Level 7
Message 1 of 13

False positive Artemis 504B514461FA

Hi,

Starting today we get false positives, where the filename is different on every PC:

EVENT DETAILS:

Number of Events: 1

First Event Time: 03/05/20 08:04:07 UTC

received utc:  03/05/20 08:04:15 UTC

Threat Type: Trojan

Threat Name: Artemis!504B514461FA

Event ID: 1428

Threat Handled: True

ThreatSeverity: Critical

ThreatActionTaken: Delete pending

 

Event Description: Delete pending, a file still exists

 

Affected Objects: C:\Users\EllenM\AppData\Local\Temp\BIT902B.tmp

 

scanner: On-Access Scan

 

Dat version: 4001.0

 

Other filenames with the same detection:

Affected Objects: C:\Users\GabriellaD\AppData\Local\Temp\BIT4FFA.tmp

Affected Objects: C:\Users\FrankH3\AppData\Local\Temp\BIT4937.tmp

Affected Objects: C:\Users\RenateO\AppData\Local\Temp\BITBC7B.tmp

Affected Objects: C:\Users\BerendK\AppData\Local\Temp\BITBEAA.tmp

Is there a way to allow this file?

12 Replies
McAfee Employee
Message 2 of 13

Re: False positive Artemis 504B514461FA

Hi @Auke,

Thank you for reporting this issue.

The detection you have seen here is an "Artemis" or "GTI" detection. These detections are not dependent on DAT in general and are dependent on the reputation of the file that we store in our cloud database.

Basically, the endpoint does a lookup of unknown files in our database over the internet and convicts the file based on the result of the lookup!

These files can actually be malicious and hence I would recommend having these files submitted as a sample via a Service Request.

https://kc.mcafee.com/corporate/index?page=content&id=KB68030

Please follow the guidelines in the above KBA to create a support case and submit samples via the same.

Also, for the one detection name you have provided, I was able to get a general lookup in VirusTotal as well, whose results are shown here:

https://www.virustotal.com/gui/file/8a47202ba79b19f3242198fad10ed6ac5c0ce2178d0f6062a1a47108431fa54e...

Few engines seem to have detection for these files and hence I would request you to help us with more information about the file (how it came into your machine and if it is a known file) so that we can investigate further into mitigating these detections!

Was my reply helpful?
If you find this post useful, Please give it a Kudos! Also, Please don't forget to select "Accept as a solution" if this reply resolves your query!

Thanks and regards,
Adithyan T
Level 7
Message 3 of 13

Re: False positive Artemis 504B514461FA

Hi Adithyan T,

 

Thanks for your response. The problem is that by the time we see the message and connect to the PC, the file is already gone. (Event Description: Delete pending, a file still exists)

We don't know what is creating this file and where it comes from.

In the logs on the PC (McTray_pcnr.log, UpdaterUI_pcnr.log) there is no indication of any detection.

Regards, Auke

Level 7
Message 4 of 13

Re: False positive Artemis 504B514461FA

I just got another one, but this time the event description is different:

Event Description: File infected.  Undetermined clean error, deleted successfully

Affected Objects: C:\Users\MalouR\AppData\Local\Temp\BIT4EBF.tmp

 

But every time the file is deleted before we can find it.

McAfee Employee
Message 5 of 13

Re: False positive Artemis 504B514461FA

Hi @Auke,

The deleted files can be viewed under the quarantine folder of McAfee Endpoint Security if the file was deleted by McAfee. However, as I see this is a temp file, the chances are high that the file got deleted by itself before our AV could quarantine it! The deletion activity may fail from our end owing to the browser process having an open file handle on them!


Thanks and regards,
Adithyan T
McAfee Employee
Message 6 of 13

Re: False positive Artemis 504B514461FA

Hi @Auke,

Thank you for your update. To answer this specific query, the log files to look into for details of the files that are convicted during "On Access Scan" are stored inside "C:\ProgramData\McAfee\Endpoint Security\Logs".


Thanks and regards,
Adithyan T
McAfee Employee
Message 7 of 13

Re: False positive Artemis 504B514461FA

Hi @Auke,

Apologies for the delay in my response. The latest update is that this is a false positive detection that was widely reported by several users via Service Requests. Hence these detections have been suppressed by McAfee and should no longer be seen for you! I sincerely hope it is no longer occurring for you as well!


Thanks and regards,
Adithyan T
Level 7
Message 8 of 13

Re: False positive Artemis 504B514461FA

The problem with the 504B514461FA is solved, but now we get a lot of Artemis!50E6F8568313:

 

2020-03-20 07:15:04.741Z|Activity|oasbl |mfetp | 4044| 5168|OAS |oasbl.cpp(2515) | NT AUTHORITY\SYSTEM ran C:\Windows\System32\svchost.exe, which attempted to access C:\Users\PeterV3\AppData\Local\Temp\BITF56F.tmp. The threat Trojan named Artemis!50E6F8568313 was detected but the file can't be deleted because it's locked. The file will be deleted when the file isn't locked. To identify the process locking the file, see KB85494.

 


Re: False positive Artemis 504B514461FA

Hello,

 

I'm seeing the same issue with a different Artemis number on a user's system. Is this a false positive as well?

NT AUTHORITY\SYSTEM ran C:\Windows\System32\svchost.exe, which tried to access C:\Users\<user>\AppData\Local\Temp\BIT3A01.tmp. The threat Trojan named Artemis!539199AE698D was detected but the file can't be deleted because it's locked. The file will be deleted when the file isn't locked. To identify the process locking the file, see KB85494.

 

 


Re: False positive Artemis 504B514461FA

Have you rebooted after detection? That might allow it to be deleted. Just a thought.
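Because the flagged temp file is gone before anyone can collect it, the On-Access Scan log lines quoted in this thread are the evidence that remains. The following is an added example, not part of any poster's reply and not McAfee tooling: it parses such lines and groups them by threat name so the affected files, accessing process and lock status can be attached to a Service Request. The message grammar is inferred only from the lines quoted above, and the `ExampleUser` line is constructed.

```python
import re
from collections import defaultdict

# Constructed sample: the two log messages quoted in this thread (trimmed after
# "locked.") plus one invented line for "ExampleUser" to show grouping.
SAMPLE_LOG = r"""
2020-03-20 07:15:04.741Z|Activity|oasbl |mfetp | 4044| 5168|OAS |oasbl.cpp(2515) | NT AUTHORITY\SYSTEM ran C:\Windows\System32\svchost.exe, which attempted to access C:\Users\PeterV3\AppData\Local\Temp\BITF56F.tmp. The threat Trojan named Artemis!50E6F8568313 was detected but the file can't be deleted because it's locked.
2020-03-20 07:16:10.102Z|Activity|oasbl |mfetp | 4044| 5168|OAS |oasbl.cpp(2515) | NT AUTHORITY\SYSTEM ran C:\Windows\System32\svchost.exe, which attempted to access C:\Users\ExampleUser\AppData\Local\Temp\BIT0A1B.tmp. The threat Trojan named Artemis!50E6F8568313 was detected but the file can't be deleted because it's locked.
NT AUTHORITY\SYSTEM ran C:\Windows\System32\svchost.exe, which tried to access C:\Users\<user>\AppData\Local\Temp\BIT3A01.tmp. The threat Trojan named Artemis!539199AE698D was detected but the file can't be deleted because it's locked.
"""

# Message grammar inferred from the quoted lines only (an assumption).
DETECTION = re.compile(
    r"(?P<account>[^|]+?) ran (?P<process>.+?), which (?:attempted|tried) to access "
    r"(?P<target>.+?)\. The threat (?P<type>\w+) named (?P<name>\S+) was detected"
)
# Naming pattern shared by every affected file reported in the thread.
TEMP_PATTERN = re.compile(r"\\AppData\\Local\\Temp\\BIT[0-9A-F]{4}\.tmp$", re.I)


def parse_line(line):
    """Return a dict describing one detection line, or None for other lines."""
    fields = line.split("|")
    message = fields[-1].strip()
    match = DETECTION.search(message)
    if not match:
        return None
    event = match.groupdict()
    # The timestamp is the first pipe-separated field when the prefix is present.
    event["time"] = fields[0].strip() if len(fields) > 1 else None
    event["locked"] = "can't be deleted because it's locked" in message
    return event


def summarize(text):
    """Group parsed detections by threat name."""
    by_threat = defaultdict(list)
    for line in text.splitlines():
        event = parse_line(line)
        if event:
            by_threat[event["name"]].append(event)
    return dict(by_threat)


def same_temp_pattern(events):
    """True when every target is a BITxxxx.tmp file under a user's Temp folder."""
    return all(TEMP_PATTERN.search(e["target"]) for e in events)


if __name__ == "__main__":
    for name, events in summarize(SAMPLE_LOG).items():
        print(name, len(events), sorted({e["process"] for e in events}), same_temp_pattern(events))
```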
