I sometimes see false Artemis detections in installer files, but when I extract the files out of the installer package often the detection does not occur on the extracted files.
Today, I saw something that I can't understand. I'll use the example of a file in an installer [CAB file] called "file.exe".
The file is called file.exe, but it is stored in the installer as file.e.
If I extract file.e and scan using Artemis, the file is detected as an Artemis detection.
If I rename the file to file.D and scan using Artemis, the file is detected as an Artemis detection.
If I rename the file to file.zip and scan using Artemis, the file is detected as an Artemis detection.
If I rename the file to file.exe and scan using Artemis, the file is no longer detected as an Artemis detection.
If I rename the file to file.scr and scan using Artemis, the file is no longer detected as an Artemis detection.
Looking at the DNS history, I don't believe an Artemis database lookup is done against either file.exe or file.scr.
So Artemis seems to be recognising that it is a renamed executable and sending the request to McAfee Avert Labs only when the file isn't named as an executable.
Should this be the way Artemis works?
And a bonus question:
How can a file remain in the Artemis detection list and not make it into the production DATs? All Artemis detections should be rolled up into the DATs on a daily basis, shouldn't they?
For example, a file that was Artemis-detected on a machine months ago continually triggers the Artemis detection and doesn't appear to ever make it into the DATs.
For further analysis, it is best in this case to submit the file in question to <http://www.webimmune.net>.
My understanding is that there is a heuristics process that looks at abstract qualities of the file. The combination of how suspicious the file looks and what sensitivity level is configured determines whether or not an Artemis query happens.
My hunch (based on your FILE.E example) is that seeing a file that is not named as an executable when it in fact is one would raise the suspicion for the file to a point where it sends a request. However, when extracted and properly renamed, it is no longer that suspicious.
Just my two cents.
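To make the "renamed executable" hypothesis from the reply above concrete, here is an added illustration (my own code, not McAfee's Artemis logic, which is not public). It assumes one heuristic signal, a PE image stored under a non-executable extension, plus a second signal for an extension whose claimed container magic (e.g. `PK` for .zip) is missing, and assumed sensitivity thresholds of low=3, medium=2, high=1. The sample PE stub is constructed inline; it is just an MZ header pointing at a `PE\0\0` signature, not a real program.

```python
import struct

# Extensions under which a PE image is expected to appear on disk (assumed list).
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".scr", ".sys", ".cpl", ".ocx", ".drv"}

# Magic bytes that some non-executable extensions claim (assumed, small subset).
CONTAINER_MAGIC = {
    ".zip": b"PK\x03\x04",
    ".pdf": b"%PDF",
    ".png": b"\x89PNG",
    ".gif": b"GIF8",
}

# Assumed sensitivity levels: a query is sent when score >= threshold.
SENSITIVITY_THRESHOLD = {"low": 3, "medium": 2, "high": 1}


def is_pe_image(data: bytes) -> bool:
    """True if data starts with a DOS 'MZ' stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def file_extension(name: str) -> str:
    """Lower-cased extension including the dot, or '' if there is none."""
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""


def suspicion_score(name: str, data: bytes) -> int:
    """Toy heuristic: content/extension mismatch raises the score."""
    score = 0
    ext = file_extension(name)
    if is_pe_image(data) and ext not in EXECUTABLE_EXTENSIONS:
        score += 2  # executable content hiding behind a non-executable name
    expected_magic = CONTAINER_MAGIC.get(ext)
    if expected_magic is not None and not data.startswith(expected_magic):
        score += 1  # extension claims a container format the bytes do not have
    return score


def should_query(name: str, data: bytes, sensitivity: str) -> bool:
    """Would a cloud (Artemis-style) lookup be sent at this sensitivity level?"""
    return suspicion_score(name, data) >= SENSITIVITY_THRESHOLD[sensitivity]


def build_minimal_pe_stub() -> bytes:
    """Constructed sample: 'MZ' header, e_lfanew = 0x40, 'PE\\0\\0' at 0x40, padding to 0x80."""
    header = bytearray(0x80)
    header[0:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)
    header[0x40:0x44] = b"PE\x00\x00"
    return bytes(header)


if __name__ == "__main__":
    pe = build_minimal_pe_stub()
    # The same bytes under the five names from the original post.
    for name in ("file.e", "file.D", "file.zip", "file.exe", "file.scr"):
        print(f"{name:10s} score={suspicion_score(name, pe)} "
              f"query@medium={should_query(name, pe, 'medium')}")
```

Under these assumptions the same bytes score 2 as file.e or file.D, 3 as file.zip, and 0 as file.exe or file.scr, so at medium sensitivity only the non-executable names trigger a query, which matches the behaviour the original poster observed. Lowering the sensitivity to "low" would silence file.e and file.D but still query file.zip, which is the kind of threshold effect the reply describes.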