The only thing you can really do is to grab a sample of the file off the workstation and submit to McAfee and see what they come back with.
Otherwise you could google the file name and see if you can download the same file off the Internet somewhere and get the same detection.
VirusTotal.com would come in handy to scan a detected file against numerous other scanners, which might give you some leads if it is malicious.
I have wanted McAfee to have some 'smarts' and allow you to access files in the Quarantine area on a machine (i.e. a task in EPO to "pull" the file back, or an automated send back to EPO if it's a generic detection and no other samples with the same checksum have been sent back, etc.). The other thing I've wanted for a while is MD5 information sent back to EPO about the detected file, so that you can easily correlate different detections and work out if you have the same sample file, or do internet searches on the hash.
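The hash-based correlation described in the post above, as an added example that is not part of the original thread or of any McAfee product: it hashes a file the way a collection task would, then groups constructed detection records (hypothetical host/path/MD5 tuples with placeholder hashes) so that one sample seen on many hosts needs only one submission, and the same file name with different hashes is kept apart.

```python
import hashlib
import tempfile
from collections import defaultdict

def md5_of_file(path, chunk_size=1 << 16):
    """MD5 of a file, read in chunks. MD5 serves only as a correlation key
    (same sample across hosts, hash lookups), not as an integrity check."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def hash_constructed_sample(data=b"hello"):
    """Write a constructed sample to a temp file and hash it (demo only)."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(data)
        name = f.name
    return md5_of_file(name)

# Constructed detection records, hypothetical (host, path, md5) tuples;
# the MD5 values are placeholders, not real sample hashes.
SAMPLE_DETECTIONS = [
    ("WS001", r"C:\Windows\Temp\a1b2.tmp", "1" * 32),
    ("WS002", r"C:\Windows\Temp\zz99.tmp", "1" * 32),
    ("WS003", r"C:\Windows\Temp\q7.tmp", "2" * 32),
    ("WS001", r"C:\Users\alice\AppData\Local\Temp\setup.tmp", "3" * 32),
    ("WS004", r"C:\Windows\Temp\a1b2.tmp", "3" * 32),
]

def correlate(detections):
    """Group by MD5: md5 -> {'hosts': set of hosts, 'names': set of file names}."""
    groups = defaultdict(lambda: {"hosts": set(), "names": set()})
    for host, path, md5 in detections:
        groups[md5]["hosts"].add(host)
        groups[md5]["names"].add(path.rsplit("\\", 1)[-1])
    return dict(groups)

def triage_report(detections):
    """Rows of (md5, host_count, names), most widespread sample first:
    one submission per row covers every host listed in it."""
    groups = correlate(detections)
    rows = [(md5, len(g["hosts"]), g["names"]) for md5, g in groups.items()]
    return sorted(rows, key=lambda r: (-r[1], r[0]))

if __name__ == "__main__":
    for md5, n, names in triage_report(SAMPLE_DETECTIONS):
        print(f"{md5}  hosts={n}  names={sorted(names)}")
```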
Well, we have about 2200 clients in our environment and so far we have about 25 different Artemis detections. Seems like a total PITA to have to take each one of them and check them out like that. I love the concept of Artemis, but this doesn't seem like a really effective solution in its current implementation. The majority of these files are .tmp files in the Windows\Temp directory... they seem pretty benign.