5 Replies Latest reply on Sep 8, 2009 5:48 AM by Peter M

    Do I get the analysis report for quarantined file(s)?

      Thank you for checking.

      During the last full system scan, I got the Artemis alert on the following 3 files:
      Artemis!AA4A6B56CF78(Trojan), Artemis!AA4A6B56CF78(Trojan)
      C:\Tools\GIMP\GIMP-GAP_2.4\GIMP-GAP-2.4.0-SETUP.EXE
      Artemis!AA4A6B56CF78(Trojan), Artemis!AA4A6B56CF78(Trojan)
      C:\Program Files\GIMP-2.0\LIB\GIMP\2.0\Plug-ins\GAP_PLUGINS.EXE
      Artemis!AA4A6B56CF78(Trojan), Artemis!AA4A6B56CF78(Trojan)
      C:\Tools\GIMP\GAP2_4_FOR_GIMP2_4_WINDOWS_BY_PHOTOCOMIX_RESOURCES.ZIMP

      Those files have been on the system for about a year, and until now the monthly full system scans did not detect them. So, I'm wondering whether these are false alerts from the new Artemis feature.

      Via the Security Center UI, I sent GAP_PLUGINS.EXE and GIMP-GAP-2.4.0-SETUP.EXE to Avert Labs (the Security Center UI could not send the GAP2_4_FOR_GIMP2_4_WINDOWS_BY_PHOTOCOMIX_RESOURCES.ZIMP file since it was too big).
      When I sent those files via the Security Center UI, I expected to get the analysis report later, so that I would be able to tell from the report whether those were false alerts.
      However, the Security Center informed me only about the successful submissions and nothing about whether I would get the analysis report on those files later.
      Now, I'm wondering if I will get the report or not, and if so, how I get it.

      Regards
        • 1. RE: Do I get the analysis report for quarantined file(s)?
          BalaSGS
          Hi

          You should get an email notification from the AVERT team regarding the analysis report. If you haven't, you can also submit the file by email.
          Document ID: TS100095
          Email: All files submitted via email must be packaged in a .ZIP archive. The archive must be less than 3 megabytes in size and can contain no more than 30 files. Additionally, you must password-protect the archive with the password infected. Failure to follow these guidelines will cause your submission to be rejected.

          NOTE: If you are submitting a Spyware sample, the subject of the email must be MAS Content.

          Email submissions should be sent to virus_research@avertlabs.com. If you submit a sample via email, include the additional information below to help speed the sample review process:
          o A list of all files contained in the sample submission, including a brief description of where or how the files were found.
          o What symptoms cause you to suspect that your computer is infected.
          o Whether any products detected a virus or spyware (version number, company, virus/spyware name given).
          o Your McAfee Product information (Product, Engine and DAT versions).
          o System details that may be relevant (Operating System, Service Packs).
          o Your name, company name, phone number and email address if possible.
          You can send the sample to the global address at virus_research@avertlabs.com, or you can send the sample to one of the regional addresses below:

          UK: vsample@avertlabs.com
          Germany: virus_research_de@avertlabs.com
          Japan: virus_research_japan@mcafee.com
          Australia: virus_research_apac@avertlabs.com
          Netherlands: virus_research_europe@avertlabs.com
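
A pre-submission check for the email rules quoted in the reply above (a .ZIP archive, under 3 megabytes, at most 30 files, password-protected). This is an added example, not code from McAfee or from any poster in this thread. It assumes a megabyte means 1024 × 1024 bytes, and it inspects only each entry's ZIP encryption flag, so it does not confirm that the password used is `infected`.

```python
import io
import sys
import zipfile

MAX_BYTES = 3 * 1024 * 1024  # "less than 3 megabytes" (assumed binary megabytes)
MAX_FILES = 30               # "no more than 30 files"
ENCRYPTED_FLAG = 0x1         # ZIP general-purpose bit 0: entry is encrypted


def check_submission(raw: bytes) -> list:
    """Return rule violations for an archive; an empty list means it passes."""
    problems = []
    if len(raw) >= MAX_BYTES:
        problems.append(f"archive is {len(raw)} bytes; must be under {MAX_BYTES}")
    try:
        zf = zipfile.ZipFile(io.BytesIO(raw))
    except zipfile.BadZipFile:
        return problems + ["not a readable .ZIP archive"]
    with zf:
        # Directory entries are not samples, so they do not count as files.
        files = [info for info in zf.infolist() if not info.is_dir()]
    if not files:
        problems.append("archive contains no files")
    if len(files) > MAX_FILES:
        problems.append(f"archive holds {len(files)} files; limit is {MAX_FILES}")
    # An entry stored in the clear means the archive was not password-protected.
    clear = [info.filename for info in files
             if not info.flag_bits & ENCRYPTED_FLAG]
    if clear:
        problems.append("entries without password protection: " + ", ".join(clear))
    return problems


if __name__ == "__main__":
    # Usage: python check_submission.py samples.zip
    with open(sys.argv[1], "rb") as fh:
        issues = check_submission(fh.read())
    for issue in issues:
        print("REJECT:", issue)
    sys.exit(1 if issues else 0)
```

The check reads only the archive's central directory and never extracts or decrypts an entry.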
          • 2. RE: Do I get the analysis report for quarantined file(s)?
            Thank you for your reply, Bala.

            It's good to know that I will get the analysis report from the Avert team for the quarantined files submitted to the Avert lab via the Security Center GUI.
            I will wait a few days for the email notification from the AVERT team. And if I do not get the notification e-mail after a few days, then I will send the files a different way, as you instructed (although I feel reluctant to restore the quarantined files in order to submit them to the Avert lab, since those were flagged as Trojans).

            Thank you and regards
            • 3. RE: Do I get the analysis report for quarantined file(s)?
              Peter M
              If they were only just identified as trojans after being installed for some time then the chances are it's a false positive. "Artemis" in the detection tells you that it's only a possible infection, basically unknown at this point.

              There's a sticky on dealing with Artemis detections here: http://community.mcafee.com/showthread.php?t=228162
              • 4. RE: Do I get the analysis report for quarantined file(s)?
                Thank you, Peter.

                It's good to hear the positive professional words.
                I surely hope that it will be a false positive.
                And thank you for the link of the generic Artemis.

                Regards