kriterion 0.0.1

data/standards/stig_mcafee_move_agentless_3.6.1_security_virtual_appliance.json

@@ -0,0 +1,167 @@
+{
+  "name": "stig_mcafee_move_agentless_3.6.1_security_virtual_appliance",
+  "date": "2016-09-30",
+  "description": "The McAfee MOVE 3.6.1 Agentless SVA STIG is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the NIST 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.",
+  "title": "McAfee MOVE Agentless 3.6.1 Security Virtual Appliance STIG",
+  "version": "1",
+  "item_syntax": "^\\w-\\d+$",
+  "section_separator": null,
+  "items": [
+    {
+      "id": "V-43788",
+      "title": "The Virtual Machine must have VMware vShield Endpoint thin client installed and shown as protected in the vShield Manager.",
+      "description": "The vShield Manager is the centralized network management component of vShield, and is installed as a virtual appliance on an ESX host in a vCenter Server environment. The vShield Manager user interface or vSphere Client plug-in is used by administrators to install, configure, and maintain vShield components. \n\nvShield Endpoint offloads antivirus and anti-malware agent processing to a dedicated secure virtual appliance delivered by VMware partners. Since the secure virtual appliance (unlike a guest virtual machine) does not go offline, it can continuously update antivirus signatures thereby giving uninterrupted protection to the virtual machines on the host. Also, new virtual machines (or existing virtual machines that went offline) are immediately protected with the most current antivirus signatures when they come online. vShield Endpoint installs as a hypervisor module and security virtual appliance from a third-party antivirus\nvendor (VMware partners) on an ESX host. The hypervisor scans guest virtual machines from the outside, removing the need for agents in every virtual machine. This makes vShield Endpoint efficient in avoiding\nresource bottlenecks while optimizing memory use.\n\nMcAfee MOVE AV Agentless requires vShield Endpoint to be installed on a virtual machine in order for the McAfee MOVE Security Virtual Appliance to protect it. If the virtual machine did not have vShield Endpoint installed, the virtual machine would not be protected from malware and viruses.",
+      "severity": "high"
+    },
+    {
+      "id": "V-43957",
+      "title": "The McAfee MOVE AV Agentless SVA policy must be configured with, and managed by, the HBSS ePO server.",
+      "description": "Organizations should use centrally managed antivirus software that is controlled and monitored regularly by antivirus administrators, who are also typically responsible for acquiring, testing, approving, and delivering antivirus signature and software updates throughout the organization. Users should not be able to disable or delete antivirus software from their hosts, nor should they be able to alter critical settings. Antivirus administrators should perform continuous monitoring to confirm that hosts are using current antivirus software and that the software is configured properly. Implementing all of these recommendations should strongly support an organization in having a strong and consistent antivirus deployment across the organization.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-43958",
+      "title": "The McAfee MOVE AV Agentless SVA Authentication policy must be configured to communicate with the Hypervisor/vCenter server via HTTPS protocol.",
+      "description": "Requiring the McAfee MOVE AV Agentless SVA to authenticate to the hypervisor over HTTPs ensures the authentication is over a secure path.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-43959",
+      "title": "The McAfee MOVE AV Agentless SVA Authentication policy must be configured to authenticate to the Hypervisor/vCenter server with user name and password.",
+      "description": "Requiring the McAfee MOVE AV Agentless SVA to authenticate to the hypervisor with a username and password, coupled with HTTPs, ensures authentication is over a secure path from a valid source.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-43960",
+      "title": "The McAfee MOVE AV Agentless SVA Scan Settings policy must be configured with the SVA cache enabled.\n",
+      "description": "Enabling cache in the McAfee MOVE AV Agentless SVA will enable a more effective performance when scanning virtual machines. ",
+      "severity": "medium"
+    },
+    {
+      "id": "V-43961",
+      "title": "The McAfee MOVE AV Agentless SVA Scan Settings policy must be configured to cache scan results for files up to a file size of 1 MB.",
+      "description": "While enabling cache in the McAfee MOVE AV Agentless SVA will enable a more effective performance when scanning virtual machines, the file size of cached items needs to be restricted in order to prevent excessively large files from being cached, which would have a negative impact on performance.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-43962",
+      "title": "The McAfee MOVE AV Agentless SVA Scan Settings policy for On-Demand Client Scan time interval must be set to no more than every 7 days.",
+      "description": "Antivirus software is the most commonly used technical control for malware threat mitigation. Antivirus software on hosts should be configured to scan all hard drives regularly to identify any file system infections and to scan any removable media, if applicable, before media is inserted into the system. Not scheduling a regular scan of the hard drives of a system and/or not configuring the scan to scan all files and running processes, introduces a higher risk of threats going undetected.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-44931",
+      "title": "The McAfee MOVE AV Agentless Scan policy must be configured to enable On-Access scanning.",
+      "description": "Antivirus software is the most commonly used technical control for malware threat mitigation. Antivirus software should be configured to perform real-time scans of each file as it is downloaded, opened, or executed.",
+      "severity": "high"
+    },
+    {
+      "id": "V-44933",
+      "title": "The McAfee MOVE AV Agentless Scan policy must be configured to enforce a maximum On-Access Scan timeout of no less than 45 seconds.",
+      "description": "This setting configures the amount of time to wait for a scan to complete, in seconds. The default setting is 45 seconds. Typically, file scans are very fast. However, file scans may take longer time due to large file size, file type, or heavy load on the offload scan server. In such cases that the file scan takes longer than the scan timeout limit, the file access is allowed and a scan timeout event is generated. Setting the timeout too low may result in scans of a file terminating before the scan is completed, resulting in malware potentially going undetected.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-44935",
+      "title": "The McAfee MOVE AV Agentless Scan policy must be configured to enable On-Demand scanning.",
+      "description": "Antivirus software is the mostly commonly used technical control for malware threat mitigation. Antivirus software on hosts should be configured to scan all hard drives and folders regularly to identify any file system infections and to scan any removable media, if applicable, before media is inserted into the system. Not scheduling a regular scan of the hard drives of a system and/or not configuring the scan to scan all files and running processes, introduces a higher risk of threats going undetected.\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-44969",
