McDuff
Message 1 of 2

How do Endpoints Access Artemis?

Hello,

I'm confused about how endpoints connect to the Artemis server, if they are connected to a network that is shielded from the internet by a firewall and proxy server.

McAfee knowledgebase https://kc.mcafee.com/corporate/index?page=content&id=KB53782 states:

Why use DNS?
DNS provides a quick and efficient mechanism to query small amounts of data. For more information on this process, see
KB53735 - How much will McAfee Artemis Technology improve malware detection
Testing connectivity
Perform a manual lookup using nslookup to verify that your computer can see the McAfee Artemis Technology server.
  1. Click Start, Run, type cmd and press ENTER.
  2. Type nslookup 4z9p5tjmcbnblehp4557z1d136.avqs.mcafee.com and press ENTER.

    You see a response similar to the following:

    Server: <mylocaldnsserver.org>
    Address: 10.10.135.201
    Name: 4z9p5tjmcbnblehp4557z1d136.avqs.mblmcafee.com
    Address: 127.0.4.8

Our nslookup test was successful.  However, does that necessarily mean that our endpoints will be able to query Artemis?  I would think that just because endpoints are able to resolve a DNS address, that doesn't necessarily mean that they will be able to send or receive data.  If a company's network is separated by a firewall, wouldn't firewall rules need to be created for the Artemis servers?  Or, if the endpoints make HTTP connections to the Artemis, wouldn't proxy settings need to be considered?

Please advise,

Thanks,

Message was edited by: McDuff on 6/15/10 12:15:06 PM CDT
1 Reply
Reliable Contributor rmetzger
Message 2 of 2

Re: How do Endpoints Access Artemis?

Hi McDuff,

Artemis is using the existing rules already in place for DNS. Since DNS (53/tcp and 53/udp) exists in any TCP/IP network, the services needed to communicate with the Artemis server are already in place. (How that happens was displayed when you did the NsLookup command.)

If the endpoint device does not have access to the Internet, it still must have access to a DNS server or service in order to operate within your local network. So, VirusScan uses this.

VirusScan sends out the signature info within a DNS packet (port 53), which is picked up by whatever DNS server or service is available. If this is a local server running in your network, likely it has access to the Internet. Regardless of where the DNS server is located, it does not have a resolution to the DNS 'query' and passes the query along to its upstream DNS server, recursively, until the Artemis server is found. The Artemis server responds back and this is likely passed on to the local endpoint device, which has been waiting for the reply.

This is Not exactly how DNS was intended to be used, but it works. Interesting 'Security Issue' in my humble opinion.

If extreme security issues are paramount, I would suggest turning Off Artemis (not 'low' or 'very low,' OFF). This way security auditors will show no outbound communications which cannot be 'accounted.'

Hope this helps.

Ron Metzger

Message was edited by: rmetzger (grammar) on 6/15/10 5:19:35 PM GMT-05:00
Thanks,
Ron Metzger
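
An added example, not part of either post or of McAfee's documentation: since the lookup described above travels as an ordinary DNS query for a name under avqs.mcafee.com, the resolver's query log is where that traffic can be accounted for per endpoint, and where unanswered lookups show that forwarding is blocked upstream. The log layout and sample lines are constructed for illustration; only the zone, the test name and the 127.0.4.8 answer come from the KB excerpt quoted in the thread.

```python
import re
from collections import defaultdict

# Zone taken from the KB test name quoted in the thread.
ARTEMIS_ZONE = "avqs.mcafee.com"

# Assumed log layout (constructed for this example, not a real resolver's format):
#   <timestamp> <client-ip> <qtype> <qname> <answer, or "-" if none came back>
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

# Constructed sample log lines.
SAMPLE_LOG = """\
2010-06-15T12:01:07 10.10.20.14 A 4z9p5tjmcbnblehp4557z1d136.avqs.mcafee.com 127.0.4.8
2010-06-15T12:01:09 10.10.20.14 A www.example.org 192.0.2.10
2010-06-15T12:02:31 10.10.20.77 A 4z9p5tjmcbnblehp4557z1d136.AVQS.McAfee.com. 127.0.4.8
2010-06-15T12:03:02 10.10.20.77 A avqs.mcafee.com.example.net -
malformed line
2010-06-15T12:04:45 10.10.20.14 A 4z9p5tjmcbnblehp4557z1d136.avqs.mcafee.com -
"""


def in_zone(qname, zone=ARTEMIS_ZONE):
    """True if qname is the zone itself or a name under it (case-insensitive)."""
    name = qname.rstrip(".").lower()
    # Suffix match on a label boundary, so "avqs.mcafee.com.example.net" is excluded.
    return name == zone or name.endswith("." + zone)


def audit(log_text):
    """Return {client_ip: {"queries": n, "answered": n, "unanswered": n}}."""
    report = defaultdict(lambda: {"queries": 0, "answered": 0, "unanswered": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed layout
        _ts, client, _qtype, qname, answer = m.groups()
        if not in_zone(qname):
            continue
        entry = report[client]
        entry["queries"] += 1
        # "-" means the resolver got no answer, e.g. forwarding is blocked upstream.
        entry["answered" if answer != "-" else "unanswered"] += 1
    return dict(report)


if __name__ == "__main__":
    for client, counts in sorted(audit(SAMPLE_LOG).items()):
        print(client, counts)
```
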
