Former Member
Message 1 of 2

Detection Method - PUP

Just a quick question:

Is a Potentially Unwanted Program (PUP) detected based on signature / Artemis?

1 Reply
rmetzger
Reliable Contributor
Message 2 of 2

Re: Detection Method - PUP

Hi Shiv,

Shiv L wrote:

Is a Potentially Unwanted Program (PUP) detected based on signature / Artemis?

Signature? Yes.

Artemis? Possibly.

Artemis!, or more formally Global Threat Intelligence (GTI) File Reputation, detections are based on unknown 'threat behavior' whose characteristics are not yet well known. So no information is available yet.

GTI File Reputation Best Practices Guide for McAfee VirusScan® Enterprise Software wrote:

see https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/ 24000/PD24043/en_US...

With traditional protection, malware is discovered, verified by a security vendor, made available and ultimately deployed. This process can take place over several hours (or even longer), creating a protection gap.

...

Rather than rely solely on signature-based detection of malware where the time from discovery to protection could be hours or even longer, McAfee GTI File Reputation service provides near real-time protection by providing reputation scores for files as they are accessed or when a system is scanned, compressing the protection gap.

The GTI detections are done in the cloud by McAfee. When enough info is available, a real threat is then given a formal name, added to the signature databases, and removed from GTI detections as the signature databases are distributed to end-nodes. (Detections determined to be 'Non-threats' are simply removed from Artemis!)

Until a threat has been analyzed and given a name, its only characteristic is an Artemis!1234567890AB (12-digit hex number) based on heuristic behaviors.

PUPs are known applications. Detection by GTI is based on behavior only, not yet as a known PUP. Under default conditions, the detection of a 'future' PUP would require a behavior that is egregious enough to be considered more than just a PUP. If GTI detection levels are set higher than normal, behaviors similar to those of other known PUPs may be detected, but expect false positives in the process.

Not sure this is your intent, but if I can anticipate your next question: How to exclude PUPs? PUPs are excluded by PUP name. Once the program is scanned, found in the signature set, and identified, the PUP name is compared to the list of excluded PUP names. GTI-based detections only occur when the file is not found in the signature set.

This also means that GTI detections cannot be excluded, since they are yet to be classified and yet to be included in a signature set.

Hope that helps.

Ron Metzger
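To make the precedence described in the reply above concrete (signature set consulted first, PUP-name exclusions applied only to signature hits, GTI consulted only for files absent from the signature set, GTI hits named Artemis!<12 hex digits> and therefore not excludable by PUP name), here is an added Python model. It is not McAfee's code and not part of the original thread. The signature set, the PUP names, the GTI reputation scores and the sensitivity thresholds are all constructed for the example; in particular, deriving the 12 hex digits from the file's MD5 is an assumption made here (the post only says the name carries a 12-digit hex number), and numeric reputation scores stand in for whatever GTI actually returns.

```python
"""
Added example: a toy model of signature-vs-GTI (Artemis!) detection precedence.
Everything below is constructed for illustration; it is NOT McAfee code, and the
hashes, names, scores and thresholds are hypothetical.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional, Set


def md5_hex(data: bytes) -> str:
    """Content hash used as the lookup key (assumption: MD5, as in this example)."""
    return hashlib.md5(data).hexdigest()


# Constructed sample "files" (plain bytes, not real malware or PUP samples).
SAMPLE_PUP = b"constructed sample: bundled browser toolbar installer"
SAMPLE_MALWARE = b"constructed sample: known trojan dropper"
SAMPLE_UNKNOWN = b"constructed sample: never-before-seen packed binary"
SAMPLE_CLEAN = b"constructed sample: benign utility"

# Constructed signature set: hash -> detection name (hypothetical names).
SIGNATURE_SET: Dict[str, str] = {
    md5_hex(SAMPLE_PUP): "Adware-Example",
    md5_hex(SAMPLE_MALWARE): "Trojan-Example",
}
# Which signature names are classified as PUPs rather than malware (hypothetical).
PUP_NAMES: Set[str] = {"Adware-Example"}

# Constructed GTI reputation scores: 0..100, higher means more suspicious.
# Real GTI returns its own reputation categories; numbers are a stand-in.
GTI_REPUTATION: Dict[str, int] = {
    md5_hex(SAMPLE_UNKNOWN): 70,
    md5_hex(SAMPLE_CLEAN): 10,
}

# Hypothetical sensitivity thresholds: a "higher" setting convicts at a lower
# score, which is exactly where the false positives come from.
SENSITIVITY: Dict[str, int] = {"low": 90, "medium": 75, "high": 60, "very_high": 40}


@dataclass
class Verdict:
    detection: Optional[str]  # detection name, or None when nothing fired
    source: str               # "signature", "gti" or "none"
    action: str               # "block", "excluded" or "allow"


def artemis_name(content_hash: str) -> str:
    """Artemis!<12 hex digits>. Assumption for this example: first 12 of the MD5."""
    return "Artemis!" + content_hash[:12].upper()


def scan(data: bytes, excluded_pups: Set[str], sensitivity: str = "medium") -> Verdict:
    """Apply the precedence described in the post: signatures first, then GTI."""
    content_hash = md5_hex(data)

    # 1. Signature set first. Only a signature hit carries a PUP name, so the
    #    PUP-name exclusion list is only ever compared against signature hits.
    name = SIGNATURE_SET.get(content_hash)
    if name is not None:
        if name in PUP_NAMES and name in excluded_pups:
            return Verdict(name, "signature", "excluded")
        return Verdict(name, "signature", "block")

    # 2. GTI is consulted only when the file is NOT in the signature set.
    #    A GTI hit has no PUP name, just Artemis!<hex>, so the exclusion list
    #    is never consulted here: GTI detections cannot be excluded by name.
    score = GTI_REPUTATION.get(content_hash)
    if score is not None and score >= SENSITIVITY[sensitivity]:
        return Verdict(artemis_name(content_hash), "gti", "block")

    return Verdict(None, "none", "allow")


if __name__ == "__main__":
    for label, sample in [("pup", SAMPLE_PUP), ("malware", SAMPLE_MALWARE),
                          ("unknown", SAMPLE_UNKNOWN), ("clean", SAMPLE_CLEAN)]:
        for level in ("medium", "high"):
            print(label, level, scan(sample, {"Adware-Example"}, level))
```

Running the block shows the two points a practitioner trips over: the constructed unknown file is allowed at the default threshold but becomes an Artemis! detection once sensitivity is raised, and adding that Artemis! name to the exclusion list changes nothing, because the exclusion list is only consulted on the signature path.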
