CCI-001240

Kona Site Defender providing content filtering must update malicious code protection mechanisms and signature definitions whenever new releases are available in accordance with organizational configuration management policy and procedures.

The ALG providing content filtering must update malicious code protection mechanisms and signature definitions whenever new releases are available in accordance with organizational configuration management policy and procedures.

The CA API Gateway providing content filtering must integrate with an ICAP-enabled Intrusion Detection System that updates malicious code protection mechanisms and signature definitions whenever new releases are available in accordance with organizational configuration management policy and procedures.

The DBN-6300 must install system updates when new releases are available in accordance with organizational configuration management policy and procedures.

The IDPS must verify the integrity of updates obtained directly from the vendor.

The IDPS must install updates for application software files, signature definitions, detection heuristics, and vendor-provided rules when new releases are available in accordance with organizational configuration management policy and procedures.

The Juniper Networks SRX Series Gateway IDPS must install updates for predefined signature objects, applications signatures, IDPS policy templates, and device software when new releases are available in accordance with organizational configuration management policy and procedures.

The Mainframe Product must update malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures.

Microsoft Defender AV spyware definition age must not exceed 7 days.

Microsoft Defender AV virus definition age must not exceed 7 days.

The SMS must install updates on the TPS for application software files, signature definitions, detection heuristics, and vendor-provided rules when new releases are available in accordance with organizational configuration management policy and procedures.

The Cisco ASA must be configured to install updates for signature definitions and vendor-provided rules.

The application must update malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures.

The Palo Alto Networks security platform must update malicious code protection mechanisms and signature definitions whenever new releases are available in accordance with organizational configuration management policy and procedures.

The Palo Alto Networks security platform must install updates for application software files, signature definitions, detection heuristics, and vendor-provided rules when new releases are available in accordance with organizational configuration management policy and procedures.

The Trellix Application Control Options Advanced Threat Defense (ATD) settings, if being used, must be confined to the organizations enclave.

The Trellix Application Control Options Reputation setting must be configured to use the Trellix Global Threat Intelligence (Trellix GTI) option.

The Trellix Application Control Options Advanced Threat Defense (ATD) settings must not be enabled unless an internal ATD is maintained by the organization.

The Trellix Application Control Options Advanced Threat Defense (ATD) settings, if being used, must be configured to send all binaries with a reputation of Might be Trusted and below for analysis.

The Trellix Application Control Options Advanced Threat Defense (ATD) settings, if being used, must be configured to only send binaries with a size of 5MB or less.

The BIG-IP ASM module must be configured to update malicious code protection mechanisms and signature definitions when providing content filtering to virtual servers for whenever new releases are available in accordance with organizational configuration management policy and procedures.