| V-6453 | High | McAfee VirusScan On-Access General Policies must be configured to enable on-access scanning at system startup.
| For antivirus software to be effective, it must be running at all times, beginning from the point of the system's initial startup. Otherwise, the risk is greater for viruses, trojans, and other... |
| V-42516 | High | McAfee VirusScan Access Protection Policies must be configured to prevent McAfee services from being stopped.
| When the Prevent McAfee services from being stopped check box is selected under Access Protection, VSE will prevent anyone except the System account from terminating McAfee services. This protects... |
| V-19910 | High | The antivirus signature file age must not exceed 7 days.
| Antivirus signature files are updated almost daily by antivirus software vendors. These files are made available to antivirus clients as they are published. Keeping virus signature files as... |
| V-14618 | Medium | McAfee VirusScan On-Access General Policies must be configured to enable scanning of scripts.
| Interpreted viruses are executed by an application. Within this subcategory, macro viruses take advantage of the capabilities of applications' macro programming language to infect application... |
| V-14619 | Medium | McAfee VirusScan On-Access General Policies must be configured to block the connection when a threatened file is detected in a shared folder.
| Containment during a virus outbreak is crucial. Infected hosts may attempt to spread malware and will use every network path available to them when spreading that infection. By containing the... |
| V-6618 | Medium | McAfee VirusScan On-Demand scan must be configured to record scanning activity in a log file.
| Log management is essential to ensuring that computer security records are stored in sufficient detail for an appropriate period of time. Routine log analysis is beneficial for identifying... |
| V-6469 | Medium | McAfee VirusScan On-Access General Policies must be configured to notify local users when detections occur.
| "An effective awareness program explains proper rules of behavior for use of an organization's IT systems and information. Accordingly, awareness programs should include guidance to users on... |
| V-6468 | Medium | McAfee VirusScan On-Access General Policies must be configured to scan floppy during shutdown. | Computer viruses in the early days of personal computing were almost exclusively passed around by floppy disks. Floppy disks would be used to boot the computer and, if infected, would infect the... |
| V-6612 | Medium | McAfee VirusScan On-Demand scan must be configured to decode MIME encoded files.
| Multipurpose Internet Mail Extensions (MIME) encoded files can be crafted to hide a malicious payload. When the MIME encoded file is presented to software that decodes the MIME encoded files, such... |
| V-6467 | Medium | McAfee VirusScan On-Access General Policies must be configured to scan boot sectors.
| Boot sector viruses will install into the boot sector of a system, ensuring that they will execute when the user boots the system. This risk is mitigated by scanning boot sectors at each startup... |
| V-6611 | Medium | McAfee VirusScan On-Demand scan must be configured to scan inside archives.
| Malware is often packaged within an archive. In addition, archives might have other archives within. Not scanning archive files introduces the risk of infected files being introduced into the environment.
|
| V-6616 | Medium | McAfee VirusScan On-Demand scan actions, When a threat is found must be configured to clean files automatically as first action.
| Malware may have infected a file that is necessary to the user. By configuring the antivirus software to first attempt cleaning the infected file, availability to the file is not sacrificed. If a... |
| V-6617 | Medium | McAfee VirusScan On-Demand scan actions, When a threat is found must be configured to delete files automatically if first action fails.
| Malware may have infected a file that is necessary to the user. By configuring the antivirus software to first attempt cleaning the infected file, availability to the file is not sacrificed. If a... |
| V-6614 | Medium | McAfee VirusScan On-Demand scan must be configured to find unknown program threats.
| Due to the ability of malware to mutate after infection, standard antivirus signatures may not be able to catch new strains or variants of the malware. Typically, these strains and variants will... |
| V-6615 | Medium | McAfee VirusScan On-Demand scan must be configured to find unknown macro threats.
| Interpreted viruses are executed by an application. Within this subcategory, macro viruses take advantage of the capabilities of applications' macro programming language to infect application... |
| V-6588 | Medium | McAfee VirusScan On Delivery Email Scan Policies must be configured to find unknown macro threats.
| Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails... |
| V-6583 | Medium | McAfee VirusScan On-Access General Policies must be configured to log any failure to scan encrypted files.
| While logging is imperative to forensic analysis, logs could grow to the point of impacting disk space on the system. In order to avoid the risk of logs growing to the size of impacting the... |
| V-6586 | Medium | McAfee VirusScan On-Delivery Email Scan Policies must be configured to enable on-delivery email scanning.
| Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails... |
| V-6587 | Medium | McAfee VirusScan On-Delivery Email Scan Policies must be configured to find unknown program threats and Trojans.
| Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails... |
| V-6585 | Medium | McAfee VirusScan must be configured to receive DAT and Engine updates.
| Antivirus signature files are updated almost daily by antivirus software vendors. These files are made available to antivirus clients as they are published. Keeping virus signature files as... |
| V-14663 | Medium | McAfee VirusScan Unwanted Programs Policies must be configured to detect adware.
| Adware, like spyware, is, at best, an annoyance by presenting unwanted advertisement to the user of a computer, sometimes in the form of a popup. At worst, it redirects the user to malicious... |
| V-14662 | Medium | McAfee VirusScan Unwanted Programs Policies must be configured to detect spyware.
| Spyware is software that aids in gathering information about a person or organization without their knowledge, and that may send such information to another entity without the consumer's consent,... |
| V-14661 | Medium | McAfee VirusScan Buffer Overflow Protection Policies log file size must be restricted and be configured to at least 10MB.
| While logging is imperative to forensic analysis, logs could grow to the point of impacting disk space on the system. In order to avoid the risk of logs growing to the size of impacting the... |
| V-14660 | Medium | McAfee VirusScan Buffer Overflow Protection Policies must be configured to record scanning activity in a log file.
| Log management is essential to ensuring that computer security records are stored in sufficient detail for an appropriate period of time. Routine log analysis is beneficial for identifying... |
| V-42517 | Medium | McAfee VirusScan Access Protection Policies must be configured to record scanning activity in a log file.
| Log management is essential to ensuring that computer security records are stored in sufficient detail for an appropriate period of time. Routine log analysis is beneficial for identifying... |
| V-6601 | Medium | McAfee VirusScan On-Demand scan must be configured to scan boot sectors.
| Boot sector viruses will install into the boot sector of a system, ensuring that they will execute when the user boots the system. This risk is mitigated by scanning boot sectors at each startup... |
| V-6600 | Medium | McAfee VirusScan On-Demand scan must be configured to scan all subfolders.
| Antivirus software is the mostly commonly used technical control for malware threat mitigation. Antivirus software on hosts should be configured to scan all hard drives and folders regularly to... |
| V-6602 | Medium | McAfee VirusScan On-Demand scan must be configured to scan all files.
| When scanning for malware, excluding specific file types will increase the risk of a malware-infected file going undetected. By configuring antivirus software to scan all file types, the scanner... |
| V-6604 | Medium | McAfee VirusScan On-Demand scan must be configured so there are no exclusions from the scan unless exclusions have been documented with, and approved by, the ISSO/ISSM/DAA.
| When scanning for malware, excluding specific files will increase the risk of a malware-infected file going undetected. By configuring antivirus software without any exclusions, the scanner has a... |
| V-42518 | Medium | McAfee VirusScan Access Protection log file size must be restricted and be configured to at least 10MB.
| While logging is imperative to forensic analysis, logs could grow to the point of impacting disk space on the system. In order to avoid the risk of logs growing to the size of impacting the... |
| V-42519 | Medium | McAfee VirusScan Access Protection: Common Standard Protection must be set to prevent modification of McAfee files and settings.
| Many malicious programs have attempted to disable VirusScan by stopping services and processes and leaving the system vulnerable to attack. Self-protection is an important feature of VSE that... |
| V-6599 | Medium | McAfee VirusScan On-Demand scan must be configured to scan all fixed, or local, disks and running processes.
| Antivirus software is the mostly commonly used technical control for malware threat mitigation. Antivirus software on hosts should be configured to scan all hard drives regularly to identify any... |
| V-6591 | Medium | McAfee VirusScan On Delivery Email Scan Policies must be configured to scan email message body.
| Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails... |
| V-6590 | Medium | McAfee VirusScan On Delivery Email Scan Policies must be configured to decode MIME encoded files.
| Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails... |
| V-6592 | Medium | McAfee VirusScan On Delivery Email Scan Policies, when a threat is found, must be configured to clean attachments as the first action.
| Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails... |
| V-6597 | Medium | McAfee VirusScan On-Delivery Email Scan Policies log file size must be restricted and be configured to be at least 10MB.
| While logging is imperative to forensic analysis, logs could grow to the point of impacting disk space on the system. In order to avoid the risk of logs growing to the size of impacting the... |
| V-6596 | Medium | McAfee VirusScan On-Delivery Email Scan Policies must be configured to record scanning activity in a log file.
