I moved this from VSE to Artemis. Posting the actual Artemis detection number might catch the eye of a passing McAfee Labs person if posted in this section.
Artemis is the generic name given to unknowns detected on a machine and submitted automatically to McAfee Labs. The number given to that detection identifies the object.
However, if you are sure the Artemis detections are wrong, you can appeal as follows:
If something is identified, maybe wrongly, as "Artemis", then McAfee already knows about it. Merely send an email to email@example.com with the Artemis detection name and the words "False Artemis!++++++" (where ++++ is the code given to it) as the subject line. (Minus the "").
Scott Sadlocha wrote:
I am looking for a way to report on events generated by the Artemis detection method. I have taken several reports and modified them a bit, trying to find something to filter on so that I can narrow down the events to just those detected via Artemis. However, none of the columns seem to address it distinctly. I have tried quite a few, including Analyzer Detection Method, but they don't do a good job of identifying Artemis so that I can filter.
1) I believe I may have found one method that might work, but I need clarification. In looking at Artemis generated threats, it seems that every one of them has Artemis in the threat name.
2) I tried filtering on "Threat Name Contains Artemis" and this seems to work. I am just not clear whether everything Artemis detects gets this kind of naming. Can anyone speak to this and clarify?
3) Would every Artemis threat be "unknown" and carry an Artemis branded name? I would expect that any known threat would be named, but would also be caught with other components.
4) Also, do Artemis events all carry a single severity? Right now, I am only including the more urgent severities, and all of the Artemis events seem to carry a severity of "Alert".
1, 2) I believe that all GTI detections contain Artemis in their name. That of course could change in the future, and is up to McAfee to determine.
3) Yes. All GTI detections are, by definition, Unknown. They remain Unknown until more information is available and once enough information about a threat (or non-threat) is known, an Artemis name is converted to a threat name (or removed for a non-threat). This may take hours to days, depending on the threat. If a GTI detection becomes 'Known' the threat is given a name and added to the DAT files, where the information for removal, etc. is distributed to GTI enabled endpoints.
4) Since all GTI detections are Unknown, the severity level set to "Alert" is probably the only level McAfee can state. Until it gets converted to a threat name, higher or lower levels would be inappropriate, leading to inappropriate actions for unknown threats (or non-threats). File Deletion or Quarantine is the only action that would be appropriate. Even that may be dangerous as recent events have shown.
I am guessing that you probably knew all this, but for the lurkers, here is a good source for GTI FAQs: https://kc.mcafee.com/corporate/index?page=content&id=KB53735
Here is an article on how GTI (Artemis) names detections: https://kc.mcafee.com/corporate/index?page=content&id=KB65525&actp=null&viewlocale=en_US&showDraft=false&platinum_status=false&locale=en_US
Hopefully this helps.
Sorry for vagueness as I don't have an artemis event to test this.
In the threat event log, locate an artemis related event, open it. There is a label (left column) where the event name "artemis" is listed (right column).
When you create a query, in the filter section, use the same label and for the value, choose the operator "contains" and in the value, type in artemis.
I have done this before and it will show you all artemis detections. I've even made a line graph query to show me when the artemis detections started and ended for that one time when artemis went a little crazy last year.