kriterion 0.0.1

data/standards/stig_mcafee_move_2.6_multi-platform_client.json

@@ -0,0 +1,149 @@
+{
+  "name": "stig_mcafee_move_2.6_multi-platform_client",
+  "date": "2014-01-15",
+  "description": "The McAfee MOVE 2.6 Multi-Platform Client STIG is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the NIST 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.letterkenny.FSO.mbx.stig-customer-support-mailbox@mail.mil.",
+  "title": "McAfee MOVE 2.6 Multi-Platform Client STIG",
+  "version": "1",
+  "item_syntax": "^\\w-\\d+$",
+  "section_separator": null,
+  "items": [
+    {
+      "id": "V-42933",
+      "title": "All other antivirus products must be removed from the virtual machine while the McAfee AV Client is running.",
+      "description": "Organizations should deploy antivirus software on all hosts for which satisfactory antivirus software is available. Antivirus software should be installed as soon after OS installation as possible and then updated with the latest signatures and antivirus software patches (to eliminate any known vulnerabilities in the antivirus software itself). To support the security of the host, the antivirus software should be configured and maintained properly so it continues to be effective at detecting and stopping malware. Antivirus software is most effective when its signatures are fully up-to-date. Accordingly, antivirus software should be kept current with the latest signature and software updates to improve malware detection.\n\nMcAfee MOVE AV Client will not function properly with other antivirus products installed.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-42935",
+      "title": "The McAfee MOVE AV [Multi-Platform] Client policies must be configured with, and managed by, the HBSS ePO server.",
+      "description": "Organizations should use centrally managed antivirus software that is controlled and monitored regularly by antivirus administrators, who are also typically responsible for acquiring, testing, approving, and delivering antivirus signature and software updates throughout the organization. Users should not be able to disable or delete antivirus software from their hosts, nor should they be able to alter critical settings. Antivirus administrators should perform continuous monitoring to confirm that hosts are using current antivirus software and that the software is configured properly. Implementing all of these recommendations should strongly support an organization in having a strong and consistent antivirus deployment across the organization.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-42936",
+      "title": "The McAfee MOVE AV [Multi-Platform] Client General policy must be configured to enable malware protection.",
+      "description": "Antivirus software should be installed as soon after OS installation as possible and then updated with the latest signatures and antivirus software patches (to eliminate any known vulnerabilities in the antivirus software itself). The antivirus software should then perform a complete scan of the host to identify any potential infections. To support the security of the host, the antivirus software should be configured and maintained properly so it continues to be effective at detecting and stopping malware. Antivirus software is most effective when its signatures are fully up-to-date. Accordingly, antivirus software should be kept current with the latest signature and software updates to improve malware detection.",
+      "severity": "high"
+    },
+    {
+      "id": "V-42937",
+      "title": "The McAfee MOVE AV [Multi-Platform] Client General policy must be configured with the IP address of the primary Offload Scan Server used by all virtual machines using this policy.",
+      "description": "Organizations should use centrally managed antivirus software that is controlled and monitored regularly by antivirus administrators, who are also typically responsible for acquiring, testing, approving, and delivering antivirus signature and software updates throughout the organization.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-42939",
+      "title": "The McAfee MOVE AV [Multi-Platform] Client General policy must be configured with the IP address of the secondary Offload Scan Server used by all virtual machines using this policy.",
+      "description": "Organizations should use centrally managed antivirus software that is controlled and monitored regularly by antivirus administrators, who are also typically responsible for acquiring, testing, approving, and delivering antivirus signature and software updates throughout the organization.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-42940",
+      "title": "The McAfee MOVE AV [Multi-Platform] Client General policy must be configured with a scan timeout of 180 seconds or more.",
+      "description": "This setting configures the amount of time to wait for a scan to complete, in seconds. The default setting is 45 seconds. This is the duration for which a McAfee MOVE AV Agent will wait for scan response of a file from the Offload Scan Server. Typically, file scans are very fast. However, file scans may take longer time due to large file size, file type or heavy load on the offload scan server. In such case that the file scan takes longer than the scan timeout limit, the file access is allowed and a scan timeout event is generated. Setting the timeout too low may result in scans of a file terminating before the scan is completed, resulting in malware potentially going undetected.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-42942",
+      "title": "The McAfee MOVE AV [Multi-Platform] Client General policy must be configured to cache scan results for files smaller than 40MB.",
+      "description": "This setting configures the maximum file size (in MB) up to which scan results should be cached. The default setting is 40MB. Files smaller than this threshold are copied completely to the Offload Scan Server and scanned. If the file is found to be clean, its scan result is cached based on its SHA 1 checksum for faster future access. Files larger than this size threshold are transferred in chunks that are requested by the Offload Scan Server and scanned and setting that threshold higher could impact the performance of the scan processes.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-42943",
+      "title": "The McAfee MOVE AV [Multi-Platform] Client General policy must be configured to expire cached scan results after a timeperiod of no more than 24 hours.",
+      "description": "Antivirus software should be installed as soon after OS installation as possible and then updated with the latest signatures and antivirus software patches (to eliminate any known vulnerabilities in the antivirus software itself). The antivirus software should then perform a complete scan of the host to identify any potential infections. To support the security of the host, the antivirus software should be configured and maintained properly so it continues to be effective at detecting and stopping malware. Antivirus software is most effective when its signatures are fully up-to-date. Accordingly, antivirus software should be kept current with the latest signature and software updates to improve malware detection.\n\nThe scan cache retains files previously scanned and determined to be clean. Since a cache scan result is not invalidated when a new antivirus signature (DAT) is received, and a cached file will only be re-scanned after the cached result expires, caching files past a 24 hour period allows for newly discovered malware to go undetected in those cached files.  Cached files should expire after no more than 24 hours in order t be scanned with new antivirus signatures every day.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-42944",
