StigData/Archive/McAfee/U_McAfee_VirusScan88_Local_Client_STIG_V5R16_Manual-xccdf.xml

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584
1585
1586
1587
1588
1589
1590
1591
1592
1593
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609
1610
1611
1612
1613
1614
1615
1616
1617
1618
1619
1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
1630
1631
1632
1633
1634
1635
1636
1637
1638
1639
1640
1641
1642
1643
1644
1645
1646
1647
1648
1649
1650
1651
1652
1653
1654
1655
1656
1657
1658
1659
1660
1661
1662
1663
1664
1665
1666
1667
1668
1669
1670
1671
1672
1673
1674
1675
1676
1677
1678
1679
1680
1681
1682
1683
1684
1685
1686
1687
1688
1689
1690
1691
1692
1693
1694
1695
1696
1697
1698
1699
1700
1701
1702
1703
1704
1705
1706
1707
1708
1709
1710
1711
1712
1713
1714
1715
1716
1717
1718
1719
1720
1721
1722
1723
1724
1725
1726
1727
1728
1729
1730
1731
1732
1733
1734
1735
1736
1737
1738
1739
1740
1741
1742
1743
1744
1745
1746
1747
<?xml version="1.0" encoding="utf-8"?><?xml-stylesheet type='text/xsl' href='STIG_unclass.xsl'?><Benchmark xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:cpe="http://cpe.mitre.org/language/2.0" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:dc="http://purl.org/dc/elements/1.1/" id="McAfee_VirusScan88_Local_Client" xml:lang="en" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.1 http://nvd.nist.gov/schema/xccdf-1.1.4.xsd http://cpe.mitre.org/dictionary/2.0 http://cpe.mitre.org/files/cpe-dictionary_2.1.xsd" xmlns="http://checklists.nist.gov/xccdf/1.1"><status date="2018-07-09">accepted</status><title>McAfee VirusScan 8.8 Local Client STIG</title><description>The McAfee VirusScan 8.8 Local Client STIG is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the NIST 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.</description><notice id="terms-of-use" xml:lang="en"></notice><reference href="http://iase.disa.mil"><dc:publisher>DISA</dc:publisher><dc:source>STIG.DOD.MIL</dc:source></reference><plain-text id="release-info">Release: 16 Benchmark Date: 27 Jul 2018</plain-text><version>5</version><Profile id="MAC-1_Classified"><title>I - Mission Critical Classified</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-6453" selected="true" /><select idref="V-6467" selected="true" /><select idref="V-6468" selected="true" /><select idref="V-6469" selected="true" /><select idref="V-6470" selected="true" /><select idref="V-6474" selected="true" /><select idref="V-6475" selected="true" /><select idref="V-6478" selected="true" /><select idref="V-6583" selected="true" /><select idref="V-6585" selected="true" /><select idref="V-6586" selected="true" /><select idref="V-6587" selected="true" /><select idref="V-6588" selected="true" /><select idref="V-6590" selected="true" /><select idref="V-6591" selected="true" /><select idref="V-6592" selected="true" /><select idref="V-6596" selected="true" /><select idref="V-6597" selected="true" /><select idref="V-6599" selected="true" /><select idref="V-6600" selected="true" /><select idref="V-6601" selected="true" /><select idref="V-6602" selected="true" /><select idref="V-6604" selected="true" /><select idref="V-6611" selected="true" /><select idref="V-6612" selected="true" /><select idref="V-6614" selected="true" /><select idref="V-6615" selected="true" /><select idref="V-6616" selected="true" /><select idref="V-6617" selected="true" /><select idref="V-6618" selected="true" /><select idref="V-6620" selected="true" /><select idref="V-6625" selected="true" /><select idref="V-6627" selected="true" /><select idref="V-14618" selected="true" /><select idref="V-14619" selected="true" /><select idref="V-14620" selected="true" /><select idref="V-14621" selected="true" /><select idref="V-14622" selected="true" /><select idref="V-14623" selected="true" /><select idref="V-14624" selected="true" /><select idref="V-14625" selected="true" /><select idref="V-14626" selected="true" /><select idref="V-14627" selected="true" /><select idref="V-14628" selected="true" /><select idref="V-14630" selected="true" /><select idref="V-14631" selected="true" /><select idref="V-14652" selected="true" /><select idref="V-14654" selected="true" /><select idref="V-14657" selected="true" /><select idref="V-14658" selected="true" /><select idref="V-14659" selected="true" /><select idref="V-14660" selected="true" /><select idref="V-14661" selected="true" /><select idref="V-14662" selected="true" /><select idref="V-14663" selected="true" /><select idref="V-19910" selected="true" /><select idref="V-35027" selected="true" /><select idref="V-42514" selected="true" /><select idref="V-42515" selected="true" /><select idref="V-42549" selected="true" /><select idref="V-42550" selected="true" /><select idref="V-42551" selected="true" /><select idref="V-42552" selected="true" /><select idref="V-42553" selected="true" /><select idref="V-42554" selected="true" /><select idref="V-42555" selected="true" /><select idref="V-42556" selected="true" /><select idref="V-42557" selected="true" /><select idref="V-42558" selected="true" /><select idref="V-42559" selected="true" /><select idref="V-42560" selected="true" /><select idref="V-42561" selected="true" /><select idref="V-42562" selected="true" /><select idref="V-42563" selected="true" /><select idref="V-42564" selected="true" /><select idref="V-42565" selected="true" /><select idref="V-42566" selected="true" /><select idref="V-42567" selected="true" /><select idref="V-42569" selected="true" /><select idref="V-42570" selected="true" /><select idref="V-42571" selected="true" /><select idref="V-42572" selected="true" /><select idref="V-42573" selected="true" /><select idref="V-42574" selected="true" /><select idref="V-42575" selected="true" /><select idref="V-42576" selected="true" /><select idref="V-59365" selected="true" /></Profile><Profile id="MAC-1_Public"><title>I - Mission Critical Public</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-6453" selected="true" /><select idref="V-6467" selected="true" /><select idref="V-6468" selected="true" /><select idref="V-6469" selected="true" /><select idref="V-6470" selected="true" /><select idref="V-6474" selected="true" /><select idref="V-6475" selected="true" /><select idref="V-6478" selected="true" /><select idref="V-6583" selected="true" /><select idref="V-6585" selected="true" /><select idref="V-6586" selected="true" /><select idref="V-6587" selected="true" /><select idref="V-6588" selected="true" /><select idref="V-6590" selected="true" /><select idref="V-6591" selected="true" /><select idref="V-6592" selected="true" /><select idref="V-6596" selected="true" /><select idref="V-6597" selected="true" /><select idref="V-6599" selected="true" /><select idref="V-6600" selected="true" /><select idref="V-6601" selected="true" /><select idref="V-6602" selected="true" /><select idref="V-6604" selected="true" /><select idref="V-6611" selected="true" /><select idref="V-6612" selected="true" /><select idref="V-6614" selected="true" /><select idref="V-6615" selected="true" /><select idref="V-6616" selected="true" /><select idref="V-6617" selected="true" /><select idref="V-6618" selected="true" /><select idref="V-6620" selected="true" /><select idref="V-6625" selected="true" /><select idref="V-6627" selected="true" /><select idref="V-14618" selected="true" /><select idref="V-14619" selected="true" /><select idref="V-14620" selected="true" /><select idref="V-14621" selected="true" /><select idref="V-14622" selected="true" /><select idref="V-14623" selected="true" /><select idref="V-14624" selected="true" /><select idref="V-14625" selected="true" /><select idref="V-14626" selected="true" /><select idref="V-14627" selected="true" /><select idref="V-14628" selected="true" /><select idref="V-14630" selected="true" /><select idref="V-14631" selected="true" /><select idref="V-14652" selected="true" /><select idref="V-14654" selected="true" /><select idref="V-14657" selected="true" /><select idref="V-14658" selected="true" /><select idref="V-14659" selected="true" /><select idref="V-14660" selected="true" /><select idref="V-14661" selected="true" /><select idref="V-14662" selected="true" /><select idref="V-14663" selected="true" /><select idref="V-19910" selected="true" /><select idref="V-35027" selected="true" /><select idref="V-42514" selected="true" /><select idref="V-42515" selected="true" /><select idref="V-42549" selected="true" /><select idref="V-42550" selected="true" /><select idref="V-42551" selected="true" /><select idref="V-42552" selected="true" /><select idref="V-42553" selected="true" /><select idref="V-42554" selected="true" /><select idref="V-42555" selected="true" /><select idref="V-42556" selected="true" /><select idref="V-42557" selected="true" /><select idref="V-42558" selected="true" /><select idref="V-42559" selected="true" /><select idref="V-42560" selected="true" /><select idref="V-42561" selected="true" /><select idref="V-42562" selected="true" /><select idref="V-42563" selected="true" /><select idref="V-42564" selected="true" /><select idref="V-42565" selected="true" /><select idref="V-42566" selected="true" /><select idref="V-42567" selected="true" /><select idref="V-42569" selected="true" /><select idref="V-42570" selected="true" /><select idref="V-42571" selected="true" /><select idref="V-42572" selected="true" /><select idref="V-42573" selected="true" /><select idref="V-42574" selected="true" /><select idref="V-42575" selected="true" /><select idref="V-42576" selected="true" /><select idref="V-59365" selected="true" /></Profile><Profile id="MAC-1_Sensitive"><title>I - Mission Critical Sensitive</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-6453" selected="true" /><select idref="V-6467" selected="true" /><select idref="V-6468" selected="true" /><select idref="V-6469" selected="true" /><select idref="V-6470" selected="true" /><select idref="V-6474" selected="true" /><select idref="V-6475" selected="true" /><select idref="V-6478" selected="true" /><select idref="V-6583" selected="true" /><select idref="V-6585" selected="true" /><select idref="V-6586" selected="true" /><select idref="V-6587" selected="true" /><select idref="V-6588" selected="true" /><select idref="V-6590" selected="true" /><select idref="V-6591" selected="true" /><select idref="V-6592" selected="true" /><select idref="V-6596" selected="true" /><select idref="V-6597" selected="true" /><select idref="V-6599" selected="true" /><select idref="V-6600" selected="true" /><select idref="V-6601" selected="true" /><select idref="V-6602" selected="true" /><select idref="V-6604" selected="true" /><select idref="V-6611" selected="true" /><select idref="V-6612" selected="true" /><select idref="V-6614" selected="true" /><select idref="V-6615" selected="true" /><select idref="V-6616" selected="true" /><select idref="V-6617" selected="true" /><select idref="V-6618" selected="true" /><select idref="V-6620" selected="true" /><select idref="V-6625" selected="true" /><select idref="V-6627" selected="true" /><select idref="V-14618" selected="true" /><select idref="V-14619" selected="true" /><select idref="V-14620" selected="true" /><select idref="V-14621" selected="true" /><select idref="V-14622" selected="true" /><select idref="V-14623" selected="true" /><select idref="V-14624" selected="true" /><select idref="V-14625" selected="true" /><select idref="V-14626" selected="true" /><select idref="V-14627" selected="true" /><select idref="V-14628" selected="true" /><select idref="V-14630" selected="true" /><select idref="V-14631" selected="true" /><select idref="V-14652" selected="true" /><select idref="V-14654" selected="true" /><select idref="V-14657" selected="true" /><select idref="V-14658" selected="true" /><select idref="V-14659" selected="true" /><select idref="V-14660" selected="true" /><select idref="V-14661" selected="true" /><select idref="V-14662" selected="true" /><select idref="V-14663" selected="true" /><select idref="V-19910" selected="true" /><select idref="V-35027" selected="true" /><select idref="V-42514" selected="true" /><select idref="V-42515" selected="true" /><select idref="V-42549" selected="true" /><select idref="V-42550" selected="true" /><select idref="V-42551" selected="true" /><select idref="V-42552" selected="true" /><select idref="V-42553" selected="true" /><select idref="V-42554" selected="true" /><select idref="V-42555" selected="true" /><select idref="V-42556" selected="true" /><select idref="V-42557" selected="true" /><select idref="V-42558" selected="true" /><select idref="V-42559" selected="true" /><select idref="V-42560" selected="true" /><select idref="V-42561" selected="true" /><select idref="V-42562" selected="true" /><select idref="V-42563" selected="true" /><select idref="V-42564" selected="true" /><select idref="V-42565" selected="true" /><select idref="V-42566" selected="true" /><select idref="V-42567" selected="true" /><select idref="V-42569" selected="true" /><select idref="V-42570" selected="true" /><select idref="V-42571" selected="true" /><select idref="V-42572" selected="true" /><select idref="V-42573" selected="true" /><select idref="V-42574" selected="true" /><select idref="V-42575" selected="true" /><select idref="V-42576" selected="true" /><select idref="V-59365" selected="true" /></Profile><Profile id="MAC-2_Classified"><title>II - Mission Support Classified</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-6453" selected="true" /><select idref="V-6467" selected="true" /><select idref="V-6468" selected="true" /><select idref="V-6469" selected="true" /><select idref="V-6470" selected="true" /><select idref="V-6474" selected="true" /><select idref="V-6475" selected="true" /><select idref="V-6478" selected="true" /><select idref="V-6583" selected="true" /><select idref="V-6585" selected="true" /><select idref="V-6586" selected="true" /><select idref="V-6587" selected="true" /><select idref="V-6588" selected="true" /><select idref="V-6590" selected="true" /><select idref="V-6591" selected="true" /><select idref="V-6592" selected="true" /><select idref="V-6596" selected="true" /><select idref="V-6597" selected="true" /><select idref="V-6599" selected="true" /><select idref="V-6600" selected="true" /><select idref="V-6601" selected="true" /><select idref="V-6602" selected="true" /><select idref="V-6604" selected="true" /><select idref="V-6611" selected="true" /><select idref="V-6612" selected="true" /><select idref="V-6614" selected="true" /><select idref="V-6615" selected="true" /><select idref="V-6616" selected="true" /><select idref="V-6617" selected="true" /><select idref="V-6618" selected="true" /><select idref="V-6620" selected="true" /><select idref="V-6625" selected="true" /><select idref="V-6627" selected="true" /><select idref="V-14618" selected="true" /><select idref="V-14619" selected="true" /><select idref="V-14620" selected="true" /><select idref="V-14621" selected="true" /><select idref="V-14622" selected="true" /><select idref="V-14623" selected="true" /><select idref="V-14624" selected="true" /><select idref="V-14625" selected="true" /><select idref="V-14626" selected="true" /><select idref="V-14627" selected="true" /><select idref="V-14628" selected="true" /><select idref="V-14630" selected="true" /><select idref="V-14631" selected="true" /><select idref="V-14652" selected="true" /><select idref="V-14654" selected="true" /><select idref="V-14657" selected="true" /><select idref="V-14658" selected="true" /><select idref="V-14659" selected="true" /><select idref="V-14660" selected="true" /><select idref="V-14661" selected="true" /><select idref="V-14662" selected="true" /><select idref="V-14663" selected="true" /><select idref="V-19910" selected="true" /><select idref="V-35027" selected="true" /><select idref="V-42514" selected="true" /><select idref="V-42515" selected="true" /><select idref="V-42549" selected="true" /><select idref="V-42550" selected="true" /><select idref="V-42551" selected="true" /><select idref="V-42552" selected="true" /><select idref="V-42553" selected="true" /><select idref="V-42554" selected="true" /><select idref="V-42555" selected="true" /><select idref="V-42556" selected="true" /><select idref="V-42557" selected="true" /><select idref="V-42558" selected="true" /><select idref="V-42559" selected="true" /><select idref="V-42560" selected="true" /><select idref="V-42561" selected="true" /><select idref="V-42562" selected="true" /><select idref="V-42563" selected="true" /><select idref="V-42564" selected="true" /><select idref="V-42565" selected="true" /><select idref="V-42566" selected="true" /><select idref="V-42567" selected="true" /><select idref="V-42569" selected="true" /><select idref="V-42570" selected="true" /><select idref="V-42571" selected="true" /><select idref="V-42572" selected="true" /><select idref="V-42573" selected="true" /><select idref="V-42574" selected="true" /><select idref="V-42575" selected="true" /><select idref="V-42576" selected="true" /><select idref="V-59365" selected="true" /></Profile><Profile id="MAC-2_Public"><title>II - Mission Support Public</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-6453" selected="true" /><select idref="V-6467" selected="true" /><select idref="V-6468" selected="true" /><select idref="V-6469" selected="true" /><select idref="V-6470" selected="true" /><select idref="V-6474" selected="true" /><select idref="V-6475" selected="true" /><select idref="V-6478" selected="true" /><select idref="V-6583" selected="true" /><select idref="V-6585" selected="true" /><select idref="V-6586" selected="true" /><select idref="V-6587" selected="true" /><select idref="V-6588" selected="true" /><select idref="V-6590" selected="true" /><select idref="V-6591" selected="true" /><select idref="V-6592" selected="true" /><select idref="V-6596" selected="true" /><select idref="V-6597" selected="true" /><select idref="V-6599" selected="true" /><select idref="V-6600" selected="true" /><select idref="V-6601" selected="true" /><select idref="V-6602" selected="true" /><select idref="V-6604" selected="true" /><select idref="V-6611" selected="true" /><select idref="V-6612" selected="true" /><select idref="V-6614" selected="true" /><select idref="V-6615" selected="true" /><select idref="V-6616" selected="true" /><select idref="V-6617" selected="true" /><select idref="V-6618" selected="true" /><select idref="V-6620" selected="true" /><select idref="V-6625" selected="true" /><select idref="V-6627" selected="true" /><select idref="V-14618" selected="true" /><select idref="V-14619" selected="true" /><select idref="V-14620" selected="true" /><select idref="V-14621" selected="true" /><select idref="V-14622" selected="true" /><select idref="V-14623" selected="true" /><select idref="V-14624" selected="true" /><select idref="V-14625" selected="true" /><select idref="V-14626" selected="true" /><select idref="V-14627" selected="true" /><select idref="V-14628" selected="true" /><select idref="V-14630" selected="true" /><select idref="V-14631" selected="true" /><select idref="V-14652" selected="true" /><select idref="V-14654" selected="true" /><select idref="V-14657" selected="true" /><select idref="V-14658" selected="true" /><select idref="V-14659" selected="true" /><select idref="V-14660" selected="true" /><select idref="V-14661" selected="true" /><select idref="V-14662" selected="true" /><select idref="V-14663" selected="true" /><select idref="V-19910" selected="true" /><select idref="V-35027" selected="true" /><select idref="V-42514" selected="true" /><select idref="V-42515" selected="true" /><select idref="V-42549" selected="true" /><select idref="V-42550" selected="true" /><select idref="V-42551" selected="true" /><select idref="V-42552" selected="true" /><select idref="V-42553" selected="true" /><select idref="V-42554" selected="true" /><select idref="V-42555" selected="true" /><select idref="V-42556" selected="true" /><select idref="V-42557" selected="true" /><select idref="V-42558" selected="true" /><select idref="V-42559" selected="true" /><select idref="V-42560" selected="true" /><select idref="V-42561" selected="true" /><select idref="V-42562" selected="true" /><select idref="V-42563" selected="true" /><select idref="V-42564" selected="true" /><select idref="V-42565" selected="true" /><select idref="V-42566" selected="true" /><select idref="V-42567" selected="true" /><select idref="V-42569" selected="true" /><select idref="V-42570" selected="true" /><select idref="V-42571" selected="true" /><select idref="V-42572" selected="true" /><select idref="V-42573" selected="true" /><select idref="V-42574" selected="true" /><select idref="V-42575" selected="true" /><select idref="V-42576" selected="true" /><select idref="V-59365" selected="true" /></Profile><Profile id="MAC-2_Sensitive"><title>II - Mission Support Sensitive</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-6453" selected="true" /><select idref="V-6467" selected="true" /><select idref="V-6468" selected="true" /><select idref="V-6469" selected="true" /><select idref="V-6470" selected="true" /><select idref="V-6474" selected="true" /><select idref="V-6475" selected="true" /><select idref="V-6478" selected="true" /><select idref="V-6583" selected="true" /><select idref="V-6585" selected="true" /><select idref="V-6586" selected="true" /><select idref="V-6587" selected="true" /><select idref="V-6588" selected="true" /><select idref="V-6590" selected="true" /><select idref="V-6591" selected="true" /><select idref="V-6592" selected="true" /><select idref="V-6596" selected="true" /><select idref="V-6597" selected="true" /><select idref="V-6599" selected="true" /><select idref="V-6600" selected="true" /><select idref="V-6601" selected="true" /><select idref="V-6602" selected="true" /><select idref="V-6604" selected="true" /><select idref="V-6611" selected="true" /><select idref="V-6612" selected="true" /><select idref="V-6614" selected="true" /><select idref="V-6615" selected="true" /><select idref="V-6616" selected="true" /><select idref="V-6617" selected="true" /><select idref="V-6618" selected="true" /><select idref="V-6620" selected="true" /><select idref="V-6625" selected="true" /><select idref="V-6627" selected="true" /><select idref="V-14618" selected="true" /><select idref="V-14619" selected="true" /><select idref="V-14620" selected="true" /><select idref="V-14621" selected="true" /><select idref="V-14622" selected="true" /><select idref="V-14623" selected="true" /><select idref="V-14624" selected="true" /><select idref="V-14625" selected="true" /><select idref="V-14626" selected="true" /><select idref="V-14627" selected="true" /><select idref="V-14628" selected="true" /><select idref="V-14630" selected="true" /><select idref="V-14631" selected="true" /><select idref="V-14652" selected="true" /><select idref="V-14654" selected="true" /><select idref="V-14657" selected="true" /><select idref="V-14658" selected="true" /><select idref="V-14659" selected="true" /><select idref="V-14660" selected="true" /><select idref="V-14661" selected="true" /><select idref="V-14662" selected="true" /><select idref="V-14663" selected="true" /><select idref="V-19910" selected="true" /><select idref="V-35027" selected="true" /><select idref="V-42514" selected="true" /><select idref="V-42515" selected="true" /><select idref="V-42549" selected="true" /><select idref="V-42550" selected="true" /><select idref="V-42551" selected="true" /><select idref="V-42552" selected="true" /><select idref="V-42553" selected="true" /><select idref="V-42554" selected="true" /><select idref="V-42555" selected="true" /><select idref="V-42556" selected="true" /><select idref="V-42557" selected="true" /><select idref="V-42558" selected="true" /><select idref="V-42559" selected="true" /><select idref="V-42560" selected="true" /><select idref="V-42561" selected="true" /><select idref="V-42562" selected="true" /><select idref="V-42563" selected="true" /><select idref="V-42564" selected="true" /><select idref="V-42565" selected="true" /><select idref="V-42566" selected="true" /><select idref="V-42567" selected="true" /><select idref="V-42569" selected="true" /><select idref="V-42570" selected="true" /><select idref="V-42571" selected="true" /><select idref="V-42572" selected="true" /><select idref="V-42573" selected="true" /><select idref="V-42574" selected="true" /><select idref="V-42575" selected="true" /><select idref="V-42576" selected="true" /><select idref="V-59365" selected="true" /></Profile><Profile id="MAC-3_Classified"><title>III - Administrative Classified</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-6453" selected="true" /><select idref="V-6467" selected="true" /><select idref="V-6468" selected="true" /><select idref="V-6469" selected="true" /><select idref="V-6470" selected="true" /><select idref="V-6474" selected="true" /><select idref="V-6475" selected="true" /><select idref="V-6478" selected="true" /><select idref="V-6583" selected="true" /><select idref="V-6585" selected="true" /><select idref="V-6586" selected="true" /><select idref="V-6587" selected="true" /><select idref="V-6588" selected="true" /><select idref="V-6590" selected="true" /><select idref="V-6591" selected="true" /><select idref="V-6592" selected="true" /><select idref="V-6596" selected="true" /><select idref="V-6597" selected="true" /><select idref="V-6599" selected="true" /><select idref="V-6600" selected="true" /><select idref="V-6601" selected="true" /><select idref="V-6602" selected="true" /><select idref="V-6604" selected="true" /><select idref="V-6611" selected="true" /><select idref="V-6612" selected="true" /><select idref="V-6614" selected="true" /><select idref="V-6615" selected="true" /><select idref="V-6616" selected="true" /><select idref="V-6617" selected="true" /><select idref="V-6618" selected="true" /><select idref="V-6620" selected="true" /><select idref="V-6625" selected="true" /><select idref="V-6627" selected="true" /><select idref="V-14618" selected="true" /><select idref="V-14619" selected="true" /><select idref="V-14620" selected="true" /><select idref="V-14621" selected="true" /><select idref="V-14622" selected="true" /><select idref="V-14623" selected="true" /><select idref="V-14624" selected="true" /><select idref="V-14625" selected="true" /><select idref="V-14626" selected="true" /><select idref="V-14627" selected="true" /><select idref="V-14628" selected="true" /><select idref="V-14630" selected="true" /><select idref="V-14631" selected="true" /><select idref="V-14652" selected="true" /><select idref="V-14654" selected="true" /><select idref="V-14657" selected="true" /><select idref="V-14658" selected="true" /><select idref="V-14659" selected="true" /><select idref="V-14660" selected="true" /><select idref="V-14661" selected="true" /><select idref="V-14662" selected="true" /><select idref="V-14663" selected="true" /><select idref="V-19910" selected="true" /><select idref="V-35027" selected="true" /><select idref="V-42514" selected="true" /><select idref="V-42515" selected="true" /><select idref="V-42549" selected="true" /><select idref="V-42550" selected="true" /><select idref="V-42551" selected="true" /><select idref="V-42552" selected="true" /><select idref="V-42553" selected="true" /><select idref="V-42554" selected="true" /><select idref="V-42555" selected="true" /><select idref="V-42556" selected="true" /><select idref="V-42557" selected="true" /><select idref="V-42558" selected="true" /><select idref="V-42559" selected="true" /><select idref="V-42560" selected="true" /><select idref="V-42561" selected="true" /><select idref="V-42562" selected="true" /><select idref="V-42563" selected="true" /><select idref="V-42564" selected="true" /><select idref="V-42565" selected="true" /><select idref="V-42566" selected="true" /><select idref="V-42567" selected="true" /><select idref="V-42569" selected="true" /><select idref="V-42570" selected="true" /><select idref="V-42571" selected="true" /><select idref="V-42572" selected="true" /><select idref="V-42573" selected="true" /><select idref="V-42574" selected="true" /><select idref="V-42575" selected="true" /><select idref="V-42576" selected="true" /><select idref="V-59365" selected="true" /></Profile><Profile id="MAC-3_Public"><title>III - Administrative Public</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-6453" selected="true" /><select idref="V-6467" selected="true" /><select idref="V-6468" selected="true" /><select idref="V-6469" selected="true" /><select idref="V-6470" selected="true" /><select idref="V-6474" selected="true" /><select idref="V-6475" selected="true" /><select idref="V-6478" selected="true" /><select idref="V-6583" selected="true" /><select idref="V-6585" selected="true" /><select idref="V-6586" selected="true" /><select idref="V-6587" selected="true" /><select idref="V-6588" selected="true" /><select idref="V-6590" selected="true" /><select idref="V-6591" selected="true" /><select idref="V-6592" selected="true" /><select idref="V-6596" selected="true" /><select idref="V-6597" selected="true" /><select idref="V-6599" selected="true" /><select idref="V-6600" selected="true" /><select idref="V-6601" selected="true" /><select idref="V-6602" selected="true" /><select idref="V-6604" selected="true" /><select idref="V-6611" selected="true" /><select idref="V-6612" selected="true" /><select idref="V-6614" selected="true" /><select idref="V-6615" selected="true" /><select idref="V-6616" selected="true" /><select idref="V-6617" selected="true" /><select idref="V-6618" selected="true" /><select idref="V-6620" selected="true" /><select idref="V-6625" selected="true" /><select idref="V-6627" selected="true" /><select idref="V-14618" selected="true" /><select idref="V-14619" selected="true" /><select idref="V-14620" selected="true" /><select idref="V-14621" selected="true" /><select idref="V-14622" selected="true" /><select idref="V-14623" selected="true" /><select idref="V-14624" selected="true" /><select idref="V-14625" selected="true" /><select idref="V-14626" selected="true" /><select idref="V-14627" selected="true" /><select idref="V-14628" selected="true" /><select idref="V-14630" selected="true" /><select idref="V-14631" selected="true" /><select idref="V-14652" selected="true" /><select idref="V-14654" selected="true" /><select idref="V-14657" selected="true" /><select idref="V-14658" selected="true" /><select idref="V-14659" selected="true" /><select idref="V-14660" selected="true" /><select idref="V-14661" selected="true" /><select idref="V-14662" selected="true" /><select idref="V-14663" selected="true" /><select idref="V-19910" selected="true" /><select idref="V-35027" selected="true" /><select idref="V-42514" selected="true" /><select idref="V-42515" selected="true" /><select idref="V-42549" selected="true" /><select idref="V-42550" selected="true" /><select idref="V-42551" selected="true" /><select idref="V-42552" selected="true" /><select idref="V-42553" selected="true" /><select idref="V-42554" selected="true" /><select idref="V-42555" selected="true" /><select idref="V-42556" selected="true" /><select idref="V-42557" selected="true" /><select idref="V-42558" selected="true" /><select idref="V-42559" selected="true" /><select idref="V-42560" selected="true" /><select idref="V-42561" selected="true" /><select idref="V-42562" selected="true" /><select idref="V-42563" selected="true" /><select idref="V-42564" selected="true" /><select idref="V-42565" selected="true" /><select idref="V-42566" selected="true" /><select idref="V-42567" selected="true" /><select idref="V-42569" selected="true" /><select idref="V-42570" selected="true" /><select idref="V-42571" selected="true" /><select idref="V-42572" selected="true" /><select idref="V-42573" selected="true" /><select idref="V-42574" selected="true" /><select idref="V-42575" selected="true" /><select idref="V-42576" selected="true" /><select idref="V-59365" selected="true" /></Profile><Profile id="MAC-3_Sensitive"><title>III - Administrative Sensitive</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-6453" selected="true" /><select idref="V-6467" selected="true" /><select idref="V-6468" selected="true" /><select idref="V-6469" selected="true" /><select idref="V-6470" selected="true" /><select idref="V-6474" selected="true" /><select idref="V-6475" selected="true" /><select idref="V-6478" selected="true" /><select idref="V-6583" selected="true" /><select idref="V-6585" selected="true" /><select idref="V-6586" selected="true" /><select idref="V-6587" selected="true" /><select idref="V-6588" selected="true" /><select idref="V-6590" selected="true" /><select idref="V-6591" selected="true" /><select idref="V-6592" selected="true" /><select idref="V-6596" selected="true" /><select idref="V-6597" selected="true" /><select idref="V-6599" selected="true" /><select idref="V-6600" selected="true" /><select idref="V-6601" selected="true" /><select idref="V-6602" selected="true" /><select idref="V-6604" selected="true" /><select idref="V-6611" selected="true" /><select idref="V-6612" selected="true" /><select idref="V-6614" selected="true" /><select idref="V-6615" selected="true" /><select idref="V-6616" selected="true" /><select idref="V-6617" selected="true" /><select idref="V-6618" selected="true" /><select idref="V-6620" selected="true" /><select idref="V-6625" selected="true" /><select idref="V-6627" selected="true" /><select idref="V-14618" selected="true" /><select idref="V-14619" selected="true" /><select idref="V-14620" selected="true" /><select idref="V-14621" selected="true" /><select idref="V-14622" selected="true" /><select idref="V-14623" selected="true" /><select idref="V-14624" selected="true" /><select idref="V-14625" selected="true" /><select idref="V-14626" selected="true" /><select idref="V-14627" selected="true" /><select idref="V-14628" selected="true" /><select idref="V-14630" selected="true" /><select idref="V-14631" selected="true" /><select idref="V-14652" selected="true" /><select idref="V-14654" selected="true" /><select idref="V-14657" selected="true" /><select idref="V-14658" selected="true" /><select idref="V-14659" selected="true" /><select idref="V-14660" selected="true" /><select idref="V-14661" selected="true" /><select idref="V-14662" selected="true" /><select idref="V-14663" selected="true" /><select idref="V-19910" selected="true" /><select idref="V-35027" selected="true" /><select idref="V-42514" selected="true" /><select idref="V-42515" selected="true" /><select idref="V-42549" selected="true" /><select idref="V-42550" selected="true" /><select idref="V-42551" selected="true" /><select idref="V-42552" selected="true" /><select idref="V-42553" selected="true" /><select idref="V-42554" selected="true" /><select idref="V-42555" selected="true" /><select idref="V-42556" selected="true" /><select idref="V-42557" selected="true" /><select idref="V-42558" selected="true" /><select idref="V-42559" selected="true" /><select idref="V-42560" selected="true" /><select idref="V-42561" selected="true" /><select idref="V-42562" selected="true" /><select idref="V-42563" selected="true" /><select idref="V-42564" selected="true" /><select idref="V-42565" selected="true" /><select idref="V-42566" selected="true" /><select idref="V-42567" selected="true" /><select idref="V-42569" selected="true" /><select idref="V-42570" selected="true" /><select idref="V-42571" selected="true" /><select idref="V-42572" selected="true" /><select idref="V-42573" selected="true" /><select idref="V-42574" selected="true" /><select idref="V-42575" selected="true" /><select idref="V-42576" selected="true" /><select idref="V-59365" selected="true" /></Profile><Group id="V-6453"><title>DTAM001-McAfee VirusScan Control Panel </title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-56365r1_rule" severity="high" weight="10.0"><version>DTAM001</version><title>McAfee VirusScan On-Access Scanner General Settings must be configured to enable on-access scanning at system startup.</title><description>&lt;VulnDiscussion&gt;For Antivirus software to be effective, it must be running at all times, beginning from the point of the system's initial startup. Otherwise, the risk is greater for viruses, trojans, and other malware infecting the system during that startup phase.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;System Administrator&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target McAfee AntiVirus Locally Configured Client</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>McAfee AntiVirus Locally Configured Client</dc:subject><dc:identifier>605</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001242</ident><fixtext fixref="F-49116r1_fix">Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
On the menu bar, click Task-&gt;On-Access Scanner Properties.
 
