Documentation Center
AlienVault® USM Appliance™

PCI DSS 3.2 Requirement 5: Protect All Systems Against Malware and Regularly Update Anti-Virus Software or Programs

Applies to Product: USM Appliance™ AlienVault OSSIM®

Testing Procedure

How USM Appliance Delivers

USM Appliance Instructions

USM Appliance Documentation

5.1 For a sample of system components including all operating system types commonly affected by malicious software, verify that anti-virus software is deployed if applicable anti-virus technology exists.

USM Appliance detects the presence of running processes such as anti-virus software.

Enable the plugin for your anti-virus software, and enable forwarding of the syslog events from the anti-virus manager.

Enable Plugins

Run the anti-virus Raw Logs report to verify the anti-virus software is running.

How to Run Reports

5.2.b Examine anti-virus configurations, including the master installation of the software to verify anti-virus mechanisms are
• Configured to perform automatic updates, and
• Configured to perform periodic scans.

The Vulnerability Scan in USM Appliance can test configurations to make sure that antivirus settings are enabled to perform automatic updates and periodic scans.

Create a custom scan profile, and in the "Autoenable plugins option", select the "Autoenable by family" option.  Then enable the following checks in the scanning profile for the target host:

  • Family: Windows

Creating a Custom Scan Profile

Run a Vulnerability Scan using the custom scan profile that was created.

Performing Vulnerability Scans

Export successful scan results and identify findings to determine if system is configured correctly.

Viewing the Scan Results

View the anti-virus logs in SIEM Events.

Security Events View

5.2.c Examine a sample of system components, including all operating system types commonly affected by malicious software, to verify that
• The anti-virus software and definitions are current.
• Periodic scans are performed.

The Vulnerability Scan in USM Appliance can test configuration to make sure that antivirus settings are enabled to perform automatic updates and periodic scans.

Create a custom scan profile, and in the "Autoenable plugins option", select the "Autoenable by family" option.  Then enable the following checks in the scanning profile for the target host:

  • Family: Windows

Creating a Custom Scan Profile

Run a Vulnerability Scan using the custom scan profile that was created.

Creating Vulnerability Scan Jobs

Export successful scan results and identify findings to determine if system is configured correctly.

Viewing the Scan Results

View the anti-virus logs in SIEM Events.

Security Events View

5.2.d Examine anti-virus configurations, including the master installation of the software and a sample of system components, to verify that
• Anti-virus software log generation is enabled, and
• Logs are retained in accordance with PCI DSS Requirement 10.7.

USM Appliance detects the presence of running processes such as anti-virus software.

USM Appliance also collects and retains logs sent using AlienVault HIDS, in accordance with requirement 5.2.d

Run the anti-virus “Raw Logs” report to verify the anti-virus software is running and generating logs.

 

How to Run Reports

 

View the anti-virus logs in SIEM Events.

Security Events View

5.3.a Examine anti-virus configurations, including the master installation of the software and a sample of system components, to verify the anti-virus software is actively running.

USM Appliance detects the presence of running processes such as anti-virus software.

Run the existing “Antivirus Disabled” PCI report to verify anti-virus software is actively running.

How to Run Reports

5.3.b Examine anti-virus configurations, including the master installation of the software and a sample of system components, to verify that the anti-virus software cannot be disabled or altered by users.

USM Appliance detects the presence of running processes such as anti-virus software.

Run the existing “Antivirus Disabled” PCI report to verify anti-virus software has not been disabled by users.

How to Run Reports