Symantec Endpoint Protection 12.1 Managed Client Antivirus


Overview

Date: 2015-07-08
Finding Count (114): CAT I (High): 3, CAT II (Med): 111, CAT III (Low): 0

STIG Description
The Symantec Endpoint Protection 12.1 Managed Client Antivirus STIG is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the NIST 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.letterkenny.FSO.mbx.stig-customer-support-mailbox@mail.mil.


Findings (MAC I - Mission Critical Sensitive)

Finding ID Severity Title
V-42614 High The Symantec Endpoint Protection client must have the Symantec Client State Plug-in for ePO deployed.
V-42609 High The Symantec Endpoint Protection clients antivirus signature file age must be no older than 7 days.
V-42628 High The Symantec Endpoint Protection client File System Auto-Protect must be enabled.
V-42747 Medium The Symantec Endpoint Protection client Outlook Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Security Assessment Tool sub-level.
V-42746 Medium The Symantec Endpoint Protection client Outlook Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Remote Access sub-level.
V-42745 Medium The Symantec Endpoint Protection client Outlook Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Parental Control sub-level.
V-42744 Medium The Symantec Endpoint Protection client Outlook Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Misleading Application sub-level.
V-42743 Medium The Symantec Endpoint Protection client Outlook Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Joke Program sub-level.
V-42742 Medium The Symantec Endpoint Protection client Outlook Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Hack Tool sub-level.
V-42749 Medium The Symantec Endpoint Protection client Outlook Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Spyware sub-level.
V-42748 Medium The Symantec Endpoint Protection client Outlook Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Security Risk sub-level.
V-42691 Medium The Symantec Endpoint Protection client weekly scheduled scan must be configured to scan all file types or to scan excluded files option must be documented with, and approved by, IAO/IAM.
V-42693 Medium The Symantec Endpoint Protection client weekly scheduled scan must be configured to use Insight File Reputation lookup, when scanning, set to a sensitivity level of at least 5 (Typical).
V-42615 Medium The Symantec Endpoint Protection client must be verified as uploading SEP client detail to ePO.
V-42617 Medium The Symantec Endpoint Protection client Insight Lookup for threat detection must be enabled.
V-42616 Medium The Symantec Endpoint Protection client File Reputation Data Submission must be disabled from automatically forwarding selected anonymous security information to Symantec.
V-42611 Medium The Symantec Endpoint Protection client Global Settings for Log Retention must be enabled and configured to retain logs for 30 days.
V-42610 Medium The Symantec Endpoint Protection client User-defined Exceptions option must not be configured to exclude any files from scanning unless exclusions have been documented with, and approved by, the IAO/IAM.
V-42613 Medium The Symantec Endpoint Protection client Tamper Protection must be configured to block attempts to tamper with or shut down the client.
V-42612 Medium The Symantec Endpoint Protection client must be scheduled to auto update.
V-42754 Medium The Symantec Endpoint Protection Internet email Auto-Protect client must be configured to scan all file types.
V-42755 Medium The Symantec Endpoint Protection client Internet Email Auto-Protect must be configured to scan inside zipped files.
V-42756 Medium The Symantec Endpoint Protection client Internet Email Auto-Protect for notification must be configured to insert a warning into email messages when a message part has been deleted, cleaned, or quarantined.
V-42757 Medium The Symantec Endpoint Protection client Internet Email Auto-Protect must be configured to not send a notification to the sender of an email in which a threat was detected.
V-42750 Medium The Symantec Endpoint Protection client Outlook Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Trackware sub-level.
V-42751 Medium The Symantec Endpoint Protection client Outlook Auto-Protect actions for when a security risk has been detected must be configured to Delete Risk as first action.
V-42752 Medium The Symantec Endpoint Protection client Outlook Auto-Protect actions for when a Security Risk has been detected must be configured to Quarantine Risk if first action fails.
V-42753 Medium The Symantec Endpoint Protection Internet Email Auto-Protect must be enabled.
V-42758 Medium The Symantec Endpoint Protection client Internet Email Auto-Protect must be configured to send a notification email to the IAO, IAM, and/or ePO administrator when a threatened email message is detected.
