Level 7

Detection Method - PUP

Just a quick question:

Is a Potentially Unwanted Program (PUP) detected based on signature / Artemis?

Level 14

Re: Detection Method - PUP

Hi Shiv,

Shiv L wrote:

Is a Potentially Unwanted Program (PUP) detected based on signature / Artemis?

Signature? Yes.

Artemis? Possibly.

Artemis!, or more formally Global Threat Intelligence (GTI) File Reputation, detections are based on unknown 'threat behavior' where characteristics are not yet well known. So no information is available yet.

GTI File Reputation Best Practices Guide for McAfee VirusScan® Enterprise Software wrote:

see 24000/PD24043/en_US...

With traditional protection, malware is discovered, verified by a security vendor, made available and ultimately deployed. This process can take place over several hours (or even longer), creating a protection gap.

Rather than rely solely on signature-based detection of malware where the time from discovery to protection could be hours or even longer, McAfee GTI File Reputation service provides near real-time protection by providing reputation scores for files as they are accessed or when a system is scanned, compressing the protection gap.

The GTI detections are done in the cloud by McAfee. When enough info is available, a real threat is then given a formal name, added to the signature databases, and removed from GTI detections as the signature databases are distributed to end-nodes. (Detections determined to be 'Non-threats' are simply removed from Artemis!)

Until a threat has been analyzed and given a name, its only characteristic is an Artemis!1234567890AB (12-digit hex number) based on heuristic behaviors.

PUPs are Known applications. Detection by GTI is based on behavior only, not yet as a known PUP. Under default conditions, the detection of a 'future' PUP would require a behavior that is egregious enough to be considered more than just a PUP. If GTI detection levels are set higher than normal, behaviors to other known PUPs may be detected, but expect false positives in the process.

Not sure this is your intent, but if I can anticipate your next question: How to exclude PUPs? PUPs are excluded by PUP Name. Once the program is scanned, found in the Signature set, and identified, the PUP Name is compared to the list of excluded PUP Names. GTI-based detections only occur when Not found in the Signature set.

This also means that GTI detections cannot be excluded, since they are yet to be classified, yet to be included in a Signature set.

Hope that helps.

Ron Metzger
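The naming and exclusion behaviour described in the reply above, as an added triage sketch for a batch of detection names (example code added here, not from the thread or from McAfee). The category labels, the case-insensitive name comparison, the function names and all sample names are assumptions made for illustration.

```python
import re
from collections import Counter

# Name format as described in the reply: "Artemis!" + 12 hex digits.
ARTEMIS_RE = re.compile(r"Artemis!([0-9A-Fa-f]{12})")


def triage(detection_name, excluded_pup_names):
    """Return (category, key) for one detection name.

    Categories (labels are this example's own, not product terms):
      gti-unclassified  - Artemis! name; no PUP name exists to exclude by
      malformed-artemis - starts with "Artemis!" but is not 12 hex digits
      excluded-pup      - named detection on the PUP-name exclusion list
      named-detection   - named detection that is not excluded
    """
    name = detection_name.strip()
    m = ARTEMIS_RE.fullmatch(name)
    if m:
        return ("gti-unclassified", m.group(1).upper())
    if name.lower().startswith("artemis!"):
        return ("malformed-artemis", name)
    # Assumption: exclusion names are compared case-insensitively.
    excluded = {n.strip().lower() for n in excluded_pup_names}
    if name.lower() in excluded:
        return ("excluded-pup", name)
    return ("named-detection", name)


def summarize(detection_names, excluded_pup_names):
    """Count detections per category across a batch of names."""
    return Counter(triage(n, excluded_pup_names)[0] for n in detection_names)


# Constructed sample data; none of these names come from a real product log.
SAMPLE_EXCLUSIONS = ["ExamplePUP-Toolbar"]
SAMPLE_DETECTIONS = [
    "Artemis!1234567890AB",  # the format shown in the post
    "Artemis!abcdef012345",  # lower-case hex, normalised to upper case
    "artemis!00ff",          # truncated id, flagged for manual review
    "ExamplePUP-Toolbar",    # named and on the exclusion list
    "ExamplePUP-Updater",    # named, not excluded
]

if __name__ == "__main__":
    counts = summarize(SAMPLE_DETECTIONS, SAMPLE_EXCLUSIONS)
    for category, count in sorted(counts.items()):
        print(f"{category}: {count}")
```

A rising `gti-unclassified` count after raising the GTI sensitivity level is the place to look for the false positives the reply warns about, since those entries cannot be handled through the PUP-name exclusion list.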