Title

McAfee VirusScan Access Protection Rules must be configured to prevent McAfee services from being stopped. (Cat I impact)

Discussion

When the "Prevent McAfee services from being stopped" check box is selected under Access Protection, VSE will prevent anyone except the System account from terminating McAfee services. This protects VirusScan from being disabled by malicious programs that seek to circumvent virus protection programs by terminating their services.

Check Content

Note: If the HIPS signature 3892 is enabled to provide the "Prevent termination of McAfee processes" protection, this check is not applicable. Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. Under the Task column, select Access Protection, right-click, and select Properties. Under the Access Protection tab, ensure the "Prevent McAfee services from being stopped" option is selected. Criteria: If the "Prevent McAfee services from being stopped" option is selected, this is not a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) SystemCore\VSCore\On Access Scanner\BehaviourBlocking Criteria: If the value of PVSPTEnabled is REG_DWORD = 1, this is not a finding.

Fix Text

Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. Under the Task column, select Access Protection, right-click, and select Properties. Under the Access Protection tab, select the "Prevent McAfee services from being stopped" option. Click OK to save.

Additional Identifiers

Rule ID: SV-243412r722575_rule

Vulnerability ID: V-243412

Group Title: SRG-APP-000278

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.