Under the General tab, locate the "General:" label. Select the "Enable on-access scanning at system startup" option.
 
Click OK to Save.</fixtext><fix id="F-49116r1_fix" /><check system="C-49292r2_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_McAfee_VirusScan88_Local_Client.xml" /><check-content>Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
On the menu bar, click Task-&gt;On-Access Scanner Properties.
Select the General Settings.
Under the General tab, locate the "General:" label. Ensure the "Enable on-access scanning at system startup" option is selected.
 
Criteria: If the "Enable on-access scanning at startup" option is selected, this is not a finding.
 
On the client machine, use the Windows Registry Editor to navigate to the following key:
HKLM\Software\McAfee\ (32-bit)
HKLM\Software\Wow6432Node\McAfee\ (64-bit)
\SystemCore\VSCore\On Access Scanner\McShield\Configuration
 
Criteria: If the value of bStartDisabled is 0, this is not a finding. If the value is 1, this is a finding.
</check-content></check></Rule></Group><Group id="V-6467"><title>DTAM002-McAfee VirusScan on access scan boot sectors</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-56367r1_rule" severity="medium" weight="10.0"><version>DTAM002</version><title>McAfee VirusScan On-Access Scanner General Settings must be configured to scan boot sectors.</title><description>&lt;VulnDiscussion&gt;Boot sector viruses will install into the boot sector of a system, ensuring that they will execute when the user boots the system. This risk is mitigated by scanning boot sectors at each startup of the system.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;System Administrator&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target McAfee AntiVirus Locally Configured Client</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>McAfee AntiVirus Locally Configured Client</dc:subject><dc:identifier>605</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001242</ident><fixtext fixref="F-49048r1_fix">Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
On the menu bar, click Task-&gt;On-Access Scanner Properties.
Select the General Settings.
 
Under the General tab, locate the "Scan:" label. Select the "Boot Sectors" option.
 
Click OK to Save.
 
</fixtext><fix id="F-49048r1_fix" /><check system="C-49291r2_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_McAfee_VirusScan88_Local_Client.xml" /><check-content>Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
On the menu bar, click Task-&gt;On-Access Scanner Properties
Select the General Settings.
 
Under the General tab, locate the "Scan:" label. Ensure the "Boot Sectors" option is selected.
 
Criteria: If the "Boot Sectors" option is selected, this is not a finding.
 
On the client machine, use the Windows Registry Editor to navigate to the following key:
HKLM\Software\McAfee\ (32-bit)
HKLM\Software\Wow6432Node\McAfee\ (64-bit)
\SystemCore\VSCore\On Access Scanner\McShield\Configuration
 
Criteria: If the value of bDontScanBootSectors is 0, this is not a finding. If the value is 1, this is a finding.</check-content></check></Rule></Group><Group id="V-6468"><title>DTAM003-McAfee VirusScan on access scan floppy</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-56368r1_rule" severity="medium" weight="10.0"><version>DTAM003</version><title>McAfee VirusScan On-Access Scanner General Settings must be configured to scan floppy during shutdown.</title><description>&lt;VulnDiscussion&gt;Computer viruses in the early days of personal computing were almost exclusively passed around by floppy disks. Floppy disks would be used to boot the computer and, if infected, would infect the hard drive files, as well. Although floppy drives have fallen out of use, it is still a good security practice, whenever the antivirus software allows, to enable the scanning software to scan a floppy disk at shutdown.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;System Administrator&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target McAfee AntiVirus Locally Configured Client</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>McAfee AntiVirus Locally Configured Client</dc:subject><dc:identifier>605</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001242</ident><fixtext fixref="F-49049r2_fix">Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console
On the menu bar, click Task-&gt;On-Access Scanner Properties.
Select the General Settings.
 
Under the General tab, locate the "Scan:" label. Select the "Floppy during shutdown" option.
 
Click OK to Save.</fixtext><fix id="F-49049r2_fix" /><check system="C-49294r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_McAfee_VirusScan88_Local_Client.xml" /><check-content>Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
On the menu bar, click Task-&gt;On-Access Scanner Properties.
Select the General Settings.
 
Under the General tab, locate the "Scan:" label. Ensure the "Floppy during shutdown" option is selected.
 
Criteria: If the "Floppy during shutdown" option is selected, this is not a finding.
 
On the client machine, use the Windows Registry Editor to navigate to the following key:
HKLM\Software\McAfee\ (32-bit)
HKLM\Software\Wow6432Node\McAfee\ (64-bit)
SystemCore\VSCore\On Access Scanner\McShield\Configuration\
 
Criteria: If the value of bScanFloppyonShutdown is 1, this is not a finding. If the value is 0, this is a finding.</check-content></check></Rule></Group><Group id="V-6469"><title>DTAM004-McAfee VirusScan message dialog</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-56369r1_rule" severity="medium" weight="10.0"><version>DTAM004</version><title>McAfee VirusScan On-Access Scanner General Settings must be configured to notify local users when detections occur.</title><description>&lt;VulnDiscussion&gt;An effective awareness program explains proper rules of behavior for use of an organization's IT systems and information. Accordingly, awareness programs should include guidance to users on malware incident prevention, which can help reduce the frequency and severity of malware incidents.
 
Organizations should also make users aware of policies and procedures that apply to malware incident handling, such as how to identify if a host may be infected, how to report a suspected incident, and what users need to do to assist with incident handling
 
Ensuring the antivirus software alerts the users when malware is detected will ensure the user is informed of the incident and be able to more closely relate the incident to action being performed by the user at the time of the detection.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;System Administrator&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target McAfee AntiVirus Locally Configured Client</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>McAfee AntiVirus Locally Configured Client</dc:subject><dc:identifier>605</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001662</ident><fixtext fixref="F-49050r1_fix">Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console
On the menu bar, click Task-&gt;On-Access Scanner Properties.
Select the General Settings.
Under the Messages tab, locate the "Messages for local users:" label. Select the "Show the messages dialog box when a threat is detected and display the specified text in the message" option.
 
Click OK to Save.</fixtext><fix id="F-49050r1_fix" /><check system="C-49295r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_McAfee_VirusScan88_Local_Client.xml" /><check-content>Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
On the menu bar, click Task-&gt;On-Access Scanner Properties.
Select the General Settings.
 
Under the Messages tab, locate the "Message for local users:" label. Ensure the "Show the messages dialog box when a threat is detected and display the specified text in the message" option is selected.
 
Criteria: If the "Show the messages dialog box when a threat is detected and display the specified text in the message" option is selected, this is not a finding.
 
On the client machine, use the Windows Registry Editor to navigate to the following key:
HKLM\Software\McAfee\ (32-bit)
HKLM\Software\Wow6432Node\McAfee\ (64-bit)
SystemCore\VSCore\On Access Scanner\McShield\Configuration
 
Criteria: If the value of Alert_AutoShowList is 1, this is not a finding. If the value is 0, this is a finding.</check-content></check></Rule></Group><Group id="V-6470"><title>DTAM005-McAfee VirusScan remove messages</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-56370r1_rule" severity="medium" weight="10.0"><version>DTAM005</version><title>McAfee VirusScan On-Access Scanner General Settings must be configured to prevent users from removing messages from the list.</title><description>&lt;VulnDiscussion&gt;Good incident response analysis includes reviewing all logs and alerts on the system reporting the infection. If users were permitted to remove alerts from the display, incident response forensic analysis would be inhibited.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;System Administrator&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target McAfee AntiVirus Locally Configured Client</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>McAfee AntiVirus Locally Configured Client</dc:subject><dc:identifier>605</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001242</ident><fixtext fixref="F-49052r1_fix">Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
On the menu bar, click on Task-&gt;On-Access Scanner Properties.
Select the General Settings.
 
Under the Messages tab, locate the "Actions available to user:" label. Uncheck the "Remove messages from the list" option.
 
Click OK to Save.</fixtext><fix id="F-49052r1_fix" /><check system="C-49296r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_McAfee_VirusScan88_Local_Client.xml" /><check-content>Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
On the menu bar, click Task-&gt;On-Access Scanner Properties.
Select the General Settings.
 
Under the Messages tab, locate the "Actions available to user:" label. Ensure the "Remove messages from the list" option is NOT selected.
 
Criteria: If the "Remove messages from the list" option is NOT selected, this is not a finding.
 
On the client machine use the Windows Registry Editor to navigate to the following key:
HKLM\Software\McAfee\ (32-bit)
HKLM\Software\Wow6432Node\McAfee\ (64-bit)
SystemCore\VSCore\On Access Scanner\McShield\Configuration
 
Criteria: If the value of Alert_UsersCanRemove is 0, this is not a finding. If the value is 1, this is a finding.</check-content></check></Rule></Group><Group id="V-6474"><title>DTAM009-McAfee VirusScan Control Panel log</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-56371r1_rule" severity="medium" weight="10.0"><version>DTAM009</version><title>McAfee VirusScan On-Access Scanner General Settings must be configured to log the scan sessions.</title><description>&lt;VulnDiscussion&gt;Log management is essential to ensuring that computer security records are stored in sufficient detail for an appropriate period of time. Routine log analysis is beneficial for identifying security incidents, policy violations, fraudulent activity, and operational problems. Logs are also useful when performing auditing and forensic analysis, supporting internal investigations, establishing baselines, and identifying operational trends and long-term problems.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;System Administrator&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target McAfee AntiVirus Locally Configured Client</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>McAfee AntiVirus Locally Configured Client</dc:subject><dc:identifier>605</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001242</ident><fixtext fixref="F-49053r1_fix">Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
On the menu bar, click Task-&gt;On-Access Scanner Properties.
Select the General Settings.
 
Under the Reports tab, locate the "Log file" label. Select the "Enable activity logging and accept the default location for the log file or specify a new location" option.
 
Click OK to Save.</fixtext><fix id="F-49053r1_fix" /><check system="C-49297r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_McAfee_VirusScan88_Local_Client.xml" /><check-content>Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
On the menu bar, click Task-&gt;On-Access Scanner Properties.
Select the General Settings.
 
Under the Reports tab, locate the "Log file" label. Ensure the "Enable activity logging and accept the default location for the log file or specify a new location" option is selected.
 
Criteria: If the "Enable activity logging and accept the default location for the log file or specify a new location" option is selected, this is not a finding.
 
On the client machine, use the Windows Registry Editor to navigate to the following key:
HKLM\Software\McAfee\ (32-bit) HKLM\Software\Wow6432Node\McAfee\ (64-bit)SystemCore\VSCore\On Access Scanner\McShield\Configuration
 
Criteria: If the value of bLogtoFile is 1, this is not a finding. If the value is 0, this is a finding.</check-content></check></Rule></Group><Group id="V-6475"><title>DTAM010-McAfee VirusScan limit log size parameter </title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-56372r1_rule" severity="medium" weight="10.0"><version>DTAM010</version><title>McAfee VirusScan On-Access Scanner General Settings log file size must be restricted and be configured to at least 10MB.</title><description>&lt;VulnDiscussion&gt;While logging is imperative to forensic analysis, logs could grow to the point of impacting disk space on the system. In order to avoid the risk of logs growing to the size of impacting the operating system, the log size will be restricted. If the data in the log file exceeds the file size set, the oldest 20 percent of the entries are deleted and new data is appended to the file, so although the file size is restricted, it must also be large enough to retain forensic value.
&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;System Administrator&lt;/Responsibility&gt;&lt;IAControls&gt;ECSC-1&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target McAfee AntiVirus Locally Configured Client</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>McAfee AntiVirus Locally Configured Client</dc:subject><dc:identifier>605</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001242</ident><fixtext fixref="F-49054r1_fix">Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
On the menu bar, click Task-&gt;On-Access Scanner Properties.
Select the General Settings.
 
Under the Reports tab, locate the "Log file size:" label. Select the "Limit the size of log file" option. For the "Maximum log file size:", select a value of at least 10MB or more.
 
Click OK to Save.</fixtext><fix id="F-49054r1_fix" /><check system="C-49298r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_McAfee_VirusScan88_Local_Client.xml" /><check-content>Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
On the menu bar, click Task-&gt;On-Access Scanner Properties.
Select the General Settings.
 
Under the Reports tab, locate the "Log file size:" label. Ensure the "Limit the size of log file" option is selected. Ensure the "Maximum log file size" is at least 10MB.
 
Criteria: If the "Limit the size of log file" option is selected and the "Maximum log file size:" is at least 10MB, this is not a finding.
 
On the client machine, use the Windows Registry Editor to navigate to the following key:
HKLM\Software\McAfee\ (32-bit)
HKLM\Software\Wow6432Node\McAfee\ (64-bit)
SystemCore\VSCore\On Access Scanner\McShield\Configuration
 
Criteria: If the value of bLimitSize is 1 and dwMaxLogSizeMB is configured to Decimal (10) or higher, this is not a finding.
If bLimitSize is 0, this is a finding.
If dwMaxLogSizeMB is less than Decimal (10), this is a finding.</check-content></check></Rule></Group><Group id="V-6478"><title>DTAM012-McAfee VirusScan log summary parameter </title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-56373r1_rule" severity="medium" weight="10.0"><version>DTAM012</version><title>McAfee VirusScan On-Access Scanner General Settings must be configured to log the session summary.</title><description>&lt;VulnDiscussion&gt;Log management is essential to ensuring computer security records are stored in sufficient detail for an appropriate period of time. Routine log analysis is beneficial for identifying security incidents, policy violations, fraudulent activity, and operational problems. Logs are also useful when performing auditing and forensic analysis, supporting internal investigations, establishing baselines, and identifying operational trends and long-term problems.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;System Administrator&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target McAfee AntiVirus Locally Configured Client</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>McAfee AntiVirus Locally Configured Client</dc:subject><dc:identifier>605</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001242</ident><fixtext fixref="F-49055r1_fix">Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
On the menu bar, click Task-&gt;On-Access Scanner Properties.
Select the General Settings.
 
Under the Reports tab, locate the "What to log in addition to scanning activity:" label. Select the "Session summary" option.
 
Click OK to Save.</fixtext><fix id="F-49055r1_fix" /><check system="C-49299r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_McAfee_VirusScan88_Local_Client.xml" /><check-content>Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
On the menu bar, click Task-&gt;On-Access Scanner Properties.
Select the General Settings.
 
Under the Reports tab, locate the "What to log in addition to scanning activity:" label. Ensure the "Session summary" option is selected.
 
Criteria: If the "Session summary" option is selected, this is not a finding.
 
On the client machine, use the Windows Registry Editor to navigate to the following key:
HKLM\Software\McAfee\ (32-bit)
HKLM\Software\Wow6432Node\McAfee\ (64-bit)
SystemCore\VSCore\On Access Scanner\McShield\Configuration
 
Criteria: If the value of bLogSummary is 1, this is not a finding. If the value is 0, this is a finding.</check-content></check></Rule></Group><Group id="V-6583"><title>DTAM013-McAfee VirusScan log encrypted files parameter</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-56374r1_rule" severity="medium" weight="10.0"><version>DTAM013</version><title>McAfee VirusScan On-Access Scanner General Settings must be configured to log any failure to scan encrypted files.</title><description>&lt;VulnDiscussion&gt;Log management is essential to ensuring computer security records are stored in sufficient detail for an appropriate period of time. Routine log analysis is beneficial for identifying security incidents, policy violations, fraudulent activity, and operational problems. Logs are also useful when performing auditing and forensic analysis, supporting internal investigations, establishing baselines, and identifying operational trends and long-term problems.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;System Administrator&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target McAfee AntiVirus Locally Configured Client</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>McAfee AntiVirus Locally Configured Client</dc:subject><dc:identifier>605</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001242</ident><fixtext fixref="F-49057r1_fix">Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
On the menu bar, click Task-&gt;On-Access Scanner Properties.
Select the General Settings.
 
Under the Reports tab, locate the "What to log in addition to scanning activity:" label. Select the "Failure to scan encrypted files" option.
 
Click OK to Save.
</fixtext><fix id="F-49057r1_fix" /><check system="C-49300r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_McAfee_VirusScan88_Local_Client.xml" /><check-content>Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
On the menu bar, click Task-&gt;On-Access Scanner Properties.
Select the General Settings.
 
Under the Reports tab, locate the "What to log in addition to scanning activity:" label. Ensure the "Failure to scan encrypted files" option is selected.
 
Criteria: If the "Failure to scan encrypted files" option is selected, this is not a finding.
 
On the client machine, use the Windows Registry Editor to navigate to the following key:
HKLM\Software\McAfee\ (32-bit)
HKLM\Software\Wow6432Node\McAfee\ (64-bit)
SystemCore\VSCore\On Access Scanner\McShield\Configuration
 
Criteria: If the value ReportEncryptedFiles is 1, this is not a finding. If the value is 0, this is a finding.</check-content></check></Rule></Group><Group id="V-6585"><title>DTAM016-McAfee VirusScan autoupdate parameters</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-56375r2_rule" severity="medium" weight="10.0"><version>DTAM016</version><title>McAfee VirusScan must be configured to receive DAT and Engine updates.</title><description>&lt;VulnDiscussion&gt;Antivirus signature files are updated almost daily by antivirus software vendors. These files are made available to antivirus clients as they are published. Keeping virus signature files as current as possible is vital to the security of any system. The antivirus software product must be configured to receive those updates automatically in order to afford the expected protection.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;System Administrator&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target McAfee AntiVirus Locally Configured Client</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>McAfee AntiVirus Locally Configured Client</dc:subject><dc:identifier>605</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001247</ident><fixtext fixref="F-49058r2_fix">Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
 
Under the Task column, find the AutoUpdate option, right-click, and choose Properties.
Click the Schedule button.
On the Task tab, select "Enable (scheduled task runs at specified time)".
On the Schedule tab, the "Run task:" option must be configured with Daily.
 
Click OK to save.</fixtext><fix id="F-49058r2_fix" /><check system="C-49301r6_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_McAfee_VirusScan88_Local_Client.xml" /><check-content>NOTE: Automatic updates to antivirus signature definitions are to be performed once every 24 hours for hosts connected to the network. Hosts not connected to the network must be updated manually.
 
Access the local VirusScan console by clicking Start &gt;&gt; All Programs &gt;&gt; McAfee &gt;&gt; VirusScan Console.
 
Under the “Task” column, right-click on the “AutoUpdate” option, select “Properties”.
Click the “Schedule” button.
On the “Task” tab, the selection for "Enable (scheduled task runs at specified time)" must be selected.
On the “Schedule” tab, the "Run task:" option must be configured with “Daily”.
 
Alternative Registry method:
Use the Windows Registry Editor to navigate to the following key:
HKLM\Software\McAfee for 32-bit systems
HKLM\Software\Wow6432Node\McAfee for 64-bit systems
\DesktopProtection\Tasks\{A14CD6FC-3BA8-4703-87BF-e3247CE382F5}
 
Criteria:
If “bSchedEnabled=1” (indicates Scheduling is enabled) and “eScheduleType=0” (indicates Daily), this is not a finding.
 
If “bSchedEnabled=0” (indicates Scheduling is not enabled), this is a finding.
 
If the “AutoUpdate” task schedule is not enabled, or is not configured to run at a frequency of “Daily”, this is a finding.
</check-content></check></Rule></Group><Group id="V-6586"><title>DTAM021-McAfee VirusScan Exchange scanner</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-56376r2_rule" severity="medium" weight="10.0"><version>DTAM021</version><title>McAfee VirusScan On Delivery Email Scanner Properties must be configured to enable on-delivery email scanning.</title><description>&lt;VulnDiscussion&gt;Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments and not clicking on hyperlinks, etc., from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to an email-borne virus but is self-contained rather than infecting an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;System Administrator&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target McAfee AntiVirus Locally Configured Client</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>McAfee AntiVirus Locally Configured Client</dc:subject><dc:identifier>605</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001170</ident><fixtext fixref="F-49200r3_fix">Access the local VirusScan console by clicking Start &gt;&gt; All Programs &gt;&gt; McAfee &gt;&gt; VirusScan Console.
Under the Task column, select the On-Delivery Email Scanner Option, right-click, and select "Enable".
 
Click OK to Save.</fixtext><fix id="F-49200r3_fix" /><check system="C-49302r5_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_McAfee_VirusScan88_Local_Client.xml" /><check-content>Note: If an email client is not running on this system, this check can be marked as Not Applicable.
 
Access the local VirusScan console by clicking Start &gt;&gt; All Programs &gt;&gt; McAfee &gt;&gt; VirusScan Console.
Under the Task column, select the On-Delivery Email Scanner option.
Under the Status column next to the On-Delivery Email Scanner option, ensure status shows "Enabled".
 
