DTAM145 - McAfee VirusScan Access Protection Rules Common Standard Protection must be set to block and report when common programs are run from the Temp folder.

Information

This rule will block any common programs from running from the Temp directory; however, this rule is much more restrictive in that it stops nearly all processes from launching in the Temp folder. Most viruses need to be run once by a person before infecting a computer. This can be done in many ways, such as opening an executable attachment in an email or downloading a program from the Internet. An executable needs to exist on the disk before Windows can run it. A common way for applications to achieve this is to save the file in the user's or system's Temp directory and then run it. One purpose of this rule is to enforce advice that is frequently given to users: 'do not open attachments from email.' The other purpose of this rule is to close security holes introduced by application bugs. Older versions of Outlook and Internet Explorer are notorious for automatically executing code without the user needing to do anything but preview an email or view a website.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Access the local VirusScan console by clicking Start->All Programs->McAfee->VirusScan Console.

Under the Task column, select Access Protection, right-click, and select Properties.

Under the Access Protection tab, locate the 'Access protection rules:' label. In the 'Categories' box, select 'Common Standard Protection'. Select the 'Prevent common programs from running files from the temp folder' (Block and Report) option.

Click OK to save.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_McAfee_VirusScan88_Local_Client_V6R1_STIG.zip

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-3c.2., CAT|II, CCI|CCI-001243, Rule-ID|SV-243419r722596_rule, STIG-ID|DTAM145, STIG-Legacy|SV-56391, STIG-Legacy|V-6592, Vuln-ID|V-243419

Plugin: Windows

Control ID: 74e2add555b7a2aaec6c5615e3292d195c6274df042c7cccf9799dd308b25438