+      "title": "The McAfee MOVE AV [Multi-Platform] Client General policy must be configured to scan when writing to disk.",
+      "description": "Antivirus software is the most commonly used technical control for malware threat mitigation. Real-time scanning of files as they are written to disk is a crucial first line of defense from malware attacks.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-42945",
+      "title": "The McAfee MOVE AV [Multi-Platform] General policy must be configured to scan when reading from disk.",
+      "description": "Antivirus software is the most commonly used technical control for malware threat mitigation. Real-time scanning of files as they are read from disk is a crucial first line of defense from malware attacks.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-42946",
+      "title": "The McAfee MOVE AV [Multi-Platform] Client General policy must be configured to scan all file types.",
+      "description": "When scanning for malware, excluding specific file types will increase the risk of a malware-infected file going undetected. By configuring antivirus software to scan all file types, the scanner has a higher success rate at detecting and eradicating malware.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-42947",
+      "title": "If the McAfee MOVE AV [Multi-Platform] Client General policy is configured with path or file exclusions, those exclusions must be formally documented and approved by the IAO/IAM.",
+      "description": "When scanning for malware, excluding specific file types will increase the risk of a malware-infected file going undetected. By configuring antivirus software to scan all file types, the scanner has a higher success rate at detecting and eradicating malware. The excluding files, paths, and processes from being scanned expands the potential for malware to be allowed onto the information system. While it is recognized that some file types might need to be excluded for operational reasons and/or because there is protection afforded to those files through a different mechanism, allowing those exclusions should always be vetted, documented, and approved before applying.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-42948",
+      "title": "The McAfee MOVE AV [Multi-Platform] Client General policy must be configured to report malware detections to the client event log.",
+      "description": "Forensic identification is the practice of identifying infected hosts by looking for evidence of recent infections. The evidence may be very recent (only a few minutes old) or not so recent (hours or days old); the older the information is, the less accurate it is likely to be. The most obvious sources of evidence are those that are designed to identify malware activity, such as antivirus software, content filtering (e.g., anti-spam measures), IPS, and SIEM technologies. The logs of security applications might contain detailed records of suspicious activity, and might also indicate whether a security compromise occurred or was prevented. While logging is imperative to forensic analysis, logs could grow to the point of impacting disk space on the system. In order to avoid the risk of logs growing to the size of impacting the operating system, the log size and number of log files will be restricted, but must also be large enough to retain forensic value.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-42949",
+      "title": "The McAfee MOVE AV [Multi-Platform] Client General policy must be configured to send malware detection events to the HBSS ePO server.",
+      "description": "Forensic identification is the practice of identifying infected hosts by looking for evidence of recent infections. The evidence may be very recent (only a few minutes old) or not so recent (hours or days old); the older the information is, the less accurate it is likely to be. The most obvious sources of evidence are those that are designed to identify malware activity, such as antivirus software, content filtering (e.g., anti-spam measures), IPS, and SIEM technologies. The logs of security applications might contain detailed records of suspicious activity, and might also indicate whether a security compromise occurred or was prevented. While logging is imperative to forensic analysis, logs could grow to the point of impacting disk space on the system. In order to avoid the risk of logs growing to the size of impacting the operating system, the log size and number of log files will be restricted, but must also be large enough to retain forensic value.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-42950",
+      "title": "The McAfee MOVE AV [Multi-Platform] Client General policy must be configured to delete files automatically as first action.",
+      "description": "Malware incident containment has two major components:  stopping the spread of malware and preventing further damage to hosts. Disinfecting a file is generally preferable to quarantining it because the malware is removed and the original file restored; however, many infected files cannot be disinfected. The primary goal of eradication is to remove malware from infected hosts.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-42951",
+      "title": "The McAfee MOVE AV [Multi-Platform] Client General policy must be configured to enable the quarantine.",
+      "description": "Malware incident containment has two major components:  stopping the spread of malware and preventing further damage to hosts. Disinfecting a file is generally preferable to quarantining it because the malware is removed and the original file restored; however, many infected files cannot be disinfected. Accordingly, antivirus software should be configured to attempt to disinfect infected files and to either quarantine or delete files that cannot be disinfected. By enabling the quarantine, organizations will have the ability to submit copies of unknown malware to their security software vendors for analysis and will able to conduct internal forensic evaluation.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-42952",
+      "title": "The McAfee MOVE AV [Multi-Platform] Client General policy must be configured with the location of SYSTEM_DRIVE\\quarantine to ensure consistency across all systems.",
+      "description": "The quarantine on each system represents a potential danger should the files contained within the quarantine inadvertently be executed.\n\nTo better manage the quarantine on all systems, the quarantine should always be configured the same across all systems, which will allow management to better control access to those locations.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-42953",
+      "title": "The McAfee MOVE AV [Multi-Platform] Client General policy must be configured to automatically delete quarantined data after a time period of no more than 28 days.",
+      "description": "The quarantine on each system represents a potential danger should the files contained within the quarantine inadvertently be executed. Deleting the quarantine contents on a regular basis will alleviate the ability of malware from being executed. An organization's incident response policy should also contain steps in removing quarantined items after their forensic value has been depleted.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-42954",
+      "title": "The selfprotection feature of the McAfee MOVE AV [Multi-Platform] Client, designed to prevent malicious attacks on McAfee MOVE AV Multi-Platform software components, must be enabled.",
