1 Reply Latest reply on May 30, 2017 6:26 PM by rmetzger

    Detection Method - PUP

    smacklay

      Just a quick question:

      Is potentially Unwanted Program (PUP) detected based on signature / Artemis?

        • 1. Re: Detection Method - PUP
          rmetzger

          Hi Shiv,

          Shiv L wrote:

          Is potentially Unwanted Program (PUP) detected based on signature / Artemis?

          Signature? Yes.

          Artemis? Possibly.

          Artemis!, or more formally Global Threat Intelligence (GTI) File Reputation, detections are based on unknown 'threat behavior' where characteristics are not yet well known. So no information is available yet.

          GTI File Reputation Best Practices Guide for McAfee VirusScan® Enterprise Software wrote:

          see https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/24000/PD24043/en_US/48302wp_gti-best-practices_0812_fnl.pdf

          With traditional protection, malware is discovered, verified by a security vendor, made available and ultimately deployed. This process can take place over several hours (or even longer), creating a protection gap.

          ...

          Rather than rely solely on signature-based detection of malware where the time from discovery to protection could be hours or even longer, McAfee GTI File Reputation service provides near real-time protection by providing reputation scores for files as they are accessed or when a system is scanned, compressing the protection gap.

          The GTI detections are done in the cloud by McAfee. When enough info is available, a real threat is then given a formal name, added to the signature databases, and removed from GTI detections as the signature databases are distributed to end-nodes. (Detections determined to be 'Non-threats' are simply removed from Artemis!)

          Until a threat has been analyzed and given a name, its only characteristic is an Artemis!1234567890AB (12-digit hex number) based on heuristic behaviors.

          PUPs are Known applications. Detection by GTI is based on behavior only, not yet as a known PUP. Under default conditions, the detection of a 'future' PUP would require a behavior that is egregious enough to be considered more than just a PUP. If GTI detection levels are set higher than normal, behaviors to other known PUPs may be detected, but expect false positives in the process.

          Not sure this is your intent, but if I can anticipate your next question: How to exclude PUPs? PUPs are excluded by PUP Name. Once the program is scanned, found in the Signature set, and identified, the PUP Name is compared to the list of excluded PUP Names. GTI based detections only occur when Not found in the Signature set.

          This also means that GTI detections cannot be excluded, since they are yet to be classified, yet to be included in a Signature set.

          Hope that helps.

          Ron Metzger

          4 of 4 people found this helpful
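The decision order Ron describes (signature set first, PUP Name exclusions applied only to signature hits, GTI consulted only for files absent from the signature set, and GTI hits not excludable because they carry no formal name yet) can be modelled in a few lines. The following is an added example written for this thread, not McAfee code: the sample files, signature entries, reputation scores, sensitivity thresholds and the way the Artemis!-style ID is derived from the hash are all constructed assumptions, chosen only to show how the two detection paths interact.

```python
"""Toy model of the detection flow from the thread (added example, not McAfee code).

Order of evaluation:
  1. local signature set -> formal name; PUP Name exclusions apply here only
  2. if not in the signature set -> GTI reputation score vs sensitivity level
     -> Artemis!<12 hex> label, which cannot be excluded by PUP Name
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, Set, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample "files" standing in for scanned binaries.
KNOWN_PUP = b"constructed sample: known adware toolbar installer"
KNOWN_MALWARE = b"constructed sample: known trojan dropper"
UNKNOWN_BAD = b"constructed sample: unseen file with poor reputation"
UNKNOWN_PUPLIKE = b"constructed sample: unseen file with middling reputation"
CLEAN = b"constructed sample: clean file nobody has opinions about"

# Local signature set: hash -> (formal name, category). Constructed entries.
SIGNATURE_SET: Dict[str, Tuple[str, str]] = {
    sha256_hex(KNOWN_PUP): ("PUP-Toolbar-Sample", "pup"),
    sha256_hex(KNOWN_MALWARE): ("Trojan-Sample", "malware"),
}

# Stand-in for the cloud reputation service: hash -> risk score 0..100.
# Files already in the signature set are deliberately absent, mirroring the
# point that named threats drop out of GTI once signatures are distributed.
GTI_REPUTATION: Dict[str, int] = {
    sha256_hex(UNKNOWN_BAD): 95,
    sha256_hex(UNKNOWN_PUPLIKE): 45,
}

# Assumed sensitivity thresholds (score at or above which GTI flags a file).
# The real product's level names and cut-offs differ; these are illustrative.
GTI_SENSITIVITY: Dict[str, int] = {"low": 90, "medium": 70, "high": 30}


@dataclass
class Detection:
    method: str  # "signature", "gti", "excluded" or "none"
    name: str    # formal name, Artemis!<12 hex digits>, or ""


def classify(data: bytes, excluded_pups: Set[str], sensitivity: str = "medium") -> Detection:
    """Return how (and whether) the sample would be detected."""
    h = sha256_hex(data)

    # Step 1: the signature set is always consulted first.
    if h in SIGNATURE_SET:
        name, category = SIGNATURE_SET[h]
        # PUP Name exclusions only make sense here, where a name exists.
        if category == "pup" and name in excluded_pups:
            return Detection("excluded", name)
        return Detection("signature", name)

    # Step 2: only files NOT in the signature set reach GTI at all.
    score = GTI_REPUTATION.get(h)
    if score is not None and score >= GTI_SENSITIVITY[sensitivity]:
        # No formal name yet, so the only label is an Artemis!-style ID.
        # Assumption for the toy: first 12 hex digits of the hash, upper-cased.
        return Detection("gti", "Artemis!" + h[:12].upper())

    return Detection("none", "")


if __name__ == "__main__":
    excluded = {"PUP-Toolbar-Sample"}
    samples = {
        "known PUP": KNOWN_PUP,
        "known malware": KNOWN_MALWARE,
        "unknown, bad reputation": UNKNOWN_BAD,
        "unknown, PUP-like reputation": UNKNOWN_PUPLIKE,
        "clean": CLEAN,
    }
    for level in ("low", "medium", "high"):
        print(f"--- GTI sensitivity: {level} (PUP exclusions: {sorted(excluded)})")
        for label, data in samples.items():
            d = classify(data, excluded, level)
            print(f"{label:32} {d.method:10} {d.name}")
```

Running it shows the two consequences from the answer: the excluded PUP is silenced at every sensitivity level because it is matched by name in the signature set, while the "PUP-like" unknown file is never excludable and only appears once the GTI level is raised to "high", which is exactly where the false-positive trade-off Ron mentions comes in.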