V-42759 Medium The Symantec Endpoint Protection client Internet Email Auto-Protect actions must be explicitly configured at the top, Malware, level and not be overridden by sub-levels.
V-42689 Medium The Symantec Endpoint Protection client scheduled weekly scan must be configured to scan memory.
V-42651 Medium The Symantec Endpoint Protection client Auto-Protect Scan Actions settings must be explicitly configured at the top, Security Risks, level and not be overridden by the Adware sub-level.
V-42650 Medium The Symantec Endpoint Protection client Auto-Protect Scan Actions for Malware must be configured to Delete Risk if first action fails.
V-42761 Medium The Symantec Endpoint Protection client Internet Email Auto-Protect actions for when malware has been detected must be configured to Delete Risk if first action fails.
V-42760 Medium The Symantec Endpoint Protection client Internet Email Auto-Protect actions for when malware has been detected must be configured to Clean Risk as first action.
V-42763 Medium The Symantec Endpoint Protection client Internet Email Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Dialer sub-level.
V-42762 Medium The Symantec Endpoint Protection client Internet Email Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Adware sub-level.
V-42765 Medium The Symantec Endpoint Protection client Internet Email Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Joke Program sub-level.
V-42764 Medium The Symantec Endpoint Protection client Internet Email Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Hack Tool sub-level.
V-42767 Medium The Symantec Endpoint Protection client Internet Email Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Parental Control sub-level.
V-42766 Medium The Symantec Endpoint Protection client Internet Email Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Misleading Application sub-level.
V-42769 Medium The Symantec Endpoint Protection client Internet Email Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Security Assessment Tool sub-level.
V-42768 Medium The Symantec Endpoint Protection client Internet Email Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Remote Access sub-level.
V-42659 Medium The Symantec Endpoint Protection client Auto-Protect Scan Actions settings must be explicitly configured at the top, Security Risks, level and not be overridden by the Security Risk sub-level.
V-42658 Medium The Symantec Endpoint Protection client Auto-Protect Scan Actions settings must be explicitly configured at the top, Security Risks, level and not be overridden by the Security Assessment Tool sub-level.
V-42774 Medium The Symantec Endpoint Protection client Internet Email Auto-Protect actions for when a security risk has been detected must be configured to Quarantine risk if first action fails.
V-42772 Medium The Symantec Endpoint Protection client Internet Email Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Trackware sub-level.
V-42773 Medium The Symantec Endpoint Protection client Internet Email Auto-Protect actions for when a security risk has been detected must be configured to Delete Risk as first action.
V-42770 Medium The Symantec Endpoint Protection client Internet Email Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Security Risk sub-level.
V-42771 Medium The Symantec Endpoint Protection client Internet Email Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Spyware sub-level.
V-42664 Medium The Symantec Endpoint Protection client must be configured with a full scan scheduled to run at least weekly.
V-42709 Medium The Symantec Endpoint Protection client weekly scheduled scan actions for handling malware upon detection must be explicitly configured at the top, Malware, level and not be overridden by sub-levels.
V-42708 Medium The Symantec Endpoint Protection client weekly scheduled scan must be configured for scanning well-known viruses and security risks.
V-42660 Medium The Symantec Endpoint Protection client Auto-Protect Scan Actions settings must be explicitly configured at the top, Security Risks, level and not be overridden by the Spyware sub-level.
V-42661 Medium The Symantec Endpoint Protection client Auto-Protect Scan Actions settings must be explicitly configured at the top, Security Risks, level and not be overridden by the Trackware sub-level.
V-42662 Medium The Symantec Endpoint Protection client Auto-Protect Scan Actions for Security Risks must be configured to Delete Risk as the first action upon detection.
V-42663 Medium The Symantec Endpoint Protection client Auto-Protect Scan Actions for Security Risks must be configured to Quarantine Risk if first action fails.
V-42703 Medium The Symantec Endpoint Protection client weekly scheduled scan actions for handling File Reputation lookup detections must be set to Leave alone (log only) if first action fails.
V-42702 Medium The Symantec Endpoint Protection client weekly scheduled scan actions for handling File Reputation lookup detections must be set to Quarantine Risk as first action.
V-42707 Medium The Symantec Endpoint Protection client weekly scheduled scan must be configured for scanning load points.
