4 Replies Latest reply on Aug 22, 2013 8:56 AM by rmetzger

    Does Threat Center work?

      I’m trying to find out which DAT contains the signature for Artemis!A58241894C3C. I enter Artemis!A58241894C3C in Threat Center as Malware Name and Vulnerability Name and I don’t get anything. In general I have a very hard time finding anything using Threat Center.

        • 1. Re: Does Threat Center work?
          Hayton

          You won't find an Artemis detection listed in the Threat Center because these are heuristic detections - something for which there is nothing previously recorded, and which may perhaps be a false positive.

          • 2. Re: Does Threat Center work?
            rmetzger

            Hi gjohns12,

             

            Welcome to the forums.

             

            gjohns12 wrote:

             

            I’m trying to find out which DAT contains the signature for Artemis!A58241894C3C.

            Well, Artemis detections are not in a DAT, by definition. Artemis (or it's official name GTI, Global Threat Intelligence) is only used when a questionable behavior occurs AND No DAT signature is defined for the behavior. At that point, the scan engine creates a hash of the file in question and sends the hash to the on-line server at McAfee, to see if other systems have discovered the same. When a match has occurred, the GTI server sends back a number, in your case A58241894C3C, which states that this has been detected before.

             

            Unfortunately, this is not much information for you or I to go on. Additionally, the Artemis number issued only specifies that a quarantine should take place, as there is not enough information from the hash given, to define operations, like Clean.

             

            When enough information is gathered regarding a suspicious behavior or file, and enough testing is done, the Artemis detection is then added to the DAT file. At that time, more operations, like Clean, are available and a more traditional infection Name is given. Until this happens, the Threat Center is not able to help much.

             

            At the beginning of this process, the scan engine goes to Artemis when the issue is not defined within a DAT. Once the new DAT file contains the signature and process for cleanup, the Artemis lookup is not done.

             

            Artemis is useful to handling zero-day outbreaks, stopping the spread before full knowledge and understanding of the malware is known. Information about a detection (by Artemis number) is only available to McAfee. Once the malware is better defined and added to the DAT file, information about that detection can be looked up by the traditional name issued by McAfee.

             

            Hope this has been helpful.

            Ron Metzger

            • 3. Re: Does Threat Center work?

              Ron,

               

              Thanks for the excellent explanation

              So, would HIPS or any other McAfee end point product catch this  file at the point in the process where the file has been assigned an Artemis number but has not been defined to the point where it can be added to a DAT file ?

              • 4. Re: Does Threat Center work?
                rmetzger

                Hi gjohns12,

                 

                gjohns12 wrote:

                So, would HIPS or any other McAfee end point product catch this  file at the point in the process where the file has been assigned an Artemis number but has not been defined to the point where it can be added to a DAT file ?

                Yes, GTI is available and can be enabled on Host IPS v8.0 and later, as well as other products.

                 

                Here is a good starting point for your question:

                How to enable Global Threat Intelligence Technology in your McAfee product

                https://kc.mcafee.com/corporate/index?page=content&id=KB70130&pmv=print

                 

                According to the GTI Best Practices Guide:

                http://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/2 4000/PD24043/en_US/48302wp_gti-best-practices_0812_fnl.pdf

                GTI Best Practices Guide wrote:

                False positives

                The historic false positive rate that McAfee has recorded for McAfee GTI File Reputation service is 0.00001 percent.

                 

                Though, recent events have thrown this low false positive number out the window. Search the forums for "Artemis / GTI / heuristics" for further discussions on this event.

                see: https://community.mcafee.com/thread/58541?start=0&tstart=0

                and: http://service.mcafee.com/faqdocument.aspx?lc=1033&id=TS101891

                 

                Good luck,

                Ron Metzger

                 

                Message was edited by: rmetzger on 8/22/13 9:56:35 AM EDT