Criteria: If the "On-Delivery Email Scanner" status is "Enabled", this is not a finding.
 
On the client machine, use the Windows Registry Editor to navigate to the following key:
HKLM\Software\McAfee\ (32-bit)
HKLM\Software\Wow6432Node\McAfee\ (64-bit)
SystemCore\VSCore\Email Scanner\Outlook\OnDelivery\GeneralOptions
 
Criteria: If the value bEnabled is 1, this is not a finding. If the value is 0, this is a finding.</check-content></check></Rule></Group><Group id="V-6587"><title>DTAM022-McAfee VirusScan find unknown programs</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-56386r2_rule" severity="medium" weight="10.0"><version>DTAM022</version><title>McAfee VirusScan On-Delivery Email Scanner must be configured to find unknown program threats and trojans.</title><description>&lt;VulnDiscussion&gt;Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments and not clicking on hyperlinks, etc., from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to an email-borne virus but is self-contained rather than infecting an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;System Administrator&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target McAfee AntiVirus Locally Configured Client</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>McAfee AntiVirus Locally Configured Client</dc:subject><dc:identifier>605</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001662</ident><fixtext fixref="F-49063r3_fix">Access the local VirusScan console by clicking Start &gt;&gt; All Programs &gt;&gt; McAfee &gt;&gt; VirusScan Console.
Under the Task column, select the On-Delivery Email Scanner Option, right-click, and select Properties.
 
Under the Scan Items tab, locate the "Heuristics:" label. Select the "Find unknown program threats and trojans" option.
 
Click OK to Save.</fixtext><fix id="F-49063r3_fix" /><check system="C-49303r3_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_McAfee_VirusScan88_Local_Client.xml" /><check-content>Note: If an email client is not running on this system, this check can be marked as Not Applicable.
 
Access the local VirusScan console by clicking Start &gt;&gt; All Programs &gt;&gt; McAfee &gt;&gt; VirusScan Console.
Under the Task column, select the On-Delivery Email Scanner Option, right-click, and select Properties.
 
Under the Scan Items tab, locate the "Heuristics:" label. Ensure the "Find unknown program threats and trojans" option is selected.
 
Criteria: If the "Find unknown program threats and trojans" option is selected, this is not a finding.
 
On the client machine, use the Windows Registry Editor to navigate to the following key:
HKLM\Software\McAfee\ (32-bit)
HKLM\Software\Wow6432Node\McAfee\ (64-bit)
SystemCore\VSCore\Email Scanner\Outlook\OnDelivery\DetectionOptions
 
Criteria: If the value dwProgramHeuristicsLevel is 1, this is not a finding. If the value is 0, this is a finding.</check-content></check></Rule></Group><Group id="V-6588"><title>DTAM023- McAfee VirusScan find unknown macro virus</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-56387r2_rule" severity="medium" weight="10.0"><version>DTAM023</version><title>McAfee VirusScan On Delivery Email Scanner Properties must be configured to find unknown macro threats.</title><description>&lt;VulnDiscussion&gt;Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments and not clicking on hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to an email-borne virus but is self-contained rather than infecting an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;System Administrator&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target McAfee AntiVirus Locally Configured Client</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>McAfee AntiVirus Locally Configured Client</dc:subject><dc:identifier>605</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001662</ident><fixtext fixref="F-49074r2_fix">Access the local VirusScan console by clicking Start &gt;&gt; All Programs &gt;&gt; McAfee &gt;&gt; VirusScan Console.
Under the Task column, select the On-Delivery Email Scanner Option, right-click, and select Properties.
 
Under the Scan Items tab, locate the "Heuristics:" label. Select the "Find unknown macro threats" option.
 
Click OK to Save.</fixtext><fix id="F-49074r2_fix" /><check system="C-49304r3_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_McAfee_VirusScan88_Local_Client.xml" /><check-content>Note: If an email client is not running on this system, this check can be marked as Not Applicable.
 
Access the local VirusScan console by clicking Start &gt;&gt; All Programs &gt;&gt; McAfee &gt;&gt; VirusScan Console.
Under the Task column, select the On-Delivery Email Scanner Option, right-click, and select Properties.
 
Under the Scan Items tab, locate the "Heuristics:" label. Ensure the "Find unknown macro threats" option is selected.
 
Criteria: If the "Find unknown macro threats" option is selected, this is not a finding.
 
On the client machine, use the Windows Registry Editor to navigate to the following key:
HKLM\Software\McAfee\ (32-bit)
HKLM\Software\Wow6432Node\McAfee\ (64-bit)
SystemCore\VSCore\Email scanner\Outlook\OnDelivery\DetectionOptions
 
Criteria: If the value dwMacroHeuristicsLevel is 1, this is not a finding. If the value is 0, this is a finding.</check-content></check></Rule></Group><Group id="V-6590"><title>DTAM027-McAfee VirusScan decode MIME email</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-56389r2_rule" severity="medium" weight="10.0"><version>DTAM027</version><title>McAfee VirusScan On Delivery Email Scanner Properties must be configured to decode MIME encoded files.</title><description>&lt;VulnDiscussion&gt;Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments and not clicking on hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to an email-borne virus but is self-contained rather than infecting an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;System Administrator&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target McAfee AntiVirus Locally Configured Client</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>McAfee AntiVirus Locally Configured Client</dc:subject><dc:identifier>605</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001170</ident><fixtext fixref="F-49112r2_fix">Access the local VirusScan console by clicking Start &gt;&gt; All Programs &gt;&gt; McAfee &gt;&gt; VirusScan Console.
Under the Task column, select the On-Delivery Email Scanner Option, right-click, and select Properties.
 
Under the Scan Items tab, locate the "Compressed files:" label. Select the "Decode MIME encoded files" option.
 
Click OK to Save.</fixtext><fix id="F-49112r2_fix" /><check system="C-49306r3_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_McAfee_VirusScan88_Local_Client.xml" /><check-content>Note: If an email client is not running on this system, this check can be marked as Not Applicable.
 
Access the local VirusScan console by clicking Start &gt;&gt; All Programs &gt;&gt; McAfee &gt;&gt; VirusScan Console.
Under the Task column, select the On-Delivery Email Scanner Option, right-click, and select Properties.
 
Under the Scan Items tab, locate the "Compressed files:" label. Ensure the "Decode MIME encoded files" option is selected.
 
Criteria: If the "Decode MIME encoded files" option is selected, this is not a finding.
 
On the client machine, use the Windows Registry Editor to navigate to the following key:
HKLM\Software\McAfee\ (32-bit)
HKLM\Software\Wow6432Node\McAfee\ (64-bit)
SystemCore\VSCore\Email Scanner\Outlook\OnDelivery\DetectionOptions
 
Criteria: If the value ScanMime is 1, this is not a finding. If the value is 0, this is a finding.</check-content></check></Rule></Group><Group id="V-6591"><title>DTAM028-McAfee VirusScan scan e-mail message body</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-56390r2_rule" severity="medium" weight="10.0"><version>DTAM028</version><title>McAfee VirusScan On Delivery Email Scanner Properties must be configured to scan email message body.</title><description>&lt;VulnDiscussion&gt;Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments and not clicking on hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to an email-borne virus but is self-contained rather than infecting an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;System Administrator&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target McAfee AntiVirus Locally Configured Client</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>McAfee AntiVirus Locally Configured Client</dc:subject><dc:identifier>605</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001170</ident><fixtext fixref="F-49101r4_fix">Access the local VirusScan console by clicking Start &gt;&gt; All Programs &gt;&gt; McAfee &gt;&gt; VirusScan Console.
Under the Task column, select the On-Delivery Email Scanner Option, right-click, and select Properties.
 
Under the Scan Items tab, locate the "Email message body (Setting for Outlook Scanner Only):" label. Select the "Scan email message body" option.
 
Click OK to Save.</fixtext><fix id="F-49101r4_fix" /><check system="C-49307r4_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_McAfee_VirusScan88_Local_Client.xml" /><check-content>Note: If an email client is not running on this system, this check can be marked as Not Applicable.
 
Access the local VirusScan console by clicking Start &gt;&gt; All Programs &gt;&gt; McAfee &gt;&gt; VirusScan Console.
Under the Task column, select the On-Delivery Email Scanner Option, right-click, and select Properties.
 
Under the Scan Items tab, locate the "Email message body (Setting for Outlook Scanner Only):" label. Ensure the "Scan email message body" option is selected.
 
Criteria: If the option "Scan email message body" is selected, this is not a finding.
 
On the client machine, use the Windows Registry Editor to navigate to the following key:
HKLM\Software\McAfee\ (32-bit)
HKLM\Software\Wow6432Node\McAfee\ (64-bit)
SystemCore\VSCore\Email Scanner\Outlook\OnDelivery\DetectionOptions
 
Criteria: If the value ScanMessageBodies is 1, this is not a finding. If the value is 0, this is a finding.</check-content></check></Rule></Group><Group id="V-6592"><title>DTAM029-McAfee VirusScan allowed actions email</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-56391r2_rule" severity="medium" weight="10.0"><version>DTAM029</version><title>McAfee VirusScan On Delivery Email Scanner Properties, When a threat is found, must be configured to clean attachments as the first action.</title><description>&lt;VulnDiscussion&gt;Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments and not clicking on hyperlinks, etc., from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to an email-borne virus but is self-contained rather than infecting an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;System Administrator&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target McAfee AntiVirus Locally Configured Client</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>McAfee AntiVirus Locally Configured Client</dc:subject><dc:identifier>605</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001243</ident><fixtext fixref="F-49113r2_fix">Access the local VirusScan console by clicking Start &gt;&gt; All Programs &gt;&gt; McAfee &gt;&gt; VirusScan Console.
Under the Task column, select the On-Delivery Email Scanner Option, right-click, and select Properties.
 
Under the Actions tab, locate the "When a threat is found:" label. From the "Perform this action first:" pull down menu, select "Clean attachments".
 
Click OK to Save. </fixtext><fix id="F-49113r2_fix" /><check system="C-49308r3_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_McAfee_VirusScan88_Local_Client.xml" /><check-content>Note: If an email client is not running on this system, this check can be marked as Not Applicable.
 
Access the local VirusScan console by clicking Start &gt;&gt; All Programs &gt;&gt; McAfee &gt;&gt; VirusScan Console.
Under the Task column, select the On-Delivery Email Scanner Option, right-click, and select Properties.
 
Under the Actions tab, locate the "When a threat is found:" label. Ensure the "Perform this action first:" pull down menu has "Clean attachments" selected.
 
Criteria: If "Clean attachments" is selected for "Perform this action first", this is not a finding.
 
On the client machine, use the Windows Registry Editor to navigate to the following key:
HKLM\Software\McAfee\ (32-bit)
HKLM\Software\Wow6432Node\McAfee\ (64-bit)
SystemCore\VSCore\Email Scanner\Outlook\OnDelivery\ActionOptions
 
Criteria: If the value for uAction is not 5, this is a finding.
</check-content></check></Rule></Group><Group id="V-6596"><title>DTAM035-McAfee VirusScan log to file email </title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-56392r2_rule" severity="medium" weight="10.0"><version>DTAM035</version><title>McAfee VirusScan On Delivery Email Scanner Properties must be configured to record scanning activity in a log file.</title><description>&lt;VulnDiscussion&gt;Log management is essential to ensuring that computer security records are stored in sufficient detail for an appropriate period of time. Routine log analysis is beneficial for identifying security incidents, policy violations, fraudulent activity, and operational problems. Logs are also useful when performing auditing and forensic analysis, supporting internal investigations, establishing baselines, and identifying operational trends and long-term problems.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;System Administrator&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target McAfee AntiVirus Locally Configured Client</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>McAfee AntiVirus Locally Configured Client</dc:subject><dc:identifier>605</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000130</ident><fixtext fixref="F-49114r2_fix">
Access the local VirusScan console by clicking Start &gt;&gt; All Programs &gt;&gt; McAfee &gt;&gt; VirusScan Console.
Under the Task column, select the On-Delivery Email Scanner Option, right-click, and select Properties.
 
Under the Reports tab, locate the "Log file" label. Select the "Enable activity logging and accept the default location for the log file or specify a new location." option.
 
Click OK to Save. </fixtext><fix id="F-49114r2_fix" /><check system="C-49309r3_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_McAfee_VirusScan88_Local_Client.xml" /><check-content>Note: If an email client is not running on this system, this check can be marked as Not Applicable.
 
Access the local VirusScan console by clicking Start &gt;&gt; All Programs &gt;&gt; McAfee &gt;&gt; VirusScan Console.
Under the Task column, select the On-Delivery Email Scanner Option, right-click, and select Properties.
 
Under the Reports tab, locate the "Log file" label. Ensure "Enable activity logging and accept the default location for the log file or specify a new location" is selected.
 
Criteria: If the option "Enable activity logging and accept the default location for the log file or specify a new location" is selected, this is not a finding.
 
On the client machine, use the Windows Registry Editor to navigate to the following key:
HKLM\Software\McAfee\ (32-bit)
HKLM\Software\Wow6432Node\McAfee\ (64-bit)
SystemCore\VSCore\Email Scanner\Outlook\OnDelivery\ReportOptions
 
Criteria: If the value bLogToFile is 1, this is not a finding. If the value is 0, this is a finding.</check-content></check></Rule></Group><Group id="V-6597"><title>DTAM036-McAfee VirusScan limit log size email</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-56393r2_rule" severity="medium" weight="10.0"><version>DTAM036</version><title>McAfee VirusScan On-Delivery Email Scanner log file size must be restricted and be configured to be at least 10MB.</title><description>&lt;VulnDiscussion&gt;While logging is imperative to forensic analysis, logs could grow to the point of impacting disk space on the system. In order to avoid the risk of logs growing to the size of impacting the operating system, the log size will be restricted. If the data in the log file exceeds the file size set, the oldest 20 percent of the entries are deleted and new data is appended to the file so although the file size is restricted, it must also be large enough to retain forensic value.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;System Administrator&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target McAfee AntiVirus Locally Configured Client</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>McAfee AntiVirus Locally Configured Client</dc:subject><dc:identifier>605</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000140</ident><fixtext fixref="F-49115r3_fix">Access the local VirusScan console by clicking Start &gt;&gt; All Programs &gt;&gt; McAfee &gt;&gt; VirusScan Console.
Under the Task column, select the On-Delivery Email Scanner Option, right-click, and select Properties.
 
Under the Reports tab, locate the "Log file" label.
 
Select the "Limit the size of log file" option. For the "Maximum log file size:" select a value of at least 10MB.
 
Click OK to Save. </fixtext><fix id="F-49115r3_fix" /><check system="C-49310r2_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_McAfee_VirusScan88_Local_Client.xml" /><check-content>Access the local VirusScan console by clicking Start &gt;&gt; All Programs &gt;&gt; McAfee &gt;&gt; VirusScan Console.
Under the Task column, select the On-Delivery Email Scanner Option, right-click, and select Properties.
 
Under the Reports tab, locate the "Log file size" label.
 
Criteria: If the "Limit the size of log file" is checked and the "Maximum log file size:" is at least 10MB, this is not a finding.
 
On the client machine, use the Windows Registry Editor to navigate to the following key:
HKLM\Software\McAfee\ (32-bit)
HKLM\Software\Wow6432Node\McAfee\ (64-bit)
SystemCore\VSCore\Email Scanner\Outlook\OnDelivery\ReportOptions
 
Criteria: If both the value of bLimitSize is 1 and the value of dwMaxLogSizeMB is at least decimal (10), this is not a finding.</check-content></check></Rule></Group><Group id="V-6599"><title>DTAM045-McAfee VirusScan fixed disk and processes</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-56396r2_rule" severity="medium" weight="10.0"><version>DTAM045</version><title>McAfee VirusScan On-Demand scan must be configured to scan all fixed, or local, disks and running processes.</title><description>&lt;VulnDiscussion&gt;Antivirus software is the mostly commonly used technical control for malware threat mitigation. Antivirus software on hosts should be configured to scan all hard drives regularly to identify any file system infections and to scan any removable media, if applicable, before media is inserted into the system. Not scheduling a regular scan of the hard drives of a system and/or not configuring the scan to scan all files and running processes, introduces a higher risk of threats going undetected.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;System Administrator&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target McAfee AntiVirus Locally Configured Client</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>McAfee AntiVirus Locally Configured Client</dc:subject><dc:identifier>605</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001241</ident><fixtext fixref="F-49212r2_fix">Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
In the console window, under Task, with the assistance of the System Administrator, identify the weekly on-demand client scan task.
Right-click the Task and select Properties.
 
Under the Scan Locations tab, in the box under the "Specify where scanning takes place." label, click the "Add" button and add "All fixed drives" or "All local drives" and "Running processes" options from the drop-down selection.
 
Click OK to save.</fixtext><fix id="F-49212r2_fix" /><check system="C-49312r2_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_McAfee_VirusScan88_Local_Client.xml" /><check-content>Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
In the console window, under Task, with the assistance of the System Administrator, identify the weekly on-demand client scan task.
Right-click the Task and select Properties.
 
Under the Scan Locations tab, in the box under the "Specify where scanning takes place." label, ensure both "All fixed drives" or "All local drives" and "Running processes" options are included.
 
Criteria: If "All fixed drives" or "All local drives" and "Running processes" are displayed in the configuration for the daily or weekly On Demand Scan, this is not a finding.
 
On the client machine, use the Windows Registry Editor to navigate to the following key:
HKLM\Software\McAfee\ (32-bit)
HKLM\Software\Wow6432Node\McAfee\ (64-bit)
DesktopProtection\Tasks
 
Under the DesktopProtection\Tasks, with the assistance of the System Administrator, review each GUID key's szTaskName to find the GUID key associated with the weekly on-demand client scan task.
 
Criteria: If, under the applicable GUID key, there exists a szScanItem with a REG_SZ value of "FixedDrives" or "LocalDrives" and a szScanItem with a REG_SZ value of "SpecialMemory", this is not a finding.</check-content></check></Rule></Group><Group id="V-6600"><title>DTAM046-McAfee VirusScan include subfolders</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-56397r1_rule" severity="medium" weight="10.0"><version>DTAM046</version><title>McAfee VirusScan On-Demand scan must be configured to scan all subfolders.</title><description>&lt;VulnDiscussion&gt;Antivirus software is the mostly commonly used technical control for malware threat mitigation. Antivirus software on hosts should be configured to scan all hard drives and folders regularly to identify any file system infections and to scan any removable media, if applicable, before media is inserted into the system. Not scheduling a regular scan of the hard drives of a system and/or not configuring the scan to scan all files and running processes, introduces a higher risk of threats going undetected.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;System Administrator&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target McAfee AntiVirus Locally Configured Client</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>McAfee AntiVirus Locally Configured Client</dc:subject><dc:identifier>605</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001241</ident><fixtext fixref="F-49117r1_fix">Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
In the console window, under Task, with the assistance of the System Administrator, identify the weekly on-demand client scan task.
Right-click the Task and select Properties.
 
Under the Scan Locations tab, locate the "Scan options:" label. Select the "Include subfolders" option.
 
 
Click OK to Save.</fixtext><fix id="F-49117r1_fix" /><check system="C-49313r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_McAfee_VirusScan88_Local_Client.xml" /><check-content>Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
In the console window, under Task, with the assistance of the System Administrator, identify the weekly on-demand client scan task.
Right-click the Task and select Properties.
 
Under the Scan Locations tab, locate the "Scan options:" label. Ensure the "Include subfolders" option is selected.
 
Criteria: If "Include subfolders" is selected, this is not a finding.
 
On the client machine, use the Windows Registry Editor to navigate to the following key:
HKLM\Software\McAfee\ (32-bit)
HKLM\Software\Wow6432Node\McAfee\ (64-bit)
DesktopProtection\Tasks
 
Under the DesktopProtection\Tasks, and with the assistance of the System Administrator, review each GUID key's szTaskName to find the GUID key associated with weekly on-demand client scan task.
 
Criteria: If, under the applicable GUID key, the bScanSubdirs has value of 0, this is a finding.</check-content></check></Rule></Group><Group id="V-6601"><title>DTAM047-McAfee VirusScan include boot sectors</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-56398r1_rule" severity="medium" weight="10.0"><version>DTAM047</version><title>McAfee VirusScan On-Demand scan must be configured to scan boot sectors.</title><description>&lt;VulnDiscussion&gt;Boot sector viruses will install into the boot sector of a system, ensuring that they will execute when the user boots the system. This risk is mitigated by scanning boot sectors at each startup of the system.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;System Administrator&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target McAfee AntiVirus Locally Configured Client</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>McAfee AntiVirus Locally Configured Client</dc:subject><dc:identifier>605</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001241</ident><fixtext fixref="F-49118r1_fix">Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
In the console window, under Task, find and select the scheduled task that shows a Status of "Daily" or "Weekly" or any frequency other than "Not Scheduled".
Right-click the Task and select Properties.
 
Under the Scan Locations tab, locate the "Scan options:" label. Select the "Scan boot sectors" option.
 
 
Click OK to Save.</fixtext><fix id="F-49118r1_fix" /><check system="C-49314r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_McAfee_VirusScan88_Local_Client.xml" /><check-content>Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
In the console window, under Task, with the assistance of the System Administrator, identify the weekly on-demand client scan task.
Right-click the Task and select Properties.
 
Under the Scan Locations tab, locate the "Scan options:" label. Ensure the "Scan boot sectors" option is selected.
 
Criteria: If "Scan boot sectors" is selected, this is not a finding.
 
On the client machine, use the Windows Registry Editor to navigate to the following key:
HKLM\Software\McAfee\ (32-bit)
HKLM\Software\Wow6432Node\McAfee\ (64-bit)
DesktopProtection\Tasks
 
Under the DesktopProtection\Tasks, and with the assistance of the System Administrator, review each GUID key's szTaskName to find the GUID key associated with weekly on-demand client scan task.
 
Criteria: If, under the applicable GUID key, the bSkipBootScan has value of 1, this is a finding.
</check-content></check></Rule></Group><Group id="V-6602"><title>DTAM048-McAfee VirusScan scan all files parameter </title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-56399r1_rule" severity="medium" weight="10.0"><version>DTAM048</version><title>McAfee VirusScan On-Demand scan must be configured to scan all files.</title><description>&lt;VulnDiscussion&gt;When scanning for malware, excluding specific file types will increase the risk of a malware-infected file going undetected. By configuring antivirus software to scan all file types, the scanner has a higher success rate at detecting and eradicating malware.
&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;System Administrator&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target McAfee AntiVirus Locally Configured Client</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>McAfee AntiVirus Locally Configured Client</dc:subject><dc:identifier>605</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001241</ident><fixtext fixref="F-49119r1_fix">Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
In the console window, under Task, with the assistance of the System Administrator, identify the weekly on-demand client scan task.
Right-click the Task and select Properties.
 
Under the Scan Item tab, locate the "File types to scan:" label. Select the "All files" option.
 
 
Click OK to Save.</fixtext><fix id="F-49119r1_fix" /><check system="C-49315r2_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_McAfee_VirusScan88_Local_Client.xml" /><check-content>Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
In the console window, under Task, with the assistance of the System Administrator, identify the weekly on-demand client scan task.
Right-click the Task and select Properties.
 
Under the Scan Items tab, locate the "File types to scan:" label. Ensure the "All files" option is selected.
 
Criteria: If "All files" is selected, this is not a finding.
 
On the client machine, use the Windows Registry Editor to navigate to the following key:
HKLM\Software\McAfee\ (32-bit)
HKLM\Software\Wow6432Node\McAfee\ (64-bit)
DesktopProtection\Tasks
 
Under the DesktopProtection\Tasks, and with the assistance of the System Administrator, review each GUID key's szTaskName to find the GUID key associated with weekly on-demand client scan task.
 
Criteria: If, under the applicable GUID key, the bScanAllFiles has value of 0, this is a finding.</check-content></check></Rule></Group><Group id="V-6604"><title>DTAM050-McAfee VirusScan exclusions parameter </title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-56401r2_rule" severity="medium" weight="10.0"><version>DTAM050</version><title>McAfee VirusScan On-Demand scan must be configured so there are no exclusions from the scan unless exclusions have been documented with, and approved by, the ISSO/ISSM/DAA.</title><description>&lt;VulnDiscussion&gt;When scanning for malware, excluding specific files will increase the risk of a malware-infected file going undetected. By configuring antivirus software without any exclusions, the scanner has a higher success rate at detecting and eradicating malware.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;System Administrator&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target McAfee AntiVirus Locally Configured Client</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>McAfee AntiVirus Locally Configured Client</dc:subject><dc:identifier>605</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001241</ident><fixtext fixref="F-49120r1_fix">Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
In the console window, under Task, with the assistance of the System Administrator, identify the weekly on-demand client scan task.
Right-click on the Task and select Properties.
 
Under the Exclusions tab, locate the "What not to scan:" label, remove any items.
 
 
Click OK to Save.</fixtext><fix id="F-49120r1_fix" /><check system="C-49316r2_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_McAfee_VirusScan88_Local_Client.xml" /><check-content>Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
In the console window, under Task, with the assistance of the System Administrator, identify the weekly on-demand client scan task.
Right-click the Task and select Properties.
 
Under the Exclusions tab, locate the "What not to scan:" label. Ensure that no items are listed in this area. If any items are listed, they must be documented with, and approved by, the local ISSO/ISSM/DAA.
 
Criteria: If no items are listed in the "What not to scan:" area, this is not a finding.
If excluded items exist, and they are documented with and approved by the ISSO/ISSM/DAA, this is not a finding.
If excluded items exist, and they are not documented with and approved by the ISSO/ISSM/DAA, this is a finding.
 
On the client machine, use the Windows Registry Editor to navigate to the following key:
HKLM\Software\McAfee\ (32-bit)
HKLM\Software\Wow6432Node\McAfee\ (64-bit)
DesktopProtection\Tasks
 
Under the DesktopProtection\Tasks, and with the assistance of the System Administrator, review each GUID key's szTaskName to find the GUID key associated with weekly on-demand client scan task.
 
Criteria: If, under the applicable GUID key, the NumExcludeItems has value of 0, this is not a finding.
If the NumExcludeItems has value other than 0, and they are documented with and approved by the ISSO/ISSM/DAA, this is not a finding.
If the NumExcludeItems has value other than 0, and they are not documented with and approved by the ISSO/ISSM/DAA, this is a finding.</check-content></check></Rule></Group><Group id="V-6611"><title>DTAM052-McAfee VirusScan scan archives parameter</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-56403r2_rule" severity="medium" weight="10.0"><version>DTAM052</version><title>McAfee VirusScan On-Demand scan must be configured to scan inside archives.</title><description>&lt;VulnDiscussion&gt;Malware is often packaged within an archive. In addition, archives might have other archives within. Not scanning archive files introduces the risk of infected files being introduced into the environment.
&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;System Administrator&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target McAfee AntiVirus Locally Configured Client</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>McAfee AntiVirus Locally Configured Client</dc:subject><dc:identifier>605</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001241</ident><fixtext fixref="F-49121r1_fix">Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
In the console window, under Task, with the assistance of the System Administrator, identify the weekly on-demand client scan task.
Right-click the Task and select Properties.
 
Under the Scan Items tab, locate the "Options:" label. Select the "Scan inside archives (e.g. .ZIP)" option.
 
