Knowledge Center


How to verify that GTI File Reputation is installed correctly and that endpoints can communicate with the GTI server
Technical Articles ID:  KB53733
Last Modified:  03/18/2014


Environment

McAfee Global Threat Intelligence File Reputation
McAfee SaaS Endpoint Protection 5.4
McAfee SaaS Endpoint Protection 6.0
McAfee VirusScan Enterprise 8.x

Summary

It is important to ensure that your products remain up-to-date with the latest virus definitions. Use the information in this article to ensure that Global Threat Intelligence (GTI) File Reputation is current and correctly installed and that endpoints can communicate with the GTI server.

Solution 1

ArtemisTest.exe test program
Use the password protected ArtemisTest.zip file attached to this article to test GTI functionality.

NOTES: 
  • Password = password
  • ArtemisTest.exe is a test program and is harmless.
  • Password protection has been applied to the .zip file to ensure that it is not blocked when sent via email. Passwords normally meet higher security standards.
After you extract ArtemisTest.exe, you can run an On-Access Scan test and an On-Demand Scan test on this file.
  • On-Access Scan Test

    1. Ensure VirusScan Enterprise (VSE) or SaaS Endpoint Protection is running.
    2. Launch Windows Explorer and navigate to the folder that contains the test utility.
    3. Double-click ArtemisTest.exe to launch the program.

      If GTI File Reputation is enabled in VSE or SaaS Endpoint Protection, it will deny access and prevent the file from running.

       
    4. View the contents of the DNS client cache from the command line and check whether the test file has been passed to the GTI server:

      1. Click Start, Run, type cmd, and press ENTER.
      2. Double-click ArtemisTest.exe to perform the On-Access Scan Test again.
      3. At the command prompt, type ipconfig /displaydns, and press ENTER. 

         
  • On-Demand Scan Test
    1. Ensure VSE or SaaS Endpoint Protection is running.
    2. Launch Windows Explorer and navigate to the folder containing the test utility.
    3. Click Start, Programs, McAfee.
    4. Click On-Demand Scan, Start.

      If GTI is working correctly, the On-Access Scan Messages dialog reports that ArtemisTest.exe has been detected. Depending on your settings, the Installation Check program is deleted or quarantined as malware.

      NOTE: ArtemisTest.exe is benign and only shows a dialog box, similar to the one below:

      On-Access Scan Messages
      Message
      VirusScan Alert!
      Name:
      x:\path\Artemistest.exe
      Detected As:
      Artemis5DB32A316F07
      State: Deleted

Solution 2

GTI Connectivity Test
GTI File Reputation requires that the computer can communicate with the GTI server directly via the Internet or indirectly via an internal GTI Proxy server. It is vital to verify that your endpoints with a GTI-enabled product are able to communicate with the GTI server to ensure that you remain up-to-date.

Use nslookup to verify that you can see the GTI server from your computer.
  1. Click Start, Run, type cmd, and click OK.
  2. Type or paste nslookup 4z9p5tjmcbnblehp4557z1d136.avqs.mcafee.com and press ENTER.

    You see a response similar to the following:

    Server: <mylocaldnsserver.org>
    Address: 161.69.135.201

    Name: 4z9p5tjmcbnblehp4557z1d136.avqs.mcafee.com
    Address: 127.0.0.8


    Example of failing connectivity:

    Command used:

    nslookup 4z9p5tjmcbnblehp4557z1d136.avqs.mcafee.com

    Result:

    Server: aylcorpdc1.corp.nai.org
    Address: 161.69.135.201

    *** aylcorpdc1.corp.nai.org can't find 4z9p5tjmcbnblehp4557z1d136.avqs.mcafee.com: Non-existent domain

McAfee products that use a version of VSCore 14.4.0.354.17 or later will send the GTI File Reputation queries to an alternate domain: avts.mcafee.com.

NOTE: This change will be part of the DAT update on Jan 22, 2013.

These products include:
  • VirusScan Enterprise: VSE 8.8 Patch 1 and VSE 8.7 Patch 5
  • Consumer products: Platinum and Emerald (14.5 and 15.0)
  • SaaS Endpoint Protection 5.2.3
  • Future McAfee GTI File Reputation-based products
All other McAfee products including GTI Proxy will continue to send GTI File Reputation queries to avqs.mcafee.com.

See also KB53782 - Global Threat Intelligence and Split DNS.
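
The checks from Solution 1 (step 4) and Solution 2, as an added Python example that is not part of the original article: it classifies captured nslookup output and lists GTI-zone names found in ipconfig /displaydns output. The expected answer 127.0.0.8 is assumed from the article's passing sample, and the cache record name is a constructed placeholder.

```python
import re

# DNS zones this article names for GTI File Reputation queries.
GTI_ZONES = (".avqs.mcafee.com", ".avts.mcafee.com")
EXPECTED = "127.0.0.8"  # assumption: the answer in the article's passing sample

def classify_nslookup(output, expected=EXPECTED):
    """Classify nslookup output for a GTI test name: (verdict, answer)."""
    lines = [ln.strip() for ln in output.splitlines() if ln.strip()]
    for i, line in enumerate(lines):
        # The first Address line is the resolver's; the answer follows "Name:".
        if line.lower().startswith("name:") and line.lower().endswith(GTI_ZONES):
            for nxt in lines[i + 1:]:
                m = re.match(r"address(?:es)?:\s*(\S+)", nxt, re.I)
                if m:
                    addr = m.group(1)
                    return ("ok" if addr == expected else "unexpected", addr)
    if re.search(r"non-existent domain", output, re.I):
        return ("nxdomain", None)  # name not resolvable through this resolver
    return ("unknown", None)

def gti_cache_entries(displaydns_output):
    """List GTI-zone names in `ipconfig /displaydns` output (English locale)."""
    names = set()
    for line in displaydns_output.splitlines():
        m = re.match(r"\s*Record Name[ .]*:\s*(\S+)", line, re.I)
        if m and m.group(1).lower().endswith(GTI_ZONES):
            names.add(m.group(1).lower())
    return sorted(names)

# nslookup samples are the article's (wrapped line rejoined); CACHE is constructed.
PASS = """Server: <mylocaldnsserver.org>
Address: 161.69.135.201

Name: 4z9p5tjmcbnblehp4557z1d136.avqs.mcafee.com
Address: 127.0.0.8
"""
FAIL = """Server: aylcorpdc1.corp.nai.org
Address: 161.69.135.201

*** aylcorpdc1.corp.nai.org can't find 4z9p5tjmcbnblehp4557z1d136.avqs.mcafee.com: Non-existent domain
"""
CACHE = """    Record Name . . . . . : constructed-label.avqs.mcafee.com
    A (Host) Record . . . : 127.0.0.8
    Record Name . . . . . : www.example.com
    A (Host) Record . . . : 192.0.2.10
"""
if __name__ == "__main__":
    print(classify_nslookup(PASS), classify_nslookup(FAIL), gti_cache_entries(CACHE))
```

An "nxdomain" verdict on an endpoint whose resolver is internal is the case the split-DNS article referenced above addresses.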

Solution 3

PDF lookup test

Use the password protected ArtemisPDF_test.pdf file attached to this article to test GTI functionality.
 
 
NOTES: 
  • Password = password
  • ArtemisPDF_test is a test program and is harmless.
  • Password protection has been applied to the .zip file only to ensure it is not blocked when sent via email. Passwords normally meet higher security standards.
For GTI lookups on PDF files to happen, the following conditions must be met:
  • The VSE setting for GTI file reputation must be set to MEDIUM or higher. For instructions, see KB70130.
  • Lookups are limited to PDF files that are read/written to disk via the web browser or email client.
McAfee Labs initially restricted PDF lookups to the above conditions to evaluate the increase in the number of GTI file reputation lookups and will expand the lookup criteria as deemed necessary.

Attachment 1

ArtemisTest.zip
126K • < 1 minute @ 56k, < 1 minute @ broadband


Attachment 2

ArtemisPDF_Test.zip
6K • < 1 minute @ 56k, < 1 minute @ broadband


© 2003-2013 McAfee, Inc.