+      "title": "The McAfee MOVE AV Agentless Scan policy must be configured to scan files when opened.",
+      "description": "Antivirus software is the most commonly used technical control for malware threat mitigation. Real-time scanning of files as they are read from disk is a crucial first line of defense from malware attacks.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-44973",
+      "title": "The McAfee MOVE AV Agentless Scan policy must be configured to scan all file types.",
+      "description": "When scanning for malware, excluding specific file types will increase the risk of a malware-infected file going undetected. By configuring antivirus software to scan all file types, the scanner has a higher success rate at detecting and eradicating malware.\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-44979",
+      "title": "The McAfee MOVE AV Agentless Scan policy must be configured to scan files when closed.",
+      "description": "Antivirus software is the most commonly used technical control for malware threat mitigation. Real-time scanning of files as they are written to disk is a crucial first line of defense from malware attacks.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-44993",
+      "title": "The McAfee MOVE AV Agentless Scan policy must be configured to scan inside archives.",
+      "description": "Malware is often packaged within an archive. In addition, archives might have other archives within. Not scanning archive files introduces the risk of infected files being introduced into the environment. ",
+      "severity": "medium"
+    },
+    {
+      "id": "V-48853",
+      "title": "The McAfee MOVE AV Agentless Scan policy must be configured to decode MIME encoded files.",
+      "description": "Multipurpose Internet Mail Extensions (MIME) encoded files can be crafted to hide a malicious payload. When the MIME encoded file is presented to software that decodes the MIME encoded files, such as an email client, the malware is released. Scanning these files as part of the regularly scheduled scans tasks will mitigate this risk.\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-48855",
+      "title": "The McAfee MOVE AV Agentless Scan policy must be configured to find unknown macro threats.",
+      "description": "Due to the ability of malware to mutate after infection, standard antivirus signatures may not be able to catch new strains or variants of the malware. Typically, these strains and variants will share unique characteristics with others in their virus family. By using a generic signature to detect the shared characteristics, using wildcards where differences lie, the generic signature can detect viruses even if they are padded with extra, meaningless code. This method of detection is Heuristic detection.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-48857",
+      "title": "The McAfee MOVE AV Agentless Scan policy for Heuristics must be configured to find unknown unwanted programs and Trojans.",
+      "description": "Due to the ability of malware to mutate after infection, standard antivirus signatures may not be able to catch new strains or variants of the malware. Typically, these strains and variants will share unique characteristics with others in their virus family. By using a generic signature to detect the shared characteristics, using wildcards where differences lie, the generic signature can detect viruses even if they are padded with extra, meaningless code. This method of detection is Heuristic detection.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-48859",
+      "title": "The McAfee MOVE AV Agentless Scan policy must be configured to use McAfee Global Threat Intelligence file reputation set to a sensitivity level of Medium or higher.",
+      "description": "Antivirus software vendors use collective intelligence from sensors and cross-vector intelligence from web, email, and network threats to compile scores that reflect the likelihood of whether a file in question is malware. The collective intelligence is constantly being updated, more frequently than the typical daily antivirus signature files. With File Reputation lookup, a more real-time response to potential malicious code is realized than with the local-running antivirus software, since by querying the cloud-based database when a file appears to be suspicious, up-to-the-minute intelligence is provided. This type of protection reduces the threat protection time period from days to milliseconds, increases malware detection rates, and reduces downtime and remediation costs associated with malware attacks. Using File Reputation lookup is mandated by US CYBERCOM on DoD systems.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-48861",
+      "title": "The McAfee MOVE AV Agentless Scan policy must be configured to detect unwanted programs.",
+      "description": "Due to the ability of malware to mutate after infection, standard antivirus signatures may not be able to catch new strains or variants of the malware. Typically, these strains and variants will share unique characteristics with others in their virus family. By using a generic signature to detect the shared characteristics, using wildcards where differences lie, the generic signature can detect viruses even if they are padded with extra, meaningless code. This method of detection is Heuristic detection.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-48863",
+      "title": "For any path or file exclusions configured in the McAfee MOVE AV Agentless Scan policy, those exclusions must be formally documented by the System Administrator and approved by the IAO/IAM.",
+      "description": "When scanning for malware, excluding specific file types will increase the risk of a malware-infected file going undetected. By configuring antivirus software to scan all file types, the scanner has a higher success rate at detecting and eradicating malware. The excluding of files, paths, and processes from being scanned expands the potential for malware to be allowed onto the information system. While it is recognized that some file types might need to be excluded for operational reasons and/or because there is protection afforded to those files through a different mechanism, allowing those exclusions should always be vetted, documented and approved before applying.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-48865",
+      "title": "When a threat is found by the McAfee MOVE AV Agentless On-Access Scan, the Scan policy must be configured to delete files automatically as first action.",
+      "description": "Malware incident containment has two major components: stopping the spread of malware and preventing further damage to hosts. Disinfecting a file is generally preferable to quarantining it because the malware is removed and the original file restored; however, many infected files cannot be disinfected. The primary goal of eradication is to remove malware from infected hosts.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-48867",
+      "title": "When a threat is found by the McAfee MOVE AV Agentless On-Access Scan, the Scan policy must be configured to deny access to files if first action fails.",
