10 Replies. Latest reply on Apr 3, 2012 9:02 AM by vinoo

    Artemis Process Flow

      Hey guys!

       

      Just want to ask how Artemis really works, as there are no available documents or articles that really explain the whole process.

       

      As you can see, all the articles or documents available on the McAfee site only cover the fingerprint upload process and therefore shortening the protection gap, etc.

      But no document states how the Artemis server will answer the query.

       

      We are aware that a PC will send a fingerprint via DNS query to the Artemis server, but how does the Artemis server respond to the query?

       

      Does it send the virus definitions, or the intended action (delete, block, clean, etc.), to the ePO server, which then transmits it to the client(s)? Or does the Artemis server send it directly to the PC, or send it via DNS to the PC?

       

      Please advise. Thanks!

        • 1. Re: Artemis Process Flow
          vinoo

          Global Threat Intelligence and your information - data sent to McAfee from a computer with GTI
          https://kc.mcafee.com/corporate/index?page=content&id=KB60224

           

          How Global Threat Intelligence improves malware detection
          https://kc.mcafee.com/corporate/index?page=content&id=KB53735

           

          How to verify that an endpoint can communicate with the Global Threat Intelligence server
          https://kc.mcafee.com/corporate/index?page=content&id=KB53734

           

           

          Message was edited by: Vinoo Thomas on 11/11/10 11:52:47 PM IST
          • 2. Re: Artemis Process Flow

            Thanks vinoo! But what I wanted to know more about is how the Artemis / GTI server responds to the client (esp. those without an internet connection). Most of the articles only explain how the clients send data to GTI, but none of them explain how GTI responds.

            • 3. Re: Artemis Process Flow
              vinoo

              Point products with Artemis lookups enabled will attempt to do cloud lookups directly via the DNS protocol unless they are configured to route the DNS lookups via an internal GTI server.

               

              Depending on the dirtiness of the hash that was queried, a bit is set in the return response that will tell the client to take action depending on what sensitivity level the product is set to. The mappings to take action are:

               

              Sensitivity level                        Response flag
              Very high                                assumed_dirty
              High                                     assumed_dirty2
              Medium                                   assumed_dirty3
              Low                                      assumed_dirty4
              Very low (VIRUS)                         virus
              Very low (TROJAN)                        trojan
              Very low (APPLICATION)                   pup
              Very low (APPLICATION)                   app

               

              For example, if the response bit corresponds to an assumed_dirty3, a detection will occur only if the product setting is set to the Medium sensitivity level or higher. ePO does not come into play here, as the communication is directly between the client and the Artemis/GTI server.

               

               

              Message was edited by: Vinoo Thomas on 12/11/10 12:09:27 PM IST
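The exchange vinoo describes above, as an added example that is not part of the original thread and not McAfee's code. It models both sides: the client hashes a file, sends the fingerprint as the leftmost label of a DNS A query, the server answers over DNS with a flag encoding the verdict, and the client raises a detection only when its configured sensitivity level is at or above the level that verdict maps to in the table above. The zone name `gti.example.invalid`, the use of MD5 as the fingerprint, the `127.0.0.x` last-octet response encoding, the REFUSED handling and the sample files are all assumptions made for illustration; the real wire encoding is not documented on this page.

```python
"""
Constructed model of the Artemis/GTI DNS exchange described in the thread.
NOT McAfee's code: the zone name, fingerprint algorithm (MD5) and the
127.0.0.x response encoding are assumptions for illustration only.
"""
import hashlib
import struct

LOOKUP_ZONE = "gti.example.invalid"   # ASSUMED placeholder zone, not the real lookup domain
QTYPE_A, QCLASS_IN = 1, 1

# Verdict flags named in the thread, each with the lowest sensitivity level that acts on it.
SENSITIVITY = {"very_low": 0, "low": 1, "medium": 2, "high": 3, "very_high": 4}
REQUIRED_LEVEL = {
    "virus": "very_low", "trojan": "very_low", "pup": "very_low", "app": "very_low",
    "assumed_dirty4": "low", "assumed_dirty3": "medium",
    "assumed_dirty2": "high", "assumed_dirty": "very_high",
}
# ASSUMED wire encoding: verdict code carried in the last octet of a 127.0.0.x A record.
CODE_TO_VERDICT = {0: "clean", **{i + 1: v for i, v in enumerate(REQUIRED_LEVEL)}}
VERDICT_TO_CODE = {v: c for c, v in CODE_TO_VERDICT.items()}

# Constructed "cloud" reputation table keyed by fingerprint (sample content is made up).
SAMPLE_TROJAN = b"constructed sample: known trojan"
SAMPLE_SUSPECT = b"constructed sample: suspicious but unconfirmed"
REPUTATION_DB = {
    hashlib.md5(SAMPLE_TROJAN).hexdigest(): "trojan",
    hashlib.md5(SAMPLE_SUSPECT).hexdigest(): "assumed_dirty3",
}


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(msg, off):
    """Read a name (following compression pointers); return (name, next offset)."""
    labels = []
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:                      # pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            labels.append(decode_name(msg, ptr)[0])
            return ".".join(labels), off + 2
        off += 1
        if length == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def build_query(txid, qname):
    """Client side: standard A/IN query for <fingerprint>.<zone> with RD set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def server_answer(query, db):
    """Server side: echo the question and add one A record carrying the verdict code."""
    txid = struct.unpack("!H", query[:2])[0]
    qname, off = decode_name(query, 12)
    qtype, _ = struct.unpack("!HH", query[off:off + 4])
    question = query[12:off + 4]
    fingerprint, _, zone = qname.partition(".")
    if zone != LOOKUP_ZONE or qtype != QTYPE_A:          # anything else: RCODE 5 (REFUSED)
        return struct.pack("!HHHHHH", txid, 0x8185, 1, 0, 0, 0) + question
    code = VERDICT_TO_CODE[db.get(fingerprint.lower(), "clean")]
    rr = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 60, 4) + bytes([127, 0, 0, code])
    return struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0) + question + rr


def parse_response(resp):
    """Client side: return (txid, rcode, verdict code from the first A record or None)."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", resp[:12])
    if not flags & 0x8000:
        raise ValueError("not a DNS response")
    off = 12
    for _ in range(qd):                                   # skip the echoed question(s)
        off = decode_name(resp, off)[1] + 4
    for _ in range(an):
        off = decode_name(resp, off)[1]
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        rdata = resp[off + 10:off + 10 + rdlen]
        off += 10 + rdlen
        if rtype == QTYPE_A and rdlen == 4:
            return txid, flags & 0xF, rdata[3]
    return txid, flags & 0xF, None


def should_detect(verdict, configured_level):
    """Detection fires only at or above the sensitivity the verdict maps to."""
    return verdict != "clean" and SENSITIVITY[configured_level] >= SENSITIVITY[REQUIRED_LEVEL[verdict]]


def lookup(content, configured_level, db=REPUTATION_DB, txid=0x1234):
    """Full exchange for one file: fingerprint -> query -> DNS answer -> local decision."""
    fingerprint = hashlib.md5(content).hexdigest()
    resp = server_answer(build_query(txid, f"{fingerprint}.{LOOKUP_ZONE}"), db)
    rtxid, rcode, code = parse_response(resp)
    if rtxid != txid or rcode != 0 or code is None:      # no usable answer: no cloud detection
        return "clean", False
    verdict = CODE_TO_VERDICT[code]
    return verdict, should_detect(verdict, configured_level)


if __name__ == "__main__":
    for level in SENSITIVITY:
        print(level, lookup(SAMPLE_SUSPECT, level), lookup(SAMPLE_TROJAN, level))
```

The point the thread makes is visible in `lookup`: the same `assumed_dirty3` answer comes back regardless of the client's setting, and the sensitivity slider only changes whether the client acts on it. Because the decision is taken locally from a DNS answer, a sniffer on the client (or a resolver log, when lookups are routed through an internal server) shows the whole exchange as ordinary A queries and answers.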
              • 4. Re: Artemis Process Flow

                This is great information vinoo! Just like to clarify one more thing:

                 

                " a bit is set in the return response that will tell the client "

                 

                - Does this mean that the response will be sent by the GTI server directly to the client via DNS as well?

                • 5. Re: Artemis Process Flow
                  vinoo

                  That is correct. You could run Wireshark on the client in the background to watch this communication.

                  • 6. Re: Artemis Process Flow

                    Thank you very much Vinoo!! You're a life saver!

                    • 7. Re: Artemis Process Flow

                      Hi, sorry for hijacking this old post. I am looking for information on whether increasing the sensitivity level of Artemis in VSE will have an effect on the number of requests sent to GTI or not.

                      • 8. Re: Artemis Process Flow
                        vinoo

                        That is correct. As the sensitivity level of Artemis in VSE is turned up, it enables additional selection criteria within the DATs, which will result in extra files being queried.

                        The number of queries per day is fewer than 20 on average for OAS.

                        • 9. Re: Artemis Process Flow

                          Thanks for the prompt reply. Is there a KB article with details on the number of requests per sensitivity level? I know this depends on the software installed on the endpoint and the usage patterns, but an average per sensitivity level would help us plan better.
