Starting today we get false positives, where the filename is different on all PCs:
Number of Events: 1
First Event Time: 03/05/20 08:04:07 UTC
received utc: 03/05/20 08:04:15 UTC
Threat Type: Trojan
Threat Name: Artemis!504B514461FA
Event ID: 1428
Threat Handled: True
ThreatActionTaken: Delete pending
Event Description: Delete pending, a file still exists
Affected Objects: C:\Users\EllenM\AppData\Local\Temp\BIT902B.tmp
scanner: On-Access Scan
Dat version: 4001.0
Other filenames with the same detection:
Affected Objects: C:\Users\GabriellaD\AppData\Local\Temp\BIT4FFA.tmp
Affected Objects: C:\Users\FrankH3\AppData\Local\Temp\BIT4937.tmp
Affected Objects: C:\Users\RenateO\AppData\Local\Temp\BITBC7B.tmp
Affected Objects: C:\Users\BerendK\AppData\Local\Temp\BITBEAA.tmp
Is there a way to allow this file?
Thank you for reporting this issue.
The detection you have seen here is an "Artemis" or "GTI" detection. These detections generally do not depend on the DAT; they depend on the reputation of the file that we store in our cloud database.
Basically, the endpoint does a lookup of unknown files in our database over the internet and convicts the file based on the result of the lookup!
These files can actually be malicious and hence I would recommend having these files submitted as a sample via a Service Request.
Kindly follow the guidelines in the above KBA to create a support case and submit samples via the same.
Also, for the one detection name you have provided, I was able to get a general lookup in Virus Total as well whose results are shown here:
Few engines seem to have a detection for these files, and hence I would request you to help us with more information about the file (how it came onto your machine and whether it is a known file) so that we can investigate further into mitigating these detections!
Hi Adithyan T,
Thanks for your response. The problem is that by the time we see the message and connect to the PC, the file is already gone. (Event Description: Delete pending, a file still exists)
We don't know what is creating this file and where it comes from.
In the logs on the PC (McTray_pcnr.log, UpdaterUI_pcnr.log) there is no indication of any detection.
I just got another one, but this time the event description is different:
Event Description: File infected. Undetermined clean error, deleted successfully
Affected Objects: C:\Users\MalouR\AppData\Local\Temp\BIT4EBF.tmp
But every time the file is deleted before we can find it.
The deleted files can be viewed in the quarantine folder of McAfee Endpoint Security if the file was deleted by McAfee. However, as I see this is a temp file, the chances are high that the file was deleted by itself before our AV could quarantine it! The deletion activity may fail on our side owing to the browser process having an open file handle on it!
Thank you for your update. To answer this specific query, the log files with details of the files that are convicted during "On Access Scan" are stored inside "C:\ProgramData\McAfee\Endpoint Security\Logs".
Apologies for the delay in my response. The latest update is that this is a false positive detection that was widely reported by several users via Service Requests. Hence, these detections have been suppressed by McAfee and should no longer be seen by you! I sincerely hope it is no longer occurring for you as well!
The problem with 504B514461FA is solved, but now we get a lot of Artemis!50E6F8568313 detections.
2020-03-20 07:15:04.741Z|Activity|oasbl |mfetp | 4044| 5168|OAS |oasbl.cpp(2515) | NT AUTHORITY\SYSTEM ran C:\Windows\System32\svchost.exe, which attempted to access C:\Users\PeterV3\AppData\Local\Temp\BITF56F.tmp. The threat Trojan named Artemis!50E6F8568313 was detected but the file can't be deleted because it's locked. The file will be deleted when the file isn't locked. To identify the process locking the file, see KB85494.
I'm seeing the same issue with a different Artemis number on a user's system. Is this a false positive as well?
|NT AUTHORITY\SYSTEM ran C:\Windows\System32\svchost.exe, which tried to access C:\Users\<user>\AppData\Local\Temp\BIT3A01.tmp. The threat Trojan named Artemis!539199AE698D was detected but the file can't be deleted because it's locked. The file will be deleted when the file isn't locked. To identify the process locking the file, see KB85494.|
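Since the BIT*.tmp files are gone before anyone can examine them, the OnAccessScan activity log in the folder named above is the remaining evidence. The following is an added example (not McAfee's code or anything from this thread) that parses lines in the layout quoted in the posts above, groups hits by Artemis name, and lists names whose hits are all BITS transfer temp files (BITxxxx.tmp under a user's Temp folder) across several user profiles, which is the pattern this thread turned out to be a false positive; the log lines are constructed samples, and the "detected and deleted successfully" wording is an assumed variant.

```python
import re
from collections import defaultdict

# Constructed sample lines in the OnAccessScan activity log layout quoted in the
# thread (timestamp|level|component|process|pid|tid|module|source|message).
PREFIX = "|Activity|oasbl |mfetp | 4044| 5168|OAS |oasbl.cpp(2515) | "
SAMPLE_LOG = "\n".join([
    "2020-03-20 07:15:04.741Z" + PREFIX + "NT AUTHORITY\\SYSTEM ran C:\\Windows\\System32\\svchost.exe, which attempted to access "
    "C:\\Users\\PeterV3\\AppData\\Local\\Temp\\BITF56F.tmp. The threat Trojan named Artemis!50E6F8568313 was detected but the file can't be deleted because it's locked.",
    "2020-03-20 07:18:11.002Z" + PREFIX + "NT AUTHORITY\\SYSTEM ran C:\\Windows\\System32\\svchost.exe, which tried to access "
    "C:\\Users\\MalouR\\AppData\\Local\\Temp\\BIT4EBF.tmp. The threat Trojan named Artemis!50E6F8568313 was detected and deleted successfully.",
    "2020-03-20 07:20:45.310Z" + PREFIX + "CORP\\ellenm ran C:\\Tools\\tool.exe, which attempted to access "
    "C:\\Users\\EllenM\\Downloads\\invoice.exe. The threat Trojan named Artemis!539199AE698D was detected and deleted successfully.",
])

# Message field of a detection line; covers both wordings seen in the thread.
MSG_RE = re.compile(
    r"^(?P<user>.+?) ran (?P<process>.+?), which (?:attempted|tried) to access "
    r"(?P<path>.+?)\. The threat (?P<type>\S+) named (?P<name>\S+) was detected"
)
# BITS transfer temp file under a user's Temp folder; captures the profile name.
BITS_TMP_RE = re.compile(r"\\Users\\(?P<profile>[^\\]+)\\AppData\\Local\\Temp\\BIT[0-9A-F]{4}\.tmp$", re.I)

def parse_line(line):
    # One record per detection line; None for anything that is not a detection.
    fields = line.rstrip("\n").split("|", 8)
    m = MSG_RE.match(fields[8].strip()) if len(fields) == 9 else None
    if not m:
        return None
    rec = m.groupdict()
    rec["timestamp"] = fields[0].strip()
    bits = BITS_TMP_RE.search(rec["path"])
    rec["profile"] = bits.group("profile") if bits else None  # None: not a BITS temp file
    return rec

def summarize(log_text):
    # Per threat name: total hits, hits on BITS temp files, affected user profiles.
    summary = defaultdict(lambda: {"total": 0, "bits_temp": 0, "profiles": set()})
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        e = summary[rec["name"]]
        e["total"] += 1
        if rec["profile"]:
            e["bits_temp"] += 1
            e["profiles"].add(rec["profile"])
    return dict(summary)

def bits_only_names(summary, min_profiles=2):
    # Names whose hits are all BITS temp files on several profiles: worth a sample
    # submission or vendor check before anyone considers an exclusion.
    return sorted(n for n, e in summary.items()
                  if e["bits_temp"] == e["total"] and len(e["profiles"]) >= min_profiles)
```

Run `summarize()` over the real activity log text and `bits_only_names()` gives the Artemis names to cite in a Service Request, with the affected profiles and timestamps still available per record for correlation with the BITS job that wrote the file.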