+      "description": "Malware incident containment has two major components:  stopping the spread of malware and preventing further damage to hosts. Disinfecting a file is generally preferable to quarantining it because the malware is removed and the original file restored; however, many infected files cannot be disinfected. The primary goal of eradication is to remove malware from infected hosts.\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-48869",
+      "title": "When a threat is found by the McAfee MOVE AV Agentless On-Demand Scan, the Scan policy must be configured to delete files automatically as first action.",
+      "description": "Malware incident containment has two major components: stopping the spread of malware and preventing further damage to hosts. Disinfecting a file is generally preferable to quarantining it because the malware is removed and the original file restored; however, many infected files cannot be disinfected. The primary goal of eradication is to remove malware from infected hosts.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-48871",
+      "title": "When a threat is found by the McAfee MOVE AV Agentless On-Demand Scan, the Scan policy must be configured to notify only if first action fails.",
+      "description": "Malware incident containment has two major components:  stopping the spread of malware and preventing further damage to hosts. Disinfecting a file is generally preferable to quarantining it because the malware is removed and the original file restored; however, many infected files cannot be disinfected. The primary goal of eradication is to remove malware from infected hosts.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-48873",
+      "title": "The McAfee MOVE AV Agentless Scan policy must be configured to enable the quarantine.",
+      "description": "Malware incident containment has two major components: stopping the spread of malware and preventing further damage to hosts. Disinfecting a file is generally preferable to quarantining it because the malware is removed and the original file restored; however, many infected files cannot be disinfected. Accordingly, antivirus software should be configured to attempt to disinfect infected files and to either quarantine or delete files that cannot be disinfected. By enabling the Quarantine, organizations will have the ability to submit copies of unknown malware to their security software vendors for analysis and will able to conduct internal forensic evaluation.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-49679",
+      "title": "The McAfee MOVE AV Agentless SVAadmin account password must be changed from the default.",
+      "description": "The pre-configured Security Virtual Appliance (SVA)  comes with a default password for the SVAadmin account. This account has root privileges to the Linux O/S of the appliance. By not changing the password from the default, the appliance will be subject to access by unauthorized individuals.\n",
+      "severity": "high"
+    }
+  ]
+}

data/standards/stig_mcafee_move_av_agentless_4.5.json

@@ -0,0 +1,155 @@
+{
+  "name": "stig_mcafee_move_av_agentless_4.5",
+  "date": "2017-12-01",
+  "description": "This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.",
+  "title": "McAfee MOVE AV Agentless 4.5 Security Technical Implementation Guide",
+  "version": "1",
+  "item_syntax": "^\\w-\\d+$",
+  "section_separator": null,
+  "items": [
+    {
+      "id": "V-78461",
+      "title": "The admin password for the McAfee MOVE AV Agentless Security Virtual Machine (SVM) must be changed from the default.",
+      "description": "The preconfigured Security Virtual Appliance (SVA) comes with a default password for the \"SVAadmin\" account. This account has root privileges to the Linux operating system of the appliance. By not changing the password from the default, the appliance will be subject to access by unauthorized individuals.",
+      "severity": "high"
+    },
+    {
+      "id": "V-78463",
+      "title": "The McAfee MOVE AV On Access Scan policy must be configured to enable protection.",
+      "description": "Anti-virus software should be installed as soon after operating system installation as possible and then updated with the latest signatures and anti-virus software patches (to eliminate any known vulnerabilities in the anti-virus software itself). The anti-virus software should then perform a complete scan of the host to identify any potential infections. To support the security of the host, the anti-virus software should be configured and maintained properly so it continues to be effective at detecting and stopping malware. Anti-virus software is most effective when its signatures are fully up to date. Accordingly, anti-virus software should be kept current with the latest signature and software updates to improve malware detection.",
+      "severity": "high"
+    },
+    {
+      "id": "V-78465",
+      "title": "The McAfee MOVE AV On Access Scan policy must be configured to enforce a maximum On-Access Scan timeout of no less than 45 seconds.",
+      "description": "This setting configures the amount of time, in seconds, to wait for a scan to complete. The default setting is 45 seconds. This is the duration for which a McAfee MOVE AV Agent will wait for scan response of a file from the Security Virtual Machine (SVM). Typically, file scans are very fast. However, file scans may take longer due to large file size, file type, or heavy load on the SVM. If the file scan takes longer than the scan timeout limit, the file access is allowed and a scan timeout event is generated. Setting the timeout too low may result in scans of a file terminating before the scan is completed, resulting in malware potentially going undetected.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-78467",
+      "title": "The McAfee MOVE AV On Access Scan policy must be configured to scan files when writing to disk.",
+      "description": "Anti-virus software is the most commonly used technical control for malware threat mitigation. Real-time scanning of files as they are written to disk is a crucial first line of defense from malware attacks.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-78469",
+      "title": "The McAfee MOVE AV On Access Scan policy must be configured to scan files when reading from disk.",
+      "description": "Anti-virus software is the most commonly used technical control for malware threat mitigation. Real-time scanning of files as they are read from disk is a crucial first line of defense from malware attacks.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-78471",
+      "title": "The McAfee MOVE AV On Access Scan policy must be configured to scan all file types.",
+      "description": "When scanning for malware, excluding specific file types will increase the risk of a malware-infected file going undetected. By configuring anti-virus software to scan all file types, the scanner has a higher success rate at detecting and eradicating malware.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-78473",
+      "title": "Path or file exclusions configured in the McAfee MOVE AV On Access Scan policy must be formally documented by the System Administrator and approved by the ISSO/ISSM.",
