Check: DTAM005
McAfee VirusScan 8.8 Local Client STIG:
DTAM005
(in versions v6 r1 through v5 r12)
Title
McAfee VirusScan On-Access Scanner General Settings must be configured to prevent users from removing messages from the list. (Cat II impact)
Discussion
Good incident response analysis includes reviewing all logs and alerts on the system reporting the infection. If users were permitted to remove alerts from the display, incident response forensic analysis would be inhibited.
Check Content
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. On the menu bar, click Task->On-Access Scanner Properties. Select the General Settings. Under the Messages tab, locate the "Actions available to user:" label. Ensure the "Remove messages from the list" option is NOT selected. Criteria: If the "Remove messages from the list" option is NOT selected, this is not a finding. On the client machine use the Windows Registry Editor to navigate to the following key: HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit) SystemCore\VSCore\On Access Scanner\McShield\Configuration Criteria: If the value of Alert_UsersCanRemove is 0, this is not a finding. If the value is 1, this is a finding.
Fix Text
Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console. On the menu bar, click on Task->On-Access Scanner Properties. Select the General Settings. Under the Messages tab, locate the "Actions available to user:" label. Uncheck the "Remove messages from the list" option. Click OK to Save.
Additional Identifiers
Rule ID: SV-243360r722419_rule
Vulnerability ID: V-243360
Group Title: SRG-APP-000278
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001242 |
The organization configures malicious code protection mechanisms to perform real-time scans of files from external sources at endpoints as the files are downloaded, opened, or executed in accordance with organizational security policy. |
Controls
Number | Title |
---|---|
SI-3 |
Malicious Code Protection |