+      "description": "The self-protection feature defends files, services, and registry keys on virtual machines and will ensure uninterrupted protection.",
+      "severity": "high"
+    },
+    {
+      "id": "V-42955",
+      "title": "The McAfee MOVE AV [Multi-Platform] Client General policy must be configured to deny access to files if first action fails.",
+      "description": "Malware incident containment has two major components:  stopping the spread of malware and preventing further damage to hosts. Disinfecting a file is generally preferable to quarantining it because the malware is removed and the original file restored; however, many infected files cannot be disinfected. The primary goal of eradication is to remove malware from infected hosts.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-42956",
+      "title": "The McAfee MOVE AV [Multi-Platform] Client General policy must be configured with the listening port of the primary Offload Scan Server used by all virtual machines using this policy.",
+      "description": "Organizations should use centrally managed antivirus software that is controlled and monitored regularly by antivirus administrators, who are also typically responsible for acquiring, testing, approving, and delivering antivirus signature and software updates throughout the organization.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-42957",
+      "title": "The McAfee MOVE AV [Multi-Platform] Client General policy must be configured with the listening port of the secondary Offload Scan Server used by all virtual machines using this policy.",
+      "description": "Organizations should use centrally managed antivirus software that is controlled and monitored regularly by antivirus administrators, who are also typically responsible for acquiring, testing, approving, and delivering antivirus signature and software updates throughout the organization.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-42958",
+      "title": "If the McAfee MOVE AV [Multi-Platform] Client General policy is configured with process exclusions, those exclusions must be formally documented and approved by the IAO/IAM.",
+      "description": "When scanning for malware, excluding specific file types will increase the risk of a malware-infected file going undetected. By configuring antivirus software to scan all file types, the scanner has a higher success rate at detecting and eradicating malware. The excluding files, paths, and processes from being scanned expands the potential for malware to be allowed onto the information system. While it is recognized that some file types might need to be excluded for operational reasons and/or because there is protection afforded to those files through a different mechanism, allowing those exclusions should always be vetted, documented, and approved before applying.",
+      "severity": "medium"
+    }
+  ]
+}

data/standards/stig_mcafee_move_2.6_multi-platform_oss.json

@@ -0,0 +1,101 @@
+{
+  "name": "stig_mcafee_move_2.6_multi-platform_oss",
+  "date": "2015-10-05",
+  "description": "The McAfee MOVE 2.6 Multi-Platform OSS STIG is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the NIST 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.",
+  "title": "McAfee MOVE 2.6 Multi-Platform OSS STIG",
+  "version": "1",
+  "item_syntax": "^\\w-\\d+$",
+  "section_separator": null,
+  "items": [
+    {
+      "id": "V-42964",
+      "title": "The McAfee MOVE AV [Multi-Platform] Offload Scan Server must have McAfee VirusScan Enterprise 8.8 (or most current version) installed.",
+      "description": "Organizations should deploy anti-virus software on all hosts for which satisfactory anti-virus software is available. Anti-virus software should be installed as soon after OS installation as possible and then updated with the latest signatures and anti-virus software patches (to eliminate any known vulnerabilities in the anti-virus software itself). To support the security of the host, the anti-virus software should be configured and maintained properly so it continues to be effective at detecting and stopping malware. Anti-virus software is most effective when its signatures are fully up-to-date. Accordingly, anti-virus software should be kept current with the latest signature and software updates to improve malware detection.",
+      "severity": "high"
+    },
+    {
+      "id": "V-42965",
+      "title": "The McAfee MOVE AV [Multi-Platform] Offload Scan Server packages policies must be configured with and managed by the HBSS ePO server.",
+      "description": "Organizations should use centrally managed anti-virus software that is controlled and monitored regularly by anti-virus administrators, who are also typically responsible for acquiring, testing, approving, and delivering anti-virus signature and software updates throughout the organization. Users should not be able to disable or delete anti-virus software from their hosts, nor should they be able to alter critical settings. Anti-virus administrators should perform continuous monitoring to confirm that hosts are using current anti-virus software and that the software is configured properly. Implementing all of these recommendations should strongly support an organization in having a strong and consistent anti-virus deployment across the organization.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-42966",
+      "title": "The McAfee MOVE AV [Multi-Platform] Offload Scan Server must be configured with a static IP address.",
+      "description": "Security management devices must be configured to ensure consistent and uninterrupted connectivity to/from the systems it manages/controls. Otherwise, the security management device will be less than effective.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-42968",
+      "title": "The McAfee MOVE AV [Multi-Platform] Offload Scan Server General policy must be configured to maintain a minimum of 7 log files before removing oldest log file.",
+      "description": "Forensic identification is the practice of identifying infected hosts by looking for evidence of recent infections. The evidence may be very recent (only a few minutes old) or not so recent (hours or days old); the older the information is, the less accurate it is likely to be. The most obvious sources of evidence are those that are designed to identify malware activity, such as anti-virus software, content filtering (e.g., anti-spam measures), IPS, and SIEM technologies. The logs of security applications might contain detailed records of suspicious activity, and might also indicate whether a security compromise occurred or was prevented. While logging is imperative to forensic analysis, logs could grow to the point of impacting disk space on the system. In order to avoid the risk of logs growing to the size of impacting the operating system, the log size and number of log files will be restricted, but must also be large enough to retain forensic value.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-42971",
+      "title": "The McAfee MOVE AV [Multi-Platform] Offload Scan Server General policy must be configured to rotate log files when they reach at least 10MB in size.",
