SV-55235r1_rule
V-14657
DTAM130-McAfee VirusScan buffer overflow protection
DTAM130
CAT II
10
From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the Buffer Overflow Protection Policies. Under the Buffer Overflow Protection tab, locate the "Buffer Overflow settings:" label. Select the "Enable buffer overflow protection" option. Select Save.
NOTE: Buffer Overflow Protection is not installed on 64-bit systems; this check would be Not Applicable to 64-bit systems.
NOTE: On 32-bit systems, when Host Intrusion Prevention is also installed, Buffer Overflow Protection will show as "Disabled because a Host Intrusion Prevention product is installed"; this check would be Not Applicable.
From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the Buffer Overflow Protection Policies. Under the Buffer Overflow Protection tab, locate the "Buffer Overflow settings:" label. Ensure the "Enable buffer overflow protection" option is selected.
Criteria: If the "Enable buffer overflow protection" option is selected, this is not a finding.
On the client machine, use the Windows Registry Editor to navigate to the following key:
HKLM\Software\McAfee\ (32-bit)
SystemCore\VSCore\On Access Scanner\BehaviourBlocking
Criteria: If the value BOPEnabled is 1, this is not a finding. If the value is 0, this is a finding.
V-14657
False
DTAM130
NOTE: Buffer Overflow Protection is not installed on 64-bit systems; this check would be Not Applicable to 64-bit systems.
NOTE: On 32-bit systems, when Host Intrusion Prevention is also installed, Buffer Overflow Protection will show as "Disabled because a Host Intrusion Prevention product is installed"; this check would be Not Applicable.
From the ePO server console System Tree, select the Systems tab, select the asset to be checked, select Actions, select Agent, and select Modify Policies on a Single System. From the product pull down list, select VirusScan Enterprise 8.8.0. Select from the Policy column the policy associated with the Buffer Overflow Protection Policies. Under the Buffer Overflow Protection tab, locate the "Buffer Overflow settings:" label. Ensure the "Enable buffer overflow protection" option is selected.
Criteria: If the "Enable buffer overflow protection" option is selected, this is not a finding.
On the client machine, use the Windows Registry Editor to navigate to the following key:
HKLM\Software\McAfee\ (32-bit)
SystemCore\VSCore\On Access Scanner\BehaviourBlocking
Criteria: If the value BOPEnabled is 1, this is not a finding. If the value is 0, this is a finding.
M
Information Assurance Officer
2266