Just want to ask on how artemis really works as there are no available documents or articles that really explains the whole process.
If you can see all the articles or documents available on Mcafee site only covers the fingerprint upload process and therefore shortening the protection gap etc. etc. etc.
But no document states on how the artemis server will answer to the query.
We are aware that a PC will send a fingerprint via DNS query to the Artemis server but how do the artemis server responds to the query??
Does it send the virus definitions?? or intended action (delete, block, clean, etc) to the ePO server then the ePO Server will transmit it to the client/s OR the artemis server will send it directly to the PC or will send it via DNS to the PC.
Please advise. Thanks!
Solved! Go to Solution.
Global Threat Intelligence and your information - data sent to McAfee from a computer with GTI
How Global Threat Intelligence improves malware detection
How to verify that an endpoint can communicate with the Global Threat Intelligence server
Thanks vinoo! But what i wanted to know more about is on how the Artemis / GTI Server responds to the client (esp. those w/o internet connection). Most of the articles only explains on how the clients sends data to GTI but none of them explains how GTI responds.
Point products with Artemis lookups enabled will attempt to do cloud lookups directly via DNS protocol unless it is configured to route the DNS lookups via an internal GTI Server.
Depending on the dirtiness of the hash that was queried - a bit is set in the return response that will tell the client to take action depending on what sensitivity level in the product is set to. The mappings to take action are are:
Very high sensitivity level assumed_dirty
High sensitivity level assumed_dirty2
Medium sensitivity level assumed_dirty3
Low sensitivity level assumed_dirty4
Very low sensitivity level (VIRUS) virus
Very low sensitivity level (TROJAN) trojan
Very low sensitivity level (APPLICATION) pup
Very low sensitivity level (APPLICATION) app
For example, if the response bit corresponds to a assumed_dirty3, only if the product setting was set to Medium sensitivity level or higher will a detection occur. ePO does not come into play here as the communication is directly between client and the Artemis/GTI server.Message was edited by: Vinoo Thomas on 12/11/10 12:09:27 PM IST
This is great information vinoo! Just like to clarify one more thing:
" a bit is set in the return response that will tell the client "
- Does this means that the response will be sent by the GTI server directly to the client via DNS as well??
Hi, sorry for hijacking this old post. I am looking to find information on whether increasing the sensitivity level of Artemis in VSE will have an effect on the number of requests send to the GTI or not?
That is correct. As the sensitivity level of Artemis in VSE is turned up, it enables additional selection criteria within the dats which will result in extra files being queried.
The number of queries per day are less than 20 on average for OAS.
Thanks for the prompt reply. Is there a KB article with details on the number of requests per sensitivity level? I know this depends on the software installed on the endpoint and the usage patterns, but an average per sensitivity level will help us plan better.