I've watched the video, my thoughts:
- first, an actual copy operation occurred from Desktop to a hard disk folder. That triggered Artemis.
- secondly, only directory manipulation of the whereabouts of the file happened; no file operation occurred, so no detection.
- on the first ODS I'm not sure (it was not confirmed) if the Detect Unwanted Programs checkbox was set (and if any action for Unwanted Programs has been set)
- The guy did not have Antispyware module installed.
- He should have checked the ODS log to see anything after all.
(On the other hand, I always suppress estimate calculation; the guy did not, apparently he thought ODS was examining the file very thoroughly, hence the delay.)
Ok, so I decided to do my own testing. I set up a secure VM environment for my testing.
Captured an Adware program that Artemis detected.
WinXP, VSE 8.7 P4 with Anti-Spyware module installed, Current DAT.
1. Copying the file from one folder to another in explorer does not set off the Artemis detection.
2. Copying the file to the desktop DOES set off the Artemis detection.
3. Ran ODS against the file with Artemis set to "very high" and nothing was detected, no matter where the file was located.
4. Ran all the same tests with the eicar test file and it was detected as soon as I touched the file, no matter where it was located.
5. Also noticed that Artemis does not work at all if there is no network connection.
Not sure if this Artemis technology is everything they say it is.
Artemis requires heuristics to be enabled, perhaps that was not so in the ODS.
Eicar test file is a "virus" so Artemis may not apply to it (not a suspicious program, that is.)
Artemis is a reverse DNS lookup so you may be able to capture it in a netmon or get alerted of it from the firewall or other device.
I'd be interested in your test; can you direct me to your test file location?
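The point above that Artemis is a DNS-based lookup, and the earlier observation that it does nothing without a network connection, both suggest a simple defender-side check: look for the reputation lookups in your resolver or network-monitor logs. The following is an added example, not code from this thread or from McAfee. It parses constructed log lines in an assumed "<time> <client> <qname> <qtype>" layout and counts reputation lookups per client. The domain suffix `artemis-reputation.example.com` is a placeholder and the hash-like leading label is part of my constructed sample; replace the suffix with whatever your own capture shows the product actually querying.

```python
import re
from collections import Counter

# Placeholder suffix for the reputation lookup domain (assumption, not taken
# from the thread or from McAfee documentation). Replace with the suffix seen
# in your own netmon/firewall capture.
REPUTATION_SUFFIXES = ("artemis-reputation.example.com",)

# Constructed sample resolver log: "<time> <client> <qname> <qtype>".
# Client .10 is the test VM doing file copies; .11 and .12 are bystanders.
SAMPLE_LOG = """\
10:01:02 192.168.1.10 0a1b2c3d4e5f60718293a4b5c6d7e8f9.artemis-reputation.example.com A
10:01:03 192.168.1.10 www.example.com A
10:01:05 192.168.1.11 updates.example.net A
10:01:09 192.168.1.10 ffeeddccbbaa99887766554433221100.artemis-reputation.example.com A
10:01:12 192.168.1.12 intranet.local A
"""

LINE_RE = re.compile(
    r"^(?P<time>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$"
)


def parse_line(line):
    """Split one log line into its fields; return None for lines that do not fit."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_reputation_lookup(qname):
    """True if the queried name is, or sits under, one of the reputation suffixes."""
    q = qname.lower().rstrip(".")  # normalise case and a trailing root dot
    return any(q == s or q.endswith("." + s) for s in REPUTATION_SUFFIXES)


def reputation_lookups(log_text):
    """Return the parsed records whose query name is a reputation lookup."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_reputation_lookup(rec["qname"]):
            hits.append(rec)
    return hits


def lookups_per_client(log_text, clients):
    """Count reputation lookups per client; a zero during a file-copy test
    suggests the product never reached its reputation servers (offline or blocked)."""
    counts = Counter(h["client"] for h in reputation_lookups(log_text))
    return {c: counts.get(c, 0) for c in clients}


if __name__ == "__main__":
    for rec in reputation_lookups(SAMPLE_LOG):
        print(rec["time"], rec["client"], rec["qname"])
    print(lookups_per_client(SAMPLE_LOG, ["192.168.1.10", "192.168.1.11", "192.168.1.12"]))
```

Run it over your real resolver or firewall DNS log after performing the copy tests described earlier in the thread: a test machine that produced no lookups at all while copying a file that OAS flags is the quickest confirmation that the reputation query never left the box.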
Correct me if I'm wrong, but Artemis is reputation-based software that goes out and looks (I'm guessing on some McAfee servers somewhere) to see if other users have found that file to be either good or bad, and then acts accordingly. If there isn't a network connection, then Artemis will not work.
That seems correct; nevertheless, in our situation Artemis worked in OAS... as I noticed... or am I missing something?
I guess we would need a VirusScan engineer to explain.
As soon as this file changes from Artemis into the normal DAT detection, it might be needed to find something similar to reproduce. Normally it would be best to get an SR opened to replicate this at McAfee if there really is an issue or just something else.
From the look of the video I would expect a detection on Desktop and D drive if the scan settings for OAS are the same, but the ODS could indeed be something different.
Note: the console might not update on time when, for example, the node is ePO-managed and OAS is off by default and just manually set to ON mode.
I downloaded this file and scanned with right click scan ods, where
- macro and program heuristics were enabled,
- artemis was set to medium
- scan for unwanted files was enabled
- had antispyware module installed
- dat 6235, engine 5400.1158
- no exclusions applied during the ods.
and VSE 8.7 Patch 3 did not detect it as spyware or anything.
OAS should have detected it and taken action when I was trying to save the file, so I'm curious if in your environment you experienced otherwise (recently).