McAfee Artemis/GTI File Reputation False Positive
A couple of readers have reported false positive issues with McAfee's GTI and Artemis products. According to a knowledge base article on McAfee's site, the file reputation system is producing bad results due to a server issue [1].
From our readers:
I've seen an explosion of detections under Artemis on files I wouldn't expect. One machine is trying to delete the autorun on a U3 USB drive's emulated CD. Community.McAfee.com slowed down and went offline. I've been on hold far longer than I'd expect for support. (Michael)
------------
McAfee VirusScan is eating files again. This time it’s their GTI servers. I managed to shut off heuristics via EPO before it got out of hand. Minor OS and app damage. (John)
------------
Artemis is a file reputation checking service from McAfee included in its Virus Scan Enterprise. Today it went on the fritz for my organization around 1600 EST. It was deleting random files such as our Cisco IP Communicator and all kinds of temp files etc. McAfee sent us a notification and will be sending more info out on its SNS mailing list. Advise all turn off Artemis features for home and business users and in the meantime they shut the cloud servers down. (Travis)

[1] https://kc.mcafee.com/corporate/index?page=content&id=KB78993
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Comments
McAfee has resolved the Artemis/GTI server issue that caused false-positive detections. It no longer is necessary to disable Artemis/GTI File Reputation.
A remediation tool is now available. Customers with quarantined files should access KB78993 (https://kc.mcafee.com/corporate/index?page=content&id=KB78993) to download the remediation tool and recover the quarantined files.
Anonymous
Aug 1st 2013
1 decade ago
Anonymous
Aug 1st 2013
1 decade ago