
The McAfee MOVE AV [Multi-Platform] Offload Scan Server General policy alerts must be configured to send all events to the HBSS ePO server.


Overview

Finding ID: V-42979
Version: AV-MOVE-OSS-012
Rule ID: SV-55708r1_rule
IA Controls: (none listed)
Severity: Medium
Description
Organizations should strive to detect and validate malware incidents rapidly to minimize the number of infected hosts and the amount of damage the organization sustains. Recommended actions include analyzing any suspected malware incident and validating that malware is the cause. This includes identifying characteristics of the malware activity by examining detection sources, such as anti-virus software, intrusion prevention systems, and security information and event management (SIEM) technologies and identifying which hosts are infected by the malware, so the hosts can undergo the appropriate containment, eradication, and recovery actions. By sending all events to a central location, the events can be correlated to determine extent of infection.
STIG: McAfee MOVE 2.6 Multi-Platform OSS STIG
Date: 2015-10-05

Details

Check Text ( C-49155r2_chk )
From the ePO server console System Tree, select the Systems tab, find and click on the asset representing the McAfee MOVE Offload Scan Server to open its properties, select Actions, select Agent, and select Modify Policies on a Single System.

From the product drop-down list, select MOVE AV [Multi-Platform] Offload Scan Server 2.x.x. Click on the MOVE AV [Multi-Platform] Offload Scan Server policy to open the properties.

On the Alerts tab, ensure the "Alerts: Offload Scan Server events are sent to ePolicy Orchestrator." check box is selected.

If the "Offload Scan Server events are sent to ePolicy Orchestrator." check box is not selected, this is a finding.

On the system designated as the McAfee MOVE Offload Scan Server, access a cmd window, running as administrator.
Navigate to the path to which the McAfee MOVE AV Server software has been installed (default is C:\Program Files (x86)\McAfee\MOVE AV Server).

Execute the following command:
mvadm config show

From the displayed configuration, ensure the "EventSink" value is set to 4 (Events reported to the ePO Server) or 6 (Events reported to both the Windows Event Log and the ePO Server).
If the "EventSink" is set to 0 or 2, this is a finding.
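As an added example (not part of the STIG or of McAfee's tooling), the following PowerShell script automates the host-side part of this check: it runs mvadm config show from the install path, extracts the EventSink value and reports whether it meets the rule. It assumes the default install path given in the check text and that mvadm config show prints "EventSink" followed by its numeric value (for example "EventSink = 4"); adjust the regular expression if the real output differs.

```powershell
# Added example, not McAfee or STIG code. Run from an elevated PowerShell prompt
# on the Offload Scan Server. Assumption: mvadm.exe lives in $InstallPath and
# "mvadm config show" prints a line containing "EventSink" and a number.
param(
    [string]$InstallPath = 'C:\Program Files (x86)\McAfee\MOVE AV Server'
)

$mvadm = Join-Path $InstallPath 'mvadm.exe'
if (-not (Test-Path $mvadm)) {
    Write-Error "mvadm.exe not found at $mvadm; set -InstallPath to the actual install directory."
    exit 2
}

# EventSink values the check text documents as compliant.
$compliantMeaning = @{
    4 = 'events reported to the ePO server'
    6 = 'events reported to both the Windows Event Log and the ePO server'
}

# Capture the full configuration dump as one string so the regex can search it.
$output = & $mvadm config show 2>&1 | Out-String

# Assumed output format: "EventSink = 4" or "EventSink: 4" (regex tolerates both).
$match = $output | Select-String -Pattern 'EventSink\s*[=:]?\s*(\d+)'
if (-not $match) {
    Write-Output 'EventSink value not found in "mvadm config show" output; review the configuration manually.'
    exit 2
}

$value = [int]$match.Matches[0].Groups[1].Value

if ($compliantMeaning.ContainsKey($value)) {
    Write-Output "Not a finding: EventSink = $value ($($compliantMeaning[$value]))."
    exit 0
}

# Per the check text, 0 or 2 is a finding; any other value is not documented
# as reporting to ePO, so it is flagged for manual review as well.
$note = if ($value -in 0, 2) { 'events are not sent to the ePO server' } else { 'undocumented value' }
Write-Output "FINDING (V-42979): EventSink = $value ($note); expected 4 or 6."
exit 1
```

The exit code (0 compliant, 1 finding, 2 unable to determine) lets the script be scheduled or wrapped by a configuration-audit job, while the printed line mirrors the manual check result.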
Fix Text (F-48560r1_fix)
From the ePO server console System Tree, select the Systems tab, find and click on the asset representing the McAfee MOVE Offload Scan Server to open its properties, select Actions, select Agent, and select Modify Policies on a Single System.

From the product drop-down list, select MOVE AV [Multi-Platform] Offload Scan Server 2.x.x. Click on the MOVE AV [Multi-Platform] Offload Scan Server policy to open the properties.

On the Alerts tab, place a check in the "Alerts: Offload Scan Server events are sent to ePolicy Orchestrator." check box.

Click Save.