+      "description": "When scanning for malware, excluding specific file types will increase the risk of a malware-infected file going undetected. By configuring anti-virus software to scan all file types, the scanner has a higher success rate at detecting and eradicating malware. Excluding files, paths, and processes from being scanned expands the potential for malware to be allowed onto the information system. While it is recognized that some file types might need to be excluded for operational reasons and/or because protection is afforded to those files through a different mechanism, allowing those exclusions should always be vetted, documented, and approved before applying.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-78475",
+      "title": "The McAfee MOVE AV On Access Scan policy must be configured to delete files automatically and quarantine as the first response of a threat detection.",
+      "description": "Malware incident containment has two major components: stopping the spread of malware and preventing further damage to hosts. Disinfecting a file is generally preferable to quarantining it because the malware is removed and the original file restored; however, many infected files cannot be disinfected. The primary goal of eradication is to remove malware from infected hosts.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-78477",
+      "title": "The McAfee MOVE AV policy must be configured to enable On-Demand scanning.",
+      "description": "Anti-virus software is the most commonly used technical control for malware threat mitigation. Anti-virus software on hosts should be configured to scan all hard drives and folders regularly to identify any file system infections and to scan any removable media, if applicable, before media is inserted into the system. Not scheduling a regular scan of the hard drives of a system and/or not configuring the scan to scan all files and running processes introduces a higher risk of threats going undetected.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-78479",
+      "title": "The McAfee MOVE AV On Demand Scan policy must be configured to enforce a maximum time for each file scan of no less than 45 seconds.",
+      "description": "This setting configures the amount of time, in seconds, to wait for a scan to complete. The default setting is 45 seconds. This is the duration for which a McAfee MOVE AV Agent will wait for scan response of a file from the Security Virtual Machine (SVM). Typically, file scans are very fast. However, file scans may take longer due to large file size, file type, or heavy load on the SVM. If the file scan takes longer than the scan timeout limit, the file access is allowed and a scan timeout event is generated. Setting the timeout too low may result in scans of a file terminating before the scan is completed, resulting in malware potentially going undetected.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-78481",
+      "title": "The McAfee MOVE AntiVirus On Demand Scan policy must be configured to stop an on-demand scan after 150 minutes.",
+      "description": "This setting configures the maximum time (in minutes) for on-demand scanning. The default setting is 150 minutes. Typically, file scans are very fast. However, file scans may take longer due to large file size, file type, or heavy load on the Security Virtual Machine (SVM). For cases where an on-demand scan will take longer, the organization should determine the maximum amount of time for its on-demand scanning and explicitly configure this setting.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-78483",
+      "title": "The McAfee MOVE AV On Demand Scan policy must be configured to delete files automatically and quarantine as the first response of a threat detection.",
+      "description": "Malware incident containment has two major components: stopping the spread of malware and preventing further damage to hosts. Disinfecting a file is generally preferable to quarantining it because the malware is removed and the original file restored; however, many infected files cannot be disinfected. The primary goal of eradication is to remove malware from infected hosts. Deleting files found to contain malware while also moving them to quarantine will allow the files to be rendered useless but recoverable in the event of a false positive.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-78485",
+      "title": "The McAfee MOVE AV On Demand Scan policy must be configured to scan all file types.",
+      "description": "When scanning for malware, excluding specific file types will increase the risk of a malware-infected file going undetected. By configuring anti-virus software to scan all file types, the scanner has a higher success rate at detecting and eradicating malware.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-78487",
+      "title": "Path Exclusions configured in the McAfee MOVE AV On Demand Scan policy must be formally documented by the System Administrator and approved by the ISSO/ISSM.",
+      "description": "When scanning for malware, excluding specific file types will increase the risk of a malware-infected file going undetected. By configuring anti-virus software to scan all file types, the scanner has a higher success rate at detecting and eradicating malware. Excluding files, paths, and processes from being scanned expands the potential for malware to be allowed onto the information system. While it is recognized that some file types might need to be excluded for operational reasons and/or because protection is afforded to those files through a different mechanism, allowing those exclusions should always be vetted, documented, and approved before applying.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-78489",
+      "title": "The McAfee MOVE AV On-Demand Scan interval must be set to no more than every seven days.",
+      "description": "Anti-virus software is the most commonly used technical control for malware threat mitigation. Anti-virus software on hosts should be configured to scan all hard drives and folders regularly to identify any file system infections and to scan any removable media, if applicable, before media is inserted into the system. Not scheduling a regular scan of the hard drives of a system and/or not configuring the scan to scan all files and running processes introduces a higher risk of threats going undetected.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-78491",
+      "title": "The McAfee MOVE AV Options policy must specify the location of the quarantine network share.",
+      "description": "The quarantine on each system represents a potential danger should the files contained within the quarantine be executed inadvertently.\n\nTo centrally manage the quarantine on all systems, the quarantine should always be configured the same across all systems, which will allow management to better control access to those locations.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-78493",
+      "title": "The McAfee MOVE AV Options policy must specify the username and password for the quarantine network share.",
+      "description": "The quarantine on each system represents a potential danger should the files contained within the quarantine be executed inadvertently. \n\nTo centrally manage the quarantine on all systems, the quarantine should always be configured the same across all systems, which will allow management to better control access to those locations.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-78495",
+      "title": "The McAfee MOVE AV SVM Settings policy ODS scheduler must be set to no more than every seven days.",
