The Symantec Endpoint Protection client weekly scheduled scan actions for when a security risk has been detected must be configured to Quarantine Risk if first action fails.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-42724 | DTASEP070 | SV-55452r2_rule | Medium |
| Description |
|---|
| Malware may have infected a file that is necessary to the user. By configuring the antivirus software to first attempt cleaning the infected file, availability to the file is not sacrificed. If a cleaning attempt is not successful, however, deleting the file is the only safe option so as to ensure the malware is not introduced onto the system or network. |
| STIG | Date |
|---|---|
| Symantec Endpoint Protection 12.1 Managed Client Antivirus | 2015-07-08 |
Details
| Check Text ( C-48996r2_chk ) |
|---|
| Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Scheduled Scans -> Select Administrator-Defined Scans -> Double-click the Weekly Scan -> Select the Actions tab -> Under Actions -> Select Security Risks -> Observe the First action and the If first action fails boxes -> Ensure If first action fails is set to "Quarantine Risk". Criteria: If first action fails is not set to "Quarantine Risk" , this is a finding. |
| Fix Text (F-48310r1_fix) |
|---|
| From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Scheduled Scans -> Select Administrator-Defined Scans -> Double-click the Weekly Scan -> Select the Actions tab -> Under Actions -> Select Security Risks -> Observe the First action and the If first action fails boxes -> Set If first action fails to "Quarantine Risk". |