DTAM144 - McAfee VirusScan Access Protection: Common Standard Protection must be set to prevent termination of McAfee processes.

Information

Many malicious programs have attempted to disable VirusScan by stopping services and processes and leaving the system vulnerable to attack. Self-protection is an important feature of VSE that prevents malicious programs from disabling VirusScan or any of its services or processes. Many trojans and viruses will attempt to terminate or even delete security products. VSE's self-protection features protect VirusScan registry values and processes from being altered or deleted by malicious code. This rule protects the McAfee security product from modification by any process not listed in the policy's exclusion list.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select the policy associated with the Access Protection Policies. Under the Access Protection tab, locate the 'Access protection rules:' label. In the 'Categories' box, select 'Common Standard Protection'. Select both 'Prevent termination of McAfee processes' (Block and Report) options. Select Save.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_McAfee_VirusScan88_Managed_Client_V6R1_STIG.zip

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-3, CAT|II, CCI|CCI-000213, Rule-ID|SV-216954r395499_rule, STIG-ID|DTAM144, STIG-Legacy|SV-55250, STIG-Legacy|V-42522, Vuln-ID|V-216954

Plugin: Windows

Control ID: ee94770c2a975bec643a5529d42f9d19b465107f3a08e8ee15dc456fc8a54e6f