+      "description": "Anti-virus software is the mostly commonly used technical control for malware threat mitigation. Anti-virus software on hosts should be configured to scan all hard drives and folders regularly to identify any file system infections and to scan any removable media, if applicable, before media is inserted into the system. Not scheduling a regular scan of the hard drives of a system and/or not configuring the scan to scan all files and running processes introduces a higher risk of threats going undetected.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-78497",
+      "title": "The McAfee MOVE AV SVM must be managed by the HBSS ePO server.",
+      "description": "Organizations should use centrally managed anti-virus software that is controlled and monitored regularly by anti-virus administrators, who are also typically responsible for acquiring, testing, approving, and delivering anti-virus signature and software updates throughout the organization. Users should not be able to disable or delete anti-virus software from their hosts, nor should they be able to alter critical settings.\n\nAnti-virus administrators should perform continuous monitoring to confirm that hosts are using current anti-virus software and that the software is configured properly. Implementing all of these recommendations should strongly support an organization in having a strong and consistent anti-virus deployment across the organization.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-78499",
+      "title": "The McAfee MOVE AV SVM Settings policy must be configured to scan for potentially unwanted programs.",
+      "description": "Due to the ability of malware to mutate after infection, standard anti-virus signatures may not be able to catch new strains or variants of the malware. Typically, these strains and variants will share unique characteristics with others in their virus family. By using a generic signature to detect the shared characteristics, using wildcards where differences lie, the generic signature can detect viruses even if they are padded with extra, meaningless code. This method of detection is heuristic detection.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-78501",
+      "title": "The McAfee MOVE AV SVM Settings policy must be configured to scan for Multipurpose Internet Mail Extensions (MIME)-encoded files.",
+      "description": "MIME-encoded files can be crafted to hide a malicious payload. When the MIME-encoded file is presented to software that decodes the MIME encoded files, such as an email client, the malware is released. Scanning these files as part of the regularly scheduled scans tasks will mitigate this risk.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-78503",
+      "title": "The McAfee MOVE AV SVM Settings policy must be configured to use McAfee Global Threat Intelligence File Reputation with a sensitivity level of medium or higher.",
+      "description": "Anti-virus software vendors use collective intelligence from sensors and cross-vector intelligence from web, email, and network threats to compile scores that reflect the likelihood of whether a file in question is malware. The collective intelligence is constantly being updated, more frequently than the typical daily anti-virus signature files. \n\nWith File Reputation lookup, a more real-time response to potential malicious code is realized than with the local-running anti-virus software, since by querying the cloud-based database when a file appears to be suspicious, up-to-the-minute intelligence is provided. This type of protection reduces the threat protection time period from days to milliseconds, increases malware detection rates, and reduces downtime and remediation costs associated with malware attacks. Using File Reputation lookup is mandated by USCYBERCOM on DoD systems.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-78505",
+      "title": "The McAfee MOVE AV SVM settings policy must be configured to communicate with the hypervisor/vCenter server via HTTPS protocol.",
+      "description": "Requiring the McAfee MOVE AV Agentless SVA to authenticate to the hypervisor over HTTPs ensures the authentication is over a secure path.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-78507",
+      "title": "The McAfee MOVE AV SVM settings policy must be configured to authenticate to the hypervisor/vCenter server with user name and password.",
+      "description": "Requiring the McAfee MOVE AV Agentless SVA to authenticate to the hypervisor with a username and password, coupled with HTTPs, ensures authentication is over a secure path from a valid source.",
+      "severity": "medium"
+    }
+  ]
+}

data/standards/stig_mcafee_move_av_multi-platform_4.5.json

@@ -0,0 +1,215 @@
+{
+  "name": "stig_mcafee_move_av_multi-platform_4.5",
+  "date": "2017-12-01",
+  "description": "This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.",
+  "title": "McAfee MOVE AV Multi-Platform 4.5 Security Technical Implementation Guide",
+  "version": "1",
+  "item_syntax": "^\\w-\\d+$",
+  "section_separator": null,
+  "items": [
+    {
+      "id": "V-78509",
+      "title": "The McAfee MOVE AV Common Options policy must be configured to report all events to the Windows Event Log.",
+      "description": "Forensic identification is the practice of identifying infected hosts by looking for evidence of recent infections. The evidence may be very recent (only a few minutes old) or not so recent (hours or days old); the older the information is, the less accurate it is likely to be. The most obvious sources of evidence are those that are designed to identify malware activity, such as anti-virus software, content filtering (e.g., anti-spam measures), IPS, and SIEM technologies. The logs of security applications might contain detailed records of suspicious activity and might also indicate whether a security compromise occurred or was prevented.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-78511",
+      "title": "The McAfee MOVE AV Common Options policy must be configured to send all events to the HBSS ePO server.",
+      "description": "Forensic identification is the practice of identifying infected hosts by looking for evidence of recent infections. The evidence may be very recent (only a few minutes old) or not so recent (hours or days old); the older the information is, the less accurate it is likely to be. The most obvious sources of evidence are those that are designed to identify malware activity, such as anti-virus software, content filtering (e.g., anti-spam measures), IPS, and SIEM technologies. The logs of security applications might contain detailed records of suspicious activity and might also indicate whether a security compromise occurred or was prevented.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-78513",
+      "title": "The McAfee MOVE AV Common Options policy must be configured to not rotate log files until they reach at least 10 MB in size.",
+      "description": "Forensic identification is the practice of identifying infected hosts by looking for evidence of recent infections. The evidence may be very recent (only a few minutes old) or not so recent (hours or days old); the older the information is, the less accurate it is likely to be. The most obvious sources of evidence are those that are designed to identify malware activity, such as anti-virus software, content filtering (e.g., anti-spam measures), IPS, and SIEM technologies. The logs of security applications might contain detailed records of suspicious activity and might also indicate whether a security compromise occurred or was prevented.\n\nWhile logging is imperative to forensic analysis, logs could grow to the point of impacting disk space on the system. To avoid the risk of logs growing to the size of impacting the operating system, the log size and number of log files will be restricted but must be large enough to retain forensic value.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-78515",
