My next class:

McAfee Artemis/GTI File Reputation False Positive

Published: 2013-07-31. Last Updated: 2013-07-31 23:06:26 UTC
by Johannes Ullrich (Version: 1)
2 comment(s)

We got a couple readers reporting false postive issues with McAffees GTI and Artemis products. According to a knowledgebase article on McAfee's site, it appears that the file reputation system is producing bad results due to a server issue [1]

From our readers:

I've seen an explosion of detections under Artemis on files I wouldn't expect. One machine is trying to delete the autorun on a U3 USB drive's emulated CD. Community.McAfee.com slowed down and went offline. I've been on hold far longer than I'd expect for support. (Michael)
------------
McAfee VirusScan is eating files again. This time it’s their GTI servers. I managed to shut off heuristics via EPO before it got out of hand. Minor OS and app damage. (John)
------------
Artemis is a file reputation checking service from McAfee included in its Virus Scan Enterprise. Today it went on the fritz for my organization around 1600 EST. It was deleting random files such as our Cisco IP Communicator and all kinds of temp files etc. McAfee sent us a notification and will be sending more info out on its SNS mailing list. Advise all turn off Artemis features for home and business users and in the meantime they shut the cloud servers down. (Travis)


[1] https://kc.mcafee.com/corporate/index?page=content&id=KB78993

 

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords:
2 comment(s)
My next class:

Comments

Subject: *IMPORTANT* SNS NOTICE: UPDATE — False-positive detections occurring in Artemis/GTI

McAfee has resolved the Artemis/GTI server issue that caused false-positive detections. It no longer is necessary to disable Artemis/GTI File Reputation.

A remediation tool is now available. Customers with quarantined files should access KB78993 (https://kc.mcafee.com/corporate/index?page=content&id=KB78993) to download the remediation tool and recover the quarantined files.
In our experience, it seems that in cases where the system was already shut down, the files cannot be restored either thru the Quarantine Restore Tool or the standalone utility they provided. In our case we had 4 systems affected (fortunately this occurred towards the end of the day with month end so people bugged out earlier than usual), and files deleted did not prevent the systems from booting this morning, but the deleted files were from the system32 directory and so will have to be recovered by other means. Not sure if that was the case for others. What a pain.

Diary Archives