2 Replies Latest reply on May 21, 2014 1:14 PM by vinoo

    GetSusp in an airgapped environment?

    mvm_101

      Hi everyone,

      How does GetSusp determine whether a file is suspicious if GetSusp can't talk to the GTI cloud? If, for example, GetSusp was run in an air-gapped environment?

        • 1. Re: GetSusp in an airgapped environment?
          andrep1

          I'm pretty sure it is the same heuristic rules it uses for Artemis/GTI. The heuristics existed before the "in the cloud" part. Even with GTI, the product has to determine the file is suspicious before it sends a query up to the cloud.

          For example, if a file uses specific packing methods or unsigned code, or stuff like that. That's my understanding.

          This document, sorry no link, is pretty good at explaining how it works:

          McAfee® Anti-Malware Engines: Values and Technologies, by Christoph Alme and Declan Eardly, McAfee Labs™

          • 2. Re: GetSusp in an airgapped environment?
            vinoo

            GetSusp is GTI Proxy aware. However, if no GTI proxy is implemented and it cannot talk to the GTI cloud, then after identifying a list of files to scan it will try to eliminate identified files based on:

            1. Digitally signed with a valid cert

            2. Signed using a root cert

            Files that don't meet these two criteria are then attempted to be looked up against the GTI cloud. Since the cloud lookup will fail, they will all be reported as Unknown. Without GTI cloud access, the number of files reported by GetSusp will be higher.
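The offline elimination step vinoo describes, written out as an added PowerShell example that is not GetSusp's own code. It takes the on-disk images of running processes as the candidate list (an assumption; the thread does not say how GetSusp builds its list), drops every file whose Authenticode signature verifies and chains to a trusted root (my reading of criteria 1 and 2, which is what Get-AuthenticodeSignature reports as Status 'Valid'), and marks the rest Unknown because the GTI lookup cannot happen. The -GtiReachable switch is a hypothetical parameter added only to show both branches; it does not query anything.

```powershell
# Added example, not GetSusp code: approximate the offline triage vinoo describes.
# Candidate set (assumption): the on-disk images of running processes.
# Elimination rule (my reading of criteria 1 and 2): the Authenticode signature
# verifies and its chain ends in a trusted root, which is what Status 'Valid' means.
# Everything that survives would be hashed and sent to GTI; on an air-gapped host
# that lookup never answers, so the verdict stays Unknown.

param(
    [switch]$GtiReachable   # hypothetical switch; leave unset to model the air-gapped case
)

$candidates = Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Path } |               # processes whose image we cannot read drop out (run elevated to see more)
    Select-Object -ExpandProperty Path -Unique

$eliminated = 0
$report = foreach ($path in $candidates) {
    $sig = Get-AuthenticodeSignature -FilePath $path

    if ($sig.Status -eq 'Valid') {
        $eliminated++
        continue                              # criteria 1 and 2 met: never sent to the cloud
    }

    # Anything else (NotSigned, NotTrusted, HashMismatch, ...) is what would be queried against GTI.
    $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
    [pscustomobject]@{
        Path      = $path
        SigStatus = $sig.Status
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        SHA256    = $hash
        Verdict   = if ($GtiReachable) { 'pending GTI lookup' } else { 'Unknown (no GTI access)' }
    }
}

$report | Sort-Object SigStatus, Path | Format-Table -AutoSize
Write-Host ("{0} candidates, {1} eliminated by signature, {2} reported" -f @($candidates).Count, $eliminated, @($report).Count)
```

Run it on a host with no route to the GTI cloud and every surviving row carries the Unknown verdict; the NotTrusted rows (for example internally built tools signed with a certificate that is not in the machine's trusted roots) are exactly the extra entries vinoo says make the offline report longer. The example models only the signature-based elimination, not the packing and other heuristics andrep1 refers to.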