+      "description": "Forensic identification is the practice of identifying infected hosts by looking for evidence of recent infections. The evidence may be very recent (only a few minutes old) or not so recent (hours or days old); the older the information is, the less accurate it is likely to be. The most obvious sources of evidence are those that are designed to identify malware activity, such as anti-virus software, content filtering (e.g., anti-spam measures), IPS, and SIEM technologies. The logs of security applications might contain detailed records of suspicious activity, and might also indicate whether a security compromise occurred or was prevented. While logging is imperative to forensic analysis, logs could grow to the point of impacting disk space on the system. In order to avoid the risk of logs growing to the size of impacting the operating system, the log size and number of log files will be restricted, but must also be large enough to retain forensic value.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-42973",
+      "title": "The McAfee MOVE AV [Multi-Platform] Offload Scan Server General policy Scan Settings must be configured to scan inside archive files.",
+      "description": "Malware is often packaged within an archive. In addition, archives might have other archives within. Not scanning archive files introduces the risk of infected files being introduced into the environment.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-42974",
+      "title": "The McAfee MOVE AV [Multi-Platform] Offload Scan Server General policy Scan Settings must be configured to scan for potentially unwanted programs.",
+      "description": "Due to the ability of malware to mutate after infection, standard anti-virus signatures may not be able to catch new strains or variants of the malware. Typically, these strains and variants will share unique characteristics with others in their virus family. By using a generic signature to detect the shared characteristics, using wildcards where differences lie, the generic signature can detect viruses even if they are padded with extra, meaningless code. This method of detection is Heuristic detection.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-42976",
+      "title": "The McAfee MOVE AV [Multi-Platform] Offload Scan Server General policy Scan Settings must be configured to scan for MIME-encoded files.",
+      "description": "Multipurpose Internet Mail Extensions (MIME) encoded files can be crafted to hide a malicious payload. When the MIME encoded file is presented to software that decodes the MIME encoded files, such as an email client, the malware is released. Scanning these files as part of the regularly scheduled scans tasks will mitigate this risk.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-42977",
+      "title": "The McAfee MOVE AV [Multi-Platform] Offload Scan Server General policy Scan Settings must be configured to use McAfee Global Threat Intelligence file reputation, with a sensitivity level of Medium or higher.",
+      "description": "Anti-virus software vendors use collective intelligence from sensors and cross-vector intelligence from web, email, and network threats to compile scores that reflect the likelihood of whether a file in question is malware. The collective intelligence is constantly being updated, more frequently than the typical daily anti-virus signature files. With File Reputation lookup, a more real-time response to potential malicious code is realized than with the local-running anti-virus software, since by querying the cloud-based database when a file appears to be suspicious, up-to-the-minute intelligence is provided. This type of protection reduces the threat protection time period from days to milliseconds, increases malware detection rates, and reduces downtime and remediation costs associated with malware attacks. Using File Reputation lookup is mandated by US CYBERCOM on DoD systems.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-42978",
+      "title": "The McAfee MOVE AV [Multi-Platform] Offload Scan Server General policy alerts must be configured to report all events to the Windows Event Log.",
+      "description": "Forensic identification is the practice of identifying infected hosts by looking for evidence of recent infections. The evidence may be very recent (only a few minutes old) or not so recent (hours or days old); the older the information is, the less accurate it is likely to be. The most obvious sources of evidence are those that are designed to identify malware activity, such as anti-virus software, content filtering (e.g., anti-spam measures), IPS, and SIEM technologies. The logs of security applications might contain detailed records of suspicious activity, and might also indicate whether a security compromise occurred or was prevented.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-42979",
+      "title": "The McAfee MOVE AV [Multi-Platform] Offload Scan Server General policy alerts must be configured to send all events to the HBSS ePO server.",
+      "description": "Organizations should strive to detect and validate malware incidents rapidly to minimize the number of infected hosts and the amount of damage the organization sustains. Recommended actions include analyzing any suspected malware incident and validating that malware is the cause. This includes identifying characteristics of the malware activity by examining detection sources, such as anti-virus software, intrusion prevention systems, and security information and event management (SIEM) technologies and identifying which hosts are infected by the malware, so the hosts can undergo the appropriate containment, eradication, and recovery actions. By sending all events to a central location, the events can be correlated to determine extent of infection.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-42981",
+      "title": "The McAfee MOVE AV [Multi-Platform] Offload Scan Server General policy On-Demand Scan must be configured with On-Demand scanning enabled.",
+      "description": "Anti-virus software is the most commonly used technical control for malware threat mitigation. Anti-virus software on hosts should be configured to scan all hard drives and folders regularly to identify any file system infections and to scan any removable media, if applicable, before media is inserted into the system. Not scheduling a regular scan of the hard drives of a system and/or not configuring the scan to scan all files and running processes introduces a higher risk of threats going undetected.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-42982",
+      "title": "The McAfee MOVE AV [Multi-Platform] Offload Scan Server General policy On-Demand Scan Client Scan interval must be set to no more than every seven days.",
+      "description": "Anti-virus software is the mostly commonly used technical control for malware threat mitigation. Anti-virus software on hosts should be configured to scan all hard drives and folders regularly to identify any file system infections and to scan any removable media, if applicable, before media is inserted into the system. Not scheduling a regular scan of the hard drives of a system and/or not configuring the scan to scan all files and running processes introduces a higher risk of threats going undetected.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-42983",
+      "title": "The McAfee VirusScan Enterprise Access Protection rules must be used for self-protection of the files and folder of Offload Scan Server configuration.",
+      "description": "The VirusScan Enterprise Access Protection rules will defend files, services, and registry keys on the Offload Scan Server.",
+      "severity": "high"
+    },
+    {
+      "id": "V-42986",
+      "title": "The McAfee VirusScan Enterprise Access Protection rules must be used for self-protection of the registry keys of Offload Scan Server configuration.",
+      "description": "The VirusScan Enterprise Access Protection rules will defend files, services, and registry keys on the Offload Scan Server.",