 
Click OK to Save.</fixtext><fix id="F-49121r1_fix" /><check system="C-49317r2_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_McAfee_VirusScan88_Local_Client.xml" /><check-content>NOTE: This setting must be configured. Exclusions for specific extensions may be created. Exclusions must be documented with, and approved by, the local ISSO/ISSM.
 
Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
In the console window, under Task, with the assistance of the System Administrator, identify the weekly on-demand client scan task.
Right-click the Task and select Properties.
 
Under the Scan Items tab, locate the "Options:" label. Ensure the "Scan inside archives (e.g. .ZIP)" option is selected.
 
Criteria: If "Scan inside archives (e.g. .ZIP)" is selected, this is not a finding.
 
On the client machine, use the Windows Registry Editor to navigate to the following key:
HKLM\Software\McAfee\ (32-bit)
HKLM\Software\Wow6432Node\McAfee\ (64-bit)
DesktopProtection\Tasks
 
Under the DesktopProtection\Tasks, and with the assistance of the System Administrator, review each GUID key's szTaskName to find the GUID key associated with weekly on-demand client scan task.
 
Criteria: If, under the applicable GUID key, the ScanArchives has value of 0, this is a finding.
</check-content></check></Rule></Group><Group id="V-6612"><title>DTAM053-McAfee VirusScan decode MIME encoded</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-56404r1_rule" severity="medium" weight="10.0"><version>DTAM053</version><title>McAfee VirusScan On-Demand scan must be configured to decode MIME encoded files.</title><description>&lt;VulnDiscussion&gt;Multipurpose Internet Mail Extensions (MIME) encoded files can be crafted to hide a malicious payload. When the MIME encoded file is presented to software that decodes the MIME encoded files, such as an email client, the malware is released. Scanning these files as part of the regularly scheduled scans tasks will mitigate this risk.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;System Administrator&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target McAfee AntiVirus Locally Configured Client</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>McAfee AntiVirus Locally Configured Client</dc:subject><dc:identifier>605</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001241</ident><fixtext fixref="F-49122r1_fix">Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
In the console window, under Task, with the assistance of the System Administrator, identify the weekly on-demand client scan task.
Right-click the Task and select Properties.
 
Under the Scan Items tab, locate the "Options:" label. Select the "Decode MIME encoded files" option.
 
 
Click OK to Save.</fixtext><fix id="F-49122r1_fix" /><check system="C-49318r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_McAfee_VirusScan88_Local_Client.xml" /><check-content>Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
In the console window, under Task, with the assistance of the System Administrator, identify the weekly on-demand client scan task.
Right-click the Task and select Properties.
 
Under the Scan Items tab, locate the "Options:" label. Ensure the "Decode MIME encoded files" option is selected.
 
Criteria: If "Decode MIME encoded files" is selected, this is not a finding.
 
On the client machine, use the Windows Registry Editor to navigate to the following key:
HKLM\Software\McAfee\ (32-bit)
HKLM\Software\Wow6432Node\McAfee\ (64-bit)
DesktopProtection\Tasks
 
Under the DesktopProtection\Tasks, and with the assistance of the System Administrator, review each GUID key's szTaskName to find the GUID key associated with weekly on-demand client scan task.
 
Criteria: If, under the applicable GUID key, the ScanMime has value of 0, this is a finding.
</check-content></check></Rule></Group><Group id="V-6614"><title>DTAM054 - McAfee VirusScan find unknown programs</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-56419r1_rule" severity="medium" weight="10.0"><version>DTAM054</version><title>McAfee VirusScan On-Demand scan must be configured to find unknown program threats.</title><description>&lt;VulnDiscussion&gt;Due to the ability of malware to mutate after infection, standard antivirus signatures may not be able to catch new strains or variants of the malware. Typically, these strains and variants will share unique characteristics with others in their virus family. By using a generic signature to detect the shared characteristics, using wildcards where differences lie, the generic signature can detect viruses even if they are padded with extra, meaningless code. This method of detection is Heuristic detection.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;System Administrator&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target McAfee AntiVirus Locally Configured Client</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>McAfee AntiVirus Locally Configured Client</dc:subject><dc:identifier>605</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001241</ident><fixtext fixref="F-49123r1_fix">Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
In the console window, under Task, with the assistance of the System Administrator, identify the weekly on-demand client scan task.
Right-click the Task and select Properties.
 
Under the Scan Items tab, locate the "Heuristics:" label. Select the "Find unknown program threats" option.
 
 
Click OK to Save.</fixtext><fix id="F-49123r1_fix" /><check system="C-49319r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_McAfee_VirusScan88_Local_Client.xml" /><check-content>Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
In the console window, under Task, with the assistance of the System Administrator, identify the weekly on-demand client scan task.
Right-click the Task and select Properties.
 
Under the Scan Items tab, locate the "Heuristics: " label. Ensure the "Find unknown program threats" option is selected.
 
Criteria: If "Find unknown program threats" is selected, this is not a finding.
 
On the client machine, use the Windows Registry Editor to navigate to the following key:
HKLM\Software\McAfee\ (32-bit)
HKLM\Software\Wow6432Node\McAfee\ (64-bit)
DesktopProtection\Tasks
 
Under the DesktopProtection\Tasks, and with the assistance of the System Administrator, review each GUID key's szTaskName to find the GUID key associated with weekly on-demand client scan task.
 
Criteria: If, under the applicable GUID key, the dwProgramHeuristicsLevel has value of 0, this is a finding.
</check-content></check></Rule></Group><Group id="V-6615"><title>DTAM055-McAfee VirusScan find unknown macro virus</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-56409r1_rule" severity="medium" weight="10.0"><version>DTAM055</version><title>McAfee VirusScan On-Demand scan must be configured to find unknown macro threats.</title><description>&lt;VulnDiscussion&gt;Interpreted viruses are executed by an application. Within this subcategory, macro viruses take advantage of the capabilities of applications' macro programming language to infect application documents and document templates, while scripting viruses infect scripts that are understood by scripting languages processed by services on the OS. Many attackers use toolkits containing several different types of utilities and scripts that can be used to probe and attack hosts. The scanning for unknown macro viruses will mitigate zero day attacks.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;System Administrator&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target McAfee AntiVirus Locally Configured Client</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>McAfee AntiVirus Locally Configured Client</dc:subject><dc:identifier>605</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001241</ident><fixtext fixref="F-49124r1_fix">Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
In the console window, under Task, with the assistance of the System Administrator, identify the weekly on-demand client scan task.
Right-click the Task and select Properties.
 
Under the Scan Items tab, locate the "Heuristics:" label. Select the "Find unknown macro threats" option.
 
 
Click OK to Save.</fixtext><fix id="F-49124r1_fix" /><check system="C-49320r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_McAfee_VirusScan88_Local_Client.xml" /><check-content>Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
In the console window, under Task, with the assistance of the System Administrator, identify the weekly on-demand client scan task.
Right-click the Task and select Properties.
 
Under the Scan Items tab, locate the "Heuristics:" label. Ensure the "Find unknown macro threats" option is selected.
 
Criteria: If "Find unknown macro threats" is selected, this is not a finding.
 
On the client machine, use the Windows Registry Editor to navigate to the following key:
HKLM\Software\McAfee\ (32-bit)
HKLM\Software\Wow6432Node\McAfee\ (64-bit)
DesktopProtection\Tasks
 
Under the DesktopProtection\Tasks, and with the assistance of the System Administrator, review each GUID key's szTaskName to find the GUID key associated with weekly on-demand client scan task.
 
Criteria: If, under the applicable GUID key, the dwMacroHeuristicsLevel has value of 0, this is a finding.</check-content></check></Rule></Group><Group id="V-6616"><title>DTAM056-McAfee VirusScan action for Virus </title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-56420r1_rule" severity="medium" weight="10.0"><version>DTAM056</version><title>McAfee VirusScan On-Demand scan actions, When a threat is found must be configured to clean files automatically as first action.</title><description>&lt;VulnDiscussion&gt;Malware may have infected a file that is necessary to the user. By configuring the antivirus software to first attempt cleaning the infected file, availability to the file is not sacrificed. If a cleaning attempt is not successful, however, deleting the file is the only safe option so as to ensure the malware is not introduced onto the system or network.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;System Administrator&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target McAfee AntiVirus Locally Configured Client</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>McAfee AntiVirus Locally Configured Client</dc:subject><dc:identifier>605</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001243</ident><fixtext fixref="F-49125r1_fix">Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
In the console window, under Task, with the assistance of the System Administrator, identify the weekly on-demand client scan task.
Right-click the Task and select Properties.
 
Under the Actions tab, locate the "When a threat is found:" label. From the "Perform this action first:" pull down menu, select "Clean".
 
Click OK to Save. </fixtext><fix id="F-49125r1_fix" /><check system="C-49321r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_McAfee_VirusScan88_Local_Client.xml" /><check-content>Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
In the console window, under Task, with the assistance of the System Administrator, identify the weekly on-demand client scan task.
Right-click the Task and select Properties.
 
Under the Actions tab, locate the "When a threat is found:" label. Ensure that from the "Perform this action first:" pull down menu, "Clean" is selected.
 
Criteria: If "Clean" is selected for "Perform this action first", this is not a finding.
 
On the client machine, use the Windows Registry Editor to navigate to the following key:
HKLM\Software\McAfee\ (32-bit)
HKLM\Software\Wow6432Node\McAfee\ (64-bit)
DesktopProtection\Tasks
 
Under the DesktopProtection\Tasks, and with the assistance of the System Administrator, review each GUID key's szTaskName to find the GUID key associated with weekly on-demand client scan task.
 
Criteria: If, under the applicable GUID key, the uAction does not have a value of 5, this is a finding.</check-content></check></Rule></Group><Group id="V-6617"><title>DTAM057-McAfee VirusScan secondary action </title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-56414r1_rule" severity="medium" weight="10.0"><version>DTAM057</version><title>McAfee VirusScan On-Demand scan actions, When a threat is found must be configured to delete files automatically if first action fails.</title><description>&lt;VulnDiscussion&gt;Malware may have infected a file that is necessary to the user. By configuring the antivirus software to first attempt cleaning the infected file, availability to the file is not sacrificed. If a cleaning attempt is not successful, however, deleting the file is the only safe option so as to ensure the malware is not introduced onto the system or network.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;System Administrator&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target McAfee AntiVirus Locally Configured Client</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>McAfee AntiVirus Locally Configured Client</dc:subject><dc:identifier>605</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001243</ident><fixtext fixref="F-49126r1_fix">
Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
In the console window, under Task, with the assistance of the System Administrator, identify the weekly on-demand client scan task.
Right-click the Task and select Properties.
 
Under the Actions tab, locate the "When a threat is found:" label. From the "If the first action fails, then perform this action:" pull down menu, select "Delete".
 
Click OK to Save. </fixtext><fix id="F-49126r1_fix" /><check system="C-49322r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_McAfee_VirusScan88_Local_Client.xml" /><check-content>Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
In the console window, under Task, with the assistance of the System Administrator, identify the weekly on-demand client scan task.
Right-click the Task and select Properties.
 
Under the Actions tab, locate the "When a threat is found:" label. Ensure that from the "If the first action fails, then perform this action:" pull down menu, "Delete" is selected.
 
Criteria: If "Delete" is selected for "If the first action fails, then perform this action:", this is not a finding.
 
On the client machine, use the Windows Registry Editor to navigate to the following key:
HKLM\Software\McAfee\ (32-bit)
HKLM\Software\Wow6432Node\McAfee\ (64-bit)
DesktopProtection\Tasks
 
Under the DesktopProtection\Tasks, and with the assistance of the System Administrator, review each GUID key's szTaskName to find the GUID key associated with weekly on-demand client scan task.
 
Criteria: If, under the applicable GUID key, the uSecAction does not have a value of 4, this is a finding.</check-content></check></Rule></Group><Group id="V-6618"><title>DTAM059-McAfee VirusScan log to file parameter</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-56422r1_rule" severity="medium" weight="10.0"><version>DTAM059</version><title>McAfee VirusScan On-Demand scan must be configured to record scanning activity in a log file.</title><description>&lt;VulnDiscussion&gt;Log management is essential to ensuring computer security records are stored in sufficient detail for an appropriate period of time. Routine log analysis is beneficial for identifying security incidents, policy violations, fraudulent activity, and operational problems. Logs are also useful when performing auditing and forensic analysis, supporting internal investigations, establishing baselines, and identifying operational trends and long-term problems.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;System Administrator&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target McAfee AntiVirus Locally Configured Client</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>McAfee AntiVirus Locally Configured Client</dc:subject><dc:identifier>605</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001241</ident><fixtext fixref="F-49128r1_fix">Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
In the console window, under Task, with the assistance of the System Administrator, identify the weekly on-demand client scan task.
Right-click the Task and select Properties.
 
Under the Reports tab, locate the "Log file" label. Select the "Enable activity logging and accept the default location for the log file or specify a new location" option.
 
 
Click OK to Save.</fixtext><fix id="F-49128r1_fix" /><check system="C-49324r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_McAfee_VirusScan88_Local_Client.xml" /><check-content>Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
In the console window, under Task, with the assistance of the System Administrator, identify the weekly on-demand client scan task.
Right-click the Task and select Properties.
 
Under the Reports tab, locate the "Log File" label. Ensure the "Enable activity logging and accept the default location for the log file or specify a new location" option is selected.
 
Criteria: If "Enable activity logging and accept the default location for the log file or specify a new location" is selected, this is not a finding.
 
On the client machine, use the Windows Registry Editor to navigate to the following key:
HKLM\Software\McAfee\ (32-bit)
HKLM\Software\Wow6432Node\McAfee\ (64-bit)
DesktopProtection\Tasks
 
Under the DesktopProtection\Tasks, and with the assistance of the System Administrator, review each GUID key's szTaskName to find the GUID key associated with weekly on-demand client scan task.
 
Criteria: If, under the applicable GUID key, the bLogToFile does not have a value of 1, this is a finding.</check-content></check></Rule></Group><Group id="V-6620"><title>DTAM060-McAfee VirusScan log file limit parameter</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-56425r1_rule" severity="medium" weight="10.0"><version>DTAM060</version><title>McAfee VirusScan On-Demand scan log file size must be restricted, but be configured to at least 10MB.</title><description>&lt;VulnDiscussion&gt;While logging is imperative to forensic analysis, logs could grow to the point of impacting disk space on the system. In order to avoid the risk of logs growing to the size of impacting the operating system, the log size will be restricted, but must also be large enough to retain forensic value.
.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;System Administrator&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target McAfee AntiVirus Locally Configured Client</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>McAfee AntiVirus Locally Configured Client</dc:subject><dc:identifier>605</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001241</ident><fixtext fixref="F-49129r1_fix">
Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
In the console window, under Task, with the assistance of the System Administrator, identify the weekly on-demand client scan task.
Right-click the Task and select Properties.
 
Under the Reports tab, locate the "Log file" label.
Select the "Limit the size of log file" option.
Under "Maximum log file size:", choose a value of at least 10MB.
 
 
Click OK to Save.</fixtext><fix id="F-49129r1_fix" /><check system="C-49325r2_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_McAfee_VirusScan88_Local_Client.xml" /><check-content>Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
In the console window, under Task, with the assistance of the System Administrator, identify the weekly on-demand client scan task.
Right-click the Task and select Properties.
 
Under the Reports tab, locate the "Log file" label.
 
Criteria: If the "Limit the size of log file" option is selected and the "Maximum log file size:" is at least 10MB, this is not a finding.
 
On the client machine, use the Windows Registry Editor to navigate to the following key:
HKLM\Software\McAfee\ (32-bit)
HKLM\Software\Wow6432Node\McAfee\ (64-bit)
DesktopProtection\Tasks
 
Under the DesktopProtection\Tasks, and with the assistance of the System Administrator, review each GUID key's szTaskName to find the GUID key associated with weekly on-demand client scan task.
 
Criteria: If, under the applicable GUID key, the bLimitSize value is not 1, this is a finding.
If the uKilobytes is less than 10240 (Decimal), this is a finding.
If the bLimitSize value is 1 and the uKilobytes value is 10240 (Decimal) or more, this is not a finding.</check-content></check></Rule></Group><Group id="V-6625"><title>DTAM063-McAfee VirusScan failure on encrypted file</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-56423r1_rule" severity="medium" weight="10.0"><version>DTAM063</version><title>McAfee VirusScan On-Demand scan must be configured to log any failure to scan encrypted files.</title><description>&lt;VulnDiscussion&gt;Log management is essential to ensuring that computer security records are stored in sufficient detail for an appropriate period of time. Routine log analysis is beneficial for identifying security incidents, policy violations, fraudulent activity, and operational problems. Logs are also useful when performing auditing and forensic analysis, supporting internal investigations, establishing baselines, and identifying operational trends and long-term problems.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;System Administrator&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target McAfee AntiVirus Locally Configured Client</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>McAfee AntiVirus Locally Configured Client</dc:subject><dc:identifier>605</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001241</ident><fixtext fixref="F-49130r1_fix">Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
In the console window, under Task, with the assistance of the System Administrator, identify the weekly on-demand client scan task.
Right-click the Task and select Properties.
 
Under the Reports tab, locate the "What to log in addition to scanning activity:" label. Select the "Failure to scan encrypted files" option.
 
Click OK to Save</fixtext><fix id="F-49130r1_fix" /><check system="C-49326r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_McAfee_VirusScan88_Local_Client.xml" /><check-content>Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
In the console window, under Task, with the assistance of the System Administrator, identify the weekly on-demand client scan task.
Right-click the Task and select Properties.
 
Under the Reports tab, locate the "What to log in addition to scanning activity:" label. Ensure the "Failure to scan encrypted files" option is selected.
 
Criteria: If the "Failure to scan encrypted files" option is selected, this is not a finding.
 
On the client machine, use the Windows Registry Editor to navigate to the following key:
HKLM\Software\McAfee\ (32-bit)
HKLM\Software\Wow6432Node\McAfee\ (64-bit)
DesktopProtection\Tasks
 
Under the DesktopProtection\Tasks, and with the assistance of the System Administrator, review each GUID key's szTaskName to find the GUID key associated with weekly on-demand client scan task.
 
Criteria: If, under the applicable GUID key, the value bLogScanEncryptFail is not set to 1, this is a finding.
</check-content></check></Rule></Group><Group id="V-6627"><title>DTAM070-McAfee VirusScan schedule </title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-56426r1_rule" severity="medium" weight="10.0"><version>DTAM070</version><title>McAfee VirusScan On-Demand scan must be scheduled to be executed at least on a weekly basis.</title><description>&lt;VulnDiscussion&gt;Antivirus software is the mostly commonly used technical control for malware threat mitigation. Antivirus software on hosts should be configured to scan all hard drives regularly to identify any file system infections and to scan any removable media, if applicable, before media is inserted into the system. Not scheduling a regular scan of the hard drives of a system and/or not configuring the scan to scan all files and running processes, introduces a higher risk of threats going undetected.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;System Administrator&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target McAfee AntiVirus Locally Configured Client</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>McAfee AntiVirus Locally Configured Client</dc:subject><dc:identifier>605</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001241</ident><fixtext fixref="F-49131r1_fix">Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
In the console window, under Task, with the assistance of the System Administrator, identify the weekly on-demand client scan task.
Right-click the Task and select Properties.
 
Click on the Schedule button.
Under the Task tab, select "Enabled".
Under the Schedule tab, find the "Run Task: " label and set to at least "Weekly".
 
 
Click OK to Save.</fixtext><fix id="F-49131r1_fix" /><check system="C-49327r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_McAfee_VirusScan88_Local_Client.xml" /><check-content>Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
In the console window, under Task, with the assistance of the System Administrator, identify the weekly on-demand client scan task.
Right-click the Task and select Properties.
 
Click on the Schedule button.
Under the Task tab, under "Schedule Settings", ensure the "Enable (scheduled task runs at a specified time)" option is selected.
Under the Schedule tab, ensure the "Run Task:" option is set to at "Weekly" or more frequent.
 
Criteria: If the "Enable (scheduled task runs at a specified time)" option is selected and the "Schedule Type:" is at least "Weekly", or more frequent, this is not a finding.
 
On the client machine, use the Windows Registry Editor to navigate to the following key:
HKLM\Software\McAfee\ (32-bit)
HKLM\Software\Wow6432Node\McAfee\ (64-bit)
DesktopProtection\Tasks
 
Under the DesktopProtection\Tasks, and with the assistance of the System Administrator, review each GUID key's szTaskName to find the GUID key associated with weekly on demand client scan task.
 
Criteria: If the value for bSchedEnabled is not 1, this is a finding.
If the value for eScheduletype is not either 0 or 1, this is a finding.
If the value for bSchedEnabled is 1 and the value for eScheduletype is 0 or 1 this is not a finding.</check-content></check></Rule></Group><Group id="V-14618"><title>DTAM090-McAfee VirusScan on-access script scan parameter</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-56400r1_rule" severity="medium" weight="10.0"><version>DTAM090</version><title>McAfee VirusScan On-Access Scanner General Settings must be configured to enable scanning of scripts.</title><description>&lt;VulnDiscussion&gt;Interpreted viruses are executed by an application. Within this subcategory, macro viruses take advantage of the capabilities of applications' macro programming language to infect application documents and document templates, while scripting viruses infect scripts that are understood by scripting languages processed by services on the OS. Many attackers use toolkits containing several different types of utilities and script that can be used to probe and attack hosts. (NIST SP 800-83) The scanning of scripts is crucial in preventing these attacks.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;System Administrator&lt;/Responsibility&gt;&lt;Responsibility&gt;Information Assurance Officer&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target McAfee AntiVirus Locally Configured Client</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>McAfee AntiVirus Locally Configured Client</dc:subject><dc:identifier>605</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001242</ident><fixtext fixref="F-49132r1_fix">Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
On the menu bar, click Task-&gt;On-Access Scanner Properties.
Select the General Settings.
 
Under the ScriptScan tab, locate the "ScriptScan:" label. Select the "Enable scanning of scripts" option.
 
Click OK to Save.</fixtext><fix id="F-49132r1_fix" /><check system="C-49328r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_McAfee_VirusScan88_Local_Client.xml" /><check-content>Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
On the menu bar, click Task-&gt;On-Access Scanner Properties.
Select the General Settings.
 
Under the ScriptScan tab, locate the "ScriptScan:" label. Ensure the "Enable scanning of scripts" option is selected.
 
Criteria: If the "Enable scanning of scripts" option is selected, this is not a finding.
 
On the client machine, use the Windows Registry Editor to navigate to the following key:
HKLM\Software\McAfee\ (32-bit)
HKLM\Software\Wow6432Node\McAfee\ (64-bit)
SystemCore\VSCore\Script Scanner
 
Criteria: If the value of ScriptScanEnabled is 1, this is not a finding. If the value is 0, this is a finding.
</check-content></check></Rule></Group><Group id="V-14619"><title>DTAM091-McAfee VirusScan on-access scan blocking</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-56402r1_rule" severity="medium" weight="10.0"><version>DTAM091</version><title>McAfee VirusScan On-Access Scanner General Settings must be configured to block the connection when a threatened file is detected in a shared folder.</title><description>&lt;VulnDiscussion&gt;Containment during a virus outbreak is crucial. Infected hosts may attempt to spread malware and will use every network path available to them when spreading that infection. By containing the system when a detection is found, the malware will be restricted to that one system. Likewise, if malware is detected in a shared folder, maintaining the connection between a system and the shared folder would allow the malware to spread. Placing temporary restrictions on network connectivity is an effective mitigation mechanism.
 
These block connection settings will most often be used on a server housing shared folders and files, and will block the connection from any network user on a remote computer who attempts to read from, or write to, a threatened file in the shared folder. In addition, it will block the connection from any user on a remote computer who attempts to write an unwanted program to the computer. The connection will be unblocked after the specified amount of time, re-allowing access to the other shared files and folders, but will be re-blocked should those same file accesses be attempted.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;System Administrator&lt;/Responsibility&gt;&lt;Responsibility&gt;Information Assurance Officer&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target McAfee AntiVirus Locally Configured Client</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>McAfee AntiVirus Locally Configured Client</dc:subject><dc:identifier>605</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001242</ident><fixtext fixref="F-49133r1_fix">
Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
On the menu bar, click Task-&gt;On-Access Scanner Properties.
Select the General Settings.
 
Under the Blocking tab, locate the "Block" label. Select the "Block the connection when a threat is detected in a shared folder" option.
 
Click OK to Save.
</fixtext><fix id="F-49133r1_fix" /><check system="C-49329r2_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_McAfee_VirusScan88_Local_Client.xml" /><check-content>Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
On the menu bar, click Task-&gt;On-Access Scanner Properties.
Select the General Settings.
 
Under the Blocking tab, locate the "Block" label. Ensure the "Block the connection when a threat is detected in a shared folder" option is selected.
 
Criteria: If the "Block the connection when a threat is detected in a shared folder" option is selected, this is not a finding.
 
On the client machine, use the Windows Registry Editor to navigate to the following key:
HKLM\Software\McAfee\ (32-bit)
HKLM\Software\Wow6432Node\McAfee\ (64-bit)
SystemCore\VSCore\On Access Scanner\BehaviourBlocking
 
Criteria: If the value of VSIDBlock is 1, this is not a finding. If the value is 0, this is a finding.
</check-content></check></Rule></Group><Group id="V-14620"><title>DTAM092-McAfee VirusScan on-access scan blocking</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-56406r1_rule" severity="medium" weight="10.0"><version>DTAM092</version><title>McAfee VirusScan On-Access Scanner General Settings must be configured to unblock connections after a minimum of 30 minutes.</title><description>&lt;VulnDiscussion&gt;Containment during a virus outbreak is crucial. Infected hosts may attempt to spread malware and will use every network path available to them when spreading that infection. By containing the system when a detection is found, the malware will be restricted to that one system. Likewise, if malware is detected in a shared folder, maintaining the connection between a system and the shared folder would allow the malware to spread. Placing temporary restrictions on network connectivity is an effective mitigation mechanism.
 
These block connection settings will most often be used on a server housing shared folders and files, and will block the connection from any network user on a remote computer who attempts to read from, or write to, a threatened file in the shared folder. In addition, it will block the connection from any user on a remote computer who attempts to write an unwanted program to the computer. The connection will be unblocked after the specified amount of time, re-allowing access to the other shared files and folders, but will be re-blocked should those same file accesses be attempted.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;System Administrator&lt;/Responsibility&gt;&lt;Responsibility&gt;Information Assurance Officer&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target McAfee AntiVirus Locally Configured Client</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>McAfee AntiVirus Locally Configured Client</dc:subject><dc:identifier>605</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001242</ident><fixtext fixref="F-49134r1_fix">Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
On the menu bar, click Task-&gt;On-Access Scanner Properties.
Select the General Settings.
 
Under the Blocking tab, locate the "Block" label. Enter a value in "Unblock connections after (minutes)" where x is set to no less than 30 minutes.
 
Click OK to Save.</fixtext><fix id="F-49134r1_fix" /><check system="C-49330r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_McAfee_VirusScan88_Local_Client.xml" /><check-content>Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
On the menu bar, click Task-&gt;On-Access Scanner Properties.
Select the General Settings.
 
Under the Blocking tab, locate the "Block" label. Ensure the "Unblock connections after (minutes)" is set to no less than 30 minutes.
 
Criteria: If the "Unblock connections after (minutes)" option is configured to no less than 30 minutes, this is not a finding.
 