V-42706 Medium The Symantec Endpoint Protection client weekly scheduled scan must be configured to prevent users from stopping a scheduled scan.
V-42705 Medium The Symantec Endpoint Protection client weekly scheduled scan must be configured to scan compressed files.
V-42704 Medium The Symantec Endpoint Protection client weekly scheduled scan must be configured to display a message to the user if a virus is detected.
V-42718 Medium The Symantec Endpoint Protection client weekly scheduled scan actions for handling security risks upon detection must be explicitly configured at the top, Security Risks, level and not be overridden by the Remote Access sub-level.
V-42719 Medium The Symantec Endpoint Protection client weekly scheduled scan actions for handling security risks upon detection must be explicitly configured at the top, Security Risks, level and not be overridden by the Security Assessment Tool sub-level.
V-42653 Medium The Symantec Endpoint Protection client Auto-Protect Scan Actions settings must be explicitly configured at the top, Security Risks, level and not be overridden by the Hack Tool sub-level.
V-42652 Medium The Symantec Endpoint Protection client Auto-Protect Scan Actions settings must be explicitly configured at the top, Security Risks, level and not be overridden by the Dialer sub-level.
V-42655 Medium The Symantec Endpoint Protection client Auto-Protect Scan Actions settings must be explicitly configured at the top, Security Risks, level and not be overridden by the Misleading Application sub-level.
V-42654 Medium The Symantec Endpoint Protection client Auto-Protect Scan Actions settings must be explicitly configured at the top, Security Risks, level and not be overridden by the Joke Program sub-level.
V-42657 Medium The Symantec Endpoint Protection client Auto-Protect Scan Actions settings must be explicitly configured at the top, Security Risks, level and not be overridden by the Remote Access sub-level.
V-42656 Medium The Symantec Endpoint Protection client Auto-Protect Scan Actions settings must be explicitly configured at the top, Security Risks, level and not be overridden by the Parental Control sub-level.
V-42710 Medium The Symantec Endpoint Protection client weekly scheduled scan actions for when malware has been detected must be configured to Clean Risk as first action.
V-42711 Medium The Symantec Endpoint Protection client weekly scheduled scan actions for when malware has been detected must be configured to Delete Risk if first action fails.
V-42712 Medium The Symantec Endpoint Protection client weekly scheduled scan actions for handling security risks upon detection must be explicitly configured at the top, Security Risks, level and not be overridden by the Adware sub-level.
V-42713 Medium The Symantec Endpoint Protection client weekly scheduled scan actions for handling security risks upon detection must be explicitly configured at the top, Security Risks, level and not be overridden by the Dialer sub-level.
V-42714 Medium The Symantec Endpoint Protection client weekly scheduled scan actions for handling security risks upon detection must be explicitly configured at the top, Security Risks, level and not be overridden by the Hack Tool sub-level.
V-42715 Medium The Symantec Endpoint Protection client weekly scheduled scan actions for handling security risks upon detection must be explicitly configured at the top, Security Risks, level and not be overridden by the Joke Program sub-level.
V-42716 Medium The Symantec Endpoint Protection client weekly scheduled scan actions for handling security risks upon detection must be explicitly configured at the top, Security Risks, level and not be overridden by the Misleading Application sub-level.
V-42717 Medium The Symantec Endpoint Protection client weekly scheduled scan actions for handling security risks upon detection must be explicitly configured at the top, Security Risks, level and not be overridden by the Parental Control sub-level.
V-42725 Medium The Symantec Endpoint Protection client Outlook Auto-Protect client must be enabled.
V-42724 Medium The Symantec Endpoint Protection client weekly scheduled scan actions for when a security risk has been detected must be configured to Quarantine Risk if first action fails.
V-42727 Medium The Symantec Endpoint Protection client Outlook Auto-Protect client must be configured to scan all file types.
V-42726 Medium The Symantec Endpoint Protection client weekly scheduled scan backup option must be disabled to prevent backing up infected files before attempting to repair them.
V-42721 Medium The Symantec Endpoint Protection client weekly scheduled scan actions for handling security risks upon detection must be explicitly configured at the top, Security Risks, level and not be overridden by the Spyware sub-level.