+      "severity": "high"
+    }
+  ]
+}

data/standards/stig_mcafee_move_3.6.1_multi-platform_client.json

@@ -0,0 +1,149 @@
+{
+  "name": "stig_mcafee_move_3.6.1_multi-platform_client",
+  "date": "2016-09-29",
+  "description": "The McAfee MOVE 3.6.1 Multi-Platform Client STIG is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the NIST 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.",
+  "title": "McAfee MOVE 3.6.1 Multi-Platform Client STIG",
+  "version": "1",
+  "item_syntax": "^\\w-\\d+$",
+  "section_separator": null,
+  "items": [
+    {
+      "id": "V-42933",
+      "title": "All other antivirus products must be removed from the virtual machine while the McAfee AV Client is running.",
+      "description": "Organizations should deploy antivirus software on all hosts for which satisfactory antivirus software is available. Antivirus software should be installed as soon after OS installation as possible and then updated with the latest signatures and antivirus software patches (to eliminate any known vulnerabilities in the antivirus software itself). To support the security of the host, the antivirus software should be configured and maintained properly so it continues to be effective at detecting and stopping malware. Antivirus software is most effective when its signatures are fully up-to-date. Accordingly, antivirus software should be kept current with the latest signature and software updates to improve malware detection.\n\nMcAfee MOVE AV Client will not function properly with other antivirus products installed.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-42935",
+      "title": "The McAfee MOVE AV [Multi-Platform] Client policies must be configured with, and managed by, the HBSS ePO server.",
+      "description": "Organizations should use centrally managed antivirus software that is controlled and monitored regularly by antivirus administrators, who are also typically responsible for acquiring, testing, approving, and delivering antivirus signature and software updates throughout the organization. Users should not be able to disable or delete antivirus software from their hosts, nor should they be able to alter critical settings. Antivirus administrators should perform continuous monitoring to confirm that hosts are using current antivirus software and that the software is configured properly. Implementing all of these recommendations should strongly support an organization in having a strong and consistent antivirus deployment across the organization.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-42936",
+      "title": "The McAfee MOVE AV [Multi-Platform] Client General policy must be configured to enable malware protection.",
+      "description": "Antivirus software should be installed as soon after OS installation as possible and then updated with the latest signatures and antivirus software patches (to eliminate any known vulnerabilities in the antivirus software itself). The antivirus software should then perform a complete scan of the host to identify any potential infections. To support the security of the host, the antivirus software should be configured and maintained properly so it continues to be effective at detecting and stopping malware. Antivirus software is most effective when its signatures are fully up-to-date. Accordingly, antivirus software should be kept current with the latest signature and software updates to improve malware detection.",
+      "severity": "high"
+    },
+    {
+      "id": "V-42937",
+      "title": "The McAfee MOVE AV [Multi-Platform] Client General policy must be configured with the IP address of the primary Offload Scan Server used by all virtual machines using this policy.",
+      "description": "Organizations should use centrally managed antivirus software that is controlled and monitored regularly by antivirus administrators, who are also typically responsible for acquiring, testing, approving, and delivering antivirus signature and software updates throughout the organization.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-42939",
+      "title": "The McAfee MOVE AV [Multi-Platform] Client General policy must be configured with the IP address of the secondary Offload Scan Server used by all virtual machines using this policy.",
+      "description": "Organizations should use centrally managed antivirus software that is controlled and monitored regularly by antivirus administrators, who are also typically responsible for acquiring, testing, approving, and delivering antivirus signature and software updates throughout the organization.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-42940",
+      "title": "The McAfee MOVE AV [Multi-Platform] Client General policy must be configured with a scan timeout of 45 seconds or more.",
+      "description": "This setting configures the amount of time to wait for a scan to complete, in seconds. The default setting is 45 seconds. This is the duration for which a McAfee MOVE AV Agent will wait for scan response of a file from the Offload Scan Server. Typically, file scans are very fast. However, file scans may take longer time due to large file size, file type or heavy load on the offload scan server. In such case that the file scan takes longer than the scan timeout limit, the file access is allowed and a scan timeout event is generated. Setting the timeout too low may result in scans of a file terminating before the scan is completed, resulting in malware potentially going undetected.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-42942",
+      "title": "The McAfee MOVE AV [Multi-Platform] Client General policy must be configured to cache scan results for files smaller than 40MB.",
+      "description": "This setting configures the maximum file size (in MB) up to which scan results should be cached. The default setting is 40MB. Files smaller than this threshold are copied completely to the Offload Scan Server and scanned. If the file is found to be clean, its scan result is cached based on its SHA 1 checksum for faster future access. Files larger than this size threshold are transferred in chunks that are requested by the Offload Scan Server and scanned and setting that threshold higher could impact the performance of the scan processes.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-42943",
+      "title": "The McAfee MOVE AV [Multi-Platform] Client General policy must be configured to expire cached scan results after a time period of no more than 24 hours.",
+      "description": "Antivirus software should be installed as soon after OS installation as possible and then updated with the latest signatures and antivirus software patches (to eliminate any known vulnerabilities in the antivirus software itself). The antivirus software should then perform a complete scan of the host to identify any potential infections. To support the security of the host, the antivirus software should be configured and maintained properly so it continues to be effective at detecting and stopping malware. Antivirus software is most effective when its signatures are fully up-to-date. Accordingly, antivirus software should be kept current with the latest signature and software updates to improve malware detection.\n\nThe scan cache retains files previously scanned and determined to be clean. Since a cache scan result is not invalidated when a new antivirus signature (DAT) is received, and a cached file will only be re-scanned after the cached result expires, caching files past a 24 hour period allows for newly discovered malware to go undetected in those cached files.  Cached files should expire after no more than 24 hours in order to be scanned with new antivirus signatures every day.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-42944",