On the client machine, use the Windows Registry Editor to navigate to the following key:
HKLM\Software\McAfee\ (32-bit)
HKLM\Software\Wow6432Node\McAfee\ (64-bit)
SystemCore\VSCore\On Access Scanner\BehaviourBlocking
 
Criteria: If the value of VSIDBlockTimeout &gt;= to HEX 1E, this is not a finding.
</check-content></check></Rule></Group><Group id="V-14621"><title>DTAM093-McAfee VirusScan on-access scan blocking</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-56408r1_rule" severity="medium" weight="10.0"><version>DTAM093</version><title>McAfee VirusScan On-Access Scanner General Settings must be configured to block the connection when a file with a potentially unwanted program is detected in a shared folder.</title><description>&lt;VulnDiscussion&gt;Containment during a virus outbreak is crucial. Infected hosts may attempt to spread malware and will use every network path available to them when spreading that infection. By containing the system when a detection is found, the malware will be restricted to that one system. Likewise, if malware is detected in a shared folder, maintaining the connection between a system and the shared folder would allow the malware to spread. Placing temporary restrictions on network connectivity is an effective mitigation mechanism.
 
These block connection settings will most often be used on a server housing shared folders and files, and will block the connection from any network user on a remote computer who attempts to read from, or write to, a threatened file in the shared folder. In addition, it will block the connection from any user on a remote computer who attempts to write an unwanted program to the computer. The connection will be unblocked after the specified amount of time, re-allowing access to the other shared files and folders, but will be re-blocked should those same file accesses be attempted.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;System Administrator&lt;/Responsibility&gt;&lt;Responsibility&gt;Information Assurance Officer&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target McAfee AntiVirus Locally Configured Client</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>McAfee AntiVirus Locally Configured Client</dc:subject><dc:identifier>605</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001242</ident><fixtext fixref="F-49135r1_fix">Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
On the menu bar, click Task-&gt;On-Access Scanner Properties.
Select the General Settings.
 
Under the Blocking tab, locate the "Block" label. Select the "Block the connection when a file with a potentially unwanted program is detected in a shared folder" option.
 
Click OK to Save.</fixtext><fix id="F-49135r1_fix" /><check system="C-49331r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_McAfee_VirusScan88_Local_Client.xml" /><check-content>Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
On the menu bar, click Task-&gt;On-Access Scanner Properties.
Select the General Settings.
 
Under the Blocking tab, locate the "Block" label. Ensure the "Block the connection when a file with a potentially unwanted program is detected in a shared folder" is checked.
 
Criteria: If the "Block the connection when a file with a potentially unwanted program is detected in a shared folder" option is selected, this is not a finding.
 
On the client machine, use the Windows Registry Editor to navigate to the following key:
HKLM\Software\McAfee\ (32-bit)
HKLM\Software\Wow6432Node\McAfee\ (64-bit)
SystemCore\VSCore\On Access Scanner\BehaviourBlocking
 
Criteria: If the value of VSIDBlockOnNonVirus is 1, this is not a finding. If the value is 0, this is a finding.</check-content></check></Rule></Group><Group id="V-14622"><title>DTAM100-McAfee VirusScan scan default values</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-56410r1_rule" severity="medium" weight="10.0"><version>DTAM100</version><title>McAfee VirusScan On-Access Scanner All Processes settings must be configured to use only one scanning policy for all processes, unless the use of Low-Risk Processes/High-Risk Processes has been documented with, and approved by, the IAO/IAM.</title><description>&lt;VulnDiscussion&gt;Organizations should use centrally managed antivirus software that is controlled and monitored regularly by antivirus administrators, who are also typically responsible for acquiring, testing, approving, and delivering antivirus signatures and software updates through the organizations. (FISMA SP 800-83) Some processes are known to be higher risk, while others are low risk. By restricting policy configuration to the Default Processes policy, all processes will be interpreted equally when applying the policy settings and will provide the highest level of protection. Best practice dictates configuring Low Risk and/or High Risk policies only when it is necessary to improve system performance, and will focus the scanning where it is most likely to detect malware. There is risk associated with configuring the Low Risk and/or High Risk policies for the purpose of specifically excluding processes from scanning, and should only be done after evaluating other policy settings and determining risk.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;System Administrator&lt;/Responsibility&gt;&lt;Responsibility&gt;Information Assurance Officer&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target McAfee AntiVirus Locally Configured Client</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>McAfee AntiVirus Locally Configured Client</dc:subject><dc:identifier>605</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001242</ident><fixtext fixref="F-49136r1_fix">Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
On the menu bar, click Task-&gt;On-Access Scanner Properties.
Select All Processes.
 
Under the Processes tab, select the "Configure one scanning policy for all processes" option.
 
Click OK to Save.</fixtext><fix id="F-49136r1_fix" /><check system="C-49332r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_McAfee_VirusScan88_Local_Client.xml" /><check-content>Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
On the menu bar, click Task-&gt;On-Access Scanner Properties.
Select All Processes.
 
Under the Processes tab, ensure the "Configure one scanning policy for all processes" is selected.
 
Criteria: If the "Configure one scanning policy for all processes" option is selected, this is not a finding.
If the "Configure one scanning policy for all processes" option is not selected, and the use of Low-Risk Processes/High-Risk processes has been documented with, and approved by, the IAO/IAM, this is not a finding.
If the "Configure one scanning policy for all processes" option is not selected, and the use of Low-Risk Processes/High-Risk processes has not been documented/approved by the IAO/IAM, this is a finding.
 
On the client machine, use the Windows Registry Editor to navigate to the following key:
HKLM\Software\McAfee\ (32-bit)
HKLM\Software\Wow6432Node\McAfee\ (64-bit)
SystemCore\VSCore\On Access Scanner\McShield\Configuration
 
Criteria: If the value OnlyUseDefaultConfig is 1, this is not a finding.
If the value is 0 and the use of Low-Risk Processes/High-Risk processes has not been documented and approved by the IAO/IAM, this is a finding.</check-content></check></Rule></Group><Group id="V-14623"><title>DTAM101-McAfee VirusScan scan when writing disk</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-56413r1_rule" severity="medium" weight="10.0"><version>DTAM101</version><title>McAfee VirusScan On-Access Scanner All Processes settings must be configured to scan when writing to disk.</title><description>&lt;VulnDiscussion&gt;Antivirus software is the most commonly used technical control for malware threat mitigation. Real-time scanning of files as they are written to disk is a crucial first line of defense from malware attacks.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;System Administrator&lt;/Responsibility&gt;&lt;Responsibility&gt;Information Assurance Officer&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target McAfee AntiVirus Locally Configured Client</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>McAfee AntiVirus Locally Configured Client</dc:subject><dc:identifier>605</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001242</ident><fixtext fixref="F-49137r1_fix">Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
On the menu bar, click Task-&gt;On-Access Scanner Properties.
Select All Processes.
 
Under the Scan Items tab, locate the "Scan files:" label. Select the "When writing to disk" option.
 
Click OK to Save.</fixtext><fix id="F-49137r1_fix" /><check system="C-49333r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_McAfee_VirusScan88_Local_Client.xml" /><check-content>Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
On the menu bar, click Task-&gt;On-Access Scanner Properties.
Select All Processes.
 
Under the Scan Items tab, locate the "Scan files:" label. Ensure the "When writing to disk" is selected.
 
Criteria: If the "When writing to disk" option is selected, this is not a finding.
 
On the client machine, use the Windows Registry Editor to navigate to the following key:
HKLM\Software\McAfee\ (32-bit)
HKLM\Software\Wow6432Node\McAfee\ (64-bit)
SystemCore\VSCore\On Access Scanner\McShield\Configuration\Default
 
Criteria: If the value bScanIncoming is 1, this is not a finding. If the value is 0, this is a finding.
</check-content></check></Rule></Group><Group id="V-14624"><title>DTAM102-McAfee VirusScan scan when reading</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-56429r1_rule" severity="medium" weight="10.0"><version>DTAM102</version><title>McAfee VirusScan On-Access Scanner All Processes settings must be configured to scan when reading from disk.</title><description>&lt;VulnDiscussion&gt;Antivirus software is the most commonly used technical control for malware threat mitigation. Real-time scanning of files as they are read from disk is a crucial first line of defense from malware attacks.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;System Administrator&lt;/Responsibility&gt;&lt;Responsibility&gt;Information Assurance Officer&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target McAfee AntiVirus Locally Configured Client</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>McAfee AntiVirus Locally Configured Client</dc:subject><dc:identifier>605</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001242</ident><fixtext fixref="F-49138r1_fix">Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
On the menu bar, click Task-&gt;On-Access Scanner Properties.
Select All Processes.
 
Under the Scan Items tab, locate the "Scan files:" label. Select the "When reading from disk" option.
 
Click OK to Save.</fixtext><fix id="F-49138r1_fix" /><check system="C-49334r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_McAfee_VirusScan88_Local_Client.xml" /><check-content>Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
On the menu bar, click Task-&gt;On-Access Scanner Properties.
Select All Processes.
 
Under the Scan Items tab, locate the "Scan files:" label. Ensure the "When reading from disk" is selected.
 
Criteria: If the "When reading from disk" option is selected, this is not a finding.
 
On the client machine, use the Windows Registry Editor to navigate to the following key:
HKLM\Software\McAfee\ (32-bit)
HKLM\Software\Wow6432Node\McAfee\ (64-bit)
SystemCore\VSCore\On Access Scanner\McShield\Configuration\Default
 
Criteria: If the value bScanOutgoing is 1, this is not a finding. If the value is 0, this is a finding.</check-content></check></Rule></Group><Group id="V-14625"><title>DTAM103-McAfee VirusScan scan all files parameter</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-56430r1_rule" severity="medium" weight="10.0"><version>DTAM103</version><title>McAfee VirusScan On-Access Scanner All Processes settings must be configured to scan all files.</title><description>&lt;VulnDiscussion&gt;When scanning for malware, excluding specific file types will increase the risk of a malware-infected file going undetected. By configuring antivirus software to scan all file types, the scanner has a higher success rate at detecting and eradicating malware.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;System Administrator&lt;/Responsibility&gt;&lt;Responsibility&gt;Information Assurance Officer&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target McAfee AntiVirus Locally Configured Client</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>McAfee AntiVirus Locally Configured Client</dc:subject><dc:identifier>605</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001242</ident><fixtext fixref="F-49139r1_fix">Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
On the menu bar, click Task-&gt;On-Access Scanner Properties.
Select All Processes.
 
Under the Scan Items tab, locate the "What to scan:" label. Select the "All Files" radio button option.
 
Click OK to Save.</fixtext><fix id="F-49139r1_fix" /><check system="C-49335r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_McAfee_VirusScan88_Local_Client.xml" /><check-content>Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
On the menu bar, click Task-&gt;On-Access Scanner Properties.
Select All Processes.
 
Under the Scan Items tab, locate the "What to scan:" label. Ensure the "All Files" radio button is selected.
 
Criteria: If the "All Files" radio button is selected, this is not a finding.
 
On the client machine, use the Windows Registry Editor to navigate to the following key:
HKLM\Software\McAfee\ (32-bit)
HKLM\Software\Wow6432Node\McAfee\ (64-bit)
SystemCore\VSCore\On Access Scanner\McShield\Configuration\Default
 
Criteria: If the value LocalExtensionMode is 1 and the value of NetworkExtensionMode is 1 this is not a finding. If either of these is not 1, this is a finding.</check-content></check></Rule></Group><Group id="V-14626"><title>DTAM104-McAfee VirusScan heuristics program </title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-56431r1_rule" severity="medium" weight="10.0"><version>DTAM104</version><title>McAfee VirusScan On-Access Scanner All Processes settings must be configured to find unknown unwanted programs and trojans.</title><description>&lt;VulnDiscussion&gt;Due to the ability of malware to mutate after infection, standard antivirus signatures may not be able to catch new strains or variants of the malware. Typically, these strains and variants will share unique characteristics with others in their virus family. By using a generic signature to detect the shared characteristics, using wildcards where differences lie, the generic signature can detect viruses even if they are padded with extra, meaningless code. This method of detection is Heuristic detection.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;System Administrator&lt;/Responsibility&gt;&lt;Responsibility&gt;Information Assurance Officer&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target McAfee AntiVirus Locally Configured Client</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>McAfee AntiVirus Locally Configured Client</dc:subject><dc:identifier>605</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001242</ident><fixtext fixref="F-49140r1_fix">Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
On the menu bar, click Task-&gt;On-Access Scanner Properties.
Select All Processes.
 
Under the Scan Items tab, locate the "Heuristics:" label. Select the "Find unknown unwanted programs and trojans" option.
 
Click OK to Save.</fixtext><fix id="F-49140r1_fix" /><check system="C-49336r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_McAfee_VirusScan88_Local_Client.xml" /><check-content>Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
On the menu bar, click Task-&gt;On-Access Scanner Properties.
Select All Processes.
 
Under the Scan Items tab, locate the "Heuristics:" label. Ensure the "Find unknown unwanted programs and trojans" option is selected.
 
Criteria: If the "Find unknown unwanted programs and trojans" option is selected, this is not a finding.
 
On the client machine, use the Windows Registry Editor to navigate to the following key:
HKLM\Software\McAfee\ (32-bit)
HKLM\Software\Wow6432Node\McAfee\ (64-bit)
SystemCore\VSCore\On Access Scanner\McShield\Configuration\Default
 
Criteria: If the value dwProgramHeuristicsLevel is 1, this is not a finding. If the value is 0, this is a finding.</check-content></check></Rule></Group><Group id="V-14627"><title>DTAM105-McAfee VirusScan heuristics macro level</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-56432r1_rule" severity="medium" weight="10.0"><version>DTAM105</version><title>McAfee VirusScan On-Access Scanner All Processes settings must be configured to find unknown macro viruses.</title><description>&lt;VulnDiscussion&gt;Due to the ability of malware to mutate after infection, standard antivirus signatures may not be able to catch new strains or variants of the malware. Typically, these strains and variants will share unique characteristics with others in their virus family. By using a generic signature to detect the shared characteristics, using wildcards where differences lie, the generic signature can detect viruses even if they are padded with extra, meaningless code. This method of detection is Heuristic detection.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;System Administrator&lt;/Responsibility&gt;&lt;Responsibility&gt;Information Assurance Officer&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target McAfee AntiVirus Locally Configured Client</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>McAfee AntiVirus Locally Configured Client</dc:subject><dc:identifier>605</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001242</ident><fixtext fixref="F-49141r1_fix">Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
Under the Scan Items tab, locate the "Heuristics:" label. Select the "Find unknown macro threats" option.
 
Click OK to Save.</fixtext><fix id="F-49141r1_fix" /><check system="C-49337r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_McAfee_VirusScan88_Local_Client.xml" /><check-content>Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console
On the menu bar, click Task-&gt;On-Access Scanner Properties.
Under the Scan Items tab, locate the "Heuristics:" label. Ensure the "Find unknown macro threats" option is selected.
 
Criteria: If the "Find unknown macro threats" option is selected, this is not a finding.
 
On the client machine, use the Windows Registry Editor to navigate to the following key:
HKLM\Software\McAfee\ (32-bit)
HKLM\Software\Wow6432Node\McAfee\ (64-bit)
SystemCore\VSCore\On Access Scanner\McShield\Configuration\Default
 
Criteria: If the value dwMacroHeuristicsLevel is 1, this is not a finding. If the value is 0, this is a finding.</check-content></check></Rule></Group><Group id="V-14628"><title>DTAM106-McAfee VirusScan scan inside archive</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-56433r3_rule" severity="medium" weight="10.0"><version>DTAM106</version><title>McAfee VirusScan On-Access Scanner All Processes settings must be configured to scan inside archive files.</title><description>&lt;VulnDiscussion&gt;Malware is often packaged within an archive. In addition, archives might have other archives within. Not scanning archive files introduces the risk of infected files being introduced into the environment.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;Information Assurance Officer&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target McAfee AntiVirus Locally Configured Client</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>McAfee AntiVirus Locally Configured Client</dc:subject><dc:identifier>605</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001242</ident><fixtext fixref="F-49142r1_fix">Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
On the menu bar, click Task-&gt;On-Access Scanner Properties.
Select All Processes.
 
Under the Scan Items tab, locate the "Compressed files:" label. Select the "Scan inside archives (e.g., .ZIP)" option.
 
Click OK to Save.</fixtext><fix id="F-49142r1_fix" /><check system="C-49338r4_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_McAfee_VirusScan88_Local_Client.xml" /><check-content>NOTE: This requirement can be left not configured and marked as Not Applicable if the regularly scheduled on-demand scan, validated under V-6611, DTAM052, includes the scanning of archive files.
 
Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
On the menu bar, click Task-&gt;On-Access Scanner Properties.
Select All Processes.
 
Under the Scan Items tab, locate the "Compressed files:" label. Ensure the "Scan inside archives (e.g., .ZIP)" option is selected.
 
Criteria: If the "Scan inside archives (e.g., .ZIP)" option is selected, this is not a finding.
 
On the client machine, use the Windows Registry Editor to navigate to the following key:
HKLM\Software\McAfee\ (32-bit)
HKLM\Software\Wow6432Node\McAfee\ (64-bit)
SystemCore\VSCore\On Access Scanner\McShield\Configuration\Default
 
Criteria: If the value ScanArchives is 1, this is not a finding. If the value is 0, this is a finding.</check-content></check></Rule></Group><Group id="V-14630"><title>DTAM110-McAfee VirusScan process primary action</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-56427r1_rule" severity="medium" weight="10.0"><version>DTAM110</version><title>McAfee VirusScan On-Access Scanner All Processes settings actions, When a threat is found must be configured to clean files automatically as first action.</title><description>&lt;VulnDiscussion&gt;Malware may have infected a file that is necessary to the user. By configuring the antivirus software to first attempt cleaning the infected file, availability to the file is not sacrificed. If a cleaning attempt is not successful, however, deleting the file is the only safe option to ensure the malware is not introduced onto the system or network.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;System Administrator&lt;/Responsibility&gt;&lt;Responsibility&gt;Information Assurance Officer&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target McAfee AntiVirus Locally Configured Client</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>McAfee AntiVirus Locally Configured Client</dc:subject><dc:identifier>605</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001242</ident><fixtext fixref="F-49143r1_fix">Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
On the menu bar, click Task-&gt;On-Access Scanner Properties.
Select All Processes.
 
Under the Actions tab, locate the "When a threat is found:" label. For the "Perform this action first:" pull down menu, select "Clean files automatically".
 
Click OK to Save.</fixtext><fix id="F-49143r1_fix" /><check system="C-49339r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_McAfee_VirusScan88_Local_Client.xml" /><check-content>Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
On the menu bar, click Task-&gt;On-Access Scanner Properties.
Select All Processes.
 
Under the Actions tab, locate the "When a threat is found:" label. Ensure for the "Perform this action first:" pull down menu, "Clean files automatically" is selected.
 
Criteria: If "Clean files automatically" is selected from "Perform this action first", this is not a finding.
 
On the client machine, use the Windows Registry Editor to navigate to the following key:
HKLM\Software\McAfee\ (32-bit)
HKLM\Software\Wow6432Node\McAfee\ (64-bit)
SystemCore\VSCore\On Access Scanner\McShield\Configuration\Default
 
Criteria: If the uAction does not have a value of 5, this is a finding.</check-content></check></Rule></Group><Group id="V-14631"><title>DTAM111-McAfee VirusScan process secondary action</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-56428r1_rule" severity="medium" weight="10.0"><version>DTAM111</version><title>McAfee VirusScan On-Access Scanner All Processes settings actions, When a threat is found must be configured to delete files automatically if first action fails.</title><description>&lt;VulnDiscussion&gt;Malware may have infected a file that is necessary to the user. By configuring the antivirus software to first attempt cleaning the infected file, availability to the file is not sacrificed. If a cleaning attempt is not successful, however, deleting the file is the only safe option to ensure the malware is not introduced onto the system or network.
&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;System Administrator&lt;/Responsibility&gt;&lt;Responsibility&gt;Information Assurance Officer&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target McAfee AntiVirus Locally Configured Client</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>McAfee AntiVirus Locally Configured Client</dc:subject><dc:identifier>605</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001242</ident><fixtext fixref="F-49144r1_fix">Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
On the menu bar, click Task-&gt;On-Access Scanner Properties.
Select All Processes.
 
Under the Actions tab, locate the "When a threat is found:" label. From the "If the first action fails, then perform this action:" pull down menu, select "Delete files automatically".
 
Click OK to Save.</fixtext><fix id="F-49144r1_fix" /><check system="C-49340r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_McAfee_VirusScan88_Local_Client.xml" /><check-content>Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
On the menu bar, click Task-&gt;On-Access Scanner Properties.
Select All Processes.
 
Under the Actions tab, locate the "When a threat is found:" label. Ensure from the "If the first action fails, then perform this action:" pull down menu, "Delete files automatically" is selected.
 
Criteria: If the "Delete files automatically" is selected for "If the first action fails, then perform this action:", this is not a finding.
 
On the client machine, use the Windows Registry Editor to navigate to the following key:
HKLM\Software\McAfee\ (32-bit)
HKLM\Software\Wow6432Node\McAfee\ (64-bit)
SystemCore\VSCore\On Access Scanner\McShield\Configuration\Default
 
Criteria: If the uSecAction does not have a value of 4, this is a finding.</check-content></check></Rule></Group><Group id="V-14652"><title>DTAM039-McAfee VirusScan unwanted programs action</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-56394r2_rule" severity="medium" weight="10.0"><version>DTAM039</version><title>McAfee VirusScan On Delivery Email Scanner Properties must be configured to clean attachments as the first action for When an unwanted program is found.</title><description>&lt;VulnDiscussion&gt;Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments and not clicking on hyperlinks, etc., from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to an email-borne virus but is self-contained rather than infecting an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;System Administrator&lt;/Responsibility&gt;&lt;Responsibility&gt;Information Assurance Officer&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target McAfee AntiVirus Locally Configured Client</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>McAfee AntiVirus Locally Configured Client</dc:subject><dc:identifier>605</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001243</ident><fixtext fixref="F-49211r4_fix">Access the local VirusScan console by clicking Start &gt;&gt; All Programs &gt;&gt; McAfee &gt;&gt; VirusScan Console.
Under the Task column, select the On-Delivery Email Scanner Option, right-click, and select Properties.
 
Under the Actions tab, locate the "When an unwanted attachment is found:" label. From the "Perform this action first:" pull down menu, select "Clean attachments".
 
Click OK to Save.</fixtext><fix id="F-49211r4_fix" /><check system="C-49311r6_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_McAfee_VirusScan88_Local_Client.xml" /><check-content>Note: If an email client is not running on this system, this check can be marked as Not Applicable.
 
Access the local VirusScan console by clicking Start &gt;&gt; All Programs &gt;&gt; McAfee &gt;&gt; VirusScan Console.
Under the Task column, select the On-Delivery Email Scanner Option, right-click, and select Properties.
 
Under the Actions tab, locate the "When an unwanted attachment is found:" label. Ensure for the "Perform this action first:" pull down menu, "Clean attachments" is selected.
 
Criteria: If "Clean attachments" is selected for "Perform this action first", this is not a finding.
 
On the client machine, use the Windows Registry Editor to navigate to the following key:
HKLM\Software\McAfee\ (32-bit)
HKLM\Software\Wow6432Node\McAfee\ (64-bit)
SystemCore\VSCore\Email Scanner\Outlook\OnDelivery\ActionOptions
 
Criteria: If the value for uAction_Program is not 5, this is a finding.</check-content></check></Rule></Group><Group id="V-14654"><title>DTAM058-McAfee VirusScan check unwanted programs </title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-56416r1_rule" severity="medium" weight="10.0"><version>DTAM058</version><title>McAfee VirusScan On-Demand scan must be configured to detect for unwanted programs.</title><description>&lt;VulnDiscussion&gt;Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infections capability on their own, they rely on malware or other attach mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attach mechanisms. Configuring the antivirus software to attempt to clean the file first will allow for the possibility of a false positive. In most cases, however, the secondary action of delete will be used, mitigating the risk of the PUPs being installed and used maliciously.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;System Administrator&lt;/Responsibility&gt;&lt;Responsibility&gt;Information Assurance Officer&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target McAfee AntiVirus Locally Configured Client</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>McAfee AntiVirus Locally Configured Client</dc:subject><dc:identifier>605</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001241</ident><fixtext fixref="F-49127r1_fix">
Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
In the console window, under Task, with the assistance of the System Administrator, identify the weekly on-demand client scan task.
Right-click the Task and select Properties.
 
Under the Scan Items tab, locate the "Options:" label. Select the "Detect unwanted programs" option.
 
 
Click OK to Save.</fixtext><fix id="F-49127r1_fix" /><check system="C-49323r2_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_McAfee_VirusScan88_Local_Client.xml" /><check-content>Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
In the console window, under Task, with the assistance of the System Administrator, identify the weekly on-demand client scan task.
Right-click the Task and select Properties.
 
Under the Scan Items tab, locate the "Options:" label. Ensure the "Detect unwanted programs" option is selected.
 
Criteria: If "Detect unwanted programs" option is selected, this is not a finding.
 
On the client machine, use the Windows Registry Editor to navigate to the following key:
HKLM\Software\McAfee\ (32-bit)
HKLM\Software\Wow6432Node\McAfee\ (64-bit)
DesktopProtection\Tasks
 
Under the DesktopProtection\Tasks, and with the assistance of the System Administrator, review each GUID key's szTaskName to find the GUID key associated with weekly on-demand client scan task.
 
Criteria: If, under the applicable GUID key, the ApplyNVP has a value of 0, this is a finding.
</check-content></check></Rule></Group><Group id="V-14657"><title>DTAM130-McAfee VirusScan buffer overflow protection</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-56434r1_rule" severity="medium" weight="10.0"><version>DTAM130</version><title>McAfee VirusScan Buffer Overflow Protection Buffer Overflow Settings must be configured to enable Buffer Overflow Protection.</title><description>&lt;VulnDiscussion&gt;Buffer overflow is an anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory. This anomaly has been used maliciously, explicitly to craft exploits. Buffer overflow attacks compose greater than 25% of malware attacks. Without buffer overflow protection enabled, systems are more vulnerable to attacks that attempt to overwrite adjacent memory in the stack frame. Buffer overflow protection is only configurable on non-64-bit systems.
&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;System Administrator&lt;/Responsibility&gt;&lt;Responsibility&gt;Information Assurance Officer&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target McAfee AntiVirus Locally Configured Client</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>McAfee AntiVirus Locally Configured Client</dc:subject><dc:identifier>605</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001242</ident><fixtext fixref="F-49145r2_fix">Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
In the console window, under Task, click Task-&gt;Buffer Overflow Protection, right-click, and select Properties.
 
Under the Buffer Overflow Protection tab, locate the "Buffer Overflow settings:" label. Select the "Enable buffer overflow protection" option.
 
Click OK to Save.</fixtext><fix id="F-49145r2_fix" /><check system="C-49341r2_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_McAfee_VirusScan88_Local_Client.xml" /><check-content>NOTE: Buffer Overflow Protection is not installed on 64-bit systems; this check would be Not Applicable to 64-bit systems.
 
NOTE: On 32-bit systems, when Host Intrusion Prevention is also installed, Buffer Overflow Protection will show as "Disabled because a Host Intrusion Prevention product is installed"; this check would be Not Applicable.
 
Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
 
In the console window, under Task, click Task-&gt;Buffer Overflow Protection, right-click, and select Properties.
 
