Title

The McAfee VirusScan exclusions parameter is not configured as required. (Cat II impact)

Discussion

This parameter ensures that there are no unapproved exclusions from the virus scanning.

Check Content

From the ePO server console, select Systems tab, select the asset to be checked, select Client Tasks tab. From the list of available tasks in the Task Name column, with the assistance of the ePO SA, identify the weekly on demand client scan task. A daily or weekly on demand client scan may also be identified by reviewing the Product Name, Status, and Schedule of each Task Name in the Client Tasks window. In the same row as the on demand client scan task under review, ensure that the Product Name column contains VirusScan Enterprise 8.7.0 and in the Status column, ensure that the status is Enabled. Select Edit from the Actions column. In the Description tab, ensure that for “Type:” “On Demand Scan (VirusScan Enterprise 8.7.0)” is selected. Select the Configuration tab. Under the Exclusions tab, “What not to scan:” area, ensure that no items are listed in this area. Criteria: If no items are listed in the “What not to scan:” area, this is not a finding. Criteria: If items exist, ensure the justification for exclusions have been documented with the IAO/IAM. If exclusions are documented with the IAO/IAM, this is not a finding. If exclusions have not been documented, this is a finding. On the client machine, use the Windows Explorer to navigate to the following folder: %SystemDrive%:\Document and Settings\All Users\Application Data\McAfee\Common Framework\Task\. Multiple .ini files will be stored in this folder one for each task defined on the ePO server for this client. The name for each task is identified in the first section of the file under the [Task] section on the TaskName= “” line. Additionally, a TaskType= line in the [General] section of the file is provided to describe the type of scan. In this case, TaskType=VSC700_Scan_Task is expected. Information for this check is determined by examining the contents of this file. Criteria: If [Exclusions] dwExclusionCount=0, this is not a finding. Criteria: If not set to 0, ensure the justification for exclusions found have been documented with the IAO/IAM. If exclusions are documented with the IAO/IAM, this is not a finding. If exclusions have not been documented, this is a finding.

Fix Text

From the ePO server console, select Systems tab, select the asset to be checked, select Client Tasks tab. From the list of available tasks in the Task Name column, with the assistance of the ePO SA, identify the weekly on demand client scan task. In the same row as the on demand client scan task, ensure that the Product Name column contains VirusScan Enterprise 8.7.0 and in the Status column, ensure that the status is Enabled. Select Edit from the Actions column. In the Description tab, ensure that for “Type:” “On Demand Scan (VirusScan Enterprise 8.7.0)” is selected. Select the Configuration tab. Under the Exclusions tab, “What not to scan:” area, no items should be entered into this area. Select Save. If exclusions do exist, these must be documented and approved by the IAO/IAM.

Additional Identifiers

Rule ID:

Vulnerability ID: V-6604

Group Title:

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.