+      "title": "The McAfee MOVE AV [Multi-Platform] Client General policy must be configured to scan when writing to disk.",
+      "description": "Antivirus software is the most commonly used technical control for malware threat mitigation. Real-time scanning of files as they are written to disk is a crucial first line of defense from malware attacks.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-42945",
+      "title": "The McAfee MOVE AV [Multi-Platform] General policy must be configured to scan when reading from disk.",
+      "description": "Antivirus software is the most commonly used technical control for malware threat mitigation. Real-time scanning of files as they are read from disk is a crucial first line of defense from malware attacks.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-42946",
+      "title": "The McAfee MOVE AV [Multi-Platform] Client General policy must be configured to scan all file types.",
+      "description": "When scanning for malware, excluding specific file types will increase the risk of a malware-infected file going undetected. By configuring antivirus software to scan all file types, the scanner has a higher success rate at detecting and eradicating malware.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-42947",
+      "title": "If the McAfee MOVE AV [Multi-Platform] Client General policy is configured with path or file exclusions, those exclusions must be formally documented and approved by the ISSO/ISSM.",
+      "description": "When scanning for malware, excluding specific file types will increase the risk of a malware-infected file going undetected. By configuring antivirus software to scan all file types, the scanner has a higher success rate at detecting and eradicating malware. The excluding files, paths, and processes from being scanned expands the potential for malware to be allowed onto the information system. While it is recognized that some file types might need to be excluded for operational reasons and/or because there is protection afforded to those files through a different mechanism, allowing those exclusions should always be vetted, documented, and approved before applying.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-42948",
+      "title": "The McAfee MOVE AV [Multi-Platform] Client General policy must be configured to report malware detections to the client event log.",
+      "description": "Forensic identification is the practice of identifying infected hosts by looking for evidence of recent infections. The evidence may be very recent (only a few minutes old) or not so recent (hours or days old); the older the information is, the less accurate it is likely to be. The most obvious sources of evidence are those that are designed to identify malware activity, such as antivirus software, content filtering (e.g., anti-spam measures), IPS, and SIEM technologies. The logs of security applications might contain detailed records of suspicious activity, and might also indicate whether a security compromise occurred or was prevented. While logging is imperative to forensic analysis, logs could grow to the point of impacting disk space on the system. In order to avoid the risk of logs growing to the size of impacting the operating system, the log size and number of log files will be restricted, but must also be large enough to retain forensic value.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-42949",
+      "title": "The McAfee MOVE AV [Multi-Platform] Client General policy must be configured to send malware detection events to the HBSS ePO server.",
+      "description": "Forensic identification is the practice of identifying infected hosts by looking for evidence of recent infections. The evidence may be very recent (only a few minutes old) or not so recent (hours or days old); the older the information is, the less accurate it is likely to be. The most obvious sources of evidence are those that are designed to identify malware activity, such as antivirus software, content filtering (e.g., anti-spam measures), IPS, and SIEM technologies. The logs of security applications might contain detailed records of suspicious activity, and might also indicate whether a security compromise occurred or was prevented. While logging is imperative to forensic analysis, logs could grow to the point of impacting disk space on the system. In order to avoid the risk of logs growing to the size of impacting the operating system, the log size and number of log files will be restricted, but must also be large enough to retain forensic value.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-42950",
+      "title": "The McAfee MOVE AV [Multi-Platform] Client General policy must be configured to delete files automatically as first action.",
+      "description": "Malware incident containment has two major components:  stopping the spread of malware and preventing further damage to hosts. Disinfecting a file is generally preferable to quarantining it because the malware is removed and the original file restored; however, many infected files cannot be disinfected. The primary goal of eradication is to remove malware from infected hosts.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-42951",
+      "title": "The McAfee MOVE AV [Multi-Platform] Client General policy must be configured to enable the quarantine.",
+      "description": "Malware incident containment has two major components:  stopping the spread of malware and preventing further damage to hosts. Disinfecting a file is generally preferable to quarantining it because the malware is removed and the original file restored; however, many infected files cannot be disinfected. Accordingly, antivirus software should be configured to attempt to disinfect infected files and to either quarantine or delete files that cannot be disinfected. By enabling the quarantine, organizations will have the ability to submit copies of unknown malware to their security software vendors for analysis and will able to conduct internal forensic evaluation.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-42952",
+      "title": "The McAfee MOVE AV [Multi-Platform] Client General policy must be configured with the location of SYSTEM_DRIVE\\quarantine to ensure consistency across all systems.",
+      "description": "The quarantine on each system represents a potential danger should the files contained within the quarantine inadvertently be executed.\n\nTo better manage the quarantine on all systems, the quarantine should always be configured the same across all systems, which will allow management to better control access to those locations.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-42953",
+      "title": "The McAfee MOVE AV [Multi-Platform] Client General policy must be configured to automatically delete quarantined data after a time period of no more than 28 days.",
+      "description": "The quarantine on each system represents a potential danger should the files contained within the quarantine inadvertently be executed. Deleting the quarantine contents on a regular basis will alleviate the ability of malware from being executed. An organization's incident response policy should also contain steps in removing quarantined items after their forensic value has been depleted.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-42954",
+      "title": "The selfprotection feature of the McAfee MOVE AV [Multi-Platform] Client, designed to prevent malicious attacks on McAfee MOVE AV Multi-Platform software components, must be enabled.",