+      "title": "The McAfee MOVE AV Common Options policy must be configured to enable self-protection.",
+      "description": "The self-protection feature defends files, services, and registry keys on virtual machines and will ensure uninterrupted protection.\n\nSelf-protection on the McAfee MOVE SVM is provided by the SVM's VirusScan Enterprise Access Protection configuration.\n\nThe self-protection feature is controlled by the IntegrityEnabled configuration parameter. By default, the parameter is set to \"0x7\", and all components of the feature are enabled.",
+      "severity": "high"
+    },
+    {
+      "id": "V-78517",
+      "title": "All other anti-virus products must be removed from the virtual machine while the McAfee AV Client is running.",
+      "description": "Organizations should deploy anti-virus software on all hosts for which satisfactory anti-virus software is available. Anti-virus software should be installed as soon after operating system installation as possible and then updated with the latest anti-virus software patches (to eliminate any known vulnerabilities in the anti-virus software itself). \n\nTo support the security of the host, the anti-virus software should be configured and maintained properly so it continues to be effective at detecting and stopping malware. \n\nMcAfee MOVE AV Client will not function properly with other anti-virus products installed.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-78519",
+      "title": "The McAfee MOVE AV policies must be configured with and managed by the HBSS ePO server.",
+      "description": "Organizations should use centrally managed anti-virus software that is controlled and monitored regularly by anti-virus administrators, who are also typically responsible for acquiring, testing, approving, and delivering anti-virus signature and software updates throughout the organization. Users should not be able to disable or delete anti-virus software from their hosts, nor should they be able to alter critical settings. Anti-virus administrators should perform continuous monitoring to confirm that hosts are using current anti-virus software and that the software is configured properly. Implementing all of these recommendations should strongly support an organization in having a strong and consistent anti-virus deployment across the organization.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-78521",
+      "title": "The admin password for the McAfee MOVE AV Security Virtual Machine (SVM) must be changed from the default.",
+      "description": "The preconfigured Security Virtual Appliance (SVA) comes with a default password for the \"SVAadmin\" account. This account has root privileges to the Linux operating system of the appliance. By not changing the password from the default, the appliance will be subject to access by unauthorized individuals.",
+      "severity": "high"
+    },
+    {
+      "id": "V-78523",
+      "title": "The McAfee VirusScan Enterprise Access Protection rules must be used for self-protection of the files and folder of the McAfee Security Virtual Manager (SVM).",
+      "description": "The VirusScan Enterprise Access Protection rules will defend files, services, and registry keys on the McAfee Security Virtual Manager (SVM).",
+      "severity": "high"
+    },
+    {
+      "id": "V-78525",
+      "title": "The McAfee MOVE AV On Access Scan Policy must be configured to enable protection.",
+      "description": "Anti-virus software should be installed as soon after operating system installation as possible and then updated with the latest signatures and anti-virus software patches (to eliminate any known vulnerabilities in the anti-virus software itself). The anti-virus software should then perform a complete scan of the host to identify any potential infections. To support the security of the host, the anti-virus software should be configured and maintained properly so it continues to be effective at detecting and stopping malware. Anti-virus software is most effective when its signatures are fully up to date. Accordingly, antivirus software should be kept current with the latest signature and software updates to improve malware detection.",
+      "severity": "high"
+    },
+    {
+      "id": "V-78527",
+      "title": "The McAfee MOVE AV On Access Scan Policy must be configured with a scan timeout of 45 seconds or more.",
+      "description": "This setting configures the amount of time, in seconds, to wait for a scan to complete. The default setting is 45 seconds. This is the duration for which a McAfee MOVE AV Agent will wait for scan response of a file from the Security Virtual Machine (SVM). Typically, file scans are very fast. However, file scans may take longer due to large file size, file type, or heavy load on the SVM. If the file scan takes longer than the scan timeout limit, the file access is allowed and a scan timeout event is generated. Setting the timeout too low may result in scans of a file terminating before the scan is completed, resulting in malware potentially going undetected.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-78529",
+      "title": "The McAfee MOVE AV On Access Scan Policy must be configured to cache scan results for files smaller than 40 MB.",
+      "description": "This setting configures the maximum file size (in MB) up to which scan results should be cached. The default setting is 40 MB. Files smaller than this threshold are copied completely to the Security Virtual Machine (SVM) and scanned. If the file is found to be clean, its scan result is cached based on its SHA 1 checksum for faster future access. Files larger than this size threshold are transferred in chunks that are requested by the SVM and scanned. Setting that threshold higher could impact the performance of the scan processes.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-78531",
+      "title": "The McAfee MOVE AV On Access Scan Policy must be configured to scan when writing to disk.",
+      "description": "Anti-virus software is the most commonly used technical control for malware threat mitigation. Real-time scanning of files as they are written to disk is a crucial first line of defense from malware attacks.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-78533",
+      "title": "The McAfee MOVE AV On Access Scan Policy must be configured to scan when reading from disk.",
+      "description": "Anti-virus software is the most commonly used technical control for malware threat mitigation. Real-time scanning of files as they are read from disk is a crucial first line of defense from malware attacks.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-78535",
+      "title": "The McAfee MOVE AV On Access Scan Policy must be configured to scan all file types.",
+      "description": "When scanning for malware, excluding specific file types will increase the risk of a malware-infected file going undetected. By configuring anti-virus software to scan all file types, the scanner has a higher success rate at detecting and eradicating malware.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-78537",