Under the Buffer Overflow Protection tab, locate the "Buffer Overflow settings:" label. Ensure the "Enable buffer overflow protection" option is selected.
 
Criteria: If the "Enable buffer overflow protection" option is selected, this is not a finding.
 
On the client machine, use the Windows Registry Editor to navigate to the following key:
HKLM\Software\McAfee\ (32-bit)
SystemCore\VSCore\On Access Scanner\BehaviourBlocking
 
Criteria: If the value BOPEnabled is 1, this is not a finding. If the value is 0, this is a finding.</check-content></check></Rule></Group><Group id="V-14658"><title>DTAM131-McAfee VirusScan buffer overflow protection</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-56435r1_rule" severity="medium" weight="10.0"><version>DTAM131</version><title>McAfee VirusScan Buffer Overflow Protection Buffer Overflow Settings must be configured for Protection mode.</title><description>&lt;VulnDiscussion&gt;Buffer overflow is an anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory. This anomaly has been used maliciously, explicitly to craft exploits. Buffer overflow attacks compose greater than 25% of malware attacks. Without buffer overflow protection enabled, systems are more vulnerable to attacks that attempt to overwrite adjacent memory in the stack frame. Protection mode will ensure buffer overflow is detected and blocked. Otherwise, only a warning message will be logged. Buffer overflow protection is only configurable on non-64-bit systems.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;System Administrator&lt;/Responsibility&gt;&lt;Responsibility&gt;Information Assurance Officer&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target McAfee AntiVirus Locally Configured Client</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>McAfee AntiVirus Locally Configured Client</dc:subject><dc:identifier>605</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001242</ident><fixtext fixref="F-49146r1_fix">Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
In the console window, under Task, click Task-&gt;Buffer Overflow Protection, right-click, and select Properties.
 
Under the Buffer Overflow Protection tab, locate the "Buffer Overflow settings:" label. Select the "Protection mode" option.
 
Click OK to Save.</fixtext><fix id="F-49146r1_fix" /><check system="C-49342r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_McAfee_VirusScan88_Local_Client.xml" /><check-content>NOTE: Buffer Overflow Protection is not installed on 64-bit systems; this check would be Not Applicable to 64-bit systems.
 
NOTE: On 32-bit systems, when Host Intrusion Prevention is also installed, Buffer Overflow Protection will show as "Disabled because a Host Intrusion Prevention product is installed"; this check would be Not Applicable.
 
Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
In the console window, under Task, click Task-&gt;Buffer Overflow Protection, right-click, and select Properties.
 
Under the Buffer Overflow Protection tab, locate the "Buffer Overflow settings:" label. Ensure the "Protection mode" option is selected.
 
Criteria: If the "Protection mode" option is selected, this is not a finding.
 
On the client machine, use the Windows Registry Editor to navigate to the following key:
HKLM\Software\McAfee\ (32-bit)
SystemCore\VSCore\On Access Scanner\BehaviourBlocking
 
Criteria: If the value BOPMode is 1, this is not a finding. If the value is 0, this is a finding.
</check-content></check></Rule></Group><Group id="V-14659"><title>DTAM132-McAfee VirusScan buffer overflow message</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-56424r1_rule" severity="medium" weight="10.0"><version>DTAM132</version><title>McAfee VirusScan Buffer Overflow Protection Buffer Overflow Settings must be configured to display a dialog box when a buffer overflow is detected.</title><description>&lt;VulnDiscussion&gt;An effective awareness program explains proper rules of behavior for use of an organization's IT systems and information. Accordingly, awareness programs should include guidance to users on malware incident prevention, which can help reduce the frequency and severity of malware incidents.
 
Organizations should also make users aware of policies and procedures that apply to malware incident handling, such as how to identify if a host may be infected, how to report a suspected incident, and what users need to do to assist with incident handling.
 
Ensuring the antivirus software alerts the users when a Buffer Overflow is detected will ensure the user is aware of the incident and be able to more closely relate the incident to action being performed by the user at the time of the detection.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;System Administrator&lt;/Responsibility&gt;&lt;Responsibility&gt;Information Assurance Officer&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target McAfee AntiVirus Locally Configured Client</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>McAfee AntiVirus Locally Configured Client</dc:subject><dc:identifier>605</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001242</ident><fixtext fixref="F-49147r1_fix">Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
In the console window, under Task, click Task-&gt;Buffer Overflow Protection, right-click, and select Properties.
 
Under the Buffer Overflow Protection tab, locate the "Buffer overflow settings" label. Select the "Show the messages dialog box when a buffer overflow is detected" option.
 
Click OK to Save.</fixtext><fix id="F-49147r1_fix" /><check system="C-49343r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_McAfee_VirusScan88_Local_Client.xml" /><check-content>NOTE: Buffer Overflow Protection is not installed on 64-bit systems; this check would be Not Applicable to 64-bit systems.
 
NOTE: On 32-bit systems, when Host Intrusion Prevention is also installed, Buffer Overflow Protection will show as "Disabled because a Host Intrusion Prevention product is installed"; this check would be Not Applicable.
 
Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
In the console window, under Task, click Task-&gt;Buffer Overflow Protection, right-click, and select Properties.
 
Under the Buffer Overflow Protection tab, locate the "Buffer overflow settings" label. Ensure the "Show the messages dialog box when a buffer overflow is detected" option is selected.
 
Criteria: If the "Show the messages dialog box when a buffer overflow is detected" option is selected, this is not a finding.
 
On the client machine, use the Windows Registry Editor to navigate to the following key:
HKLM\Software\McAfee\ (32-bit)
SystemCore\VSCore\On Access Scanner\BehaviourBlocking
 
Criteria: If the value BOPShowMessages is 1, this is not a finding. If the value is 0, this is a finding.</check-content></check></Rule></Group><Group id="V-14660"><title>DTAM133-McAfee VirusScan buffer overflow log</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-56421r1_rule" severity="medium" weight="10.0"><version>DTAM133</version><title>McAfee VirusScan Buffer Overflow Protection Reports Settings must be configured to log buffer overflow protection scan activity.</title><description>&lt;VulnDiscussion&gt;Log management is essential to ensuring computer security records are stored in sufficient detail for an appropriate period of time. Routine log analysis is beneficial for identifying security incidents, policy violations, fraudulent activity, and operational problems. Logs are also useful when performing auditing and forensic analysis, supporting internal investigations, establishing baselines, and identifying operational trends and long-term problems.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;System Administrator&lt;/Responsibility&gt;&lt;Responsibility&gt;Information Assurance Officer&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target McAfee AntiVirus Locally Configured Client</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>McAfee AntiVirus Locally Configured Client</dc:subject><dc:identifier>605</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001242</ident><fixtext fixref="F-49148r1_fix">Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
In the console window, under Task, click Task-&gt;Buffer Overflow Protection, right-click, and select Properties.
 
Under the Reports tab, locate the "Log file" label. Select the "Enable activity logging and accept the default location for the log file or specify a new location" option.
 
Click OK to Save.</fixtext><fix id="F-49148r1_fix" /><check system="C-49344r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_McAfee_VirusScan88_Local_Client.xml" /><check-content>NOTE: Buffer Overflow Protection is not installed on 64-bit systems; this check would be Not Applicable to 64-bit systems.
 
NOTE: On 32-bit systems, when Host Intrusion Prevention is also installed, Buffer Overflow Protection will show as "Disabled because a Host Intrusion Prevention product is installed"; this check would be Not Applicable.
 
Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
In the console window, under Task, click Task-&gt;Buffer Overflow Protection, right-click, and select Properties.
 
Under the Reports tab, locate the "Log file" label. Ensure the "Enable activity logging and accept the default location for the log file or specify a new location" option is selected.
 
Criteria: If the "Enable activity logging and accept the default location for the log file or specify a new location" option is selected, this is not a finding.
 
On the client machine, use the Windows Registry Editor to navigate to the following key:
HKLM\Software\McAfee\ (32-bit)
SystemCore\VSCore\On Access Scanner\BehaviourBlocking
 
Criteria: If the value bLogToFile_Ent is 1, this is not a finding. If the value is 0, this is a finding.</check-content></check></Rule></Group><Group id="V-14661"><title>DTAM134-McAfee VirusScan log size limitation</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-56418r1_rule" severity="medium" weight="10.0"><version>DTAM134</version><title>McAfee VirusScan Buffer Overflow Protection Reports Settings log file size must be restricted, but be configured to at least 10MB.</title><description>&lt;VulnDiscussion&gt;While logging is imperative to forensic analysis, logs could grow to the point of impacting disk space on the system. In order to avoid the risk of logs growing to the size of impacting the operating system, the log size will be restricted, but must also be large enough to retain forensic value.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;System Administrator&lt;/Responsibility&gt;&lt;Responsibility&gt;Information Assurance Officer&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target McAfee AntiVirus Locally Configured Client</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>McAfee AntiVirus Locally Configured Client</dc:subject><dc:identifier>605</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001242</ident><fixtext fixref="F-49149r2_fix">Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
In the console window, under Task, click Task-&gt;Buffer Overflow Protection, right-click, and select Properties.
 
Under the Reports tab, locate the "Log file" label. Select the "Limit the size of log file" option. For the "Maximum log file size:", select a value of 10MB or more.
 
Click OK to Save..</fixtext><fix id="F-49149r2_fix" /><check system="C-49345r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_McAfee_VirusScan88_Local_Client.xml" /><check-content>OTE: Buffer Overflow Protection is not installed on 64-bit systems; this check would be Not Applicable to 64-bit systems.
 
NOTE: On 32-bit systems, when Host Intrusion Prevention is also installed, Buffer Overflow Protection will show as "Disabled because a Host Intrusion Prevention product is installed"; this check would be Not Applicable.
 
Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
In the console window, under Task, click Task-&gt;Buffer Overflow Protection, right-click, and select Properties.
 
Under the Reports tab, locate the "Log File" label. Ensure the "Limit the size of log file" option is selected. Ensure the "Maximum log file size" is at least 10MB.
Criteria: If the "Limit the size of log file" option is selected and the "Maximum log file size:" is at least 10MB, this is not a finding.
 
On the client machine, use the Windows Registry Editor to navigate to the following key:
HKLM\Software\McAfee\ (32-bit)
 
SystemCore\VSCore\On Access Scanner\BehaviourBlocking
 
Criteria: If the value of bLimitSize_Ent is 1 and dwMaxLogSizeMB_Ent is configured to Decimal (10) or higher, this is not a finding. If the bLogToFile_Ent is 0 or if dwMaxLogSizeMB_Ent is less than Decimal (10), this is a finding.</check-content></check></Rule></Group><Group id="V-14662"><title>DTAM135-McAfee VirusScan detection of Spyware</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-56415r1_rule" severity="medium" weight="10.0"><version>DTAM135</version><title>McAfee VirusScan Unwanted Programs Policy must be configured to detect spyware.</title><description>&lt;VulnDiscussion&gt;Spyware is software that aids in gathering information about a person or organization without their knowledge, and that may send such information to another entity without the consumer's consent, or that asserts control over a computer without the user's knowledge. Spyware may try to deceive users by bundling itself with desirable software. A spyware infestation can create significant unwanted CPU activity, disk usage, and network traffic. Some types of spyware disable software firewalls and antivirus software. Detecting, blocking, and eradicating malicious spyware or preventing it from being installed will alleviate the negative side effects of the spyware.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;System Administrator&lt;/Responsibility&gt;&lt;Responsibility&gt;Information Assurance Officer&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target McAfee AntiVirus Locally Configured Client</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>McAfee AntiVirus Locally Configured Client</dc:subject><dc:identifier>605</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001243</ident><fixtext fixref="F-49150r1_fix">Access the local VirusScan console by clicking on Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
 
Under the Task column, find the Unwanted Programs Policy, right-click, and choose Properties.
In the Scan Items tab, select the Spyware option.
 
Click OK to save.</fixtext><fix id="F-49150r1_fix" /><check system="C-49346r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_McAfee_VirusScan88_Local_Client.xml" /><check-content>Access the local VirusScan console by clicking on Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
 
Under the Task column, find the Unwanted Programs Policy, right-click, and choose Properties.
In the Scan Items tab, ensure the Spyware option is selected.
 
If the Spyware option is not selected, this is a finding.
If the Spyware option is selected, this is not a finding.
 
On the client machine, use the Windows Registry Editor to navigate to the following key:
HKLM\Software\McAfee\ (32-bit)
HKLM\Software\Wow6432Node\McAfee\ (64-bit)
SystemCore\VSCore\NVP
 
Criteria: If the value DetectSpyware is 1, this is not a finding.
</check-content></check></Rule></Group><Group id="V-14663"><title>DTAM136 - McAfee VirusScan detection of Adware</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-56411r1_rule" severity="medium" weight="10.0"><version>DTAM136</version><title>McAfee VirusScan Unwanted Programs Policy must be configured to detect adware.</title><description>&lt;VulnDiscussion&gt;Adware, like spyware, is, at best, an annoyance by presenting unwanted advertisements to the user of a computer, sometimes in the form of a popup. At worst, it redirects the user to malicious websites. Detecting and blocking will mitigate the likelihood of users being tricked into visiting sites with malicious content.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;System Administrator&lt;/Responsibility&gt;&lt;Responsibility&gt;Information Assurance Officer&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target McAfee AntiVirus Locally Configured Client</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>McAfee AntiVirus Locally Configured Client</dc:subject><dc:identifier>605</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001243</ident><fixtext fixref="F-49151r1_fix">Access the local VirusScan console by clicking on Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
 
Under the Task column, find the Unwanted Programs Policy, right-click, and choose Properties.
In the Scan Items tab, select the Adware option.
 
 
Click OK to Save.</fixtext><fix id="F-49151r1_fix" /><check system="C-49347r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_McAfee_VirusScan88_Local_Client.xml" /><check-content>Access the local VirusScan console by clicking on Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
 
Under the Task column, find the Unwanted Programs Policy, right-click, and choose Properties.
In the Scan Items tab, ensure the Adware option is selected.
 
If the Adware option is not selected, this is a finding.
If the Adware option is selected, this is not a finding.
 
On the client machine, use the Windows Registry Editor to navigate to the following key:
HKLM\Software\McAfee\ (32-bit)
HKLM\Software\Wow6432Node\McAfee\ (64-bit)
SystemCore\VSCore\NVP
 
Criteria: If the value DetectAdware is 1, this is not a finding.</check-content></check></Rule></Group><Group id="V-19910"><title>DTAG008 - The antivirus signature file age exceeds 7 days.</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-56366r2_rule" severity="high" weight="10.0"><version>DTAG008</version><title>The antivirus signature file age must not exceed 7 days.</title><description>&lt;VulnDiscussion&gt;Antivirus signature files are updated almost daily by antivirus software vendors. These files are made available to antivirus clients as they are published. Keeping virus signature files as current as possible is vital to the security of any system.
&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;System Administrator&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target McAfee AntiVirus Locally Configured Client</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>McAfee AntiVirus Locally Configured Client</dc:subject><dc:identifier>605</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001240</ident><fixtext fixref="F-49199r1_fix">Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
 
Under the Task column, select the AutoUpdate option, right-click, and select "Start".</fixtext><fix id="F-49199r1_fix" /><check system="C-49293r5_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_McAfee_VirusScan88_Local_Client.xml" /><check-content>Access the local VirusScan console by clicking Start &gt;&gt; All Programs &gt;&gt; McAfee &gt;&gt; VirusScan Console.
 
Click Help &gt;&gt; About VirusScan Enterprise.
 
The “About” dialog box will be displayed, showing, among other information, the current DAT version installed and the date of that DAT version.
Guidance in DTAM016 requires updates be run daily, automatically or manually. If compliant, the DAT date will be within 24-48 hours old. Since automated update tasks’ success is not guaranteed, the expectation is for update task success to be frequently monitored and corrected when unsuccessful. To allow for that correction, the minimum acceptable threshold for DAT date is not to exceed 7 days.
 
If the DAT date displayed is more than “7” days old, this is a finding.
 
If the vendor or trusted site's files match the date of the signature files on the machine, this is not a finding.
</check-content></check></Rule></Group><Group id="V-35027"><title>DTAM137-McAfee VirusScan File Reputation Service</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-56405r1_rule" severity="medium" weight="10.0"><version>DTAM137</version><title>McAfee VirusScan On-Access Scanner General Settings Artemis Heuristic network check for suspicious files must be enabled and set to sensitivity level Medium or higher.</title><description>&lt;VulnDiscussion&gt;Antivirus software vendors use collective intelligence from sensors and cross-vector intelligence from web, email, and network threats to compile scores that reflect the likelihood of whether a file in question is malware. The collective intelligence is constantly being updated, more frequently than the typical daily antivirus signature files. With File Reputation lookup, a more real-time response to potential malicious code is realized than with the local-running antivirus software, since by querying the cloud-based database when a file appears to be suspicious, up-to-the-minute intelligence is provided. This type of protection reduces the threat protection time period from days to milliseconds, increases malware detection rates, and reduces downtime and remediation costs associated with malware attacks. Using File Reputation lookup is mandated by US CYBERCOM on DoD systems.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;System Administrator&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target McAfee AntiVirus Locally Configured Client</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>McAfee AntiVirus Locally Configured Client</dc:subject><dc:identifier>605</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001242</ident><fixtext fixref="F-49213r1_fix">Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
On the menu bar, click Task-&gt;On-Access Scanner Properties.
Select the General Settings.
 
Under the General tab, locate the "Artemis (Heuristic network check for suspicious files):" label. Select the "Medium" option.
 
Click OK to Save.</fixtext><fix id="F-49213r1_fix" /><check system="C-49348r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_McAfee_VirusScan88_Local_Client.xml" /><check-content>NOTE: For systems on the SIPRnet, this check is Not Applicable.
 
Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
On the menu bar, click Task-&gt;On-Access Scanner Properties.
Select the General Settings.
 
Under the General tab, locate the "Artemis (Heuristic network check for suspicious files):" label. Ensure the Sensitivity level is set to "Medium" or higher.
 
Criteria: If the Sensitivity level of "Medium", or higher, is selected, this is not a finding.
 
On the client machine, use the Windows Registry Editor to navigate to the following key:
HKLM\Software\McAfee\ (32-bit)
HKLM\Software\Wow6432Node\McAfee\ (64-bit)
SystemCore\VSCore\On Access Scanner
 
Criteria: If the value of ArtemisEnabled is REG_DWORD = 0, this is a finding.
If the value of ArtemisLevel is REG_DWORD = 0 or REG_DWORD = 1, this is a finding.
If the value of ArtemisEnabled is REG_DWORD = 1 and the ArtemisLevel is REG_DWORD = 2, 3 or 4, this is not a finding.</check-content></check></Rule></Group><Group id="V-42514"><title>DTAM162-McAfee VirusScan Email on-delivery threat second action</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-55227r2_rule" severity="medium" weight="10.0"><version>DTAM162</version><title>McAfee VirusScan On Delivery Email Scanner Properties, when a threat is found, must be configured to delete attachments if the first action fails.</title><description>&lt;VulnDiscussion&gt;Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments and not clicking on hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to an email-borne virus but is self-contained rather than infecting an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target McAfee AntiVirus Locally Configured Client</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>McAfee AntiVirus Locally Configured Client</dc:subject><dc:identifier>605</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001243</ident><fixtext fixref="F-48082r3_fix">Access the local VirusScan console by clicking Start &gt;&gt; All Programs &gt;&gt; McAfee &gt;&gt; VirusScan Console.
Under the Task column, select the On-Delivery Email Scanner Option, right-click, and select Properties.
 
Under the Actions tab, locate the "When a threat is found:" label. From the "If the first action fails, then perform this action:" pull down menu, select "Delete attachments".
 
Click OK to Save. </fixtext><fix id="F-48082r3_fix" /><check system="C-48817r4_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_McAfee_VirusScan88_Local_Client.xml" /><check-content>Note: If an email client is not running on this system, this check can be marked as Not Applicable.
 
Access the local VirusScan console by clicking Start &gt;&gt; All Programs &gt;&gt; McAfee &gt;&gt; VirusScan Console.
Under the Task column, select the On-Delivery Email Scanner Option, right-click, and select Properties.
 
Under the Actions tab, locate the "When a threat is found:" label. Ensure that from the "If the first action fails, then perform this action:" pull down menu, "Delete attachments" is selected.
 
Criteria: If "Delete attachments" is selected for "If the first action fails, then perform this action:", this is not a finding.
 
On the client machine, use the Windows Registry Editor to navigate to the following key:
HKLM\Software\McAfee\ (32-bit)
HKLM\Software\Wow6432Node\McAfee\ (64-bit)
SystemCore\VSCore\Email Scanner\Outlook\OnDelivery\ActionOptions
 
Criteria: If the value for uSecAction is not 4, this is a finding.</check-content></check></Rule></Group><Group id="V-42515"><title>DTAM163-McAfee VirusScan Email on-delivery unwanted program second action</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-55229r2_rule" severity="medium" weight="10.0"><version>DTAM163</version><title>McAfee VirusScan On Delivery Email Scanner Properties must be configured to delete attachments if the first action fails for when an unwanted attachment is found.</title><description>&lt;VulnDiscussion&gt;Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments and not clicking on hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to an email-borne virus but is self-contained rather than infecting an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target McAfee AntiVirus Locally Configured Client</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>McAfee AntiVirus Locally Configured Client</dc:subject><dc:identifier>605</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001243</ident><fixtext fixref="F-48084r8_fix">Access the local VirusScan console by clicking Start &gt;&gt; All Programs &gt;&gt; McAfee &gt;&gt; VirusScan Console.
Under the Task column, select the On-Delivery Email Scanner Option, right-click, and select Properties.
 
Under the Actions tab, locate the "When an unwanted attachment is found:" label. From the "If the first action fails, then perform this action:" pull down menu, select "Delete attachments".
 
Click OK to Save.</fixtext><fix id="F-48084r8_fix" /><check system="C-49374r4_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_McAfee_VirusScan88_Local_Client.xml" /><check-content>Note: If an email client is not running on this system, this check can be marked as Not Applicable.
 
Access the local VirusScan console by clicking Start &gt;&gt; All Programs &gt;&gt; McAfee &gt;&gt; VirusScan Console.
Under the Task column, select the On-Delivery Email Scanner Option, right-click, and select Properties.
 
Under the Actions tab, locate the "When an unwanted attachment is found:" label. Ensure that from the "If the first action fails, then perform this action:" pull down menu, "Delete attachments" is selected.
 
Criteria: If "Delete attachments" is selected for "If the first action fails, then perform this action:", this is not a finding.
 
On the client machine, use the Windows Registry Editor to navigate to the following key:
HKLM\Software\McAfee\ (32-bit)
HKLM\Software\Wow6432Node\McAfee\ (64-bit)
SystemCore\VSCore\Email Scanner\Outlook\OnDelivery\ActionOptions
 
Criteria: If the value for uSecAction_Program is not 4, this is a finding.</check-content></check></Rule></Group><Group id="V-42549"><title>DTAM138 - Access Protection McAfee services protection</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-55277r2_rule" severity="high" weight="10.0"><version>DTAM138</version><title>McAfee VirusScan Access Protection Rules must be configured to prevent McAfee services from being stopped.</title><description>&lt;VulnDiscussion&gt;When the "Prevent McAfee services from being stopped" check box is selected under Access Protection, VSE will prevent anyone except the System account from terminating McAfee services. This protects VirusScan from being disabled by malicious programs that seek to circumvent virus protection programs by terminating their services.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target McAfee AntiVirus Locally Configured Client</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>McAfee AntiVirus Locally Configured Client</dc:subject><dc:identifier>605</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001242</ident><fixtext fixref="F-48131r3_fix">Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
Under the Task column, select Access Protection, right-click, and select Properties.
 
Under the Access Protection tab, select the "Prevent McAfee services from being stopped" option.
 
Click OK to save.</fixtext><fix id="F-48131r3_fix" /><check system="C-49349r4_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_McAfee_VirusScan88_Local_Client.xml" /><check-content>Note: If the HIPS signature 3892 is enabled to provide the "Prevent termination of McAfee processes" protection, this check is not applicable.
 
Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
Under the Task column, select Access Protection, right-click, and select Properties.
 
Under the Access Protection tab, ensure the "Prevent McAfee services from being stopped" option is selected.
 
Criteria: If the "Prevent McAfee services from being stopped" option is selected, this is not a finding.
 
On the client machine, use the Windows Registry Editor to navigate to the following key:
HKLM\Software\McAfee\ (32-bit)
HKLM\Software\Wow6432Node\McAfee\ (64-bit)
SystemCore\VSCore\On Access Scanner\BehaviourBlocking
 
Criteria: If the value of PVSPTEnabled is REG_DWORD = 1, this is not a finding.</check-content></check></Rule></Group><Group id="V-42550"><title>DTAM139 - Access Protection logging of scan activity</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-55278r2_rule" severity="medium" weight="10.0"><version>DTAM139</version><title>McAfee VirusScan Access Protection Reports settings must be configured to record scanning activity in a log file.</title><description>&lt;VulnDiscussion&gt;Log management is essential to ensuring computer security records are stored in sufficient detail for an appropriate period of time. Routine log analysis is beneficial for identifying security incidents, policy violations, fraudulent activity, and operational problems. Logs are also useful when performing auditing and forensic analysis, supporting internal investigations, establishing baselines, and identifying operational trends and long-term problems.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target McAfee AntiVirus Locally Configured Client</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>McAfee AntiVirus Locally Configured Client</dc:subject><dc:identifier>605</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000130</ident><fixtext fixref="F-48132r2_fix">Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
Under the Task column, select Access Protection, right-click, and select Properties.
 
Under the Reports tab, locate the "Log file" label. Select the "Enable activity logging and accept the default location for the log file or specify a new location" option.
 
Click OK to save.</fixtext><fix id="F-48132r2_fix" /><check system="C-49350r5_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_McAfee_VirusScan88_Local_Client.xml" /><check-content>Note: If DTAM161 "McAfee VirusScan Access Protection Policies must be configured to enable access protection" has been marked as "Not Applicable", this requirement is not applicable.
 
Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
Under the Task column, select Access Protection, right-click, and select Properties.
 
Under the Reports tab, locate the "Log File" label. Ensure the "Enable activity logging and accept the default location for the log file or specify a new location" option is selected.
 
Criteria: If the "Enable activity logging and accept the default location for the log file or specify a new location" option is selected, this is not a finding.
 
On the client machine, use the Windows Registry Editor to navigate to the following key:
HKLM\Software\McAfee\ (32-bit)
HKLM\Software\Wow6432Node\McAfee\ (64-bit)
SystemCore\VSCore\On Access Scanner\BehaviourBlocking
 
Criteria: If the value of bLogToFile is REG_DWORD = 1, this is not a finding.
</check-content></check></Rule></Group><Group id="V-42551"><title>DTAM140 - Access Protection log file restriction</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-55279r2_rule" severity="medium" weight="10.0"><version>DTAM140</version><title>McAfee VirusScan Access Protection Reports log file size must be restricted and be configured to at least 10MB.</title><description>&lt;VulnDiscussion&gt;While logging is imperative to forensic analysis, logs could grow to the point of impacting disk space on the system. In order to avoid the risk of logs growing to the size of impacting the operating system, the log size will be restricted, but must also be large enough to retain forensic value.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target McAfee AntiVirus Locally Configured Client</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>McAfee AntiVirus Locally Configured Client</dc:subject><dc:identifier>605</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000140</ident><fixtext fixref="F-48133r2_fix">Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
Under the Task column, select Access Protection, right-click, and select Properties.
 
