V-206890

Discussion

Configuring the network element to block, drop, and/or quarantine based on local organizational incident handling procedures minimizes the impact of this code on the network. Malicious code includes, but is not limited to, viruses, worms, Trojan horses, and spyware. The code provides the ability for a malicious user to read from and write to files and folders on a computer's hard drive. Malicious code could run and attach programs, which may allow the unauthorized distribution of malicious mobile code. Sometimes it is necessary to generate a log event and then automatically drop or block the malicious code; however, for critical attacks or where forensic evidence is deemed necessary, the preferred action is for the file to be quarantined for further investigation. This requirement is limited to network elements that perform security functions, such as ALG and IPS.

Check Content

If the device being reviewed is an IDS, this is not applicable.

Verify the IPS quarantines blocks malicious code.

If the IPS does not quarantine or blocks malicious code, this is a finding.