1 Reply Latest reply on May 19, 2010 2:11 PM by showvik

    Possible False Positive - Artemis!BF1B4CD0DFFB

      The file below has been a problem for us. We are running the version of their software that comes from a thumb drive. I called the company http://www.kurzweiledu.com/ and spoke with technical support. They said to just add the file name as an exception in our AV, as they have seen this before. I took another thumb drive right out of the box and plugged it into a different computer with the same result. It also seems to be placing something in the system restore which is getting tagged later on. I would send you a copy of the file, but when you run the program from the thumb drive it extracts the program to the C: drive and then the AV deletes it, so the file is gone.

      Threat Event Log Information
      Server ID:epo-server
      Event Received Time (UTC):5/10/10 2:45:40 PM
      Event Generated Time (UTC):5/10/10 2:44:32 PM
      Agent GUID:9E5DFCAE-8BA2-4DF2-9463-FC49B14A69C8
      Detecting Prod ID (deprecated):VIRUSCAN8700
      Detecting Product Name:VirusScan Enterprise
      Detecting Product Version:8.7
      Detecting Product Host Name:
      Detecting Product IPv4 Address:
      Detecting Product IP Address:
      Detecting Product MAC Address:
      DAT Version:5977.0000
      Engine Version:5400.1158
      Threat Source Host Name:
      Threat Source IPv4 Address:
      Threat Source IP Address:
      Threat Source MAC Address:
      Threat Source User Name:
      Threat Source Process Name:
      Threat Source URL:
      Threat Target Host Name:
      Threat Target IPv4 Address:
      Threat Target IP Address:
      Threat Target MAC Address:
      Threat Target User Name:
      Threat Target Port Number:
      Threat Target Network Protocol:
      Threat Target Process Name:
      Threat Target File Path:C:\Documents and Settings\odalab\Application Data\Thinstall\KB884016\40000082700002i\Kurzweil 3000.exe.920624.tmp
      Event Category:Malware detected
      Event ID:1027
      Threat Severity:Alert
      Threat Name:Artemis!BF1B4CD0DFFB
      Threat Type:Trojan
      Action Taken:Deleted
      Threat Handled:true
      Analyzer Detection Method:OAS
      Threat Event Descriptions
      Event Description:Infected file deleted.


      Threat Event Log Information

      Server ID:epo-server
      Event Received Time (UTC):5/10/10 1:33:11 PM
      Event Generated Time (UTC):5/10/10 1:29:45 PM
      Agent GUID:6B528FBA-DE67-4192-832E-8CE9D4F907B5
      Detecting Prod ID (deprecated):VIRUSCAN8700
      Detecting Product Name:VirusScan Enterprise
      Detecting Product Version:8.7
      Detecting Product Host Name:
      Detecting Product IPv4 Address:
      Detecting Product IP Address:
      Detecting Product MAC Address:
      DAT Version:5977.0000
      Engine Version:5400.1158
      Threat Source Host Name:
      Threat Source IPv4 Address:
      Threat Source IP Address:
      Threat Source MAC Address:
      Threat Source User Name:
      Threat Source Process Name:
      Threat Source URL:
      Threat Target Host Name:
      Threat Target IPv4 Address:
      Threat Target IP Address:
      Threat Target MAC Address:
      Threat Target User Name:SYSTEM
      Threat Target Port Number:
      Threat Target Network Protocol:
      Threat Target Process Name:
      Threat Target File Path:c:\System Volume Information\_restore{38A5DB13-A00C-4099-AA0A-6BB638E808D9}\RP256\A0035627.exe
      Event Category:Malware detected
      Event ID:1027
      Threat Severity:Alert
      Threat Name:Artemis!BF1B4CD0DFFB
      Threat Type:Trojan
      Action Taken:Deleted
      Threat Handled:true
      Analyzer Detection Method:(managed) Managed Daily Scan
      Threat Event Descriptions
      Event Description:Infected file deleted.
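As an added example (not part of the original post or McAfee's own tooling), a small triage script that parses ePO "Threat Event Log Information" records in the layout shown above, groups hits by Threat Name, and tags the two paths that matter in this thread: an application sandbox (Thinstall) temp file and its System Restore copy. The sample records are constructed from the fields in this thread; the tag names and regexes are my own.

```python
import re
from collections import defaultdict

# Constructed sample in the ePO key:value layout seen in this thread (fields abbreviated).
SAMPLE_EVENTS = r"""
Threat Event Log Information
Server ID:epo-server
Event Generated Time (UTC):5/10/10 2:44:32 PM
Threat Target File Path:C:\Documents and Settings\odalab\Application Data\Thinstall\KB884016\40000082700002i\Kurzweil 3000.exe.920624.tmp
Threat Name:Artemis!BF1B4CD0DFFB
Action Taken:Deleted
Analyzer Detection Method:OAS
Threat Event Descriptions
Event Description:Infected file deleted.

Threat Event Log Information
Server ID:epo-server
Event Generated Time (UTC):5/10/10 1:29:45 PM
Threat Target User Name:SYSTEM
Threat Target File Path:c:\System Volume Information\_restore{38A5DB13-A00C-4099-AA0A-6BB638E808D9}\RP256\A0035627.exe
Threat Name:Artemis!BF1B4CD0DFFB
Action Taken:Deleted
Analyzer Detection Method:(managed) Managed Daily Scan
"""

def parse_events(text):
    """Split the log into records: one dict per 'Threat Event Log Information' block."""
    events, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Threat Event Log Information":
            current = {}
            events.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")   # split on the first colon only
            current[key.strip()] = value.strip()
    return events

# Hypothetical path classifiers: System Restore copies and Thinstall sandbox temp files.
RESTORE_RE = re.compile(r"\\System Volume Information\\_restore\{", re.I)
SANDBOX_RE = re.compile(r"\\Thinstall\\", re.I)

def triage(events):
    """Group detections by Threat Name as (path_tag, detection_method) pairs, so a
    single Artemis hash hitting both a sandbox temp file and its restore-point copy
    stands out as one candidate for false-positive review rather than two incidents."""
    by_name = defaultdict(list)
    for e in events:
        path = e.get("Threat Target File Path", "")
        tag = ("restore_point" if RESTORE_RE.search(path)
               else "thinstall_temp" if SANDBOX_RE.search(path) else "other")
        by_name[e.get("Threat Name", "?")].append((tag, e.get("Analyzer Detection Method", "")))
    return {name: sorted(hits) for name, hits in by_name.items()}
```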

        • 1. Re: Possible False Positive - Artemis!BF1B4CD0DFFB

          Hi,


          McAfee(R) Artemis technology provides real-time protection that secures enterprises and consumers from threats as they strike, much more quickly than traditional signatures can be deployed. As Artemis is updated in real time, there is no requirement to wait for a full DAT update nor to use an EXTRA.DAT intermediate solution. Simply wait approximately 30 minutes and this false alarm will no longer exist or trigger on your system. Depending on the network settings you have or the caching involved between your system and ours, it may take slightly longer for this false alarm to be resolved.

          Regards,

          Showvik Chakraborty

          McAfee® Labs
          -------------------------
          McAfee® Labs Blog <http://www.avertlabs.com/research/blog/>
          AudioParasitics - The Official PodCast of McAfee®  Avert® Labs <http://podcasts.mcafee.com/audioparasitics>
          --------------------------
          Safe online? Avoid dangerous web sites using McAfee SiteAdvisor™ -  a FREE download from http://www.siteadvisor.com?cid=27092. Don't search or surf without it!