On a machine with VirusScan installed and configured to send the file reputation queries via GTI Proxy, the GTI Proxy server IP address(es) are specified under the following registry key.
[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\GTI Enterprise Server]
When GetSusp is run, it looks for this key pre-populated to check for the presence of GTI Proxy in the environment.
If the client AV is not McAfee but you have GTI Proxy, you can create this registry key on the client to make GetSusp direct all DNS queries to the proxy.
Thanks. I'll look into options for a GTI proxy.
I'm curious though... I see connections through my web proxy to getclean.mcafee.com and list.smartfilter.com. What functionality is happening via DNS, and what functionality is happening via HTTP? How is the tool's output impacted if the DNS queries don't go through?
DNS queries over UDP port 53 to *.avqs.mcafee.com are the file reputation queries for hashes that meet a certain suspicious or unknown criteria.
The GetSusp_*.zip that is created containing the harvested suspect files and logs is uploaded to https://getclean.mcafee.com after a scan.
If the DNS queries fail, it will result in a noisy report / bloated zip file, as files identified during the scan are not eliminated.
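Because the answers above tie GetSusp's output quality to the GTI Proxy registry key and to DNS reaching *.avqs.mcafee.com, here is an added pre-flight script (not McAfee's or GetSusp's own code) that reports whether the key exists, which IP values it holds, and whether a probe query via each listed proxy gets any DNS reply. The placeholder probe name, the assumption that proxy IPs are stored as values directly under the key, and the error-message match used to recognise NXDOMAIN are assumptions, not documented behaviour.

```powershell
# Added pre-flight check for a GetSusp run; not McAfee's code. Assumes the proxy
# IPs live as string values under the key named in the thread (value names are
# not given there, so every value that parses as an IP address is used).
$KeyPath   = 'HKLM:\SOFTWARE\McAfee\GTI Enterprise Server'
# Placeholder under *.avqs.mcafee.com; it only exercises the UDP/53 path, the
# real query names are derived by GetSusp from file hashes.
$ProbeName = 'placeholder.avqs.mcafee.com'

function Get-GtiProxyAddresses {
    if (-not (Test-Path $KeyPath)) { return @() }
    $addrs = @()
    foreach ($p in (Get-ItemProperty -Path $KeyPath).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # PSPath, PSChildName, ...
        foreach ($v in @($p.Value)) {
            $ip = $null
            if ([System.Net.IPAddress]::TryParse("$v", [ref]$ip)) { $addrs += $ip.ToString() }
        }
    }
    return $addrs
}

# Returns $true if the DNS server answered at all (NXDOMAIN counts: the probe
# name is a placeholder, what matters is that UDP/53 traffic got a reply).
function Test-GtiDnsPath {
    param([string]$Server)  # empty = use the machine's normal resolver
    $splat = @{ Name = $ProbeName; Type = 'A'; DnsOnly = $true; ErrorAction = 'Stop' }
    if ($Server) { $splat.Server = $Server }
    try { Resolve-DnsName @splat | Out-Null; return $true }
    catch {
        # Assumption: the "DNS name does not exist" error (Win32 9003) means the
        # server replied NXDOMAIN; a timeout or refusal means there is no path.
        return ($_.Exception.Message -match 'does not exist')
    }
}

$proxies = Get-GtiProxyAddresses
if ($proxies.Count -eq 0) {
    Write-Host 'GTI Proxy key absent or holds no IP values: GetSusp will query the resolver directly'
    Write-Host ("Direct UDP/53 path for *.avqs.mcafee.com answered: {0}" -f (Test-GtiDnsPath))
} else {
    foreach ($p in $proxies) {
        Write-Host ("GTI Proxy {0}: DNS path answered = {1}" -f $p, (Test-GtiDnsPath -Server $p))
    }
}
# Upload of GetSusp_*.zip goes over HTTPS. This is a direct TCP test only; it does
# not traverse a configured web proxy, so a failure here is not conclusive there.
$up = Test-NetConnection -ComputerName 'getclean.mcafee.com' -Port 443 -WarningAction SilentlyContinue
Write-Host ("Direct HTTPS to getclean.mcafee.com reachable: {0}" -f $up.TcpTestSucceeded)
```

Run it elevated before launching GetSusp; a "DNS path answered = False" line is the condition the answer above describes, where unresolved reputation queries leave a noisy report and a bloated zip.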