+      "description": "The self-protection feature defends files, services, and registry keys on virtual machines and will ensure uninterrupted protection.",
+      "severity": "high"
+    },
+    {
+      "id": "V-42955",
+      "title": "The McAfee MOVE AV [Multi-Platform] Client General policy must be configured to deny access to files if first action fails.",
+      "description": "Malware incident containment has two major components:  stopping the spread of malware and preventing further damage to hosts. Disinfecting a file is generally preferable to quarantining it because the malware is removed and the original file restored; however, many infected files cannot be disinfected. The primary goal of eradication is to remove malware from infected hosts.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-42956",
+      "title": "The McAfee MOVE AV [Multi-Platform] Client General policy must be configured with the listening port of the primary Offload Scan Server used by all virtual machines using this policy.",
+      "description": "Organizations should use centrally managed antivirus software that is controlled and monitored regularly by antivirus administrators, who are also typically responsible for acquiring, testing, approving, and delivering antivirus signature and software updates throughout the organization.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-42957",
+      "title": "The McAfee MOVE AV [Multi-Platform] Client General policy must be configured with the listening port of the secondary Offload Scan Server used by all virtual machines using this policy.",
+      "description": "Organizations should use centrally managed antivirus software that is controlled and monitored regularly by antivirus administrators, who are also typically responsible for acquiring, testing, approving, and delivering antivirus signature and software updates throughout the organization.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-42958",
+      "title": "If the McAfee MOVE AV [Multi-Platform] Client General policy is configured with process exclusions, those exclusions must be formally documented and approved by the ISSO/ISSM.",
+      "description": "When scanning for malware, excluding specific file types will increase the risk of a malware-infected file going undetected. By configuring antivirus software to scan all file types, the scanner has a higher success rate at detecting and eradicating malware. The excluding files, paths, and processes from being scanned expands the potential for malware to be allowed onto the information system. While it is recognized that some file types might need to be excluded for operational reasons and/or because there is protection afforded to those files through a different mechanism, allowing those exclusions should always be vetted, documented, and approved before applying.",
+      "severity": "medium"
+    }
+  ]
+}

data/standards/stig_mcafee_move_3.6.1_multi-platform_oss.json

@@ -0,0 +1,101 @@
+{
+  "name": "stig_mcafee_move_3.6.1_multi-platform_oss",
+  "date": "2016-09-30",
+  "description": "The McAfee MOVE 3.6.1 Multi-Platform OSS STIG is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the NIST 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.",
+  "title": "McAfee MOVE 3.6.1 Multi-Platform OSS STIG",
+  "version": "1",
+  "item_syntax": "^\\w-\\d+$",
+  "section_separator": null,
+  "items": [
+    {
+      "id": "V-42964",
+      "title": "The McAfee MOVE AV [Multi-Platform] Offload Scan Server must have McAfee VirusScan Enterprise 8.8 (or most current version) installed.",
+      "description": "Organizations should deploy anti-virus software on all hosts for which satisfactory anti-virus software is available. Anti-virus software should be installed as soon after OS installation as possible and then updated with the latest signatures and anti-virus software patches (to eliminate any known vulnerabilities in the anti-virus software itself). To support the security of the host, the anti-virus software should be configured and maintained properly so it continues to be effective at detecting and stopping malware. Anti-virus software is most effective when its signatures are fully up-to-date. Accordingly, anti-virus software should be kept current with the latest signature and software updates to improve malware detection.",
+      "severity": "high"
+    },
+    {
+      "id": "V-42965",
+      "title": "The McAfee MOVE AV [Multi-Platform] Offload Scan Server must be managed by the HBSS ePO server.",
+      "description": "Organizations should use centrally managed anti-virus software that is controlled and monitored regularly by anti-virus administrators, who are also typically responsible for acquiring, testing, approving, and delivering anti-virus signature and software updates throughout the organization. Users should not be able to disable or delete anti-virus software from their hosts, nor should they be able to alter critical settings. Anti-virus administrators should perform continuous monitoring to confirm that hosts are using current anti-virus software and that the software is configured properly. Implementing all of these recommendations should strongly support an organization in having a strong and consistent anti-virus deployment across the organization.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-42966",
+      "title": "The McAfee MOVE AV [Multi-Platform] Offload Scan Server must be configured with a static IP address.",
+      "description": "Security management devices must be configured to ensure consistent and uninterrupted connectivity to/from the systems it manages/controls. Otherwise, the security management device will be less than effective.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-42968",
+      "title": "The McAfee MOVE AV [Multi-Platform] Offload Scan Server General policy must be configured to maintain a minimum of 20 log files before removing oldest log file.",
+      "description": "Forensic identification is the practice of identifying infected hosts by looking for evidence of recent infections. The evidence may be very recent (only a few minutes old) or not so recent (hours or days old); the older the information is, the less accurate it is likely to be. The most obvious sources of evidence are those that are designed to identify malware activity, such as anti-virus software, content filtering (e.g., anti-spam measures), IPS, and SIEM technologies. The logs of security applications might contain detailed records of suspicious activity, and might also indicate whether a security compromise occurred or was prevented. While logging is imperative to forensic analysis, logs could grow to the point of impacting disk space on the system. In order to avoid the risk of logs growing to the size of impacting the operating system, the log size and number of log files will be restricted, but must also be large enough to retain forensic value.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-42971",
+      "title": "The McAfee MOVE AV [Multi-Platform] Offload Scan Server General policy must be configured to not rotate log files until they reach at least 10MB in size.",
