2 Replies Latest reply on Oct 30, 2009 12:58 PM by Mindcrime

    Artemis detections...

      I'm curious how others are dealing with Artemis detections in their environments. We're using "Medium" scan settings, and the thing that bothers me is that I'm seeing detections but there's really no information to go on as to whether or not there's anything to be concerned about. At least with other detections I can go and read about behaviors, risk, etc.

      I realize I can turn the scanning sensitivity down, but I'm more concerned about there not being any actionable information being reported back.
        • 1. RE: Artemis detections...
          The only thing you can really do is to grab a sample of the file off the workstation, submit it to McAfee and see what they come back with.

          Otherwise you could google the file name and see if you can download the same file off the Internet somewhere and get the same detection.

          VirusTotal.com would come in handy to scan a detected file against numerous other scanners, which might give you some leads if it is malicious.

          I have wanted McAfee to have some 'smarts' and allow you to access files in the Quarantine area on a machine (i.e. a task in EPO to "pull" the file back, or an automated send-back to EPO if it's a generic detection and no other samples with the same checksum have been sent back, etc.). The other thing I've wanted for a while is MD5 information sent back to EPO about the detected file, so that you can easily correlate different detections and work out if you have the same sample file, or do internet searches on the hash.
          • 2. RE: Artemis detections...
            Well, we have about 2200 clients in our environment and so far we have about 25 different Artemis detections. Seems like a total PITA to have to take each one of them and check them out like that. I love the concept of Artemis, but this doesn't seem like a really effective solution in its current implementation. The majority of these files are .tmp files in the Windows\Temp directory... they seem pretty benign.
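The hash-based correlation the first reply asks for, and the "25 detections across 2200 clients" triage problem in the second, can be done by hand on the collected samples without waiting for the product to do it. The script below is an added example, not code from the thread or from McAfee: it hashes each pulled sample, groups detections by SHA-256 (with the MD5 alongside for searching), and orders the unique samples by how many hosts they hit, so you submit and research each sample once rather than once per host. The detection records, hostnames, paths and file contents are constructed placeholders; the VirusTotal file-page URL pattern is an assumption about that site's layout, and no network access is made.

```python
"""Correlate Artemis-style detections by file hash so that one sample seen on
many hosts is analysed once.  Added example; the records below are constructed
placeholders, not an ePO export and not real malware."""
import hashlib
from collections import defaultdict

# Constructed detections: (hostname, path on the client, bytes pulled from
# quarantine).  Note the randomised temp-file names: two hosts can hold the
# same sample under different names, and one name can hold different samples,
# which is why the file name alone is a poor search key.
DETECTIONS = [
    ("WS-0017", r"C:\Windows\Temp\~DF3A1.tmp", b"MZ\x90\x00placeholder-sample-A"),
    ("WS-0142", r"C:\Windows\Temp\~DF9B7.tmp", b"MZ\x90\x00placeholder-sample-A"),
    ("WS-0311", r"C:\Windows\Temp\tmp1C4.tmp", b""),
    ("WS-0555", r"C:\Users\jdoe\AppData\Local\Temp\setup.tmp", b"MZ\x90\x00placeholder-sample-B"),
    ("WS-0901", r"C:\Windows\Temp\~DF3A1.tmp", b"MZ\x90\x00placeholder-sample-A"),
]


def file_hashes(data: bytes) -> dict:
    """MD5 and SHA-256 of a file's bytes.  MD5 is what the poster asked to have
    reported and what older write-ups quote; SHA-256 is what current lookup
    services key on, so keep both."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def correlate(detections):
    """Group detections by SHA-256.

    Returns {sha256: {"md5": str, "hosts": [hostnames], "paths": {paths}}}.
    Hosts keep the order they were seen in; paths are deduplicated.
    """
    groups = defaultdict(lambda: {"md5": None, "hosts": [], "paths": set()})
    for host, path, data in detections:
        h = file_hashes(data)
        group = groups[h["sha256"]]
        group["md5"] = h["md5"]
        group["hosts"].append(host)
        group["paths"].add(path)
    return dict(groups)


def triage_order(groups):
    """Unique samples, most widespread first: the order to submit them in."""
    return sorted(groups.items(), key=lambda kv: len(kv[1]["hosts"]), reverse=True)


def lookup_url(sha256: str) -> str:
    """Search VirusTotal by hash instead of uploading the file, so nothing
    leaves the environment until you decide it should.  URL pattern assumed."""
    return f"https://www.virustotal.com/gui/file/{sha256}"


if __name__ == "__main__":
    groups = correlate(DETECTIONS)
    print(f"{len(DETECTIONS)} detections collapse to {len(groups)} unique samples")
    for sha256, g in triage_order(groups):
        print(f"md5={g['md5']}  hosts={len(g['hosts'])}  paths={sorted(g['paths'])}")
        print(f"    {lookup_url(sha256)}")
```

Run against a real pull of quarantined files, swap the constructed tuples for (host, path, open(path, "rb").read()) and the output is the short list of distinct hashes to submit; an empty .tmp file (sample three here) hashes to the well-known empty-input digest and can be dismissed on sight, which is exactly the kind of quick decision the per-host view in the console does not allow.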