McAfee Global Threat Intelligence GTI (Artemis)

Divine_Barakah

McAfee software uses our Global Threat Intelligence (GTI, formerly Artemis) technology for enhanced detection of unknown threats based on the behavior of the file.

Artemis is included in the detection name for any file that is quarantined or blocked by GTI. Artemis in this case is not the name of a virus or malware; it indicates that something else was quarantined or blocked by GTI.

GTI helps to secure your computer from unknown threats by allowing your McAfee software to communicate with McAfee servers in real time to identify new threats and take appropriate action using a combination of signature and behavior analysis with community threat intelligence.

GTI will quickly notify you if the file should be blocked or quarantined through the following steps:

  1. VirusScan detects a suspicious file for which there is no signature in the .DAT database on your computer.
  2. Using Global Threat Intelligence, your computer sends a fingerprint of the file to the comprehensive database at McAfee Labs.
  3. If the fingerprint is identified as known malware, an appropriate response is sent to you to block or quarantine the file.

This additional protection is automatically included with your McAfee software.

Source
 

Divine_Barakah

Also called JTI? Is that correct?

I don't think both are the same. If the JTI/suspect detection has a 12-digit Artemis associated with it, then it is a cloud detection; otherwise it is detected locally by some kind of heuristics.


Edit: this type of detection has a possibility of being FP.



 

marcopaone

The real question is how often does the cloud synchronize?
Because my McAfee is not detecting this sample with the cloud (JTI/ old Artemis)



Here is the link: https://www.virustotal.com/gui/file/8d28f544fe92b97fbc56398b5db76d1973dc7283ba69cfe443b4be5789f9f448/detection
 

Mahesh Sudula

The real question is how often does the cloud synchronize?
Because my McAfee is not detecting this sample with the cloud (JTI/ old Artemis)


Here is the link: https://www.virustotal.com/gui/file/8d28f544fe92b97fbc56398b5db76d1973dc7283ba69cfe443b4be5789f9f448/detection
On execution, it works and triggers JTI/Suspect!
Remember, this means the file is already analyzed by their cloud (manual analysis, I mean) and is awaiting a signature to be assigned.
 

Divine_Barakah

Did you try McAfee? What is your opinion?

It is light and it offers good protection. I am very careful so I don't need to pair it with anything else. A friend of mine is using MB premium alongside it and he confirmed that there are no slowdowns at all. McAfee has improved a lot. It is good but not the best. I have a 4-year subscription, so I believe it is worth using.

My McAfee also can't detect it on execution.

According to the VT link you provided, it should be detected by McAfee's cloud as "Artemis!2DE23AE8B968". Please try to run the sample again and see what happens.
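
An added example, not part of the thread and not McAfee's code: a small triage helper that applies the rule of thumb discussed above (a detection name carrying `Artemis!` plus 12 hex digits indicates a cloud verdict) and matches that tag to files on disk. It assumes the 12 digits are the leading hex digits of the file's MD5, which the thread does not state; the file names, file bytes and the non-Artemis alert name are constructed.

```python
import hashlib
import re

# Name shape quoted in the thread: "Artemis!" followed by exactly 12 hex digits.
ARTEMIS_RE = re.compile(r"Artemis!([0-9A-Fa-f]{12})\b")

def artemis_tag(detection_name):
    """Return the 12-hex-digit tag in upper case, or None if absent."""
    m = ARTEMIS_RE.search(detection_name)
    return m.group(1).upper() if m else None

def classify(detection_name):
    """Thread's rule of thumb: a 12-digit Artemis tag means a cloud verdict."""
    return "cloud (GTI)" if artemis_tag(detection_name) else "local/other"

def md5_prefix(data):
    """ASSUMPTION: the tag equals the first 12 hex digits of the file's MD5."""
    return hashlib.md5(data).hexdigest()[:12].upper()

def triage(alerts, files):
    """Pair each alert with its class and the files whose MD5 prefix matches."""
    by_prefix = {}
    for name, data in files.items():
        by_prefix.setdefault(md5_prefix(data), []).append(name)
    report = []
    for alert in alerts:
        tag = artemis_tag(alert)
        report.append((alert, classify(alert), by_prefix.get(tag, [])))
    return report

# Constructed sample data (not real malware, not real alerts).
SAMPLE_FILES = {"a.bin": b"constructed sample A", "b.bin": b"constructed sample B"}

def demo():
    alerts = [
        "Artemis!" + md5_prefix(SAMPLE_FILES["a.bin"]),  # constructed: matches a.bin
        "Artemis!2DE23AE8B968",                           # name quoted in the thread
        "Example/Heuristic.A",                            # constructed non-cloud name
    ]
    return triage(alerts, SAMPLE_FILES)

if __name__ == "__main__":
    for alert, kind, matches in demo():
        print(f"{alert:24} {kind:12} {matches or 'no local file matches'}")
```
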
 

DDE_Server

It is light and it offers good protection. I am very careful so I don't need to pair it with anything else. A friend of mine is using MB premium alongside it and he confirmed that there are no slowdowns at all. McAfee has improved a lot. It is good but not the best. I have a 4-year subscription, so I believe it is worth using.
Maybe I will try it after my Emsisoft subscription ends, which will be in 9/2020 (as I have a one-year giveaway in addition to my current subscription), but I would recommend combining it with a good behavior blocker such as OSA or VoodooShield (as its behavior blocker "file inspector" is very weak against ransomware).
 

Mahesh Sudula

@Mahesh Sudula Have you ever submitted infected samples to McAfee Labs for analysis? If yes, what was your experience? I mean, how much time does it take for the submitted sample to be added to their cloud or signatures?
No. Most of the time, if the system is infected, McAfee would catch it by cloud one to two hours later (JTI/Suspect), similar to ESET.
However, the first person should sacrifice!
 

BVLon

I don't think both are the same. If the JTI/suspect detection has a 12-digit Artemis associated with it, then it is a cloud detection; otherwise it is detected locally by some kind of heuristics.


Edit: this type of detection has a possibility of being FP.




You don't think, but I do...
That's because they are...

After McAfee announced the Artemis modules, it signed quite a lot of contracts with partners. These partners feed McAfee with data (which they use in the most ineffective way possible) and the whole alliance is called Joint Threat Intelligence.
McAfee is light, web filtering is great, if not the best, but in terms of file and behavioural detection they are probably the worst.
In my tests, it missed around 8 out of 20 infections... not a great performance at all.

Also, it doesn't take 2-3 hours as it was mentioned above, if you submit the samples to them, it still takes 8-10 hours. Also, submitting a sample is a whole ritual and they expect you to feed them tons of data, kinda like you are the virus analyst. And even if you do, still no good.
McAfee is great for my mum that works with 5 websites, their business line is powerful, thanks to application containment, but gamers and people in need of strong security better not rely on JTI to keep them safe.
 

BVLon

Maybe I will try it after my Emsisoft subscription ends, which will be in 9/2020 (as I have a one-year giveaway in addition to my current subscription), but I would recommend combining it with a good behavior blocker such as OSA or VoodooShield (as its behavior blocker "file inspector" is very weak against ransomware).
McAfee doesn't have a technology called "file inspector". FileWalker is an Avira thing. The McAfee scanner is codenamed Casper. Behavioural blocking is known as RealProtect, codenamed Raptor, and is very weak indeed. An interesting fact about McAfee is that many times it won't detect a piece of malware, but if you submit it to VirusTotal, McAfee actually detects JTI/something.something. This baffled me for 2-3 months while I was testing and using it. It offers no settings whatsoever, so it runs with some low configuration probably, to avoid false positives.
 
