Check: ENS-TP-000227
Trellix ENS 10.x STIG:
ENS-TP-000227
(in versions v2 r5 through v2 r14)
Title
(U) The Trellix ENS Threat Prevention On-Demand Scan must be configured to detect unknown macro threats. (Cat II impact)
Discussion
(U) Interpreted viruses are executed by an application rather than directly by the operating system. Within this subcategory, macro viruses take advantage of an application's macro programming language to infect documents and document templates, while scripting viruses infect scripts that are understood by scripting languages processed by services on the operating system. Many attackers use toolkits containing several different types of utilities and scripts that can be used to probe and attack hosts. Signature-based detection alone will not catch a macro that has not been seen before, so scanning for unknown macro threats using heuristic analysis helps mitigate zero-day attacks delivered through documents.
Check Content
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "On-Demand Scan". Select each configured On-Demand Scan policy. Verify that Additional Scan Options >> "Detect unknown macro threats" is selected. If Additional Scan Options >> "Detect unknown macro threats" is not selected in any configured On-Demand Scan policy, this is a finding.
Fix Text
(U) Access the ePO server console. Select Menu >> Policy >> Policy Catalog. From the "Product" list, select "Endpoint Security Threat Prevention". From the "Category" list, select "On-Demand Scan". Select each configured On-Demand Scan policy. Select the Additional Scan Options >> "Detect unknown macro threats" option. Click "Save". Repeat for every configured On-Demand Scan policy.
Additional Identifiers
Rule ID: SV-228261r944490_rule
Vulnerability ID: V-228261
Group Title: SRG-APP-000277
CCIs
Number | Definition |
---|---|
CCI-001241 | The organization configures malicious code protection mechanisms to perform periodic scans of the information system on an organization-defined frequency. |
Controls
Number | Title |
---|---|
SI-3 | Malicious Code Protection |