+      "title": "Path or file exclusions configured in McAfee MOVE AV On Access Scan Policy must be formally documented by the System Administrator and approved by the ISSO/ISSM.",
+      "description": "When scanning for malware, excluding specific file types will increase the risk of a malware-infected file going undetected. By configuring anti-virus software to scan all file types, the scanner has a higher success rate at detecting and eradicating malware. Excluding files, paths, and processes from being scanned expands the potential for malware to be allowed onto the information system. While it is recognized that some file types might need to be excluded for operational reasons and/or because there is protection afforded to those files through a different mechanism, allowing those exclusions should always be vetted, documented, and approved before applying.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-78539",
+      "title": "Process exclusions configured in McAfee MOVE AV On Access Scan Policy must be formally documented by the System Administrator and approved by the ISSO/ISSM.",
+      "description": "When scanning for malware, excluding specific file types will increase the risk of a malware-infected file going undetected. By configuring anti-virus software to scan all file types, the scanner has a higher success rate at detecting and eradicating malware. Excluding files, paths, and processes from being scanned expands the potential for malware to be allowed onto the information system. While it is recognized that some file types might need to be excluded for operational reasons and/or because there is protection afforded to those files through a different mechanism, allowing those exclusions should always be vetted, documented, and approved before applying.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-78541",
+      "title": "The McAfee MOVE AV On Access Scan policy must be configured to delete files automatically and quarantine as the first response of a threat detection.",
+      "description": "Malware incident containment has two major components: stopping the spread of malware and preventing further damage to hosts. Disinfecting a file is generally preferable to quarantining it because the malware is removed and the original file restored; however, many infected files cannot be disinfected. The primary goal of eradication is to remove malware from infected hosts.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-78543",
+      "title": "The McAfee MOVE AV On Demand Scan policy must be configured to enable on-demand scan.",
+      "description": "Anti-virus software is the most commonly used technical control for malware threat mitigation. Anti-virus software on hosts should be configured to scan all hard drives and folders regularly to identify any file system infections and to scan any removable media, if applicable, before media is inserted into the system. Not scheduling a regular scan of the hard drives of a system and/or not configuring the scan to scan all files and running processes introduces a higher risk of threats going undetected.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-78545",
+      "title": "The McAfee MOVE AV On Demand Scan policy must be configured to enforce a maximum time for each file scan of no less than 45 seconds.",
+      "description": "This setting configures the amount of time, in seconds, to wait for a scan to complete. The default setting is 45 seconds. This is the duration for which a McAfee MOVE AV Agent will wait for scan response of a file from the Security Virtual Machine (SVM). Typically, file scans are very fast. However, file scans may take longer due to large file size, file type, or heavy load on the SVM. If the file scan takes longer than the scan timeout limit, the file access is allowed and a scan timeout event is generated. Setting the timeout too low may result in scans of a file terminating before the scan is completed, resulting in malware potentially going undetected.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-78547",
+      "title": "The McAfee MOVE AV On Demand Scan policy must be explicitly configured to stop an on-demand scan after an organization-specific period.",
+      "description": "This setting configures the maximum time, in minutes, for on-demand scanning. The default setting is 150 minutes. Typically, file scans are very fast. However, file scans may take longer due to large file size, file type, or heavy load on the Security Virtual Machine (SVM). For cases where an on-demand scan will take longer, an organization should determine the maximum amount of time for its on-demand scanning and explicitly configure this setting.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-78549",
+      "title": "The McAfee MOVE AV On Demand Scan policy must be configured to cache scan results for files smaller than 40 MB.",
+      "description": "This setting configures the maximum file size (in MB) up to which scan results should be cached. The default setting is 40 MB. Files smaller than this threshold are copied completely to the Security Virtual Machine (SVM) and scanned. If the file is found to be clean, its scan result is cached based on its SHA 1 checksum for faster future access. Files larger than this size threshold are transferred in chunks that are requested by the SVM and scanned. Setting that threshold higher could impact the performance of the scan processes.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-78551",
+      "title": "The McAfee MOVE AV On Demand Scan policy must be configured to delete files automatically and quarantine as the first response of a threat detection.",
+      "description": "Malware incident containment has two major components: stopping the spread of malware and preventing further damage to hosts. Disinfecting a file is generally preferable to quarantining it because the malware is removed and the original file restored; however, many infected files cannot be disinfected. The primary goal of eradication is to remove malware from infected hosts. Deleting files found to contain malware, while also moving them to quarantine, will allow the files to be rendered useless but are recoverable in the event of false positive.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-78553",
+      "title": "The McAfee MOVE AV On Demand Scan policy must be configured to scan all file types.",
+      "description": "When scanning for malware, excluding specific file types will increase the risk of a malware-infected file going undetected. By configuring anti-virus software to scan all file types, the scanner has a higher success rate at detecting and eradicating malware.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-78555",
+      "title": "Path Exclusions configured in the McAfee MOVE AV On Demand Scan policy must be formally documented by the System Administrator and approved by the ISSO/ISSM.",
+      "description": "When scanning for malware, excluding specific file types will increase the risk of a malware-infected file going undetected. By configuring anti-virus software to scan all file types, the scanner has a higher success rate at detecting and eradicating malware. Excluding files, paths, and processes from being scanned expands the potential for malware to be allowed onto the information system. While it is recognized that some file types might need to be excluded for operational reasons and/or because there is protection afforded to those files through a different mechanism, allowing those exclusions should always be vetted, documented, and approved before applying.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-78557",
