endpoints as the files are downloaded, opened, or executed in accordance with organizational security policy. |
Controls
| Number | Title |
|---|---|
| SI-3 | Malicious Code Protection |