The McAfee MOVE AV [Multi-Platform] Client General policy must be configured with a scan timeout of 180 seconds or more.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-42940	AV-MOVE-CLT-006	SV-55669r2_rule		Medium

Description
This setting configures the amount of time to wait for a scan to complete, in seconds. The default setting is 45 seconds. This is the duration for which a McAfee MOVE AV Agent will wait for scan response of a file from the Offload Scan Server. Typically, file scans are very fast. However, file scans may take longer time due to large file size, file type or heavy load on the offload scan server. In such case that the file scan takes longer than the scan timeout limit, the file access is allowed and a scan timeout event is generated. Setting the timeout too low may result in scans of a file terminating before the scan is completed, resulting in malware potentially going undetected.

Description

This setting configures the amount of time to wait for a scan to complete, in seconds. The default setting is 45 seconds. This is the duration for which a McAfee MOVE AV Agent will wait for scan response of a file from the Offload Scan Server. Typically, file scans are very fast. However, file scans may take longer time due to large file size, file type or heavy load on the offload scan server. In such case that the file scan takes longer than the scan timeout limit, the file access is allowed and a scan timeout event is generated. Setting the timeout too low may result in scans of a file terminating before the scan is completed, resulting in malware potentially going undetected.

STIG	Date
McAfee MOVE 2.6/3.6.1 Multi-Platform Client STIG	2016-04-05

Details

Check Text ( C-49127r2_chk )
From the ePO server console System Tree, select the Systems tab, find and click on the asset to which the McAfee MOVE AV Client has been deployed. Select Actions, select Agent, and select Modify Policies on a Single System. From the product drop-down list, select MOVE AV [Multi-Platform] Client. Click on the MOVE AV [Multi-Platform] Client policy to open the properties. Under the General tab, locate the "Scan Timeout:" label. Ensure the "File scans time out after (seconds):" box is configured with a value of 45 or more. If the "File scans time out after (seconds):" setting is not configured with a value of 45 or more, this is a finding. On the local client, access a cmd window, running as administrator. Navigate to the path to which the McAfee AV Client has been installed (default is C:\Program Files\McAfee\MOVE AV Client on 32-bit systems or C:\Program Files(x86)\McAfee\MOVE AV Client on 64-bit systems). Execute the following command: mvadm config show If the "ScanTimeout" setting does not have a value of 45 or more, this is a finding.

Check Text ( C-49127r2_chk )

From the ePO server console System Tree, select the Systems tab, find and click on the asset to which the McAfee MOVE AV Client has been deployed. Select Actions, select Agent, and select Modify Policies on a Single System.

From the product drop-down list, select MOVE AV [Multi-Platform] Client. Click on the MOVE AV [Multi-Platform] Client policy to open the properties.

Under the General tab, locate the "Scan Timeout:" label. Ensure the "File scans time out after (seconds):" box is configured with a value of 45 or more.

If the "File scans time out after (seconds):" setting is not configured with a value of 45 or more, this is a finding.

On the local client, access a cmd window, running as administrator.
Navigate to the path to which the McAfee AV Client has been installed (default is C:\Program Files\McAfee\MOVE AV Client on 32-bit systems or C:\Program Files(x86)\McAfee\MOVE AV Client on 64-bit systems).

Execute the following command:
mvadm config show

If the "ScanTimeout" setting does not have a value of 45 or more, this is a finding.

Fix Text (F-48520r2_fix)
From the ePO server console System Tree, select the Systems tab, find and click on the asset to which the McAfee MOVE AV Client has been deployed. Select Actions, select Agent, and select Modify Policies on a Single System. From the product drop-down list, select MOVE AV [Multi-Platform] Client. Click on the MOVE AV [Multi-Platform] Client policy to open the properties. Under the General tab, locate the "Scan Timeout:" label. In the "File scans time out after (seconds):" box, input a value of 45 or more. Click Save.

Fix Text (F-48520r2_fix)