| Log management is essential to ensuring that computer security records are stored in sufficient detail for an appropriate period of time. Routine log analysis is beneficial for identifying... |
| V-59363 | Medium | McAfee VirusScan Access Protection Rules Anti-Spyware Maximum Protection must be set to block and report when common all programs are run from the Temp folder. | This rule prevents all program from running files from the Temp directory. This would protect against a large number of trojans and questionable web installation mechanisms that are used by many... |
| V-35027 | Medium | McAfee VirusScan On-Access General Policies Artemis sensitivity level must be configured to medium or higher.
| Antivirus software vendors use collective intelligence from sensors and cross-vector intelligence from web, email, and network threats to compile scores that reflect the likelihood of whether a... |
| V-6620 | Medium | McAfee VirusScan On-Demand scan log file size must be restricted and be configured to at least 10MB.
| While logging is imperative to forensic analysis, logs could grow to the point of impacting disk space on the system. In order to avoid the risk of logs growing to the size of impacting the... |
| V-6627 | Medium | McAfee VirusScan On-Demand scan must be scheduled to be executed at least on a weekly basis.
| Antivirus software is the mostly commonly used technical control for malware threat mitigation. Antivirus software on hosts should be configured to scan all hard drives regularly to identify any... |
| V-6625 | Medium | McAfee VirusScan On-Demand scan must be configured to log any failure to scan encrypted files.
| Log management is essential to ensuring that computer security records are stored in sufficient detail for an appropriate period of time. Routine log analysis is beneficial for identifying... |
| V-42500 | Medium | McAfee VirusScan On Delivery Email Scan Policies must be configured to delete attachments if the first action fails for when an unwanted program is found.
| Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails... |
| V-42541 | Medium | McAfee VirusScan On-Access Default Processes Policies must be configured to detect unwanted programs.
| Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infections... |
| V-42540 | Medium | McAfee VirusScan Access Protection Policies must be configured to enable access protection.
| Access Protection prevents unwanted changes to a computer by restricting access to specified ports, files and folders, shares, and registry keys and values. It prevents users from stopping McAfee... |
| V-42543 | Medium | McAfee VirusScan On-Access Default Processes Policies actions, When an unwanted program is found must be configured to delete files automatically if first action fails.
| Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infections... |
| V-42542 | Medium | McAfee VirusScan On-Access Default Processes Policies actions, When an unwanted program is found must be configured to clean files automatically as first action.
| Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infections... |
| V-14627 | Medium | McAfee VirusScan On-Access Default Processes Policies must be configured to find unknown macro viruses.
| Due to the ability of malware to mutate after infection, standard antivirus signatures may not be able to catch new strains or variants of the malware. Typically, these strains and variants will... |
| V-14626 | Medium | McAfee VirusScan On-Access Default Processes Policies must be configured to find unknown unwanted programs and trojans.
| Due to the ability of malware to mutate after infection, standard antivirus signatures may not be able to catch new strains or variants of the malware. Typically, these strains and variants will... |
| V-14625 | Medium | McAfee VirusScan On-Access Default Processes Policies must be configured to scan all files.
| When scanning for malware, excluding specific file types will increase the risk of a malware-infected file going undetected. By configuring antivirus software to scan all file types, the scanner... |
| V-14624 | Medium | McAfee VirusScan On-Access Default Processes Policies must be configured to scan when reading from disk.
| Antivirus software is the most commonly used technical control for malware threat mitigation. Real-time scanning of files as they are read from disk is a crucial first line of defense from malware... |
| V-14623 | Medium | McAfee VirusScan On-Access Default Processes Policies must be configured to scan when writing to disk.
| Antivirus software is the most commonly used technical control for malware threat mitigation. Real-time scanning of files as they are written to disk is a crucial first line of defense from... |
| V-14622 | Medium | McAfee VirusScan On-Access Default Processes Policies must be configured to use only one scanning policy for all processes, unless the use of Low-Risk Processes/High-Risk Processes has been documented with, and approved by, the IAO/IAM.
| Organizations should use centrally managed antivirus software that is controlled and monitored regularly by antivirus administrators, who are also typically responsible for acquiring, testing,... |
| V-14621 | Medium | McAfee VirusScan On-Access General Policies must be configured to block the connection when a file with a potentially unwanted program is detected in a shared folder.
| Containment during a virus outbreak is crucial. Infected hosts may attempt to spread malware and will use every network path available to them when spreading that infection. By containing the... |
| V-14620 | Medium | McAfee VirusScan On-Access General Policies must be configured to unblock connections after a minimum of 30 minutes.