V-42720 Medium The Symantec Endpoint Protection client weekly scheduled scan actions for handling security risks upon detection must be explicitly configured at the top, Security Risks, level and not be overridden by the Security Risk sub-level.
V-42723 Medium The Symantec Endpoint Protection client weekly scheduled scan actions for when a security risk has been detected must be configured to Delete Risk as first action.
V-42722 Medium The Symantec Endpoint Protection client weekly scheduled scan actions for handling security risks upon detection must be explicitly configured at the top, Security Risks, level and not be overridden by the Trackware sub-level.
V-42729 Medium The Symantec Endpoint Protection client Outlook Auto-Protect must be configured to insert a warning into email messages when a message part has been deleted, cleaned, or quarantined.
V-42728 Medium The Symantec Endpoint Protection client Outlook Auto-Protect must be configured to scan inside zipped files.
V-42648 Medium The Symantec Endpoint Protection client Auto-Protect Scan Actions settings must be explicitly configured at the top, Malware, level and not be overridden by sub-levels.
V-42649 Medium The Symantec Endpoint Protection client Auto-Protect Scan Actions for Malware must be configured to Clean Risk as the first action upon detection.
V-42646 Medium The Symantec Endpoint Protection client Global Settings must be configured to use Insight Lookup for File Reputation.
V-42647 Medium The Symantec Endpoint Protection client Global Settings Heuristics Level must be set to Automatic, at a minimum.
V-42644 Medium The Symantec Endpoint Protection client Auto-Protect Risk Tracer must be configured to poll network sessions.
V-42645 Medium The Symantec Endpoint Protection client Global Settings Bloodhound heuristic technology must be enabled.
V-42642 Medium The Symantec Endpoint Protection client Auto-Protect Risk Tracer must be enabled.
V-42643 Medium The Symantec Endpoint Protection client Auto-Protect Risk Tracer must be configured to resolve source IP address.
V-42640 Medium The Symantec Endpoint Protection client Auto-Protect option to Scan for Security Risks must be enabled.
V-42641 Medium The Symantec Endpoint Protection client Auto-Protect option to Delete newly created infected files must be enabled.
V-42732 Medium The Symantec Endpoint Protection client Outlook Auto-Protect actions must be explicitly configured at the top, Malware, level and not be overridden by sub-levels.
V-42733 Medium The Symantec Endpoint Protection client Outlook Auto-Protect actions for when Malware has been detected must be configured to Clean Risk as first action.
V-42730 Medium The Symantec Endpoint Protection client Outlook Auto-Protect must be configured to not send a notification to the sender of an email in which a threat was detected.
V-42731 Medium The Symantec Endpoint Protection client Outlook Auto-Protect must be configured to send a notification email to the IAO, IAM, and/or ePO administrator when a threatened email message is detected.
V-42736 Medium The Symantec Endpoint Protection client Outlook Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Dialer sub-level.
V-42734 Medium The Symantec Endpoint Protection client Outlook Auto-Protect actions for when Malware has been detected must be configured to Delete Risk if first action fails.
V-42735 Medium The Symantec Endpoint Protection client Outlook Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Adware sub-level.
V-42638 Medium The Symantec Endpoint Protection client Auto-Protect Advanced Options Floppy Settings must be configured to check floppies when system shuts down.
V-42633 Medium The Symantec Endpoint Protection Auto-Protect client Detection Options must be configured to display a notification to the user when a risk is detected.
V-42632 Medium The Symantec Endpoint Protection client Auto-Protect File Types options must be configured to scan all files.
V-42630 Medium The Symantec Endpoint Protection client Auto-Protect reload must be configured to stop and reload when the configuration changes.
V-42637 Medium The Symantec Endpoint Protection client Auto-Protect Advanced Options Floppy Settings must be enabled to scan for boot viruses.
V-42636 Medium The Symantec Endpoint Protection client Auto-Protect Advanced Options Automatic enablement setting must be enabled.
V-42635 Medium The Symantec Endpoint Protection client Auto-Protect Backup Option must be disabled to prevent backing up infected files before attempting to repair them.
V-42634 Medium The Symantec Endpoint Protection client Auto-Protect Advanced Options must be configured to scan files when accessed or modified.