
McAfee VirusScan General Options Policies must be configured to not allow On-Demand scans to utilize the scan cache.


Overview

Finding ID: V-42535
Version: DTAM156
Rule ID: SV-55263r1_rule
IA Controls:
Severity: Medium
Description
The cache is a list of scanned files that have been determined to be clean. The scanner uses this list to reduce duplicate file scanning. While disabling the cache persistence may result in performance degradation, enabling it may allow malware to go undetected.
STIG: McAfee VirusScan 8.8 Managed Client STIG
Date: 2014-04-03

Details

Check Text ( C-48853r2_chk )
NOTE: If the system being configured/reviewed is a server, this setting is Not Applicable. This setting is required for workstations.

From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the General Options Policies. Under the Global Scan Settings tab, locate the "Scan Cache:" label. Ensure the "Allow On-Demand Scans to utilize the scan cache" option is NOT selected.

Criteria: If the "Allow On-Demand Scans to utilize the scan cache" option is selected, this is a finding.

On the client machine, use the Windows Registry Editor to navigate to the following key:
HKLM\Software\McAfee\SystemCore\VSCore\On Access Scanner\McShield\Configuration (32-bit)
HKLM\Software\Wow6432Node\McAfee\SystemCore\VSCore\On Access Scanner\McShield\Configuration (64-bit)

Criteria: If the value of bODSUseCache is REG_DWORD = 0, this is not a finding. If the value is 1, this is a finding.
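
The registry criteria above can also be checked locally with a read-only script. This is an added example, not part of the STIG or of McAfee tooling; the function name, the status labels, and the choice to report a missing or non-DWORD value as "Undetermined" are assumptions of this example.

```powershell
# Added example: read-only local check of bODSUseCache for DTAM156.
# Function name and status labels are this example's own, not McAfee's or DISA's.
function Test-OdsScanCache {
    param(
        [string[]]$BaseKeys = @(
            'HKLM:\Software\McAfee',             # 32-bit
            'HKLM:\Software\Wow6432Node\McAfee'  # 64-bit
        ),
        [string]$SubKey = 'SystemCore\VSCore\On Access Scanner\McShield\Configuration',
        [string]$ValueName = 'bODSUseCache'
    )

    # The check is Not Applicable on servers.
    # ProductType: 1 = workstation, 2 = domain controller, 3 = server.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    if ($os.ProductType -ne 1) {
        return [pscustomobject]@{ Status = 'Not Applicable'; Path = $null; Value = $null }
    }

    foreach ($base in $BaseKeys) {
        $path = Join-Path -Path $base -ChildPath $SubKey
        if (-not (Test-Path -LiteralPath $path)) { continue }

        $key = Get-Item -LiteralPath $path
        if ($key.GetValueNames() -notcontains $ValueName) { continue }

        $kind  = $key.GetValueKind($ValueName)
        $value = $key.GetValue($ValueName)

        # Criteria from the check text: REG_DWORD 0 = not a finding, 1 = finding.
        $status = 'Undetermined'
        if ($kind -eq [Microsoft.Win32.RegistryValueKind]::DWord) {
            if ($value -eq 0) { $status = 'Not a finding' }
            elseif ($value -eq 1) { $status = 'Finding' }
        }
        return [pscustomobject]@{ Status = $status; Path = $path; Value = $value }
    }

    # Key or value absent: the check text gives no criterion, so flag for manual review.
    [pscustomobject]@{ Status = 'Undetermined'; Path = $null; Value = $null }
}

Test-OdsScanCache
```

The registry value reflects what the client last received, so an "Undetermined" or "Finding" result should be followed up against the General Options Policies assignment in ePO.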
Fix Text (F-48117r2_fix)
From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the General Options Policies. Under the Global Scan Settings tab, locate the "Scan cache:" label. Ensure the "Allow On-Demand Scans to utilize the scan cache" option is NOT selected. Select Save.