Trellix ENS 10.x STIG Version Comparison
Trellix ENS 10.x Security Technical Implementation Guide
Comparison
There are 5 differences between versions v3 r1 (July 24, 2024) (the "left" version) and v3 r3 (Jan. 30, 2025) (the "right" version).
Check ENS-TP-000248 was added to the benchmark in the "right" version.
Text Differences
Title
(U) The Trellix ENS Threat Prevention Options must be configured to enable Anti-Malware Scan Interface (AMSI).
Check Content
(U) Access the ePO server console.
Select Menu >> Policy >> Policy Catalog.
From the "Product" list, select "Endpoint Security Threat Prevention".
From the "Category" list, select "On-Access Scan".
Select each configured On-Access Scan policy.
Verify Antimalware Scan Interface (Windows only) >> "Enable AMSI (provides enhanced script scanning) (Windows only)" is selected.
Verify Antimalware Scan Interface (Windows only) >> "Enable Observe mode (Events are generated but actions are not enforced)" is not selected.
If Antimalware Scan Interface (Windows only) >> "Enable AMSI (provides enhanced script scanning) (Windows only)" is not selected, this is a finding.
If Antimalware Scan Interface (Windows only) >> "Enable Observe mode (Events are generated but actions are not enforced)" is selected, this is a finding.
Discussion
(U) Malware and other threats can attempt to obfuscate or hide their malicious code in some script files. This rule prevents scripts that appear to be obfuscated from running. It uses AMSI to determine whether a script is potentially obfuscated and then blocks such a script, either when it runs or when an attempt is made to access it.
Fix
(U) Access the ePO server console.
Select Menu >> Policy >> Policy Catalog.
From the "Product" list, select "Endpoint Security Threat Prevention".
From the "Category" list, select "On-Access Scan".
Select each configured On-Access Scan policy.
Select the Antimalware Scan Interface (Windows only) >> "Enable AMSI (provides enhanced script scanning) (Windows only)" option.
Deselect the Antimalware Scan Interface (Windows only) >> "Enable Observe mode (Events are generated but actions are not enforced)" option.
Click "Save".