I'm confused about how endpoints connect to the Artemis server, if they are connected to a network that is shielded from the internet by a firewall and proxy server.
McAfee knowledgebase https://kc.mcafee.com/corporate/index?page=content&id=KB53782 states:
Why use DNS?
DNS provides a quick and efficient mechanism to query small amounts of data. For more information on this process, see KB53735 - How much will McAfee Artemis Technology improve malware detection
Testing connectivity
Perform a manual lookup using nslookup to verify that your computer can see the McAfee Artemis Technology server.
- Click Start, Run, type cmd and press ENTER.
- Type nslookup 4z9p5tjmcbnblehp4557z1d136.avqs.mcafee.com and press ENTER.
You see a response similar to the following:
Our nslookup test was successful. However, does that necessarily mean that our endpoints will be able to query Artemis? I would think that just because endpoints are able to resolve a DNS address, that doesn't necessarily mean that they will be able to send or receive data. If a company's network is separated by a firewall, wouldn't firewall rules need to be created for the Artemis servers? Or, if the endpoints make HTTP connections to Artemis, wouldn't proxy settings need to be considered?
Artemis is using the existing rules already in place for DNS. Since DNS (53/tcp and 53/udp) exists in any TCP/IP network, the services needed to communicate with the Artemis server are already in place. (How that happens was displayed when you ran the nslookup command.)
If the endpoint device does not have access to the Internet, it still must have access to a DNS server or service in order to operate within your local network. So, VirusScan uses this.
VirusScan sends out the signature info within a DNS packet (port 53), which is picked up by whatever DNS server or service is available. If this is a local server running in your network, it likely has access to the Internet. Regardless of where the DNS server is located, it does not have a resolution to the DNS 'query' and passes the query along to its upstream DNS server, recursively, until the Artemis server is found. The Artemis server responds back and this is likely passed on to the local endpoint device, which has been waiting for the reply.
This is not exactly how DNS was intended to be used, but it works. Interesting 'Security Issue' in my humble opinion.
If extreme security issues are paramount, I would suggest turning Off Artemis (not 'low' or 'very low,' OFF). This way security auditors will show no outbound communications which cannot be 'accounted for.'
Hope this helps.
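One way to make these lookups accountable to an auditor, as the reply above asks for, is to look for them in the resolver's own query log rather than at the firewall. The following is an added example, not code from this thread or from McAfee: it parses a few constructed BIND-style query log lines and counts, per client, the queries whose name ends in avqs.mcafee.com (the suffix of the hostname quoted from KB53782). The log format and the assumption that every Artemis lookup uses that suffix are mine.

```python
import re
from collections import Counter

# Constructed sample lines in BIND9 "query" log format (not a real capture).
SAMPLE_LOG = """\
01-Mar-2010 09:12:01.123 client 10.1.2.3#51234: query: www.example.com IN A + (10.1.1.1)
01-Mar-2010 09:12:02.456 client 10.1.2.3#51235: query: 4z9p5tjmcbnblehp4557z1d136.avqs.mcafee.com IN A + (10.1.1.1)
01-Mar-2010 09:12:03.789 client 10.1.2.7#40001: query: intranet.corp.local IN A + (10.1.1.1)
01-Mar-2010 09:12:04.001 client 10.1.2.7#40002: query: abcdefghijklmnopqrstuvwxyz.avqs.mcafee.com IN A + (10.1.1.1)
"""

# Suffix of the hostname given in KB53782; assumed (not confirmed by the page) to be shared by all lookups.
ARTEMIS_SUFFIX = ".avqs.mcafee.com"

QUERY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<client>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<type>\S+)"
)


def parse_query_log(text):
    """Yield (timestamp, client_ip, qname, qtype) for each line that matches the log format."""
    for line in text.splitlines():
        m = QUERY_RE.match(line)
        if m:
            qname = m.group("name").lower().rstrip(".")
            yield m.group("ts"), m.group("client"), qname, m.group("type")


def is_artemis_lookup(qname):
    """True if the queried name falls under the Artemis reputation zone."""
    return qname.endswith(ARTEMIS_SUFFIX)


def artemis_clients(text):
    """Count Artemis lookups per client IP so the traffic can be attributed to endpoints."""
    counts = Counter()
    for _ts, client, qname, _qtype in parse_query_log(text):
        if is_artemis_lookup(qname):
            counts[client] += 1
    return dict(counts)


if __name__ == "__main__":
    for client, n in artemis_clients(SAMPLE_LOG).items():
        print(f"{client}: {n} Artemis lookup(s)")
```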