9 Replies Latest reply on Jul 17, 2009 6:07 PM by exbrit

    Artemis virus



      I recently had two files in my HP Games Folder flagged with an Artemis Virus. I am pretty sure that these are false positives as they were not flagged until just recently and they have been on the system since I purchased it.


      The two files however are 85 megs and 45 megs in size. I can't submit them via email or webimmune.


      How can I get word to them to see if this is a false positive?





      Thread locked because of spammers - Mod



      Message was edited by: Ex_Brit on 21/03/10 7:31:39 EDT AM
        • 1. RE: Artemis virus
          In the sticky about Artemis and other possibly false findings here: http://community.mcafee.com/showthread.php?t=231173 there's a link about halfway down about an unofficial increase in submission sizes. However, most ISPs impose a size limit on email transmissions.

          Or you could try submitting directly from the Security Center Quarantine section.

          Or, approach the game manufacturer to have them contact McAfee on a corporate level.

          Check any games forums regarding others in the same boat.
          • 2. RE: Artemis virus
            Thanks Ex_Brit,

            I also tested and shutting off the "active" protection also doesn't flag it. If you keep up to date on .dat files shouldn't that be enough? I guess that every once in a while you might get burned on a virus if it was newly introduced but I'm finding that "false positives" are becoming more and more common and they aren't flagged when you don't "phone home". How does the average person know when a flagged file is in fact not a virus? They rely on these programs to really know what they are doing. They find out the hard way when a program they have been running all of a sudden stops with error messages because a .dll or other file gets quarantined when it really shouldn't.

            I really wish they would bring back "exclusions" so you can stop it from doing this. But it seems to be falling on deaf ears. You either have to disable features of the program you've paid good money for or keep restoring files every time the system runs a scan.

            • 3. RE: Artemis virus
              Well, one way is to turn off Active Protection. That just means that VirusScan no longer looks for some unknowns. It's a matter of priorities I guess as that feature is relatively new, if one turns it off then it's like it was a few months ago before the change & VirusScan will rely on its normal heuristic detection engine. Artemis takes this a step further by calling into a database to check on a new detection before labelling it.

              The trouble is, as you said, you don't know if there is an infection actually present.

              You could try submitting the file to VirusTotal - linked in my signature, where it then gets scanned by pretty well all the main anti-virus vendors. (20mb max size).

              Or you can try an online scan here: http://www.eset.com/onlinescan/

              Yes, I wish we could exclude files and folders. We used to be able to do so several years ago and the Corporate (Enterprise) products still have that facility. We've asked for it until we are blue in the face, no dice thus far. However, the 2010 products are about to go into public beta testing, so who knows?
              • 4. RE: Artemis virus

                My comment on whether there is a virus or not was not so much for an actual virus...my comment was more toward there being an overabundance of false positives...how does the average person know that. I know that these two files (which are installation files that have never been run) have been scanned a few times and were clean now all of a sudden show as artemis trojans. A novice computer user would just accept that McAfee caught a virus when in fact it didn't. Then when programs start crashing they have no idea why.

                I did as you suggested and ran them through Virus Vendor. Only one (Panda) marked the files as "suspicious". The real questionable thing is: Why did McAfee and McAfee+Artemis (5678) not flag the file? My McAfee installed programs did?? Are they not the same Artemis??

                I'm finding more and more people who seem to feel that we have Virus catching machines that we sometimes run programs on. Security software seems to take over most of a computer's resources and then work so mysteriously that an average computer user has no idea what they are doing.

                My other question for you was why run the "active protection"....if there is a virus shouldn't a subsequent .dat file correct it too?

                thanks again

                • 5. RE: Artemis virus
                  I can't even begin to explain why an online scan would be different from the built-in scan, although it is possible that they are using different DATs or even different engines which would explain the difference in behaviour.

                  My DAT 5679 of today's date suddenly discovered that a perfectly safe application I have had for 3 years is now a trojan....of course it isn't. I personally would rather have an over-cautious scanner than one that ignores things, but it is a nuisance I will agree.

                  Active protection is like a preemptive strike. It's optional whether or not you run it and I believe anything it sends back to the database is subsequently included in a DAT.
                  • 6. RE: Artemis virus

                    Ok, I just did the second file through Virus Total. It now has McAfee and McAfee+Artemis listed as 5679 with today's date.

                    My McAfee installed product shows Virus Scan 13.3 build 13.3.127 DAT version 5679.0000 engine version 5301.4018

                    Virus Total shows no virus...my installed programs quarantine that file.

                    Who can I report this to?


                    • 7. RE: Artemis virus
                      Try the email submission method to the Threat Center but one file at a time and zipped etc. as per the usual instructions.

                      Other than that we have no other means of contacting them. I could flag this but it's Friday night and no one will be around until Monday.
                      • 8. RE: Artemis virus
                        Thanks again,

                        I did a chat session and they were stumped too. They requested that I just send an e-mail to avert without the attachments. Most e-mail providers only allow 10mb attachments and both the .exe files being quarantined are over 49MB.

                        The problem has to be with their active protection. Is this just something as a stopgap? I.e. the active protection catches things not in the dat file? So basically as soon as a .dat file is updated the active protection is not needed except for other new viruses?

                        It seems strange that a new .dat file was issued between 7/16 and 7/17 and neither .dat file flags my files...but turning on active protection does.

                        I don't pretend to understand their logic but I sure wish you had the ability to 'exclude' them as restoring them every time a scan is run is a pain.

                        Thanks again for your help

                        • 9. RE: Artemis virus
                          I would say that "the active protection catches things not yet in the dat file" but in some cases even that seems not always to be true.

                          I suppose an email to them asking what options they can offer to you wouldn't go amiss. It never occurred to me that they might just answer an ordinary email....sorry my brain must be shutting down!