The Trellix Application Control Options Reputation setting must be configured to use the Trellix Global Threat Intelligence (Trellix GTI) option.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-213330	MCAC-TE-000104	SV-213330r944837_rule		Medium

Description
If a Threat Intelligence Exchange (TIE) server is being used in the organization, reputation for files and certificates is fetched from the TIE server. The reputation values control execution at endpoints and are displayed on the Application Control pages on the Trellix ePO console. If the GTI is being used, reputation for files and certificates is fetched from the Trellix GTI. For both methods, the administrator can review the reputation values and make informed decisions for inventory items in the enterprise.

Description

If a Threat Intelligence Exchange (TIE) server is being used in the organization, reputation for files and certificates is fetched from the TIE server. The reputation values control execution at endpoints and are displayed on the Application Control pages on the Trellix ePO console. If the GTI is being used, reputation for files and certificates is fetched from the Trellix GTI. For both methods, the administrator can review the reputation values and make informed decisions for inventory items in the enterprise.

STIG	Date
Trellix Application Control 8.x Security Technical Implementation Guide	2023-12-18

Details

Check Text ( C-14558r944835_chk )
NOTE: This requirement is Not Applicable on a classified SIPRNet or otherwise closed network. This requirement is only applicable to Windows platforms. For MAC and Linux platforms, this is Not Applicable. From the ePO server console System Tree, select the "Systems" tab. Select "This Group and All Subgroups". Select the asset(s) that need the organization-specific policy. Select "Actions". Select "Agent". Select "Modify Policies on a Single System". From the product pull-down list, select Solidcore 8.x: Application Control. From the "Policy" column, select the policy associated with the Category "Application Control Options (Windows)" that is specific for the asset being reviewed. Select the "Reputation" tab. Verify the "Use Trellix Global Threat Intelligence (Trellix GTI)" option is selected. Note: The "Trellix GTI" option must be selected, as a failover, even if an internal Trellix TIE server is configured. If the "Trellix GTI" option is not selected, this is a finding.

Check Text ( C-14558r944835_chk )

NOTE: This requirement is Not Applicable on a classified SIPRNet or otherwise closed network.

This requirement is only applicable to Windows platforms. For MAC and Linux platforms, this is Not Applicable.

From the ePO server console System Tree, select the "Systems" tab.

Select "This Group and All Subgroups".
Select the asset(s) that need the organization-specific policy.
Select "Actions".
Select "Agent".
Select "Modify Policies on a Single System".

From the product pull-down list, select Solidcore 8.x: Application Control.

From the "Policy" column, select the policy associated with the Category "Application Control Options (Windows)" that is specific for the asset being reviewed.

Select the "Reputation" tab.

Verify the "Use Trellix Global Threat Intelligence (Trellix GTI)" option is selected.

Note: The "Trellix GTI" option must be selected, as a failover, even if an internal Trellix TIE server is configured.

If the "Trellix GTI" option is not selected, this is a finding.

Fix Text (F-14556r944836_fix)
From the ePO server console System Tree, select the "Systems" tab. Select "This Group and All Subgroups". Select the asset. Select "Actions". Select "Agent". Select "Modify Policies on a Single System". From the product pull-down list, select Solidcore 8.x: Application Control. From the "Policy" column, select the policy associated with the Category "Application Control Options (Windows)" that is specific for the asset being reviewed. Select the "Reputation" tab. Place a check in the "Use Trellix Global Threat Intelligence (Trellix GTI)" option. Click "Save".

Fix Text (F-14556r944836_fix)

From the ePO server console System Tree, select the "Systems" tab.

Select "This Group and All Subgroups".
Select the asset.
Select "Actions".
Select "Agent".
Select "Modify Policies on a Single System".

From the product pull-down list, select Solidcore 8.x: Application Control.

From the "Policy" column, select the policy associated with the Category "Application Control Options (Windows)" that is specific for the asset being reviewed.

Select the "Reputation" tab.

Place a check in the "Use Trellix Global Threat Intelligence (Trellix GTI)" option.

Click "Save".