Trellix ENS 10.x STIG Version Comparison
Trellix ENS 10.x Security Technical Implementation Guide
Comparison
There are 29 differences between versions v2 r14 (April 24, 2024) (the "left" version) and v3 r2 (Oct. 24, 2024) (the "right" version).
Check ENS-CO-000109 was changed between these two versions.
Text Differences
Title
(U) The Trellix ENS Common Options must be configured to log Critical and Alert Threat Prevention events.
Check Content
(U) Access the ePO server console.
Select Menu >> Policy >> Policy Catalog From Catalog.
From the "Product" list, select "Endpoint Security Common".
From the "Category" list, select "Options".
Select each configured Options policy.
Click the "Show Advanced" button.
Verify Client Logging >> Event Logging >> Threat Prevention events to log >> Access Protection is configured for "Critical and Alert" events.
Verify Client Logging >> Event Logging >> Threat Prevention events to log >> On-Access Scan is configured for "Critical and Alert" events.
Verify Client Logging >> Event Logging >> Threat Prevention events to log >> On-Demand Scan is configured for "Critical and Alert" events.
If Client Logging >> Event Logging >> Threat Prevention events to log is not configured for "Critical and Alert" events for "Access Protection", "On-Access Scan", and "On-Demand Scan", this is a finding.
If Client Logging >> Event Logging >> Threat Prevention events to log is configured for "All Except Informational" or "All" events for "Access Protection", "On-Access Scan", and "On-Demand Scan", this is not a finding.
Discussion
(U) Logging is imperative to forensic analysis and must be configured to capture, at a minimum, the most severe events. Critical and Alert are the two highest event severities, and events at these levels should be analyzed for risk to the managed system as well as to the site and the enterprise.
Fix
(U) Access the ePO server console.
Select Menu >> Policy >> Policy Catalog.
From the "Product" list, select "Endpoint Security Common".
From the "Category" list, select "Options".
Select each configured Options policy.
Click the "Show Advanced" button.
Configure Client Logging >> Event Logging >> Threat Prevention events to log >> Access Protection for "Critical and Alert" events.
Configure Client Logging >> Event Logging >> Threat Prevention events to log >> On-Access Scan for "Critical and Alert" events.
Configure Client Logging >> Event Logging >> Threat Prevention events to log >> On-Demand Scan for "Critical and Alert" events.
Click "Save".
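As an added example (not from the STIG, Trellix, or ePO), the following Python applies the check above to a set of Options policies: each of the three Threat Prevention components must be set to "Critical and Alert" or to one of the more verbose levels the check accepts, and a missing setting counts as a finding. The nested dictionary layout and the policy "name" key are assumptions standing in for a parsed ePO policy export.

```python
"""Evaluate STIG check ENS-CO-000109 over ENS Common Options policies.

Added example; the policy structure below is a constructed stand-in for
whatever a real ePO export is parsed into (key names are assumptions).
"""

# The three Threat Prevention components the check names.
REQUIRED_COMPONENTS = ("Access Protection", "On-Access Scan", "On-Demand Scan")

# Levels the check treats as compliant: the required level plus the two
# more verbose levels the check text explicitly says are not a finding.
COMPLIANT_LEVELS = frozenset({"critical and alert", "all except informational", "all"})


def _normalize(value):
    """Collapse whitespace and case so export formatting cannot mask a match."""
    return " ".join(str(value).split()).lower() if value is not None else ""


def evaluate_policy(policy):
    """Return the components of one Options policy that fail the check (empty = compliant)."""
    tp_events = (policy.get("Client Logging", {})
                       .get("Event Logging", {})
                       .get("Threat Prevention events to log", {}))
    return [c for c in REQUIRED_COMPONENTS
            if _normalize(tp_events.get(c)) not in COMPLIANT_LEVELS]


def evaluate_policies(policies):
    """Map policy name -> list of failing components, for every configured policy."""
    return {p["name"]: evaluate_policy(p) for p in policies}


def is_finding(policies):
    """The check is a finding if any configured policy fails for any component."""
    return any(evaluate_policies(policies).values())


# Constructed sample data: one compliant policy and one that drifted.
SAMPLE_POLICIES = [
    {"name": "My Default", "Client Logging": {"Event Logging": {
        "Threat Prevention events to log": {
            "Access Protection": "Critical and Alert",
            "On-Access Scan": "All Except Informational",
            "On-Demand Scan": "All"}}}},
    {"name": "Server Baseline", "Client Logging": {"Event Logging": {
        "Threat Prevention events to log": {
            "Access Protection": "Critical and Alert",
            "On-Access Scan": "Critical and Alert"}}}},  # On-Demand Scan unset -> finding
]

if __name__ == "__main__":
    for name, failing in evaluate_policies(SAMPLE_POLICIES).items():
        print(f"{name}: {'compliant' if not failing else 'FINDING: ' + ', '.join(failing)}")
```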