McAfee ENS 10.x STIG Version Comparison
McAfee ENS 10.x Security Technical Implementation Guide
Comparison
There are 6 differences between versions v2 r10 (Jan. 26, 2023) (the "left" version) and v2 r12 (Oct. 25, 2023) (the "right" version).
Check ENS-TP-000247 was added to the benchmark in the "right" version.
This check's original form is available here.
Text Differences
Title
Buffer Overflow and Illegal API Use Signatures must be enabled.
Check Content
1. Access the ePO server console.
2. Select Menu >> Systems >> System Tree.
3. Click the "Assigned Policies" tab.
4. Select "Endpoint Security Threat Prevention" from the Product drop-down list.
5. From the Category list, select "Exploit Prevention".
6. Click "Show Advanced," and then scroll down to "Signatures".
7. Filter for Type: "Buffer Overflow" and "Illegal API Use" and Severity: "High," "Medium," and "Low."
8. Verify High/Medium signatures are set to "Block" and "Report".
9. Verify Low signatures are set to "Report".
10. Scroll down to "Application Protection Rules."
11. Verify the applications listed have all been checked. Any unchecked applications must be documented and approved by the ISSO, ISSM, or AO.
If Buffer Overflow and Illegal API Use signatures are not checked, this is a finding.
If Buffer Overflow and Illegal API Use signatures are not configured as indicated above, this is a finding.
If any Application Protection Rules have been disabled and have not been documented and approved, this is a finding.
Discussion
Buffer overflow signatures report or block malicious programs inserted into the memory space exploited by an attack. Illegal API use signatures report or block API calls that might result in malicious activity. Buffer Overflow and Illegal API Use signatures protect specific processes, which are defined in the Application Protection Rules. By default, all Application Protection Rules are enabled and must only be disabled for troubleshooting. Disabling buffer overflow and illegal API use signatures or disabling Application Protection Rules decreases the efficacy of the Endpoint Security Threat Prevention module by 40 percent.
Fix
1. Access the ePO server console.
2. Select Menu >> Systems >> System Tree.
3. Click the "Assigned Policies" tab.
4. Select "Endpoint Security Threat Prevention" from the Product drop-down list.
5. From the Category list, select "Exploit Prevention".
6. Click "Show Advanced," and then scroll down to "Signatures".
7. Filter for Type: "Buffer Overflow" and "Illegal API Use" and Severity: "High," "Medium," and "Low."
8. Set High/Medium signatures to "Block" and "Report".
9. Set Low signatures to "Report".
10. Scroll down to "Application Protection Rules."
11. Enable the applications listed in Application Protection Rules.
12. Disabled applications must be documented and approved by the ISSO, ISSM, or AO.
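The check and fix above are written for manual review in the ePO console. The following added example (not part of the STIG and not DISA or Trellix/McAfee code) encodes the same finding logic so it can be run against a policy export when auditing many systems. It assumes a hypothetical, constructed export structure (a list of signatures with type, severity, enabled flag and actions, plus a list of Application Protection Rules with an enabled flag and an "approved exception" flag); the real ePO export format is not described on the page, so the loader for it would have to be written separately.

```python
"""ENS-TP-000247 finding logic over a policy export (added example).

The data model below is an assumption: ePO's real export format is not
described in the STIG text, so the sample is constructed for illustration.
"""
from dataclasses import dataclass, field

# Severity -> actions that must be present (steps 8 and 9 of the check).
REQUIRED_ACTIONS = {
    "High": {"Block", "Report"},
    "Medium": {"Block", "Report"},
    "Low": {"Report"},
}
# Only these signature types are in scope for this check (step 7).
IN_SCOPE_TYPES = {"Buffer Overflow", "Illegal API Use"}


@dataclass
class Signature:
    sig_id: int
    sig_type: str
    severity: str
    enabled: bool               # "checked" in the console
    actions: set = field(default_factory=set)


@dataclass
class AppProtectionRule:
    name: str
    enabled: bool
    approved_exception: bool = False  # documented and approved by ISSO/ISSM/AO


def evaluate(signatures, app_rules):
    """Return a list of finding strings; an empty list means compliant."""
    findings = []
    for s in signatures:
        if s.sig_type not in IN_SCOPE_TYPES:
            continue                      # other signature types are out of scope
        label = f"signature {s.sig_id} ({s.sig_type}/{s.severity})"
        if not s.enabled:
            findings.append(f"{label} is not checked")
            continue
        required = REQUIRED_ACTIONS.get(s.severity)
        if required is None:
            findings.append(f"{label} has an unexpected severity value")
            continue
        if not required.issubset(s.actions):
            missing = ", ".join(sorted(required - s.actions))
            findings.append(f"{label} is missing required action(s): {missing}")
    for r in app_rules:
        # Step 11: a disabled rule is a finding unless it is a documented exception.
        if not r.enabled and not r.approved_exception:
            findings.append(
                f"Application Protection Rule '{r.name}' is disabled without approval"
            )
    return findings


def sample_policy():
    """Constructed sample export used for illustration; not real policy data."""
    signatures = [
        Signature(1, "Buffer Overflow", "High", True, {"Block", "Report"}),   # ok
        Signature(2, "Illegal API Use", "Medium", True, {"Report"}),         # missing Block
        Signature(3, "Buffer Overflow", "Low", True, {"Report"}),            # ok
        Signature(4, "Illegal API Use", "High", False, {"Block", "Report"}), # not checked
        Signature(5, "Files", "High", True, {"Report"}),                     # out of scope
    ]
    app_rules = [
        AppProtectionRule("app-rule-A", enabled=True),
        AppProtectionRule("app-rule-B", enabled=False),                          # finding
        AppProtectionRule("app-rule-C", enabled=False, approved_exception=True), # documented
    ]
    return signatures, app_rules


if __name__ == "__main__":
    for f in evaluate(*sample_policy()):
        print("FINDING:", f)
```

Running the block against the constructed sample reports three findings: the Medium signature without "Block", the unchecked High signature, and the disabled rule with no documented approval. The Low severity case is treated as requiring at least "Report", which matches step 9 without forbidding a stricter setting.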