| Containment during a virus outbreak is crucial. Infected hosts may attempt to spread malware and will use every network path available to them when spreading that infection. By containing the... |
| V-14628 | Medium | McAfee VirusScan On-Access Default Processes Policies must be configured to scan inside archives.
| Malware is often packaged within an archive. In addition, archives might have other archives within. Not scanning archive files introduces the risk of infected files being introduced into the environment.
|
| V-14652 | Medium | McAfee VirusScan On Delivery Email Scan Policies must be configured to clean attachments as the first action for when an unwanted program is found.
| Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails... |
| V-14657 | Medium | McAfee VirusScan Buffer Overflow Protection Policies must be configured to enable Buffer Overflow Protection.
| Buffer overflow is an anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory. This anomaly has been used maliciously, explicitly to... |
| V-14654 | Medium | McAfee VirusScan On-Demand scan must be configured to detect for unwanted programs.
| Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infections... |
| V-42493 | Medium | McAfee VirusScan On Delivery Email Scan Policies, When a threat is found, must be configured to clean attachments as the first action and delete attachments if the first action fails.
| Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails... |
| V-14658 | Medium | McAfee VirusScan Buffer Overflow Protection Policies must be configured for Protection mode.
| Buffer overflow is an anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory. This anomaly has been used maliciously, explicitly to... |
| V-14659 | Medium | McAfee VirusScan Buffer Overflow Protection Policies must be configured to display a dialog box when a buffer overflow is detected.
| An effective awareness program explains proper rules of behavior for use of an organization's IT systems and information. Accordingly, awareness programs should include guidance to users on... |
| V-14630 | Medium | McAfee VirusScan On-Access Default Processes Policies Actions for When a threat is found must be configured to clean files automatically as first action.
| Malware may have infected a file that is necessary to the user. By configuring the antivirus software to first attempt cleaning the infected file, availability to the file is not sacrificed. If a... |
| V-14631 | Medium | McAfee VirusScan On-Access Default Processes Policies actions for When a threat is found must be configured delete files automatically if first action fails.
| Malware may have infected a file that is necessary to the user. By configuring the antivirus software to first attempt cleaning the infected file, availability to the file is not sacrificed. If a... |
| V-42529 | Medium | McAfee VirusScan Access Protection: Anti-Virus Standard Protection must be set to prevent IRC communication.
| Internet Relay Chat (IRC) is the preferred communication method used by botnet herders and remote-access trojans to control botnets (a set of scripts or an independent program that connects to... |
| V-42528 | Medium | McAfee VirusScan Access Protection: Anti-Virus Standard Protection must be set to prevent mass mailing worms from sending mail.
| Many viruses and worms find email addresses on the infected system and send themselves to these addresses. They do this by connecting directly to the email servers whose names they have harvested... |
| V-42527 | Medium | McAfee VirusScan Access Protection: Anti-Virus Standard Protection must be set to prevent remote creation of autorun files.
| Autorun files are used to automatically launch program files, typically setup files from CDs. Preventing other computers from making a connection and creating or altering autorun.inf files can... |
| V-42526 | Medium | McAfee VirusScan Access Protection: Anti-Spyware Maximum Protection must be set to block and log execution of scripts from the Temp folder.
| This rule prevents the Windows scripting host from running VBScript and JavaScript scripts from the Temp directory. This would protect against a large number of trojans and questionable web... |
| V-42525 | Medium | McAfee VirusScan Access Protection: Common Maximum Protection must be set to detect and log launching of files from the Downloaded Programs Files folder.
| A common distribution method for adware and spyware is to have the user download an executable file and run it automatically from the Downloaded Program Files folder. This rule is specific to... |
| V-42524 | Medium | McAfee VirusScan Access Protection: Common Standard Protection must be set to prevent hooking of McAfee processes.
| Hooking covers a range of techniques used to alter or augment the behavior of an operating system, of applications, or of other software components by intercepting function calls, messages, or... |
| V-42523 | Medium | McAfee VirusScan Access Protection Rules Common Standard Protection must be set to block and report when common programs are run from the Temp folder. | This rule will block common programs from running from the Temp directory; however, this rule is much more restrictive in that it stops nearly all processes from launching in the Temp folder. Most... |
| V-42522 | Medium | McAfee VirusScan Access Protection: Common Standard Protection must be set to prevent termination of McAfee processes.
| Many malicious programs have attempted to disable VirusScan by stopping services and processes and leaving the system vulnerable to attack. Self-protection is an important feature of VSE that... |
| V-42521 | Medium | McAfee VirusScan Access Protection: Common Standard Protection must be set to prevent modification of McAfee Scan Engine files and settings.
