I'm pretty sure it is the same heuristics rule it uses for Artemis/GTI. The heuristics existed before the "in the cloud." Even with GTI, the product has to determine the file is suspicious before it sends a query up to the cloud.
For example, if a file uses specific packing methods or unsigned code, or stuff like that. That's my understanding.
This document, sorry no link, is pretty good at explaining how it works
McAfee® Anti-Malware Engines:
Values and Technologies
By Christoph Alme and Declan Eardly, McAfee Labs™
GetSusp is GTI Proxy aware. However, if no GTI proxy is implemented and it cannot talk to the GTI cloud - then after identifying a list of files to scan it will try to eliminate files identified based on:
1. Digitally signed with a valid cert
2. Signed using a root cert
Files that don't meet these two criteria are then attempted to be looked up against the GTI cloud. Since the cloud lookup will fail, they will all be reported as Unknown. Without GTI cloud access, the number of files reported by GetSusp will be more.
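The triage order described above (eliminate signed files first, look the rest up against the cloud, fall back to Unknown when the cloud is unreachable) as a runnable simulation. This is an added example, not GetSusp's or McAfee's code: the file records, hashes and verdict table are constructed, the `root_signed` flag is a hypothetical stand-in for the root-cert check, and `mock_gti_lookup` only imitates a cloud query.

```python
"""
Simulation of the GetSusp-style triage from the post above.
All file records, hashes and cloud verdicts are constructed for the example;
nothing here talks to GTI or any McAfee API.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class FileRecord:
    path: str
    sha256: str        # constructed placeholder, not a real IoC
    signed: bool       # file carries a code signature at all
    cert_valid: bool   # signature chain validates (not expired/revoked)
    root_signed: bool  # hypothetical flag: signed directly by a trusted root


class CloudUnavailable(Exception):
    """Raised when the simulated GTI cloud cannot be reached."""


def eliminate_signed(files: List[FileRecord]) -> List[FileRecord]:
    """Step 1: drop files meeting either trust criterion from the post."""
    kept = []
    for f in files:
        if f.signed and (f.cert_valid or f.root_signed):
            continue  # trusted signature, no cloud lookup needed
        kept.append(f)
    return kept


def mock_gti_lookup(sha256: str, reachable: bool = True) -> str:
    """Stand-in for a GTI cloud query; the verdict table is constructed."""
    if not reachable:
        raise CloudUnavailable("no GTI proxy and cloud unreachable")
    known = {"aa" * 32: "Known Good", "bb" * 32: "Known Bad"}
    return known.get(sha256, "Unknown")


def triage(files: List[FileRecord], lookup: Callable[[str], str]) -> Dict[str, str]:
    """Step 2: look up every file that survived step 1; Unknown if the cloud fails."""
    verdicts = {}
    for f in eliminate_signed(files):
        try:
            verdicts[f.path] = lookup(f.sha256)
        except CloudUnavailable:
            verdicts[f.path] = "Unknown"
    return verdicts


def report_suspicious(files: List[FileRecord], cloud_reachable: bool) -> Dict[str, str]:
    """Files that end up in the report: everything the cloud did not clear as Known Good."""
    verdicts = triage(files, lambda h: mock_gti_lookup(h, reachable=cloud_reachable))
    return {path: v for path, v in verdicts.items() if v != "Known Good"}


# Constructed inventory: two trusted-signed files, one with a bad signature,
# and two unsigned files.
SAMPLE_FILES = [
    FileRecord("C:\\app\\signed_ok.exe",   "11" * 32, True,  True,  False),
    FileRecord("C:\\app\\rootsigned.dll",  "22" * 32, True,  False, True),
    FileRecord("C:\\app\\expired_sig.exe", "aa" * 32, True,  False, False),
    FileRecord("C:\\temp\\packed.exe",     "bb" * 32, False, False, False),
    FileRecord("C:\\temp\\unsigned.exe",   "cc" * 32, False, False, False),
]


if __name__ == "__main__":
    for reachable in (True, False):
        rep = report_suspicious(SAMPLE_FILES, reachable)
        print(f"cloud reachable={reachable}: {len(rep)} file(s) reported")
        for path, verdict in rep.items():
            print(f"  {verdict:<10} {path}")
```

Running it shows the effect the post describes: with the cloud reachable, the expired-signature file is cleared as Known Good and only two files are reported (one Known Bad, one Unknown); with the cloud unreachable, all three files that survive the signature filter come back as Unknown, so the report is longer.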