Under the Reports tab, locate the "Log File" label. Select the "Limit the size of log file" option. For the "Maximum log file size:", select a value of 10MB or more.
 
Click OK to save.</fixtext><fix id="F-48133r2_fix" /><check system="C-49351r4_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_McAfee_VirusScan88_Local_Client.xml" /><check-content>Note: If DTAM161 "McAfee VirusScan Access Protection Policies must be configured to enable access protection" has been marked as "Not Applicable", this check is not applicable.
 
Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
Under the Task column, select Access Protection, right-click, and select Properties.
 
Under the Reports tab, locate the "Log File:" label.
Ensure the "Limit the size of log file" option is selected. Ensure the "Maximum log file size" is 10MB or more.
 
Criteria: If the "Limit the size of log file" option is selected and the "Maximum log file size:" is 10MB or more, this is not a finding.
 
On the client machine, use the Windows Registry Editor to navigate to the following key:
HKLM\Software\McAfee\ (32-bit)
HKLM\Software\Wow6432Node\McAfee\ (64-bit)
SystemCore\VSCore\On Access Scanner\BehaviourBlocking
 
Criteria: If the value of bLimitSize is 1 and dwMaxLogSizeMB is configured to Decimal (10) or higher, this is not a finding.
</check-content></check></Rule></Group><Group id="V-42552"><title>DTAM141 - Access Protection prevent modification of McAfee files and settings</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-55280r2_rule" severity="medium" weight="10.0"><version>DTAM141</version><title>McAfee VirusScan Access Protection Rules Common Standard Protection must be set to prevent modification of McAfee files and settings.</title><description>&lt;VulnDiscussion&gt;Many malicious programs have attempted to disable VirusScan by stopping services and processes and leaving the system vulnerable to attack. Self-protection is an important feature of VSE that prevents malicious programs from disabling VirusScan or any of its services or processes. Many trojans and viruses will attempt to terminate or even delete security products. VSE's self-protection features protect VirusScan registry values and processes from being altered or deleted by malicious code. This rule protects the McAfee security product from modification by any process not listed in the policy's exclusion list.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target McAfee AntiVirus Locally Configured Client</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>McAfee AntiVirus Locally Configured Client</dc:subject><dc:identifier>605</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001813</ident><fixtext fixref="F-48134r3_fix">Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
Under the Task column, select Access Protection, right-click, and select Properties.
 
Under the Access Protection tab, locate the "Access protection rules:" label.
In the "Categories" box, select "Common Standard Protection".
Select "Prevent modification of McAfee files and settings" (Block and Report) options.
 
Click OK to Save.</fixtext><fix id="F-48134r3_fix" /><check system="C-49352r3_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_McAfee_VirusScan88_Local_Client.xml" /><check-content>Note: If the HIPS signature 3898 is enabled to provide this same protection, this check is not applicable.
 
Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
Under the Task column, select Access Protection, right-click, and select Properties.
 
Under the Access Protection tab, locate the "Access protection rules:" label.
In the "Categories" box, select "Common Standard Protection".
Ensure "Prevent modification of McAfee files and settings" (Block and Report) options are selected.
 
Criteria: If "Prevent modification of McAfee files and settings" (Block and Report) options are both selected, this is not a finding.</check-content></check></Rule></Group><Group id="V-42553"><title>DTAM142 - Access Protection preventing modification of McAfee CMA</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-55281r2_rule" severity="medium" weight="10.0"><version>DTAM142</version><title>McAfee VirusScan Access Protection Rules Common Standard Protection must be set to prevent modification of McAfee Common Management Agent files and settings.</title><description>&lt;VulnDiscussion&gt;Many malicious programs have attempted to disable VirusScan by stopping services and processes and leaving the system vulnerable to attack. Self-protection is an important feature of VSE that prevents malicious programs from disabling VirusScan or any of its services or processes. Many trojans and viruses will attempt to terminate or even delete security products. VSE's self-protection features protect VirusScan registry values and processes from being altered or deleted by malicious code. This rule protects the McAfee security product from modification by any process not listed in the policy's exclusion list.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target McAfee AntiVirus Locally Configured Client</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>McAfee AntiVirus Locally Configured Client</dc:subject><dc:identifier>605</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001813</ident><fixtext fixref="F-48135r3_fix">Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
Under the Task column, select Access Protection, right-click, and select Properties.
 
Under the Access Protection tab, locate the "Access protection rules:" label. In the "Categories" box, select "Common Standard Protection". Select "Prevent modification of McAfee Common Management Agent files and settings" (Block and Report) options.
 
Click OK to Save.</fixtext><fix id="F-48135r3_fix" /><check system="C-49353r3_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_McAfee_VirusScan88_Local_Client.xml" /><check-content>Note: If the HIPS signature 3899 is enabled to provide this same protection, this check is not applicable.
 
Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
Under the Task column, select Access Protection, right-click, and select Properties.
 
Under the Access Protection tab, locate the "Access protection rules:" label.
In the "Categories" box, select "Common Standard Protection".
Ensure "Prevent modification of McAfee Common Management Agent files and settings" (Block and Report) options are selected.
 
Criteria: If "Prevent modification of McAfee Common Management Agent files and settings" (Block and Report) options are both selected, this is not a finding.
</check-content></check></Rule></Group><Group id="V-42554"><title>DTAM143 - Access Protection prevent modification of McAfee scan engine</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-55282r2_rule" severity="medium" weight="10.0"><version>DTAM143</version><title>McAfee VirusScan Access Protection Rules Common Standard Protection must be set to prevent modification of McAfee Scan Engine files and settings.</title><description>&lt;VulnDiscussion&gt;Many malicious programs have attempted to disable VirusScan by stopping services and processes and leaving the system vulnerable to attack. Self-protection is an important feature of VSE that prevents malicious programs from disabling VirusScan or any of its services or processes. Many trojans and viruses will attempt to terminate or even delete security products. VSE's self-protection features protect VirusScan registry values and processes from being altered or deleted by malicious code. This rule protects the McAfee security product from modification by any process not listed in the policy's exclusion list.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target McAfee AntiVirus Locally Configured Client</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>McAfee AntiVirus Locally Configured Client</dc:subject><dc:identifier>605</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001813</ident><fixtext fixref="F-48136r2_fix">Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
Under the Task column, select Access Protection, right-click, and select Properties.
 
Under the Access Protection tab, locate the "Access protection rules:" label.
In the "Categories" box, select "Common Standard Protection".
Select "Prevent modification of McAfee Scan Engine files and settings" (Block and Report) options.
 
Click OK to save.</fixtext><fix id="F-48136r2_fix" /><check system="C-49354r3_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_McAfee_VirusScan88_Local_Client.xml" /><check-content>Note: If the HIPS signature 3900 is enabled to provide this same protection, this check is not applicable.
 
Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
Under the Task column, select Access Protection, right-click, and select Properties.
 
Under the Access Protection tab, locate the "Access protection rules:" label.
In the "Categories" box, select "Common Standard Protection".
Ensure "Prevent modification of McAfee Scan Engine files and settings" (Block and Report) options are both selected.
 
Criteria: If "Prevent modification of McAfee Scan Engine files and settings" (Block and Report) options are both selected, this is not a finding.
</check-content></check></Rule></Group><Group id="V-42555"><title>DTAM144 - Access Protection prevent termination of McAfee processes</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-55283r2_rule" severity="medium" weight="10.0"><version>DTAM144</version><title>McAfee VirusScan Access Protection Rules Common Standard Protection must be set to prevent termination of McAfee processes.</title><description>&lt;VulnDiscussion&gt;Many malicious programs have attempted to disable VirusScan by stopping services and processes and leaving the system vulnerable to attack. Self-protection is an important feature of VSE that prevents malicious programs from disabling VirusScan or any of its services or processes. Many trojans and viruses will attempt to terminate or even delete security products. VSE's self-protection features protect VirusScan registry values and processes from being altered or deleted by malicious code. This rule protects the McAfee security product from modification by any process not listed in the policy's exclusion list.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target McAfee AntiVirus Locally Configured Client</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>McAfee AntiVirus Locally Configured Client</dc:subject><dc:identifier>605</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000213</ident><fixtext fixref="F-48137r2_fix">Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
Under the Task column, select Access Protection, right-click and select Properties.
 
Under the Access Protection tab, locate the "Access protection rules:" label. In the "Categories" box, select "Common Standard Protection". Select "Prevent termination of McAfee processes" (Block and Report) options.
 
Click OK to save.</fixtext><fix id="F-48137r2_fix" /><check system="C-49355r3_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_McAfee_VirusScan88_Local_Client.xml" /><check-content>Note: If the HIPS signature 3892 is enabled to provide this same protection, this check is not applicable.
 
Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
Under the Task column, select Access Protection, right-click, and select Properties.
 
Under the Access Protection tab, locate the "Access protection rules:" label. In the "Categories" box, select "Common Standard Protection". Ensure both "Prevent termination of McAfee processes" (Block and Report) options are selected.
 
Criteria: If both "Prevent termination of McAfee processes" (Block and Report) options are selected, this is not a finding.</check-content></check></Rule></Group><Group id="V-42556"><title>DTAM145 - Access Protection detect programs run from Temp folder</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-55284r5_rule" severity="medium" weight="10.0"><version>DTAM145</version><title>McAfee VirusScan Access Protection Rules Common Standard Protection must be set to block and report when common programs are run from the Temp folder.</title><description>&lt;VulnDiscussion&gt;This rule will block any common programs from running from the Temp directory; however, this rule is much more restrictive in that it stops nearly all processes from launching in the Temp folder. Most viruses need to be run once by a person before infecting a computer. This can be done in many ways, such as opening an executable attachment in an email or downloading a program from the Internet. An executable needs to exist on the disk before Windows can run it. A common way for applications to achieve this is to save the file in the user's or system's Temp directory and then run it. One purpose of this rule is to enforce advice that is frequently given to users: "do not open attachments from email." The other purpose of this rule is to close security holes introduced by application bugs. Older versions of Outlook and Internet Explorer are notorious for automatically executing code without the user needing to do anything but preview an email or view a website.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target McAfee AntiVirus Locally Configured Client</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>McAfee AntiVirus Locally Configured Client</dc:subject><dc:identifier>605</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001243</ident><fixtext fixref="F-48138r3_fix">Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
 
Under the Task column, select Access Protection, right-click, and select Properties.
 
Under the Access Protection tab, locate the "Access protection rules:" label. In the "Categories" box, select "Common Standard Protection". Select the "Prevent common programs from running files from the temp folder" (Block and Report) option.
 
Click OK to save.
</fixtext><fix id="F-48138r3_fix" /><check system="C-49356r6_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_McAfee_VirusScan88_Local_Client.xml" /><check-content>Note: If the HIPS signatures 7010 and 7035 are enabled to provide this same protection, this check is Not Applicable.Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
 
Under the Task column, select Access Protection, right-click, and select Properties.
 
Under the Access Protection tab, locate the "Access protection rules:" label. In the "Categories" box, select "Common Standard Protection".
 
Ensure the "Prevent common programs from running files from the Temp folder" (Block and Report) option is selected.
 
Criteria: If the "Prevent common programs from running files from the Temp folder" (Block and Report) option is selected, this is not a finding.
</check-content></check></Rule></Group><Group id="V-42557"><title>DTAM146 - Access Protection prevent hooking of McAfee processes</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-55285r2_rule" severity="medium" weight="10.0"><version>DTAM146</version><title>McAfee VirusScan Access Protection Rules Common Standard Protection must be set to prevent hooking of McAfee processes.</title><description>&lt;VulnDiscussion&gt;Hooking covers a range of techniques used to alter or augment the behavior of an operating system, of applications, or of other software components by intercepting function calls or messages or events passed between software components. Code that handles such intercepted function calls, events, or messages is called a "hook". Hooking can also be used by malicious code. For example, rootkits, pieces of software that try to make themselves invisible by faking the output of API calls that would otherwise reveal their existence, often use hooking techniques. This rule prevents other processes from hooking of McAfee processes.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target McAfee AntiVirus Locally Configured Client</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>McAfee AntiVirus Locally Configured Client</dc:subject><dc:identifier>605</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001243</ident><fixtext fixref="F-48139r2_fix">Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
Under the Task column, select Access Protection, right-click, and select Properties.
 
Under the Access Protection tab, locate the "Access protection rules:" label. In the "Categories" box, select "Common Standard Protection". Select both "Prevent hooking of McAfee processes" (Block and Report) options.
 
Click OK to save.</fixtext><fix id="F-48139r2_fix" /><check system="C-49357r3_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_McAfee_VirusScan88_Local_Client.xml" /><check-content>Note: If the HIPS signature 6051 is enabled to provide this same protection, this check is not applicable.
 
Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
Under the Task column, select Access Protection, right-click, and select Properties.
 
Under the Access Protection tab, locate the "Access protection rules:" label. In the "Categories" box, select "Common Standard Protection". Ensure both "Prevent hooking of McAfee processes" (Block and Report) options are both selected.
 
Criteria: If "Prevent hooking of McAfee processes" (Block and Report) options are both selected, this is not a finding.
</check-content></check></Rule></Group><Group id="V-42558"><title>DTAM147-Access Protection detect and log launching of downloaded programs</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-55286r2_rule" severity="medium" weight="10.0"><version>DTAM147</version><title>McAfee VirusScan Access Protection Rules Common Maximum Protection must be set to detect and log the launching of files from the Downloaded Programs Files folder.</title><description>&lt;VulnDiscussion&gt;A common distribution method for adware and spyware is to have the user download an executable file and run it automatically from the Downloaded Program Files folder. This rule is specific to Microsoft Internet Explorer and prevents software installations through the web browser. Internet Explorer runs code from the Downloaded Program Files directory, notably ActiveX controls. Some vulnerabilities in Internet Explorer and viruses place an .exe file into this directory and run it. This rule closes that attack vector.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target McAfee AntiVirus Locally Configured Client</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>McAfee AntiVirus Locally Configured Client</dc:subject><dc:identifier>605</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001169</ident><fixtext fixref="F-48140r2_fix">Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
Under the Task column, select Access Protection, right-click, and select Properties.
 
Under the Access Protection tab, locate the "Access protection rules:" label. In the "Categories" box, select "Common Maximum Protection". Select the "Prevent launching of files from the Downloaded Program Files folder" (Report) option.
 
Click OK to Save.</fixtext><fix id="F-48140r2_fix" /><check system="C-49358r3_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_McAfee_VirusScan88_Local_Client.xml" /><check-content>Note: If the HIPS signature 3910 is enabled to provide this same protection, this check is not applicable.
 
Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
Under the Task column, select Access Protection, right-click, and select Properties.
 
Under the Access Protection tab, locate the "Access protection rules:" label. In the "Categories" box, select "Common Maximum Protection". Ensure the "Prevent launching of files from the Downloaded Program Files folder" (Report) option is selected.
 
Criteria: If the "Prevent launching of files from the Downloaded Program Files folder" (Report) option is selected, this is not a finding.
</check-content></check></Rule></Group><Group id="V-42559"><title>DTAM148 - Access Protection log execution of scripts from Temp folder</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-55287r6_rule" severity="medium" weight="10.0"><version>DTAM148</version><title>McAfee VirusScan Access Protection Rules Anti-Spyware Maximum Protection must be set to block and log execution of scripts from the Temp folder.</title><description>&lt;VulnDiscussion&gt;This rule prevents the Windows scripting host from running VBScript and JavaScript scripts from the Temp directory. This would protect against a large number of trojans and questionable web installation mechanisms that are used by many adware and spyware applications.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target McAfee AntiVirus Locally Configured Client</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>McAfee AntiVirus Locally Configured Client</dc:subject><dc:identifier>605</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001243</ident><fixtext fixref="F-48141r4_fix">Access the local VirusScan console by clicking Start &gt;&gt; All Programs &gt;&gt; McAfee &gt;&gt; VirusScan Console.
Under the Task column, select Access Protection, right-click, and select Properties.
 
Under the Access Protection tab, locate the "Access protection rules:" label. In the "Categories" box, select "Anti-Spyware Maximum Protection". Select the "Prevent execution of scripts from the Temp folder" (Block and Report) option.
 
Click OK to save.
</fixtext><fix id="F-48141r4_fix" /><check system="C-49359r8_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_McAfee_VirusScan88_Local_Client.xml" /><check-content>Note: If the HIPS signature 7035 is enabled to provide this same protection, this check is Not Applicable.
 
Access the local VirusScan console by clicking Start &gt;&gt; All Programs &gt;&gt; McAfee &gt;&gt; VirusScan Console.
Under the Task column, select Access Protection, right-click, and select Properties.
 
Under the Access Protection tab, locate the "Access protection rules:" label. In the "Categories" box, select "Anti-Spyware Maximum Protection". Ensure the "Prevent execution of scripts from the Temp folder" (Block and Report) option is selected.
 
Criteria: If the "Prevent execution of scripts from the Temp folder" (Block and Report) option is selected, this is not a finding.
</check-content></check></Rule></Group><Group id="V-42560"><title>DTAM149 - Access Protection prevent remote creation of autorun files</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-55288r2_rule" severity="medium" weight="10.0"><version>DTAM149</version><title>McAfee VirusScan Access Protection Rules Anti-Virus Standard Protection must be set to prevent remote creation of autorun files.</title><description>&lt;VulnDiscussion&gt;Autorun files are used to automatically launch program files, typically setup files from CDs. Preventing other computers from making a connection and creating or altering autorun.inf files can prevent spyware and adware from being executed. There are many spyware and virus programs distributed on CDs.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target McAfee AntiVirus Locally Configured Client</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>McAfee AntiVirus Locally Configured Client</dc:subject><dc:identifier>605</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001242</ident><fixtext fixref="F-48142r2_fix">Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
Under the Task column, select Access Protection, right-click, and select Properties.
 
Under the Access Protection tab, locate the "Access protection rules:" label. In the "Categories" box, select "Anti-Virus Standard Protection".
Select "Prevent remote creation of autorun files" (Block and Report) options.
 
Click OK to save.</fixtext><fix id="F-48142r2_fix" /><check system="C-49360r3_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_McAfee_VirusScan88_Local_Client.xml" /><check-content>Note: If the HIPS signature 3886 is enabled to provide this same protection, this check is Not Applicable.
 
Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
Under the Task column, select Access Protection, right-click, and select Properties.
 
Under the Access Protection tab, locate the "Access protection rules:" label.
In the "Categories" box, select "Anti-Virus Standard Protection".
Ensure "Prevent remote creation of autorun files" (Block and Report) options are both selected.
 
Criteria: If "Prevent remote creation of autorun files" (Block and Report) options are both selected, this is not a finding.</check-content></check></Rule></Group><Group id="V-42561"><title>DTAM150-Access Protection mass mailing worms</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-55289r2_rule" severity="medium" weight="10.0"><version>DTAM150</version><title>McAfee VirusScan Access Protection Rules Anti-Virus Standard Protection must be set to prevent mass mailing worms from sending mail.</title><description>&lt;VulnDiscussion&gt;Many viruses and worms find email addresses on the infected system and send themselves to these addresses. They do this by connecting directly to the email servers whose names they have harvested from the local system. This rule prevents any process from talking to a foreign email server using SMTP. By blocking this communication, a machine may become infected with a new mass-mailing virus, but that virus will be unable to spread further by email. It prevents outbound access to SMTP ports 25 and 587 on all programs except known email clients listed as an exclusion.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target McAfee AntiVirus Locally Configured Client</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>McAfee AntiVirus Locally Configured Client</dc:subject><dc:identifier>605</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001170</ident><fixtext fixref="F-48143r2_fix">Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
Under the Task column, select Access Protection, right-click, and select Properties.
 
Under the Access Protection tab, locate the "Access protection rules:" label. In the "Categories" box, select "Anti-Virus Standard Protection". Select both "Prevent mass mailing worms from sending email" (Block and Report) options.
 
Click OK to save.</fixtext><fix id="F-48143r2_fix" /><check system="C-49361r3_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_McAfee_VirusScan88_Local_Client.xml" /><check-content>NOTE: If the system being reviewed has the function of sending email via the SMTP protocol, this setting is not applicable.
 
NOTE: Since there is no HIPS signature to provide this same protection, this check is applicable even if HIPS is enabled.
 
Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
Under the Task column, select Access Protection, right-click, and select Properties.
 
Under the Access Protection tab, locate the "Access protection rules:" label. In the "Categories" box, select "Anti-Virus Standard Protection". Ensure "Prevent mass mailing worms from sending email" (Block and Report) options are both selected. Click Edit. Under the "Processes to exclude:" section, verify no processes are listed. If any processes are listed, they must be documented with, and approved by, the IAO/IAM.
 
Criteria:
If "Prevent mass mailing worms from sending email" (Block and Report) options are not both selected. This is a finding.
If "Prevent mass mailing worms from sending email" (Block and Report) options are both selected, and any listed "Processes to exclude:" are approved by the IAO/IAM, this is not a finding.
If "Prevent mass mailing worms from sending email" (Block and Report) options are both selected, but listed "Processes to exclude:" have not been approved by the IAO/IAM, this is a finding.</check-content></check></Rule></Group><Group id="V-42562"><title>DTAM151-Access Protection prevent IRC communication</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-55290r3_rule" severity="medium" weight="10.0"><version>DTAM151</version><title>McAfee VirusScan Access Protection Rules Anti-Virus Standard Protection must be set to prevent IRC communication.</title><description>&lt;VulnDiscussion&gt;Internet Relay Chat (IRC) is the preferred communication method used by botnet herders and remote-access trojans to control botnets (a set of scripts or an independent program that connects to IRC). IRC allows an attacker to control infected machines that are sitting behind network address translation (NAT), and the bot can be configured to connect back to the command and control server listening on any port.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target McAfee AntiVirus Locally Configured Client</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>McAfee AntiVirus Locally Configured Client</dc:subject><dc:identifier>605</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001170</ident><fixtext fixref="F-48144r2_fix">Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
Under the Task column, select Access Protection, right-click, and select Properties.
 
Under the Access Protection tab, locate the "Access protection rules:" label. In the "Categories" box, select "Anti-Virus Standard Protection". Select both "Prevent IRC communication" (Block and Report) options.
 
Click OK to Save.</fixtext><fix id="F-48144r2_fix" /><check system="C-49362r5_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_McAfee_VirusScan88_Local_Client.xml" /><check-content>NOTE: If IRC Communication is enabled on a Classified network, in accordance with published Ports, Protocols, and Services Management (PPSM) guidelines, this requirement is not applicable.
 
NOTE: Since there is no HIPS signature to provide this same protection, this check is applicable even if HIPS is enabled.
 
Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
Under the Task column, select Access Protection, right-click, and select Properties.
 
Under the Access Protection tab, locate the "Access protection rules:" label. In the "Categories" box, select "Anti-Virus Standard Protection". Ensure both "Prevent IRC communication" (Block and Report) options are selected.
 
Criteria: If both "Prevent IRC communication" (Block and Report) options are selected, this is not a finding.</check-content></check></Rule></Group><Group id="V-42563"><title>DTAM152--McAfee VirusScan on-access script exclusions</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-55291r2_rule" severity="medium" weight="10.0"><version>DTAM152</version><title>McAfee VirusScan On-Access Scanner General Settings must be configured to not exclude any script processes from being scanned unless the process exclusions have been documented with, and approved by, the ISSO/ISSM/DAA.</title><description>&lt;VulnDiscussion&gt;Many attackers use toolkits containing several different types of utilities and scripts that can be used to probe and attack hosts. All scripts should be scanned and none should be excluded from scanning.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target McAfee AntiVirus Locally Configured Client</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>McAfee AntiVirus Locally Configured Client</dc:subject><dc:identifier>605</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001242</ident><fixtext fixref="F-48145r3_fix">Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
On the menu bar, click Task-&gt;On-Access Scanner Properties.
Select the General Settings.
 
Under the ScriptScan tab, locate the "ScriptScan process exclusions" label. Remove any exclusions listed in the Process field.</fixtext><fix id="F-48145r3_fix" /><check system="C-49363r2_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_McAfee_VirusScan88_Local_Client.xml" /><check-content>Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
On the menu bar, click Task-&gt;On-Access Scanner Properties.
Select the General Settings.
 
Under the ScriptScan tab, locate the "ScriptScan process exclusions:" label. Ensure there are no exclusions listed in the Process field.
 
Criteria: If there are no exclusions listed in the Process field, this is a not finding.
If there are exclusions listed in the Process field, and the exclusions have been documented with, and approved by, the ISSO/ISSM/DAA, this is not a finding.
If there are exclusions listed in the Process field, and the exclusions have not been documented with, and approved by, the ISSO/ISSM/DAA, this is a finding.
 
On the client machine, use the Windows Registry Editor to navigate to the following key:
HKLM\Software\McAfee\ (32-bit)
HKLM\Software\Wow6432Node\McAfee\ (64-bit)
SystemCore\VSCore\Script Scanner
 
Criteria: If the ExcludedProcesses REG_MULTI_SZ has any entries, and the excluded processes have not been documented with, and approved by, the ISSO/ISSM/DAA, this is a finding.</check-content></check></Rule></Group><Group id="V-42564"><title>DTAM153--McAfee VirusScan on-access file exclusions</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-55292r3_rule" severity="medium" weight="10.0"><version>DTAM153</version><title>McAfee VirusScan On-Access Scanner All Processes settings must be configured to not exclude any files from being scanned unless exclusions have been documented with, but also be approved by the ISSO/ISSM/AO.</title><description>&lt;VulnDiscussion&gt;When scanning for malware, excluding specific files will increase the risk of a malware-infected file going undetected. By configuring antivirus software without any exclusions, the scanner has a higher success rate at detecting and eradicating malware.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target McAfee AntiVirus Locally Configured Client</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>McAfee AntiVirus Locally Configured Client</dc:subject><dc:identifier>605</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001242</ident><fixtext fixref="F-48146r2_fix">Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
On the menu bar, click Task-&gt;On-Access Scanner Properties.
Select All Processes.
 
Under the Exclusions tab, locate the "What not to scan:" label. Remove any exclusions listed.</fixtext><fix id="F-48146r2_fix" /><check system="C-49364r8_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_McAfee_VirusScan88_Local_Client.xml" /><check-content>Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
On the menu bar, click Task-&gt;On-Access Scanner Properties.
Select All Processes.
 
Under the Exclusions tab, locate the "What not to scan:" label. Ensure there are no exclusions listed. If exclusions are listed, verify they have been documented and approved by the ISSO/ISSM/AO.
 
Criteria: If there are no exclusions listed in the "What not to scan:" field, this is a not finding.
If there are exclusions listed in the "What not to scan:" field, and the exclusions have been documented with, and approved by, the ISSO/ISSM/AO, this is not a finding.
If there are exclusions listed in the "What not to scan:" field, and the exclusions have not been documented with, and approved by, the ISSO/ISSM/AO, this is a finding.
 
