Mal09
Level 12

Artemis - seems to have had false positives reduced

I'm well known here for being an Artemis detractor at times. Quite simply, I loved the technology and what it promised. In reality, I was very disappointed by the number of false positives I was experiencing when using it.

However, my recent perception is that the Artemis database has been cleansed of many of the bad signatures (especially the heuristic ones). Detection rates (of malware) seem to be the same, but the false positives seem to be missing.


Perhaps it's the concerted effort by McAfee to whitelist known good files, perhaps it's something else ... but I definitely notice it.

When I roll out 8.7i to Win 7, I will have it enabled (at low). I never had the confidence to roll it out to my 8.5i clients.

0 Kudos
7 Replies
vinoo
Level 13

Re: Artemis - seems to have had false positives reduced

Thanks for the feedback - a lot of hard work has gone in to make our whitelist coverage more comprehensive.

VSE 8.7 patch 2 onwards enables Artemis for On-Access at low by default. You'll have an option in the VSE UI to adjust this setting without having to edit the registry manually to enable the Artemis lookups.

You may want to check out GetSusp - a free utility from McAfee Labs to isolate malware that relies on Artemis technology (now rebranded to McAfee Global Threat Intelligence) to check if the files on your system are whitelisted or blacklisted in our backend. It's a report only tool - so no risk to your machines even if a file is falsely detected. Get it from here: https://community.mcafee.com/thread/27782

Regards,
Vinoo Thomas
Technical Product Manager, McAfee Labs

0 Kudos
SamSwift
Level 12

Re: Artemis - seems to have had false positives reduced

Hi Mal,

Thanks very much for the feedback!

Sam

Message was edited by: Samantha Price on 9/28/10 10:30:57 AM IST
0 Kudos
mendskyz
Level 7

Re: Artemis - seems to have had false positives reduced

I am new to this site so bear with me if this is an inappropriate place to be posting this. Ran a scan last night on my company computer in conjunction with a Malware Bytes scan. Malware Bytes didn't find anything but McAfee found the following:

9/27/2010 5:07:16 PM Scan Started On-Demand Scan
9/27/2010 5:10:06 PM Deleted  c:\Documents and Settings\All Users\Application Data\Microsoft\leeni4\leeni4un.dll Artemis!E10FE0AB75C2 (Virus)
9/27/2010 6:06:06 PM Delete failed (Clean failed) c:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP939\A0126867.dll Artemis!E10FE0AB75C2 (Virus)

Is this a virus or a false positive?

0 Kudos
vinoo
Level 13

Re: Artemis - seems to have had false positives reduced

The file is confirmed malware and can be deleted.

15 vendors detect it currently. See results below:
http://www.virustotal.com/file-scan/report.html?id=ee13195ebd9b86e52089c85f926a7b58a4d50b00c97515591...

Happy to help!

-Vinoo

0 Kudos
mendskyz
Level 7

Re: Artemis - seems to have had false positives reduced

So how would I go about deleting the file and why could McAfee not delete it? If you read the post you would see that the file is located in "c:\System Volume Information", which I cannot even navigate to.

Message was edited by: mendskyz on 9/28/10 7:09:16 AM CDT
0 Kudos
vinoo
Level 13

Re: Artemis - seems to have had false positives reduced

You would need to disable system restore. Follow the instructions given by the Microsoft KB article:

How antivirus software and System Restore work together
http://support.microsoft.com/kb/831829

0 Kudos
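An added example, not part of the original thread and not McAfee's own tooling: a short Python triage of the on-demand scan log posted earlier in the thread, separating detections removed from the live file system from copies left inside a System Restore store (`_restore{GUID}\RPnnn`), which is the case the KB article above addresses. The line layout is assumed from the three lines posted, and the function names are hypothetical.

```python
import re

# Log lines copied from the post earlier in this thread.
SAMPLE_LOG = r"""9/27/2010 5:07:16 PM Scan Started On-Demand Scan
9/27/2010 5:10:06 PM Deleted  c:\Documents and Settings\All Users\Application Data\Microsoft\leeni4\leeni4un.dll Artemis!E10FE0AB75C2 (Virus)
9/27/2010 6:06:06 PM Delete failed (Clean failed) c:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP939\A0126867.dll Artemis!E10FE0AB75C2 (Virus)
"""

# Assumed layout: timestamp, action, full path, detection name, (type).
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s+"
    r"(?P<action>.+?)\s+"
    r"(?P<path>[A-Za-z]:\\.+)\s+"
    r"(?P<name>\S+) \((?P<type>[^)]+)\)$"
)
# System Restore keeps snapshot copies under _restore{GUID}\RPnnn\.
RESTORE_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-F-]+\}\\RP\d+\\", re.I
)

def parse_detections(log_text):
    """Return one dict per detection line; non-detection lines are skipped."""
    out = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["failed"] = "failed" in d["action"].lower()
        d["in_restore_point"] = bool(RESTORE_RE.search(d["path"]))
        out.append(d)
    return out

def restore_point_leftovers(log_text):
    """Failed removals located inside a System Restore store."""
    return [d for d in parse_detections(log_text)
            if d["failed"] and d["in_restore_point"]]

def unresolved_live_files(log_text):
    """Failed removals outside restore points: these need separate follow-up."""
    return [d for d in parse_detections(log_text)
            if d["failed"] and not d["in_restore_point"]]

if __name__ == "__main__":
    for d in restore_point_leftovers(SAMPLE_LOG):
        print(f'{d["ts"]}  {d["name"]}  restore-point copy: {d["path"]}')
    print("live files still present:", len(unresolved_live_files(SAMPLE_LOG)))
```
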
mendskyz
Level 7

Re: Artemis - seems to have had false positives reduced

So I figured out how to navigate to the location where the file is detected but the file is not there.  I have show hidden and protected files turned on in the folder options but this particular DLL doesn't show up.

Disregard this post as I was looking at the old result screen that I had left up.

Message was edited by: mendskyz on 9/28/10 7:19:27 AM CDT
0 Kudos