404 Tech Support

McAfee Artemis/GTI False Positive thrashing files

McAfee currently advises turning off the Artemis file reputation checking service in McAfee VirusScan Enterprise. "Due to a server issue," the service is producing false positives with fairly inconsistent results. People are reporting that the U3 Autorun, Cisco Communicator, and other files are being detected as malware and quarantined. Quarantining those files won't lead to the blue screen nightmare a McAfee false positive created three years ago, but the problem doesn't seem limited to those files either.

A user with the fitting name of PoundKeyboardNow shared the following screenshot on Reddit, showing the spike in detections from the Artemis/GTI (Global Threat Intelligence) service.

McAfee has sent out a message to clarify that the problem is not a bad definition database entry (a DAT file) but is instead caused by specific Global Threat Intelligence servers in North America. Earlier, the recommended fix was to update past DAT 7152 to at least DAT 7153. The current recommendation is to disable GTI temporarily. McAfee KnowledgeBase article KB78993 goes into detail on the problem and the currently proposed workarounds.

Problem
McAfee has determined that Artemis/GTI File Reputation is producing some false-positive detections in North America due to a server issue.

IMPORTANT: This is not an issue with the current McAfee DAT files.

Cause
This is an issue with specific Global Threat Intelligence servers.

Solution
McAfee is investigating this issue. This article will be updated as additional information becomes available.

Workaround 1
IMPORTANT: If you have encountered an Artemis-related detection, DO NOT restart your computer, as it may become impossible to restore some files after a restart.

McAfee recommends that customers temporarily disable Global Threat Intelligence File Reputation until this issue is confirmed as resolved.

If you use GTI Proxy in your environment, you might have a cached copy of the false detection information. Perform the following steps to purge the cache:
1. Log on to the ePolicy Orchestrator (ePO) server as an administrator.
2. Open the GTI Proxy Appliance Management interface:

  • In ePO 4.6.4 or later, select Menu, Systems, GTI Proxy Appliance Management.
  • In ePO 5.0, select Menu, then, in the Systems area, select GTI Proxy Appliance Management.

3. Under Configuration, select the GTI Proxy Appliance and select Stop, Restart, or Force-Stop.

This will purge any false positive cached file reputation requests.

Workaround 2
To restore files locally through the VirusScan Enterprise (VSE) 8.x Console:
1. Open the VSE 8.x Console.
2. Double-click Quarantine Manager Policy.
3. Click the Manager tab.
4. Right-click the required item(s) and select Restore.

Workaround 3
For instructions on how to create an ePolicy Orchestrator (ePO) task to restore quarantined items, see KB69918.

NOTE: The ePolicy Orchestrator task can only restore a single file at a time. McAfee is working on an automated solution to restore all false positive detections from this issue. This section will be updated as additional information becomes available.

That article will be updated as McAfee continues its investigation.