Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: InfoSec Handlers Diary Blog - McAfee Artemis/GTI File Reputation False Positive InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

McAfee Artemis/GTI File Reputation False Positive

Published: 2013-07-31
Last Updated: 2013-07-31 23:06:26 UTC
by Johannes Ullrich (Version: 1)
2 comment(s)

We got a couple readers reporting false postive issues with McAffees GTI and Artemis products. According to a knowledgebase article on McAfee's site, it appears that the file reputation system is producing bad results due to a server issue [1]

From our readers:

I've seen an explosion of detections under Artemis on files I wouldn't expect. One machine is trying to delete the autorun on a U3 USB drive's emulated CD. Community.McAfee.com slowed down and went offline. I've been on hold far longer than I'd expect for support. (Michael)
------------
McAfee VirusScan is eating files again. This time it’s their GTI servers. I managed to shut off heuristics via EPO before it got out of hand. Minor OS and app damage. (John)
------------
Artemis is a file reputation checking service from McAfee included in its Virus Scan Enterprise. Today it went on the fritz for my organization around 1600 EST. It was deleting random files such as our Cisco IP Communicator and all kinds of temp files etc. McAfee sent us a notification and will be sending more info out on its SNS mailing list. Advise all turn off Artemis features for home and business users and in the meantime they shut the cloud servers down. (Travis)


[1] https://kc.mcafee.com/corporate/index?page=content&id=KB78993

 

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords:
2 comment(s)
Diary Archives