On the client machine, use the Windows Registry Editor to navigate to the following key:
HKLM\Software\McAfee\ (32-bit)
HKLM\Software\Wow6432Node\McAfee\ (64-bit)
SystemCore\VSCore\On Access Scanner\McShield\Configuration\Default
 
Criteria: If the value NumExcludeItems is 0, this is not a finding.
If NumExcludeItems is not 1 or greater, and exclusions have been not been documented with and approved by the ISSO/ISSM/AO, this is a finding.
If NumExcludeItems is 1 or greater, and exclusions have been approved by the ISSO/ISSM/AO, this is not a finding.</check-content></check></Rule></Group><Group id="V-42565"><title>DTAM154-McAfee VirusScan on-demand memory rootkits</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-55293r1_rule" severity="medium" weight="10.0"><version>DTAM154</version><title>McAfee VirusScan On-Demand scan must be configured to scan memory for rootkits.</title><description>&lt;VulnDiscussion&gt;A rootkit is a stealthy type of software, usually malicious, and is designed to mask the existence of processes or programs from normal methods of detection. Rootkits will often enable continued privileged access to a computer. Scanning and handling detection of rootkits will mitigate the likelihood of rootkits being installed and used maliciously on the system.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target McAfee AntiVirus Locally Configured Client</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>McAfee AntiVirus Locally Configured Client</dc:subject><dc:identifier>605</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001241</ident><fixtext fixref="F-48147r2_fix">Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
In the console window, under Task, with the assistance of the System Administrator, identify the weekly on-demand client scan task.
Right-click the Task and select Properties.
 
Under the Scan Locations tab, in the box under the "Specify where scanning takes place." label, select "Memory for rootkits" from the drop-down selection box.
 
 
Click OK to Save.</fixtext><fix id="F-48147r2_fix" /><check system="C-48878r2_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_McAfee_VirusScan88_Local_Client.xml" /><check-content>Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
In the console window, under Task, with the assistance of the System Administrator, identify the weekly on-demand client scan task.
Right-click the Task and select Properties.
 
Under the Scan Locations tab, in the box under the "Specify where scanning takes place." label, ensure the "Memory for rootkits" option is displayed.
 
Criteria: If "Memory for rootkits" is displayed in the in the configuration for the daily or weekly On-Demand Scan, this is not a finding.
 
On the client machine, use the Windows Registry Editor to navigate to the following key:
HKLM\Software\McAfee\ (32-bit)
HKLM\Software\Wow6432Node\McAfee\ (64-bit)
 
Under the DesktopProtection\Tasks, and with the assistance of the System Administrator, review each GUID key's szTaskName to find the GUID key associated with weekly on demand client scan task.
 
Criteria: If, under the applicable GUID key, there exists a szScanItem with a REG_SZ value of "SpecialScanForRootkits", this is not a finding. </check-content></check></Rule></Group><Group id="V-42566"><title>DTAM155--McAfee VirusScan on-demand unwanted programs first action</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-55294r1_rule" severity="medium" weight="10.0"><version>DTAM155</version><title>McAfee VirusScan On-Demand scan actions, When an unwanted program is found must be configured to clean files automatically as first action.</title><description>&lt;VulnDiscussion&gt;Malware may have infected a file that is necessary to the user. By configuring the antivirus software to first attempt cleaning the infected file, availability to the file is not sacrificed. If a cleaning attempt is not successful, however, deleting the file is the only safe option to ensure the malware is not introduced onto the system or network.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target McAfee AntiVirus Locally Configured Client</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>McAfee AntiVirus Locally Configured Client</dc:subject><dc:identifier>605</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001243</ident><fixtext fixref="F-48148r2_fix">Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
In the console window, under Task, with the assistance of the System Administrator, identify the weekly on-demand client scan task.
Right-click the Task and select Properties.
 
Under the Actions tab, locate the "When an unwanted program is found:" label. For the "Perform this action first:" pull down menu, select "Clean".
 
 
Click OK to Save. </fixtext><fix id="F-48148r2_fix" /><check system="C-49366r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_McAfee_VirusScan88_Local_Client.xml" /><check-content>Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
In the console window, under Task, with the assistance of the System Administrator, identify the weekly on-demand client scan task.
Right-click the Task and select Properties.
 
Under the Actions tab, locate the "When an unwanted program is found:" label. Ensure for the "Perform this action first:" pull down menu, "Clean" is selected.
 
Criteria: If "Clean" is selected for "Perform this action first", this is not a finding.
 
On the client machine, use the Windows Registry Editor to navigate to the following key:
HKLM\Software\McAfee\ (32-bit)
HKLM\Software\Wow6432Node\McAfee\ (64-bit)
DesktopProtection\Tasks
 
Under the DesktopProtection\Tasks, and with the assistance of the System Administrator, review each GUID key's szTaskName to find the GUID key associated with weekly on-demand client scan task.
 
Criteria: If, under the applicable GUID key, the uAction_Program does not have a value of 5, this is a finding.</check-content></check></Rule></Group><Group id="V-42567"><title>DTAM164-McAfee VirusScan Email on-delivery threat second action</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-55295r1_rule" severity="medium" weight="10.0"><version>DTAM164</version><title>McAfee VirusScan On-Demand scan actions, When an unwanted program is found must be configured to delete files automatically if first action fails.</title><description>&lt;VulnDiscussion&gt;Malware may have infected a file that is necessary to the user. By configuring the antivirus software to first attempt cleaning the infected file, availability to the file is not sacrificed. If a cleaning attempt is not successful, however, deleting the file is the only safe option to ensure the malware is not introduced onto the system or network.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target McAfee AntiVirus Locally Configured Client</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>McAfee AntiVirus Locally Configured Client</dc:subject><dc:identifier>605</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001243</ident><fixtext fixref="F-48149r3_fix">Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
In the console window, under Task, with the assistance of the System Administrator, identify the weekly on-demand client scan task.
Right-click the Task and select Properties.
 
Under the Actions tab, locate the "When an unwanted program is found:" label. From the "If the first action fails, then perform this action:" pull down menu, select "Delete".
 
Click OK to Save.</fixtext><fix id="F-48149r3_fix" /><check system="C-49375r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_McAfee_VirusScan88_Local_Client.xml" /><check-content>Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
In the console window, under Task, with the assistance of the System Administrator, identify the weekly on-demand client scan task.
Right-click the Task and select Properties.
 
Under the Actions tab, locate the "When an unwanted program is found:" label. Ensure from the "If the first action fails, then perform this action:" pull down menu, "Delete" is selected.
 
Criteria: If "Delete" is selected for "If the first action fails, then perform this action:", this is not a finding.
 
On the client machine, use the Windows Registry Editor to navigate to the following key:
HKLM\Software\McAfee\ (32-bit)
HKLM\Software\Wow6432Node\McAfee\ (64-bit)
DesktopProtection\Tasks
 
Under the DesktopProtection\Tasks, and with the assistance of the System Administrator, review each GUID key's szTaskName to find the GUID key associated with weekly on-demand client scan task.
 
Criteria: If, under the applicable GUID key, the uSecAction_Program does not have a value of 4, this is a finding.
</check-content></check></Rule></Group><Group id="V-42569"><title>DTAM157-McAfee VirusScan Email on-delivery Artemis sensitivity level</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-55297r2_rule" severity="medium" weight="10.0"><version>DTAM157</version><title>McAfee VirusScan On-Delivery Email Scanner Artemis sensitivity level must be configured to Medium or higher.</title><description>&lt;VulnDiscussion&gt;Antivirus software vendors use collective intelligence from sensors and cross-vector intelligence from web, email, and network threats to compile scores that reflect the likelihood of whether a file in question is malware. The collective intelligence is constantly being updated, more frequently than the typical daily antivirus signature files. With File Reputation lookup, a more real-time response to potential malicious code is realized than with the local-running antivirus software, since by querying the cloud-based database when a file appears to be suspicious, up-to-the-minute intelligence is provided. This type of protection reduces the threat protection time period from days to milliseconds, increases malware detection rates, and reduces downtime and remediation costs associated with malware attacks. Using File Reputation lookup is mandated by US CYBERCOM on DoD systems.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target McAfee AntiVirus Locally Configured Client</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>McAfee AntiVirus Locally Configured Client</dc:subject><dc:identifier>605</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000366</ident><fixtext fixref="F-48151r3_fix">Access the local VirusScan console by clicking Start &gt;&gt; All Programs &gt;&gt; McAfee &gt;&gt; VirusScan Console.
Under the Task column, select the On-Delivery Email Scanner Option, right-click, and select Properties.
 
Under the Scan Items tab, locate the "Artemis (Heuristic network check for suspicious files):" label. Select the "Medium" option.
 
Click OK to Save.</fixtext><fix id="F-48151r3_fix" /><check system="C-49368r3_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_McAfee_VirusScan88_Local_Client.xml" /><check-content>Note: For systems on the SIPRnet, this check is Not Applicable.
 
Note: If an email client is not running on this system, this check can be marked as Not Applicable.
 
Access the local VirusScan console by clicking Start &gt;&gt; All Programs &gt;&gt; McAfee &gt;&gt; VirusScan Console.
Under the Task column, select the On-Delivery Email Scanner Option, right-click, and select Properties.
 
Under the Scan Items tab, locate the "Artemis (Heuristic network check for suspicious files):" label. Ensure the Sensitivity level is set to "Medium" or higher.
 
Criteria: If the Sensitivity level is set to "Medium" or higher, this is not a finding.
 
On the client machine, use the Windows Registry Editor to navigate to the following key:
HKLM\Software\McAfee\ (32-bit)
HKLM\Software\Wow6432Node\McAfee\ (64-bit)
SystemCore\VSCore\Email Scanner
 
Criteria: If the value of ArtemisEnabled is REG_DWORD = 0, this is a finding.
If the value of ArtemisLevel is REG_DWORD = 0 or REG_DWORD = 1, this is a finding.
If the value of ArtemisEnabled is REG_DWORD = 1 and the ArtemisLevel is REG_DWORD = 2, 3 or 4, this is not a finding.
</check-content></check></Rule></Group><Group id="V-42570"><title>DTAM158-McAfee VirusScan Email on-delivery notification email</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-55298r2_rule" severity="medium" weight="10.0"><version>DTAM158</version><title>McAfee VirusScan On-Delivery Email Scanner must be configured to send a notification email to the IAO, IAM and/or ePO administrator when a threatening email message is detected.</title><description>&lt;VulnDiscussion&gt;Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments and not clicking on hyperlinks, etc., from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to an email-borne virus but is self-contained rather than infecting an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target McAfee AntiVirus Locally Configured Client</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>McAfee AntiVirus Locally Configured Client</dc:subject><dc:identifier>605</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001243</ident><fixtext fixref="F-48152r4_fix">Access the local VirusScan console by clicking Start &gt;&gt; All Programs &gt;&gt; McAfee &gt;&gt; VirusScan Console.
Under the Task column, select the On-Delivery Email Scanner Option, right-click, and select Properties.
 
Under the Alerts tab, locate the "Email alert:" label.
Click on Configure. Select the "Send alert to mail user:" option. Enter the email recipient information for the notification email to be sent to the ISSO, ISSM,ePO administrator, or System Administrator.
 
Click OK to Save.</fixtext><fix id="F-48152r4_fix" /><check system="C-49369r4_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_McAfee_VirusScan88_Local_Client.xml" /><check-content>Note: If an email client is not running on this system, this check can be marked as Not Applicable.
 
Access the local VirusScan console by clicking Start &gt;&gt; All Programs &gt;&gt; McAfee &gt;&gt; VirusScan Console.
Under the Task column, select the On-Delivery Email Scanner Option, right-click, and select Properties.
 
Under the Alerts tab, locate the "Email alert:" label. Ensure "Send alert to mail user:" is selected.
Click on Configure. Verify the email recipient information is configured for a notification email to be sent to the ISSO, ISSM, ePO administrator, or System Administrator.
 
Criteria: If the option "Email alert:" is selected and the email recipient information is configured for a notification email to be sent to ISSO, ISSM,ePO administrator, or System Administrator, this is not a finding.
 
On the client machine, use the Windows Registry Editor to navigate to the following key:
HKLM\Software\McAfee\ (32-bit)
HKLM\Software\Wow6432Node\McAfee\ (64-bit)
SystemCore\VSCore\Email Scanner\Outlook\OnDelivery\AlertOptions
 
Criteria: If the value bSendMailToUser is 0, this is a finding.
If the value for szSendTo is configured to any recipient other than the ISSO, ISSM,ePO Administrator, or System Administrator, this is a finding.
</check-content></check></Rule></Group><Group id="V-42571"><title>DTAM159-McAfee VirusScan Email on-delivery log session summary</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-55299r3_rule" severity="medium" weight="10.0"><version>DTAM159</version><title>McAfee VirusScan On-Delivery Email Scanner must be configured to log session summary and failure to scan encrypted files.</title><description>&lt;VulnDiscussion&gt;Log management is essential to ensuring that computer security records are stored in sufficient detail for an appropriate period of time. Routine log analysis is beneficial for identifying security incidents, policy violations, fraudulent activity, and operational problems. Logs are also useful when performing auditing and forensic analysis, supporting internal investigations, establishing baselines, and identifying operational trends and long-term problems.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target McAfee AntiVirus Locally Configured Client</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>McAfee AntiVirus Locally Configured Client</dc:subject><dc:identifier>605</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000130</ident><fixtext fixref="F-48153r4_fix">Access the local VirusScan console by clicking Start &gt;&gt; All Programs &gt;&gt; McAfee &gt;&gt; VirusScan Console.
 
Under the “Task” column, select the “On-Delivery Email Scanner” Option, right-click, and select “Properties”.
 
Under the “Reports” tab, locate the "What to log in addition to scanning activity:" label.
 
Select the "Session summary" and "Failure to scan encrypted files" options.
 
Click “OK” to save.
</fixtext><fix id="F-48153r4_fix" /><check system="C-49370r4_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_McAfee_VirusScan88_Local_Client.xml" /><check-content>Note: If an email client is not running on this system, this check can be marked as Not Applicable.
 
Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
Under the Task column, select the On-Delivery Email Scanner Option, right-click, and select Properties.
 
Under the Reports tab, locate the "What to log in addition to scanning activity" label.
Ensure the "Session summary", and "Failure to scan encrypted files", options are both selected.
 
Criteria: If the "Session summary" and "Failure to scan encrypted files" options are selected, this is not a finding.
 
On the client machine, use the Windows Registry Editor to navigate to the following key:
HKLM\Software\McAfee\ (32-bit)
HKLM\Software\Wow6432Node\McAfee\ (64-bit)
SystemCore\VSCore\Email Scanner\Outlook\OnDelivery\ReportOptions
 
Criteria: If the “dwLogEvent” value is not “0x000001a0 (416)”, this is a finding.
</check-content></check></Rule></Group><Group id="V-42572"><title>DTAM160-McAfee VirusScan on-access URL exclusions</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-55300r2_rule" severity="medium" weight="10.0"><version>DTAM160</version><title>McAfee VirusScan On-Access Scanner All Processes settings must be configured to not exclude any script URLs from being scanned unless the URL exclusions have been documented with, and approved by the ISSO/ISSM/DAA.</title><description>&lt;VulnDiscussion&gt;Many attackers use toolkits containing several different types of utilities and scripts that can be used to probe and attack hosts. All scripts should be scanned and none should be excluded from scanning.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target McAfee AntiVirus Locally Configured Client</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>McAfee AntiVirus Locally Configured Client</dc:subject><dc:identifier>605</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001242</ident><fixtext fixref="F-48154r2_fix">Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
On the menu bar, click Task-&gt;On-Access Scanner Properties.
Select the General Settings.
 
Under the ScriptScan tab, locate the "ScriptScan exclusions" label. Ensure there are no exclusions listed in the URL field.</fixtext><fix id="F-48154r2_fix" /><check system="C-49371r3_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_McAfee_VirusScan88_Local_Client.xml" /><check-content>Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
On the menu bar, click Task-&gt;On-Access Scanner Properties.
Select the General Settings.
 
Under the ScriptScan tab, locate the "ScriptScan URL exclusions:" label. Ensure there are no URL exclusions listed in the URL field.
 
Criteria: If there are no exclusions listed in the URL field, this is a not finding.
If there are exclusions listed in the URL field, and the exclusions have been documented with, and approved by, the ISSO/ISSM/DAA, this is not a finding.
If there are exclusions listed in the URL field, and the exclusions have not been documented with, and approved by, the ISSO/ISSM/DAA, this is a finding.
 
On the client machine, use the Windows Registry Editor to navigate to the following key:
HKLM\Software\McAfee\ (32-bit)
HKLM\Software\Wow6432Node\McAfee\ (64-bit)
SystemCore\VSCore\Script Scanner
 
Criteria: If the ExcludedURLs REG_MULTI_SZ has any entries, and the excluded URLs have not been documented with, and approved by, the ISSO/ISSM/DAA, this is a finding.</check-content></check></Rule></Group><Group id="V-42573"><title>DTAM161-Access Protection enablement</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-55301r3_rule" severity="medium" weight="10.0"><version>DTAM161</version><title>McAfee VirusScan Access Protection Properties must be configured to enable access protection.</title><description>&lt;VulnDiscussion&gt;Access Protection prevents unwanted changes to a computer by restricting access to specified ports, files and folders, shares, and registry keys and values. It prevents users from stopping McAfee processes and services, which are critical before and during outbreaks. Access Protection for VSE uses predefined and user-defined rules to strengthen systems against virus attacks. For instance, rules are used to specify which items can and cannot be accessed. Each rule can be configured to block and/or report access violations when they occur, and rules can also be disabled.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target McAfee AntiVirus Locally Configured Client</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>McAfee AntiVirus Locally Configured Client</dc:subject><dc:identifier>605</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001243</ident><fixtext fixref="F-48155r2_fix">Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
Under the Task column, select Access Protection, right-click, and select Properties.
 
Under the Access Protection tab, select the "Enable Access Protection" option.
 
Click OK to save.</fixtext><fix id="F-48155r2_fix" /><check system="C-49372r5_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_McAfee_VirusScan88_Local_Client.xml" /><check-content>NOTE: Access Protection must be enabled in order to afford protection identified in DTAM150 and DTAM151.
 
If HIPS signatures are enabled to provide the same protection as DTAM138, DTAM139, DTAM140, DTAM141, DTAM142, DTAM143, DTAM144, DTAM145, DTAM146, DTAM147, DTAM148 and DTAM149, those checks may be individually marked as not applicable.
 
 
Under the Access Protection tab, ensure the "Enable Access Protection" option is selected.
 
Criteria: If the "Enable Access Protection" option is not selected, this is a finding.
 
On the client machine use the Windows Registry Editor to navigate to the following key:
HKLM\Software\McAfee\ (32-bit)
HKLM\Software\Wow6432Node\McAfee\ (64-bit)
SystemCore\VSCore\On Access Scanner\BehaviourBlocking
 
Criteria: If the value APEnabled is not set to "1", this is a finding.</check-content></check></Rule></Group><Group id="V-42574"><title>DTAM165--McAfee VirusScan on-access unwanted programs</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-55302r1_rule" severity="medium" weight="10.0"><version>DTAM165</version><title>McAfee VirusScan On-Access Scanner All Processes settings must be configured to detect unwanted programs.</title><description>&lt;VulnDiscussion&gt;Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infections capability on their own, they rely on malware or other attach mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attach mechanisms. Configuring the antivirus software to attempt to clean the file first will allow for the possibility of a false positive. In most cases, however, the secondary action of delete will be used, mitigating the risk of the PUPs being installed and used maliciously.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target McAfee AntiVirus Locally Configured Client</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>McAfee AntiVirus Locally Configured Client</dc:subject><dc:identifier>605</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001242</ident><fixtext fixref="F-48156r3_fix">Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
On the menu bar, click Task-&gt;On-Access Scanner Properties.
Select All Processes.
 
Under the Scan Items tab, locate the "Unwanted programs detection:" label.
 
Place a check in the "Detect unwanted programs" checkbox.
 
Click OK.</fixtext><fix id="F-48156r3_fix" /><check system="C-49376r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_McAfee_VirusScan88_Local_Client.xml" /><check-content>Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
On the menu bar, click Task-&gt;On-Access Scanner Properties.
Select All Processes.
 
Under the Scan Items tab, locate the "Unwanted programs detection:" label. Ensure the "Detect unwanted programs" option is selected.
 
Criteria: If the "Detect unwanted programs" option is selected, this is not a finding.
 
On the client machine, use the Windows Registry Editor to navigate to the following key:
HKLM\Software\McAfee\ (32-bit)
HKLM\Software\Wow6432Node\McAfee\ (64-bit)
SystemCore\VSCore\On Access Scanner\McShield\Configuration\Default
 
Criteria: If the value ApplyNVP is 1, this is not a finding. If the value is 0, this is a finding.
</check-content></check></Rule></Group><Group id="V-42575"><title>DTAM166-McAfee VirusScan on-access unwanted program first action</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-55303r1_rule" severity="medium" weight="10.0"><version>DTAM166</version><title>McAfee VirusScan On-Access Scanner All Processes settings actions, When an unwanted program is found must be configured to clean files automatically as first action.</title><description>&lt;VulnDiscussion&gt;Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infections capability on their own, they rely on malware or other attach mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attach mechanisms. Configuring the antivirus software to attempt to clean the file first will allow for the possibility of a false positive. In most cases, however, the secondary action of delete will be used, mitigating the risk of the PUPs being installed and used maliciously.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target McAfee AntiVirus Locally Configured Client</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>McAfee AntiVirus Locally Configured Client</dc:subject><dc:identifier>605</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001242</ident><fixtext fixref="F-48157r3_fix">Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
On the menu bar, click Task-&gt;On-Access Scanner Properties.
Select All Processes.
 
Under the Actions tab, locate the "When an unwanted program is found:" label. From the "Perform this action first:" pull down menu, select "Clean files automatically".
 
Click OK to Save.</fixtext><fix id="F-48157r3_fix" /><check system="C-49377r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_McAfee_VirusScan88_Local_Client.xml" /><check-content>Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
On the menu bar, click Task-&gt;On-Access Scanner Properties.
Select All Processes.
 
Under the Actions tab, locate the "When an unwanted program is found:" label. Ensure for the "Perform this action first:" pull down menu, "Clean files automatically" is selected.
 
Criteria: If "Clean files automatically" is selected from "Perform this action first", this is not a finding.
 
On the client machine, use the Windows Registry Editor to navigate to the following key:
HKLM\Software\McAfee\ (32-bit)
HKLM\Software\Wow6432Node\McAfee\ (64-bit)
SystemCore\VSCore\On Access Scanner\McShield\Configuration\Default
 
 
Criteria: If the uAction_Program does not have a value of 5, this is a finding.</check-content></check></Rule></Group><Group id="V-42576"><title>DTAM167-McAfee VirusScan on-access unwanted program second action</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-55304r1_rule" severity="medium" weight="10.0"><version>DTAM167</version><title>McAfee VirusScan On-Access Scanner All Processes settings actions, When an unwanted program is found must be configured to delete files automatically if first action fails.</title><description>&lt;VulnDiscussion&gt;Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infections capability on their own, they rely on malware or other attach mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attach mechanisms. Configuring the antivirus software to attempt to clean the file first will allow for the possibility of a false positive. In most cases, however, the secondary action of delete will be used, mitigating the risk of the PUPs being installed and used maliciously.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target McAfee AntiVirus Locally Configured Client</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>McAfee AntiVirus Locally Configured Client</dc:subject><dc:identifier>605</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001242</ident><fixtext fixref="F-48158r2_fix">Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
On the menu bar, click Task-&gt;On-Access Scanner Properties.
Select All Processes.
 
Under the Actions tab, locate the "When an unwanted program is found:" label. From the "If the first action fails, then perform this action:" pull down menu, select "Delete files automatically".
Click OK to Save.</fixtext><fix id="F-48158r2_fix" /><check system="C-49378r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_McAfee_VirusScan88_Local_Client.xml" /><check-content>Access the local VirusScan console by clicking Start-&gt;All Programs-&gt;McAfee-&gt;VirusScan Console.
On the menu bar, click Task-&gt;On-Access Scanner Properties.
Select All Processes.
 
Under the Actions tab, locate the "When an unwanted program is found:" label. Ensure from the "If the first action fails, then perform this action:" pull down menu, "Delete files automatically" is selected.
 
Criteria: If "Delete files automatically" is selected from "If the first action fails, then perform this action:", this is not a finding.
 
On the client machine, use the Windows Registry Editor to navigate to the following key:
HKLM\Software\McAfee\ (32-bit)
HKLM\Software\Wow6432Node\McAfee\ (64-bit)
SystemCore\VSCore\On Access Scanner\McShield\Configuration\Default
 
Criteria: If the uSecAction_Program does not have a value of 4, this is a finding.
</check-content></check></Rule></Group><Group id="V-59365"><title>DTAM170--Access Protection block execution of all programs from temp folder</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-73795r3_rule" severity="medium" weight="10.0"><version>DTAM170</version><title>McAfee VirusScan Access Protection Rules Anti-spyware Maximum Protection must be set to block and report when block execution of all programs from temp folder.</title><description>&lt;VulnDiscussion&gt;This rule will block any executable from running from the Temp directory; however, this rule is much more restrictive in that it stops nearly all processes from launching in the Temp folder. This provides the most protection, but also has a higher chance of blocking a legitimate application from being installed.
Intention: Most viruses need to be run once by a person before infecting a computer. This can be done in many ways, such as opening an executable attachment in an email, downloading a program from the Internet, etc. For example, &lt;http://vil.nai.com/vil/content/v_101034.htm&gt;.
An executable needs to exist on the disk before Windows can run it. A common way for applications to achieve this is to save the file in the user’s or system’s Temp directory and then run it.
One purpose of this rule is to enforce advice that is frequently given to people: “don’t open attachments from email.” The other purpose of this rule is to close security holes introduced by application bugs. Older versions of Outlook and Internet Explorer are notorious for automatically executing code without the user needing to do anything but preview an email or view a website.
Risks: All applications that are protected by these rules offer alternatives to running executables, such as saving them somewhere else on the disk and running from there. So the downside of the rules is that users may need to learn a few extra steps before doing things they can do more quickly now.
Note: Enabling this rule may prevent some applications from functioning outright.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target McAfee AntiVirus Locally Configured Client</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>McAfee AntiVirus Locally Configured Client</dc:subject><dc:identifier>605</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001243</ident><fixtext fixref="F-64761r2_fix">Access the local VirusScan console by clicking Start &gt;&gt; All Programs &gt;&gt; McAfee &gt;&gt; VirusScan Console.
Under the Task column, select Access Protection, right-click, and select Properties.
 
Under the Access Protection tab, locate the "Access protection rules:" label. In the "Categories" box, select "Anti-Spyware Maximum Protection". Select the "Prevent all programs from running files from the Temp folder"(Block and Report) option.
 
Click OK to save.</fixtext><fix id="F-64761r2_fix" /><check system="C-60141r4_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_McAfee_VirusScan88_Local_Client.xml" /><check-content>Note: If the HIPS signatures 7010, 7011, 7020 and 7035 are enabled to provide this same protection, this check is Not Applicable.
 
Access the local VirusScan console by clicking Start &gt;&gt; All Programs &gt;&gt; McAfee &gt;&gt; VirusScan Console.
Under the Task column, select Access Protection, right-click, and select Properties.
 
Under the Access Protection tab, locate the "Access protection rules:" label. In the "Categories" box, select "Anti-Spyware Maximum Protection". Ensure the "Prevent all programs from running files from the Temp folder" (Block and Report) option is selected.
 
Criteria: If the "Prevent all programs from running files from the Temp folder" (Block and Report) option is selected, this is not a finding.</check-content></check></Rule></Group></Benchmark>