| Many malicious programs have attempted to disable VirusScan by stopping services and processes and leaving the system vulnerable to attack. Self-protection is an important feature of VSE that... |
| V-42520 | Medium | McAfee VirusScan Access Protection: Common Standard Protection must be set to prevent modification of McAfee Common Management Agent files and settings.
| Many malicious programs have attempted to disable VirusScan by stopping services and processes and leaving the system vulnerable to attack. Self-protection is an important feature of VSE that... |
| V-6478 | Medium | McAfee VirusScan On-Access General Policies must be configured to log the session summary.
| Log management is essential to ensuring that computer security records are stored in sufficient detail for an appropriate period of time. Routine log analysis is beneficial for identifying... |
| V-6474 | Medium | McAfee VirusScan On-Access General Policies must be configured to log the scan sessions. | Log management is essential to ensuring that computer security records are stored in sufficient detail for an appropriate period of time. Routine log analysis is beneficial for identifying... |
| V-6475 | Medium | McAfee VirusScan On-Access General Policies log file size must be restricted and be configured to at least 10MB.
| While logging is imperative to forensic analysis, logs could grow to the point of impacting disk space on the system. In order to avoid the risk of logs growing to the size of impacting the... |
| V-6470 | Medium | McAfee VirusScan On-Access General Policies must be configured to prevent users from removing messages from the list.
| Good incident response analysis includes reviewing all logs and alerts on the system reporting the infection. If users were permitted to remove alerts from the display, incident response forensic... |
| V-42538 | Medium | McAfee VirusScan On-Delivery Email Scan Policies must be configured to log session summary and failure to scan encrypted files.
| Log management is essential to ensuring that computer security records are stored in sufficient detail for an appropriate period of time. Routine log analysis is beneficial for identifying... |
| V-42539 | Medium | McAfee VirusScan On-Access General Policies must be configured to not exclude any URL scripts from being scanned unless the URL exclusions have been documented with, and approved by, the ISSO/ISSM/DAA.
| Many attackers use toolkits containing several different types of utilities and scripts that can be used to probe and attack hosts. Scripts are a common carrier of malware and none should be... |
| V-42534 | Medium | McAfee VirusScan On-Demand scan actions, When an unwanted program is found must be configured to delete files automatically if first action fails.
| Malware may have infected a file that is necessary to the user. By configuring the antivirus software to first attempt cleaning the infected file, availability to the file is not sacrificed. If a... |
| V-42535 | Medium | McAfee VirusScan General Options Policies must be configured to not allow On-Demand scans to utilize the scan cache.
| The cache is a list of scanned files that have been determined to be clean. The scanner will use this list to reduce duplicate file scanning. While disabling the cache persistence may result in... |
| V-42536 | Medium | McAfee VirusScan On-Delivery Email Scan Policies Artemis sensitivity level must be configured to medium or higher.
| Antivirus software vendors use collective intelligence from sensors and cross-vector intelligence from web, email, and network threats to compile scores that reflect the likelihood of whether a... |
| V-42537 | Medium | McAfee VirusScan On-Delivery Email Scan Policies must be configured to send a notification email to the IAO, IAM, and/or ePO administrator when a threatened email message is detected.
| Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails... |
| V-42530 | Medium | McAfee VirusScan On-Access General Policies must be configured to not exclude any script processes from being scanned unless the process exclusions have been documented with, and approved by, the ISSO/ISSM/DAA.
| Many attackers use toolkits containing several different types of utilities and scripts that can be used to probe and attack hosts. Scripts are a common carrier of malware and none should be... |
| V-42531 | Medium | McAfee VirusScan On-Access Default Processes Policies must be configured to not exclude any files from being scanned unless exclusions have been documented with, and approved by, the ISSO/ISSM/DAA.
| When scanning for malware, excluding specific files will increase the risk of a malware-infected file going undetected. By configuring antivirus software without any exclusions, the scanner has a... |
| V-42532 | Medium | McAfee VirusScan On-Demand scan must be configured to scan memory for rootkits.
| A rootkit is a stealthy type of software, usually malicious, and is designed to mask the existence of processes or programs from normal methods of detection. Rootkits will often enable continued... |
| V-42533 | Medium | McAfee VirusScan On-Demand scan actions, When an unwanted program is found must be configured to clean files automatically as first action.
| Malware may have infected a file that is necessary to the user. By configuring the antivirus software to first attempt cleaning the infected file, availability to the file is not sacrificed. If a... |
