Hello community members,
My ePO server sent me an e-mail stating that VirusScan Enterprise successfully cleaned and deleted a malware file detected on a PC. However, about 2 minutes later, I received a second e-mail from ePO stating that the same detected malware file was not successfully cleaned. A follow-up on the infected PC shows that the latter is true. I know that AV isn't 100% effective, but does anyone know why this happens? I'm hoping that there is a plausible reason for this so I don't lose faith in McAfee.
Has this detection occurred on the same PC or different PCs? What was its name exactly?
It can happen that the same malware is handled differently; just imagine a case where one copy of it is in a "sleeping" state and the other is in an active state (in the latter case, chances are the files to be deleted are not available to VirusScan for write access, etc.).
This was reported by ePO on one PC.
The malware detection was found under this threat signature: Artemis!4B63D0BB3C0A
Googling it doesn't turn up any results... I believe search results would be similar for almost all threat findings categorized starting with Artemis!%...?
I wish more could be learned about the signature from McAfee GTI.
To rebut, I can see that the scenario you described is plausible... if the order of events I described were reversed. But the first e-mail I received stated that the malware file was successfully deleted...?
This leads me back to my original question about the integrity of VirusScan's reporting, since the file was detected again right after it had been removed.
The threat was detected by a scheduled monthly scan. This leads me to think that the file was in a "sleeping" state when the alert triggered. I also checked the PC's application prefetch data to see if the file had executed at the time of the alert. Application prefetch tells me that the file didn't execute, confirming my assumption about the state of the file. Nor was there evidence in prefetch showing that a copy of the file was put into the affected path after the initial detection.
I almost want to label this as a bug with VirusScan.
Do you happen to have the e-mails (or screenshots of them)? Could you attach them to this thread?
I think cleaning and deleting cannot both occur on a single file, just either of them. I'm also wondering if this detection with two outcomes occurred on two separate files (you stated this happened during an on-demand scan)... one of which might have been in use during that scan.
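The two questions raised in this thread, whether the "Deleted" and "Clean failed" events refer to one file or to two copies (last post), and whether prefetch shows the file was ever launched (the scheduled-scan post), can both be answered mechanically from the ePO notifications and a listing of C:\Windows\Prefetch. The script below is an added example, not McAfee or ePO code. The record fields (time, host, threat, path, action), the action strings, the timestamps and paths in the sample events, and the prefetch directory listing are all constructed for the example; real ePO exports will need their column names mapped onto these fields.

```python
"""Triage helper for conflicting VirusScan/ePO threat events.

Added example, not McAfee or ePO code. Field names (time, host, threat, path,
action) are this script's own assumptions about what gets pulled out of the
notification e-mails, not ePO's schema.
"""
from collections import defaultdict
from datetime import datetime
import re

SUCCESS_ACTIONS = {"deleted", "cleaned", "quarantined"}
FAILURE_ACTIONS = {"clean failed", "delete failed", "access denied"}

# Constructed sample: two events on one host for the thread's Artemis name,
# same path, "Deleted" followed about two minutes later by "Clean failed".
SAME_FILE_EVENTS = [
    {"time": "2013-05-01 02:01:10", "host": "PC01", "threat": "Artemis!4B63D0BB3C0A",
     "path": r"C:\Users\user\AppData\Local\Temp\dropper.exe", "action": "Deleted"},
    {"time": "2013-05-01 02:03:05", "host": "PC01", "threat": "Artemis!4B63D0BB3C0A",
     "path": r"C:\Users\user\AppData\Local\Temp\dropper.exe", "action": "Clean failed"},
]

# Constructed variant: the second event names a different copy of the file
# (the "two separate files, one of them in use" scenario).
TWO_FILE_EVENTS = [
    SAME_FILE_EVENTS[0],
    {"time": "2013-05-01 02:03:05", "host": "PC01", "threat": "Artemis!4B63D0BB3C0A",
     "path": r"C:\Users\user\AppData\Local\Temp\dropper(1).exe", "action": "Clean failed"},
]


def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")


def correlate(events):
    """Group events by (host, threat, case-folded path), each group in time order."""
    groups = defaultdict(list)
    for ev in sorted(events, key=lambda e: parse_time(e["time"])):
        groups[(ev["host"], ev["threat"], ev["path"].lower())].append(ev)
    return groups


def classify(events):
    """Decide whether conflicting outcomes refer to one file or to several.

    Returns {"findings": [(host, threat, path, verdict, seconds_between)],
             "distinct_paths": {(host, threat): number_of_paths}}.
    verdict is "removed", "failed-only", "same-file-conflict" (a success was
    reported and the same path later failed to clean) or "failed-then-removed".
    """
    groups = correlate(events)
    distinct = defaultdict(set)
    findings = []
    for (host, threat, path), evs in groups.items():
        distinct[(host, threat)].add(path)
        oks = [e for e in evs if e["action"].lower() in SUCCESS_ACTIONS]
        fails = [e for e in evs if e["action"].lower() in FAILURE_ACTIONS]
        if oks and fails:
            delta = (parse_time(fails[0]["time"]) - parse_time(oks[0]["time"])).total_seconds()
            verdict = "same-file-conflict" if delta >= 0 else "failed-then-removed"
        elif fails:
            verdict, delta = "failed-only", 0.0
        else:
            verdict, delta = "removed", 0.0
        findings.append((host, threat, path, verdict, delta))
    return {"findings": findings, "distinct_paths": {k: len(v) for k, v in distinct.items()}}


# Windows prefetch files are named <EXE NAME>-<8 hex digits>.pf, so a plain
# directory listing of C:\Windows\Prefetch shows whether an executable was launched.
PF_NAME = re.compile(r"^(?P<exe>.+)-(?P<hash>[0-9A-Fa-f]{8})\.pf$")

# Constructed directory listing (hash values made up for the example).
PREFETCH_LISTING = ["NOTEPAD.EXE-D8414F97.pf", "MCSHIELD.EXE-1A2B3C4D.pf", "Layout.ini"]


def prefetch_evidence(exe_name, listing):
    """Return the prefetch entries recorded for exe_name (case-insensitive)."""
    wanted = exe_name.upper()
    hits = []
    for name in listing:
        m = PF_NAME.match(name)
        if m and m.group("exe").upper() == wanted:
            hits.append(name)
    return hits


if __name__ == "__main__":
    for label, evs in (("same path", SAME_FILE_EVENTS), ("two paths", TWO_FILE_EVENTS)):
        print(label, classify(evs))
    print("dropper.exe in prefetch:", prefetch_evidence("dropper.exe", PREFETCH_LISTING))
```

Two caveats when reading the output. A "same-file-conflict" verdict only tells you the product reported two outcomes for one path; it does not say which report was wrong, so keep the on-access/on-demand log from the client alongside the ePO events. And an empty prefetch result shows only that Windows never recorded a launch of that executable: prefetch can be disabled, and a file can be held open (and therefore locked against deletion) by another process without ever being executed itself, so absence from prefetch does not rule out the "in use during the scan" explanation.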