Mal09, Champion, 428 posts since Feb 18, 2009

Dec 9, 2009 11:27 AM
Artemis detection question

I sometimes see false Artemis detections in installer files, but when I extract the files out of the installer package, often the detection does not occur on the extracted files.

Today, I saw something that I can't understand. I'll use the example of a file in an installer [CAB file] called "file.exe".

The file is called file.exe, but it is stored in the installer as file.e.

If I extract file.e and scan using Artemis, the file is detected as an Artemis detection.

If I rename the file to file.D and scan using Artemis, the file is detected as an Artemis detection.

If I rename the file to file.zip and scan using Artemis, the file is detected as an Artemis detection.

If I rename the file to file.exe and scan using Artemis, the file is no longer detected as an Artemis detection.

If I rename the file to file.scr and scan using Artemis, the file is no longer detected as an Artemis detection.

Looking at the DNS history, I don't believe an Artemis database lookup is done against either file.exe or file.scr.

So Artemis seems to be recognising that it is a renamed executable and sending the request to McAfee Avert Labs only when the file isn't executable.

Should this be the way Artemis works?

  • McAfee SME, 212 posts since Nov 3, 2009
    2. Dec 14, 2009 2:53 PM (in response to Mal09)
    Re: Artemis detection question

    Hi

    McAfee Artemis Technology is the first always-on, real-time protection that secures enterprises and consumers from threats as they strike. It dramatically shortens the time to detection and resolution, keeping your systems safe and your business up and running.

    Want to find out more?

    Click here to watch a Video

    Click here to watch a Demo

    Click here to read about Artemis

    For further analysis, it is best in this case to submit the file in question to <http://www.webimmune.net>

    Regards

    Neha

  • joeleisenlipz, Champion, 194 posts since Oct 18, 2010
    3. Nov 8, 2011 10:34 AM (in response to Mal09)
    Re: Artemis detection question


    My understanding is that there is a heuristics process that looks at abstract qualities of the file. The combination of how suspicious the file looks and what sensitivity level is configured determines whether or not an Artemis query happens.

    My hunch (based on your FILE.E example) is that seeing a file that is not named as an executable when it in fact is would raise the suspicion for the file to a point where it sends a request. However, when extracted and properly renamed, it is no longer that suspicious.

    Just my two cents.

    --Joel
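The behaviour the original poster observed and Joel's explanation of it can be modelled with a small script. This is an added illustration, not McAfee's code or a description of how Artemis is actually implemented: it detects a PE image by its DOS and PE headers regardless of file name, treats "executable content under a non-executable extension" as a suspicion signal, and only "sends" a reputation query when the score reaches a threshold set by an assumed sensitivity level. The extension list, the scores, the thresholds, and the use of a SHA-256 content hash as the query key are all assumptions made for this example; the PE sample is constructed inline and is not a runnable program.

```python
import hashlib
import os
import struct

# Extensions Windows will run directly. Assumed list for this example only.
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".scr", ".sys", ".com", ".cpl", ".ocx"}

# Assumed sensitivity thresholds (not McAfee's values): a query is sent when
# the suspicion score reaches the threshold for the configured level.
SENSITIVITY_THRESHOLD = {"low": 3, "medium": 2, "high": 1}


def is_pe_image(data: bytes) -> bool:
    """True if data carries a DOS 'MZ' stub whose e_lfanew points at 'PE\\0\\0'.

    The check is purely content based, so renaming the file cannot hide it.
    Truncated buffers (header shorter than 0x40 bytes, or e_lfanew past the
    end of the data) are treated as 'not a PE' rather than raising.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def content_hash(data: bytes) -> str:
    """Assumed query key: a hash of the bytes, independent of the file name."""
    return hashlib.sha256(data).hexdigest()


def suspicion_score(filename: str, data: bytes) -> int:
    """Toy heuristic: executable content is mildly interesting on its own,
    and strongly suspicious when it is not named as an executable."""
    score = 0
    if is_pe_image(data):
        score += 1
        ext = os.path.splitext(filename)[1].lower()
        if ext not in EXECUTABLE_EXTENSIONS:
            score += 2  # PE image disguised under a non-executable extension
    return score


def should_query_reputation(filename: str, data: bytes, sensitivity: str) -> bool:
    """Decide whether a reputation lookup would be sent for this file."""
    return suspicion_score(filename, data) >= SENSITIVITY_THRESHOLD[sensitivity]


def rename_walk(data: bytes, names: list, sensitivity: str = "medium") -> dict:
    """Replay the original poster's experiment: same bytes, different names.
    Returns {name: query_sent}."""
    return {name: should_query_reputation(name, data, sensitivity) for name in names}


def build_minimal_pe() -> bytes:
    """Constructed sample: 0x80 zero bytes with an 'MZ' stub and a 'PE\\0\\0'
    signature at 0x40. Enough to satisfy the header check; not executable."""
    buf = bytearray(0x80)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)
    buf[0x40:0x44] = b"PE\0\0"
    return bytes(buf)


if __name__ == "__main__":
    sample = build_minimal_pe()
    names = ["file.e", "file.D", "file.zip", "file.exe", "file.scr"]
    print("content hash (same for every name):", content_hash(sample))
    for level in ("low", "medium", "high"):
        print(level, rename_walk(sample, names, level))
```

Run with the default "medium" level, the disguised names (file.e, file.D, file.zip) score 3 and trigger a query while file.exe and file.scr score 1 and do not, which is the pattern in the original post; raising the level to "high" makes even the properly named file query, and a plain text file never does. The hash line makes the other practical point: the key that would be looked up does not change when the file is renamed, so a different result after a rename is a difference in whether the query is sent, not in what is being queried.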
