4 Replies Latest reply on Dec 17, 2010 8:04 AM by runcmd

    Artemis Heuristic Detections - Mandatory File Deletion?

    runcmd

      Has anyone else noticed that when you launch a Full Scan in VirusScan with heuristics enabled but actions configured as "Clean" first and then "Prompt for action", it deletes files heuristically detected anyway--without prompting you?  In my case, a Full Scan detected a file named "dsTermServProxy.dll" (MD5: b03400951f412cd283a73e73c85e3fe0) as "Artemis!B03400951F41" and then simply deleted it.  However, in the same scan, the detection of an EICAR prompted me for action.  I pulled the DLL file off of another computer and submitted it to WebImmune with the hopes of it being identified as a false positive; however, I'm more concerned about VirusScan automatically deleting the detection when I have it configured to prompt me.  Is there a separate "Action" setting for heuristic detections?  Thanks.

        • 1. Re: Artemis Heuristic Detections - Mandatory File Deletion?

          I'd say Artemis will always delete the file as the action taken. The same applies to trojan horses. If you have a trojan detected by VSE, it will always delete that file even if the VSE settings are set to Clean/Deny, for example. This is because deleting a trojan is the 'clean' mechanism for trojans, since this type of malware is always the malicious code itself.

           

          Hope this helps.

          Bruno

          • 2. Re: Artemis Heuristic Detections - Mandatory File Deletion?
            runcmd

            Yeah, I noticed that it appears to apply to malware also...  Having the same configuration applied to another machine, VSE detected and deleted a virus on that computer.  I might need to open a case about this one.  If the configuration is to clean the file with a fallback action of "deny access" then it should not delete anything.  Because the organization I work for is in healthcare, on some systems I can't risk VSE deleting files because it thinks it is a virus.  I need it to quarantine detected files in some way so that the files in question are around for further investigation after the detection.  If a computer is used for patient care and McAfee deletes a file that's integral to the application, it could be hours before that system is back up.  If it quarantines the file, the file can be moved back and added as an exclusion.

            • 3. Re: Artemis Heuristic Detections - Mandatory File Deletion?

              All of the files that are detected by VSE 8.5 or later (it doesn't matter if it's a trojan, an Artemis detection or a virus) will always be quarantined before any action is taken. You can find a list of *.bup files under the folder C:\quarantine. To restore the files you need, you can use the VSE Console / Quarantine Manager Policy. You can also restore quarantined files from ePO; there is a specific task for this.

               

              HTH

              Bruno

              • 4. Re: Artemis Heuristic Detections - Mandatory File Deletion?
                runcmd

                Excellent!  You learn something new every day.  :-)  Thanks Bruno!