darkshyre
Level 9

Artemis Process Flow

Hey guys!

Just want to ask how Artemis really works, as there are no available documents or articles that really explain the whole process.

If you look at all the articles or documents available on the McAfee site, they only cover the fingerprint upload process and therefore shortening the protection gap, etc. etc. etc.

But no document states how the Artemis server will answer the query.

We are aware that a PC will send a fingerprint via DNS query to the Artemis server, but how does the Artemis server respond to the query?

Does it send the virus definitions? Or the intended action (delete, block, clean, etc.) to the ePO server, and then the ePO server transmits it to the client(s)? Or does the Artemis server send it directly to the PC, or send it via DNS to the PC?

Please advise. Thanks!

10 Replies
vinoo
Level 13

Re: Artemis Process Flow

Global Threat Intelligence and your information - data sent to McAfee from a computer with GTI
https://kc.mcafee.com/corporate/index?page=content&id=KB60224

How Global Threat Intelligence improves malware detection
https://kc.mcafee.com/corporate/index?page=content&id=KB53735

How to verify that an endpoint can communicate with the Global Threat Intelligence server
https://kc.mcafee.com/corporate/index?page=content&id=KB53734

Message was edited by: Vinoo Thomas on 11/11/10 11:52:47 PM IST
darkshyre
Level 9

Re: Artemis Process Flow

Thanks vinoo! But what I wanted to know more about is how the Artemis / GTI server responds to the client (esp. those w/o internet connection). Most of the articles only explain how the clients send data to GTI, but none of them explains how GTI responds.

vinoo
Level 13

Re: Artemis Process Flow

Point products with Artemis lookups enabled will attempt to do cloud lookups directly via the DNS protocol unless they are configured to route the DNS lookups via an internal GTI server.

Depending on the dirtiness of the hash that was queried, a bit is set in the return response that will tell the client to take action depending on what sensitivity level the product is set to. The mappings to take action are:

Sensitivity level                         Response flag
Very high sensitivity level               assumed_dirty
High sensitivity level                    assumed_dirty2
Medium sensitivity level                  assumed_dirty3
Low sensitivity level                     assumed_dirty4
Very low sensitivity level (VIRUS)        virus
Very low sensitivity level (TROJAN)       trojan
Very low sensitivity level (APPLICATION)  pup
Very low sensitivity level (APPLICATION)  app

For example, if the response bit corresponds to assumed_dirty3, a detection will occur only if the product setting was set to Medium sensitivity level or higher. ePO does not come into play here, as the communication is directly between the client and the Artemis/GTI server.

Message was edited by: Vinoo Thomas on 12/11/10 12:09:27 PM IST
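As an added illustration (not part of vinoo's reply and not McAfee code), the following Python models the client-side decision described in that reply: the flag names and the sensitivity ordering come from the mapping in the post, while the bit positions, the bitmask layout and the function names are assumptions, since the real response encoding is not documented here. It reproduces the assumed_dirty3 example and also covers the cases the post implies but does not spell out: a clean (zero) response, several flags set at once, and an unrecognised bit that the client ignores rather than treats as a verdict.

```python
"""Client-side evaluation of a GTI/Artemis response against the product's
sensitivity level.  Added illustration only: flag names and sensitivity
ordering are taken from the forum post; the bit positions are a hypothetical
encoding, since the real wire format is not given there."""
from enum import IntEnum
from typing import Dict, FrozenSet, Iterable, Optional, Tuple


class Sensitivity(IntEnum):
    """Product sensitivity levels, ordered so that 'higher' compares greater."""
    VERY_LOW = 1
    LOW = 2
    MEDIUM = 3
    HIGH = 4
    VERY_HIGH = 5


# Lowest sensitivity at which each response flag produces a detection
# (the mapping from the post; 'pup' and 'app' are both Very low / APPLICATION).
FLAG_THRESHOLD: Dict[str, Sensitivity] = {
    "assumed_dirty": Sensitivity.VERY_HIGH,
    "assumed_dirty2": Sensitivity.HIGH,
    "assumed_dirty3": Sensitivity.MEDIUM,
    "assumed_dirty4": Sensitivity.LOW,
    "virus": Sensitivity.VERY_LOW,
    "trojan": Sensitivity.VERY_LOW,
    "pup": Sensitivity.VERY_LOW,
    "app": Sensitivity.VERY_LOW,
}

# Hypothetical bit assignment for the response: one bit per flag, in table order.
FLAG_BIT: Dict[str, int] = {name: 1 << i for i, name in enumerate(FLAG_THRESHOLD)}


def encode_response(flags: Iterable[str]) -> int:
    """Build a response bitmask from flag names (0 means 'nothing known')."""
    mask = 0
    for flag in flags:
        if flag not in FLAG_BIT:
            raise ValueError(f"unknown response flag: {flag}")
        mask |= FLAG_BIT[flag]
    return mask


def decode_response(mask: int) -> FrozenSet[str]:
    """Return the named flags set in the mask.  Bits this client does not know
    (a newer server could add some) are ignored rather than treated as a
    verdict, so an unrecognised bit never turns into a detection by accident."""
    return frozenset(name for name, bit in FLAG_BIT.items() if mask & bit)


def should_detect(mask: int, level: Sensitivity) -> Tuple[bool, Optional[str]]:
    """Decide whether a client configured at `level` acts on this response.

    A flag triggers when the configured level is at or above the flag's
    threshold.  If several flags trigger, report the one with the lowest
    threshold (the server's most confident verdict); ties break on name so
    the result is deterministic.
    """
    triggered = [f for f in decode_response(mask) if level >= FLAG_THRESHOLD[f]]
    if not triggered:
        return False, None
    best = min(triggered, key=lambda f: (FLAG_THRESHOLD[f], f))
    return True, best


def detection_matrix(mask: int) -> Dict[str, bool]:
    """For one response, show which sensitivity settings would detect.
    Reproduces the post's example: assumed_dirty3 detects at Medium and above."""
    return {lvl.name: should_detect(mask, lvl)[0] for lvl in Sensitivity}


if __name__ == "__main__":
    response = encode_response(["assumed_dirty3"])
    for level_name, hit in detection_matrix(response).items():
        print(f"{level_name:10s} -> {'detect' if hit else 'no action'}")
```

Running the block prints the matrix for an assumed_dirty3 response: no action at Very low and Low, a detection at Medium, High and Very high, which is exactly the behaviour the reply describes.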
darkshyre
Level 9

Re: Artemis Process Flow

This is great information vinoo! I'd just like to clarify one more thing:

"a bit is set in the return response that will tell the client"

- Does this mean that the response will be sent by the GTI server directly to the client via DNS as well?

vinoo
Level 13

Re: Artemis Process Flow

That is correct - you could run Wireshark on the client in the background to watch this communication.

darkshyre
Level 9

Re: Artemis Process Flow

Thank you very much Vinoo!! You're a lifesaver!

pssara
Level 7

Re: Artemis Process Flow

Hi, sorry for hijacking this old post. I am looking to find information on whether increasing the sensitivity level of Artemis in VSE will have an effect on the number of requests sent to GTI or not.

vinoo
Level 13

Re: Artemis Process Flow

That is correct. As the sensitivity level of Artemis in VSE is turned up, it enables additional selection criteria within the DATs, which will result in extra files being queried.

The number of queries per day is less than 20 on average for OAS.

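As an added example for sizing the request volume discussed in the reply above (not part of the thread and not McAfee tooling), this Python counts GTI lookups per endpoint per day from resolver query logs, the same traffic one would otherwise watch in Wireshark on a single client. The log format and the lookup domain are constructed placeholders; the real lookup domain is given in the KB article on verifying GTI connectivity linked earlier in the thread. The result is compared with the "under 20 per day for OAS" figure from the reply, and client-days far above that baseline are flagged, since those are what to look at before raising the sensitivity level fleet-wide.

```python
"""Count GTI/Artemis DNS lookups per endpoint per day from resolver logs.
Added illustration, not McAfee tooling.  The log format and the lookup domain
are constructed placeholders; the real lookup domain is documented in the
KB article on verifying GTI connectivity linked earlier in this thread."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, Iterable, List, Optional, Tuple

# Placeholder lookup domain (assumption, not the real service name).
GTI_LOOKUP_DOMAIN = "gti-lookup.example.invalid"

# Constructed resolver log lines, not a real capture.  They deliberately mix
# case, omit a trailing dot, include a look-alike domain and a garbage line.
SAMPLE_LOG = """\
2010-11-12T08:01:10Z client=10.0.0.5 qname=0a1b2c3d.gti-lookup.example.invalid.
2010-11-12T08:02:44Z client=10.0.0.5 qname=www.example.com.
2010-11-12T08:03:01Z client=10.0.0.5 qname=4e5f6a7b.gti-lookup.example.invalid.
2010-11-12T08:03:02Z client=10.0.0.7 qname=deadbeef.GTI-LOOKUP.example.invalid
2010-11-12T08:04:00Z client=10.0.0.7 qname=notgti-lookup.example.invalid.
2010-11-13T09:00:00Z client=10.0.0.5 qname=11223344.gti-lookup.example.invalid.
this line is not a query record and must be skipped
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) client=(?P<client>\S+) qname=(?P<qname>\S+)$")


def is_lookup_for(qname: str, domain: str = GTI_LOOKUP_DOMAIN) -> bool:
    """True if qname is the lookup domain or a label under it.
    Label-wise suffix match, so 'notgti-lookup.example.invalid' does not count."""
    q = qname.rstrip(".").lower()
    d = domain.rstrip(".").lower()
    return q == d or q.endswith("." + d)


def parse_line(line: str) -> Optional[Tuple[datetime, str, str]]:
    """Parse one record into (timestamp, client, qname); None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    return ts, m["client"], m["qname"]


def lookups_per_client_day(lines: Iterable[str],
                           domain: str = GTI_LOOKUP_DOMAIN) -> Dict[Tuple[str, str], int]:
    """Map (client, YYYY-MM-DD) -> number of GTI lookups seen from that client."""
    counts: Dict[Tuple[str, str], int] = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, client, qname = parsed
        if is_lookup_for(qname, domain):
            counts[(client, ts.strftime("%Y-%m-%d"))] += 1
    return dict(counts)


def daily_average(counts: Dict[Tuple[str, str], int]) -> float:
    """Average lookups per client-day, the figure to compare with the
    'under 20 per day for OAS' estimate from the reply."""
    return sum(counts.values()) / len(counts) if counts else 0.0


def noisy_client_days(counts: Dict[Tuple[str, str], int],
                      baseline: int = 20, factor: int = 5) -> List[Tuple[str, str, int]]:
    """Client-days well above the on-access baseline.  A burst usually means an
    on-demand scan or a large install touched many unseen files; these are the
    numbers to check before raising the sensitivity level for the whole fleet."""
    return sorted((c, d, n) for (c, d), n in counts.items() if n > baseline * factor)


if __name__ == "__main__":
    per_day = lookups_per_client_day(SAMPLE_LOG.splitlines())
    for (client, day), n in sorted(per_day.items()):
        print(f"{day} {client:12s} {n} lookups")
    print(f"average per client-day: {daily_average(per_day):.2f}")
    print(f"noisy client-days: {noisy_client_days(per_day)}")
```

On the constructed sample the block reports two lookups for 10.0.0.5 and one for 10.0.0.7 on the first day, one for 10.0.0.5 on the second day, and no noisy client-days; the look-alike domain and the malformed line are ignored. Point it at real resolver logs (with the real lookup domain) to get a per-level baseline of the kind asked about in the thread.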
pssara
Level 7

Re: Artemis Process Flow

Thanks for the prompt reply. Is there a KB article with details on the number of requests per sensitivity level? I know this depends on the software installed on the endpoint and the usage patterns, but an average per sensitivity level will help us plan better.
