4 Replies. Latest reply: Mar 11, 2014 12:29 PM by Namster

    How to Report Artemis Detections

    Scott Sadlocha

      If this question has been answered elsewhere, I apologize. I couldn't find anything that fit my needs anywhere, so I am posting here.


      I am looking for a way to report on events generated by the Artemis detection method. I have taken several reports and modified them a bit, trying to find something to filter on so that I can narrow down the events to just those detected via Artemis. However, none of the columns seem to address it distinctly. I have tried quite a few, including Analyzer Detection Method, but they don't do a good job of identifying Artemis so that I can filter.


      I believe I may have found one method that might work, but I need clarification. In looking at Artemis generated threats, it seems that every one of them has Artemis in the threat name. I tried filtering on "Threat Name Contains Artemis" and this seems to work. I am just not clear whether everything Artemis detects gets this kind of naming. Can anyone speak to this and clarify? Would every Artemis threat be "unknown" and carry an Artemis branded name? I would expect that any known threat would be named, but would also be caught with other components. Also, do Artemis events all carry a single severity? Right now, I am only including the more urgent severities, and all of the Artemis events seem to carry a severity of "Alert".


      Any information that can be provided would be greatly appreciated!

        • 1. Re: How to Report Artemis Detections
          Ex_Brit

          I moved this from VSE to Artemis.  Posting the actual Artemis detection number might catch the eye of a passing McAfee Labs person if posted in this section.


          Artemis is the generic name given to unknowns detected on a machine and submitted automatically to McAfee Labs.  The number given to that detection identifies the object.


          However if you are sure the Artemis detections are wrong you can appeal as follows:


          If something is identified, maybe wrongly as "Artemis" then McAfee already knows about it.  Merely send an email to virus_research@mcafee.com with the Artemis detection name and the words "False Artemis!++++++" (where ++++ is the code given to it) as the subject line. (Minus the "").


          Message was edited by: Ex_Brit on 05/03/14 11:18:33 EST AM
          • 2. Re: How to Report Artemis Detections
            Ex_Brit

            Scott, apologies.  On re-reading your post I realised it was best back in VSE, so have put it back.


            Sorry.

            • 3. Re: How to Report Artemis Detections
              rmetzger

              Hi Scott,

              Scott Sadlocha wrote:


              I am looking for a way to report on events generated by the Artemis detection method. I have taken several reports and modified them a bit, trying to find something to filter on so that I can narrow down the events to just those detected via Artemis. However, none of the columns seem to address it distinctly. I have tried quite a few, including Analyzer Detection Method, but they don't do a good job of identifying Artemis so that I can filter.


              1) I believe I may have found one method that might work, but I need clarification. In looking at Artemis generated threats, it seems that every one of them has Artemis in the threat name.


              2) I tried filtering on "Threat Name Contains Artemis" and this seems to work. I am just not clear whether everything Artemis detects gets this kind of naming. Can anyone speak to this and clarify?


              3) Would every Artemis threat be "unknown" and carry an Artemis branded name? I would expect that any known threat would be named, but would also be caught with other components.


              4) Also, do Artemis events all carry a single severity? Right now, I am only including the more urgent severities, and all of the Artemis events seem to carry a severity of "Alert".

              1, 2) I believe that all GTI detections contain Artemis in its name. That of course could change in the future, and is up to McAfee to determine.


              3) Yes. All GTI detections are by definition, Unknown. They remain Unknown until more information is available and once enough information about a threat (or non-threat) is known, an Artemis name is converted to a threat name (or removed for a non-threat). This may take hours to days, depending on the threat. If a GTI detection becomes 'Known' the threat is given a name and added to the DAT files, where the information for removal, etc. is distributed to GTI enabled endpoints.


              4) Since all GTI detections are Unknown, the severity level set to "Alert" is probably the only level McAfee can state. Until it gets converted to a threat name, higher or lower levels would be inappropriate, leading to inappropriate actions for unknown threats (or non-threats). File Deletion or Quarantine is the only action that would be appropriate. Even that may be dangerous as recent events have shown.


              I am guessing that you probably knew all this, but for the lurkers, here is a good source for GTI FAQs: https://kc.mcafee.com/corporate/index?page=content&id=KB53735

              and GTI Best Practices: https://kb.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/24000/PD24043/en_US/48302wp_gti-best-practices_0812_fnl.pdf


              Here is an article on how GTI (Artemis) names detections: https://kc.mcafee.com/corporate/index?page=content&id=KB65525&actp=null&viewlocale=en_US&showDraft=false&platinum_status=false&locale=en_US


              Hopefully this helps.


              Ron Metzger

              • 4. Re: How to Report Artemis Detections
                Namster

                Sorry for vagueness as I don't have an Artemis event to test this.


                In the threat event log, locate an Artemis related event, open it. There is a label (left column) where the event name "Artemis" is listed (right column).


                When you create a query, in the filter section, use the same label and for the value, choose the operator "contains" and in the value, type in Artemis.


                I have done this before and it will show you all Artemis detections. I've even made a line graph query to show me when the Artemis detections started and ended for that one time when Artemis went a little crazy last year.
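As an added example (not code from the thread or from McAfee), the checks below run the "Threat Name contains Artemis" filter from the question and reply 4 over a constructed export of threat events, and then report what the question and reply 4 ask about: the severity breakdown (so a report limited to urgent severities can be checked for dropped Artemis events) and the per-day counts behind a start/end timeline. The column names and event rows are assumptions for the sample, not ePO's exact schema.

```python
"""Sanity-check a 'Threat Name contains Artemis' report filter.
Added example; column names and sample rows are constructed, not ePO's schema."""
import csv
import io
from collections import Counter

# Constructed sample export. One row uses a lower-case name and one a
# non-Alert severity on purpose, to exercise the checks below.
SAMPLE_EXPORT = """\
Event Generated Time,Threat Name,Threat Severity,Analyzer Detection Method
2014-03-05 09:12:00,Artemis!0123ABCD4567,Alert,Heuristic
2014-03-05 09:47:00,artemis!89EF01234567,Alert,Heuristic
2014-03-06 14:03:00,Generic.dx,Critical,On-Access Scan
2014-03-07 08:30:00,Artemis!ABCDEF012345,Warning,Heuristic
2014-03-07 16:20:00,Exploit-PDF.q,Critical,On-Access Scan
"""

def artemis_events(export_text):
    """Rows whose Threat Name contains 'Artemis' (the filter from the thread),
    matched case-insensitively so a lower-case name is not missed. The code
    after 'Artemis!' (the per-object number from reply 1) is split out."""
    rows = []
    for row in csv.DictReader(io.StringIO(export_text)):
        name = row["Threat Name"]
        if "artemis" not in name.lower():
            continue
        row["Artemis Code"] = name.split("!", 1)[1].upper() if "!" in name else ""
        rows.append(row)
    return rows

def severity_counts(events):
    """Counts per severity. Anything other than 'Alert' here is an Artemis event
    that a report including only the urgent severities might drop."""
    return Counter(e["Threat Severity"] for e in events)

def daily_counts(events):
    """Events per day: the series behind the start/end line graph in reply 4."""
    return Counter(e["Event Generated Time"][:10] for e in events)

def false_positive_subject(event):
    """Subject line format from reply 1 for appealing a suspected false detection."""
    return f"False Artemis!{event['Artemis Code']}"

if __name__ == "__main__":
    hits = artemis_events(SAMPLE_EXPORT)
    print(len(hits), "Artemis events")
    print("by severity:", dict(severity_counts(hits)))
    print("by day:", dict(daily_counts(hits)))
```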