+      "description": "Forensic identification is the practice of identifying infected hosts by looking for evidence of recent infections. The evidence may be very recent (only a few minutes old) or not so recent (hours or days old); the older the information is, the less accurate it is likely to be. The most obvious sources of evidence are those that are designed to identify malware activity, such as anti-virus software, content filtering (e.g., anti-spam measures), IPS, and SIEM technologies. The logs of security applications might contain detailed records of suspicious activity, and might also indicate whether a security compromise occurred or was prevented. While logging is imperative to forensic analysis, logs could grow to the point of impacting disk space on the system. In order to avoid the risk of logs growing to the size of impacting the operating system, the log size and number of log files will be restricted, but must also be large enough to retain forensic value.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-42973",
+      "title": "The McAfee MOVE AV [Multi-Platform] Offload Scan Server General policy Scan Settings must be configured to scan inside archive files.",
+      "description": "Malware is often packaged within an archive. In addition, archives might have other archives within. Not scanning archive files introduces the risk of infected files being introduced into the environment.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-42974",
+      "title": "The McAfee MOVE AV [Multi-Platform] Offload Scan Server General policy Scan Settings must be configured to scan for potentially unwanted programs.",
+      "description": "Due to the ability of malware to mutate after infection, standard anti-virus signatures may not be able to catch new strains or variants of the malware. Typically, these strains and variants will share unique characteristics with others in their virus family. By using a generic signature to detect the shared characteristics, using wildcards where differences lie, the generic signature can detect viruses even if they are padded with extra, meaningless code. This method of detection is Heuristic detection.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-42976",
+      "title": "The McAfee MOVE AV [Multi-Platform] Offload Scan Server General policy Scan Settings must be configured to scan for MIME-encoded files.",
+      "description": "Multipurpose Internet Mail Extensions (MIME) encoded files can be crafted to hide a malicious payload. When the MIME encoded file is presented to software that decodes the MIME encoded files, such as an email client, the malware is released. Scanning these files as part of the regularly scheduled scans tasks will mitigate this risk.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-42977",
+      "title": "The McAfee MOVE AV [Multi-Platform] Offload Scan Server General policy Scan Settings must be configured to use McAfee Global Threat Intelligence file reputation, with a sensitivity level of Medium or higher.",
+      "description": "Anti-virus software vendors use collective intelligence from sensors and cross-vector intelligence from web, email, and network threats to compile scores that reflect the likelihood of whether a file in question is malware. The collective intelligence is constantly being updated, more frequently than the typical daily anti-virus signature files. With File Reputation lookup, a more real-time response to potential malicious code is realized than with the local-running anti-virus software, since by querying the cloud-based database when a file appears to be suspicious, up-to-the-minute intelligence is provided. This type of protection reduces the threat protection time period from days to milliseconds, increases malware detection rates, and reduces downtime and remediation costs associated with malware attacks. Using File Reputation lookup is mandated by US CYBERCOM on DoD systems.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-42978",
+      "title": "The McAfee MOVE AV [Multi-Platform] Offload Scan Server General policy alerts must be configured to report all events to the Windows Event Log.",
+      "description": "Forensic identification is the practice of identifying infected hosts by looking for evidence of recent infections. The evidence may be very recent (only a few minutes old) or not so recent (hours or days old); the older the information is, the less accurate it is likely to be. The most obvious sources of evidence are those that are designed to identify malware activity, such as anti-virus software, content filtering (e.g., anti-spam measures), IPS, and SIEM technologies. The logs of security applications might contain detailed records of suspicious activity, and might also indicate whether a security compromise occurred or was prevented.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-42979",
+      "title": "The McAfee MOVE AV [Multi-Platform] Offload Scan Server General policy alerts must be configured to send all events to the HBSS ePO server.",
+      "description": "Organizations should strive to detect and validate malware incidents rapidly to minimize the number of infected hosts and the amount of damage the organization sustains. Recommended actions include analyzing any suspected malware incident and validating that malware is the cause. This includes identifying characteristics of the malware activity by examining detection sources, such as anti-virus software, intrusion prevention systems, and security information and event management (SIEM) technologies and identifying which hosts are infected by the malware, so the hosts can undergo the appropriate containment, eradication, and recovery actions. By sending all events to a central location, the events can be correlated to determine extent of infection.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-42981",
+      "title": "The McAfee MOVE AV [Multi-Platform] Offload Scan Server General policy On-Demand Scan must be configured with On-Demand scanning enabled.",
+      "description": "Anti-virus software is the most commonly used technical control for malware threat mitigation. Anti-virus software on hosts should be configured to scan all hard drives and folders regularly to identify any file system infections and to scan any removable media, if applicable, before media is inserted into the system. Not scheduling a regular scan of the hard drives of a system and/or not configuring the scan to scan all files and running processes introduces a higher risk of threats going undetected.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-42982",
+      "title": "The McAfee MOVE AV [Multi-Platform] Offload Scan Server General policy On-Demand Scan Client Scan interval must be set to no more than every seven days.",
+      "description": "Anti-virus software is the mostly commonly used technical control for malware threat mitigation. Anti-virus software on hosts should be configured to scan all hard drives and folders regularly to identify any file system infections and to scan any removable media, if applicable, before media is inserted into the system. Not scheduling a regular scan of the hard drives of a system and/or not configuring the scan to scan all files and running processes introduces a higher risk of threats going undetected.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-42983",
+      "title": "The McAfee VirusScan Enterprise Access Protection rules must be used for self-protection of the files and folder of Offload Scan Server configuration.",
+      "description": "The VirusScan Enterprise Access Protection rules will defend files, services, and registry keys on the Offload Scan Server.",
+      "severity": "high"
+    },
+    {
+      "id": "V-42986",
+      "title": "The McAfee VirusScan Enterprise Access Protection rules must be used for self-protection of the registry keys of Offload Scan Server configuration.",
+      "description": "The VirusScan Enterprise Access Protection rules will defend files, services, and registry keys on the Offload Scan Server.",
+      "severity": "high"
+    }
+  ]
+}