+      "title": "The McAfee MOVE AV On-Demand Scan interval must be set to no more than every seven days.",
+      "description": "Anti-virus software is the most commonly used technical control for malware threat mitigation. Anti-virus software on hosts should be configured to scan all hard drives and folders regularly to identify any file system infections and to scan any removable media, if applicable, before media is inserted into the system. Not scheduling a regular scan of the hard drives of a system and/or not configuring the scan to scan all files and running processes introduces a higher risk of threats going undetected.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-78559",
+      "title": "The McAfee MOVE AV Options Policy must be configured with the location of quarantine to ensure consistency across all systems.",
+      "description": "The quarantine on each system represents a potential danger should the files contained within the quarantine be executed inadvertently. \n\nTo centrally manage the quarantine on all systems, the quarantine should always be configured the same across all systems, which will allow management to better control access to those locations.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-78561",
+      "title": "The McAfee MOVE AV Options Policy must be configured to automatically delete quarantined data after a time period of no more than 28 days.",
+      "description": "The quarantine on each system represents a potential danger should the files contained within the quarantine be executed inadvertently. Deleting the quarantine contents on a regular basis will alleviate the ability of malware from being executed. An organization's incident response policy should also contain steps in removing quarantined items after their forensic value has been depleted.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-78563",
+      "title": "The McAfee MOVE AV SVM Settings policy ODS scan interval must be set to no more than every seven days.",
+      "description": "Anti-virus software is the mostly commonly used technical control for malware threat mitigation. Anti-virus software on hosts should be configured to scan all hard drives and folders regularly to identify any file system infections and to scan any removable media, if applicable, before media is inserted into the system. Not scheduling a regular scan of the hard drives of a system and/or not configuring the scan to scan all files and running processes introduces a higher risk of threats going undetected.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-78565",
+      "title": "The McAfee MOVE AV SVM must have McAfee VirusScan Enterprise installed.",
+      "description": "Organizations should deploy anti-virus software on all hosts for which satisfactory anti-virus software is available. Anti-virus software should be installed as soon after OS installation as possible and then updated with the latest signatures and anti-virus software patches (to eliminate any known vulnerabilities in the anti-virus software itself). To support the security of the host, the anti-virus software should be configured and maintained properly so it continues to be effective at detecting and stopping malware. Anti-virus software is most effective when its signatures are fully up to date. Accordingly, anti-virus software should be kept current with the latest signature and software updates to improve malware detection.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-78567",
+      "title": "The McAfee MOVE AV SVM must be managed by the HBSS ePO server.",
+      "description": "Organizations should use centrally managed anti-virus software that is controlled and monitored regularly by anti-virus administrators, who are also typically responsible for acquiring, testing, approving, and delivering anti-virus signature and software updates throughout the organization. Users should not be able to disable or delete anti-virus software from their hosts, nor should they be able to alter critical settings. Anti-virus administrators should perform continuous monitoring to confirm that hosts are using current anti-virus software and that the software is configured properly. Implementing all of these recommendations should strongly support an organization in having a strong and consistent anti-virus deployment across the organization.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-78569",
+      "title": "The McAfee MOVE AV SVM must be configured with a static Internet Protocol (IP) address.",
+      "description": "Security management devices must be configured to ensure consistent and uninterrupted connectivity to/from the systems they manage/control. Otherwise, the security management device will be less than effective.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-78571",
+      "title": "The McAfee MOVE AV SVM Settings policy must be configured to scan for potentially unwanted programs.",
+      "description": "Due to the ability of malware to mutate after infection, standard anti-virus signatures may not be able to catch new strains or variants of the malware. Typically, these strains and variants will share unique characteristics with others in their virus family. By using a generic signature to detect the shared characteristics, using wildcards where differences lie, the generic signature can detect viruses even if they are padded with extra, meaningless code. This method of detection is heuristic detection.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-78573",
+      "title": "The McAfee MOVE AV SVM Settings policy must be configured to scan for Multipurpose Internet Mail Extensions (MIME)-encoded files.",
+      "description": "Multipurpose Internet Mail Extensions (MIME) encoded files can be crafted to hide a malicious payload. When the MIME encoded file is presented to software that decodes the MIME encoded files, such as an email client, the malware is released. Scanning these files as part of the regularly scheduled scans tasks will mitigate this risk.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-78575",
+      "title": "The McAfee MOVE AV SVM Settings policy must be configured to use McAfee Global Threat Intelligence file reputation with a sensitivity level of medium or higher.",
+      "description": "Anti-virus software vendors use collective intelligence from sensors and cross-vector intelligence from web, email, and network threats to compile scores that reflect the likelihood of whether a file in question is malware. The collective intelligence is constantly being updated, more frequently than the typical daily anti-virus signature files. With File Reputation lookup, a more real-time response to potential malicious code is realized than with the local-running anti-virus software, since by querying the cloud-based database when a file appears to be suspicious, up-to-the-minute intelligence is provided. This type of protection reduces the threat protection time period from days to milliseconds, increases malware detection rates, and reduces downtime and remediation costs associated with malware attacks. Using File Reputation lookup is mandated by USCYBERCOM on DoD systems.",
+      "severity": "medium"
+    }
+  ]
+}