5 Replies Latest reply on Mar 19, 2014 5:26 AM by rmetzger

    Artemis! detected threat detailed info

    klukacs

      How to get more info about Artemis! detections (e.g. characteristics)?

       

      Thanks

        • 1. Re: Artemis! detected threat detailed info
          rmetzger

          Hi klukacs,

           

          Welcome to the forums.

          klukacs wrote:

           

          How to get more info about Artemis! detections (e.g. characteristics)?

          The short answer: There are no publicly available 'characteristics' yet.

           

          The Long answer:

           

          Artemis!, or more formally Global Threat Intelligence (GTI) File Reputation, detections are based on unknown 'threat behavior' where characteristics are not yet well known. So no information is available yet.

          GTI File Reputation Best Practices Guide for McAfee VirusScan® Enterprise Software wrote:

          see https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/24000/PD24043/en_US/48302wp_gti-best-practices_0812_fnl.pdf

           

          With traditional protection, malware is discovered, verified by a security vendor, made available and ultimately deployed. This process can take place over several hours (or even longer), creating a protection gap.

          ...

          Rather than rely solely on signature-based detection of malware where the time from discovery to protection could be hours or even longer, McAfee GTI File Reputation service provides near real-time protection by providing reputation scores for files as they are accessed or when a system is scanned, compressing the protection gap.

          The GTI detections are done in the cloud by McAfee. When enough info is available, a real threat is then given a formal name, added to the signature databases, and removed from GTI detections as the signature databases are distributed to end-nodes. (Detections determined to be 'Non-threats' are simply removed from Artemis!)

           

          Until a threat has been analyzed and given a name, its only characteristic is an Artemis!1234567890AB (12-digit hex number) based on heuristic behaviors.

           

          Hope that helps.

           

          Ron Metzger

           

          Message was edited by: rmetzger (clarification) on 3/19/14 5:42:38 AM EDT

           

          Message was edited by: rmetzger (spelling) on 3/19/14 5:46:56 AM EDT

           

          on 3/19/14 5:52:50 AM EDT

           

          on 3/19/14 5:55:08 AM EDT
          • 2. Re: Artemis! detected threat detailed info
            klukacs

            Hi metzger,

             

            Thanks for that!

             

            Krisztián Lukács

            • 3. Re: Artemis! detected threat detailed info
              rmetzger

              You're welcome. Do you have a specific problem or detection?

               

              Ron Metzger

              • 4. Re: Artemis! detected threat detailed info
                klukacs

                No specific problem... just wanted to know "who" I'm facing.

                 

                When Artemis detections are researched and categorized (name given, etc.), do they put a reference to the Artemis! code that the researched threat was derived from?

                 

                Thx,

                Krisztián Lukács

                • 5. Re: Artemis! detected threat detailed info
                  rmetzger

                  Not to my knowledge. The naming sequence for Artemis! numbers is simply the MD5 hash of that file. Makes it almost impossible to replicate. However, it says nothing about the actual file in question.

                   

                  If I wanted to know more about that threat, I would submit that file to VirusTotal.com and see what the 45 to 50 scan engines there say about that file. (Each company seems to like to give each threat their own name, so you have to go to each company's site to get details.)

                   

                  Thanks,

                  Ron Metzger
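A small triage helper, added here as an example and not part of the thread or of any McAfee tool, for the two points Ron makes above: that the Artemis! number is derived from the file's MD5 hash, and that the way to learn more is to hash the sample and look it up on a multi-engine service such as VirusTotal. It assumes, since the thread does not say so explicitly, that the 12 hex digits in the detection name are the leading 12 characters of the uppercase MD5 hex digest; the sample bytes and the log lines are constructed for the demo.

```python
import hashlib
import re

# Assumed convention (not stated by the thread): the 12-hex-digit suffix of an
# Artemis! detection is a prefix of the file's uppercase MD5 hex digest.
ARTEMIS_PREFIX = "Artemis!"
ARTEMIS_HEX_DIGITS = 12
ARTEMIS_RE = re.compile(r"Artemis!([0-9A-Fa-f]{12})")


def triage_hashes(data: bytes) -> dict:
    """Hashes a sample is normally looked up by on a multi-engine scanning service."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def artemis_tag(data: bytes) -> str:
    """Build the Artemis!-style name for a file under the assumed MD5-prefix convention."""
    md5_hex = hashlib.md5(data).hexdigest().upper()
    return ARTEMIS_PREFIX + md5_hex[:ARTEMIS_HEX_DIGITS]


def parse_detections(log_text: str) -> list:
    """Return every Artemis! detection name found in a block of scanner log text."""
    return [ARTEMIS_PREFIX + m.upper() for m in ARTEMIS_RE.findall(log_text)]


def matches_detection(data: bytes, detection_name: str) -> bool:
    """Check whether a file on disk is the one a given Artemis! detection refers to.

    Ties a quarantined or copied sample back to its log entry before any time is
    spent submitting it for multi-engine analysis.
    """
    m = ARTEMIS_RE.fullmatch(detection_name.strip())
    if m is None:
        return False
    return artemis_tag(data) == ARTEMIS_PREFIX + m.group(1).upper()


# Constructed sample content standing in for a quarantined file.
SAMPLE_BYTES = b"constructed sample content, not a real binary\n"

# Constructed log lines in the rough shape of an on-access scan report; the
# second detection name is a made-up value that does not correspond to SAMPLE_BYTES.
SAMPLE_LOG = "\n".join([
    "3/19/2014 5:26:00 AM  Deleted  C:\\temp\\sample.exe  " + artemis_tag(SAMPLE_BYTES) + "  OAS",
    "3/19/2014 5:27:10 AM  Deleted  C:\\temp\\other.exe   Artemis!0123456789AB  OAS",
])


def triage_report(data: bytes, log_text: str) -> dict:
    """Match a sample against the log's Artemis! entries and emit its lookup hashes."""
    detections = parse_detections(log_text)
    matched = [d for d in detections if matches_detection(data, d)]
    return {
        "detections_in_log": detections,
        "matched": matched,
        "hashes": triage_hashes(data),
    }


if __name__ == "__main__":
    for key, value in triage_report(SAMPLE_BYTES, SAMPLE_LOG).items():
        print(key, value)
```

The point of the prefix check is the one Ron makes: the Artemis! name identifies a specific file, not a family, so a sample that does not reproduce the hash prefix is not the file the log entry refers to, and the full MD5/SHA-256 from `triage_hashes` is what the other engines' names are keyed on.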