It's important to make sure that your products remain up to date with the latest virus content and make sure that GTI File Reputation Cloud Service is correctly configured. Also, make sure that the endpoints can communicate with the GTI Cloud Service.
Recent updates to this article:
Date
Update
November 17, 2021
Updated the "Test GTI-REST using the Artemis test program" section with the detection name after a successful test using the Rest-GTI-Artemis-test.zip test file.
October 11, 2021
Updated for GTI-REST.
August 3, 2021
Updated the "ArtemisTest.exe Test Program" section that GTI File Reputation queries are on sub domains of avqs.mcafee.com or avts.mcafee.com.
To receive email notification when this article is updated, click Subscribe on the right side of the page. You must be logged on to subscribe.
Contents
Click to expand the section you want to view:
ENS for Windows 10.6.1/10.7.0 September 2021 Update and later use GTI-REST by default. GTI File Reputation requires that the computer can communicate with the GTI Cloud Service directly using the internet or indirectly using a proxy server. It’s vital to verify that endpoints can communicate with the GTI Cloud Service to make sure that the endpoint can use the GTI reputation services, which are a critical part of malware detections.
Use Curl.exe or PowerShell to verify that the endpoint can connect to the GTIserver.
To test with PowerShell if there isn't a proxy server, use the following command:
tnc amcore.rest.gti.mcafee.com -port 443
You see a response similar to the following if there’s connectivity to the GTI server:
If there isn't a proxy server: curl -kv https://amcore.rest.gti.mcafee.com:443
If there's a proxy server: curl -kvx proxyaddress:port https://amcore.rest.gti.mcafee.com:443
GTI File Reputation requires that the computer can communicate with the GTI server directly using DNS or indirectly using an internal DNS that forwards the DNS request to mcafee.com. It's vital to verify that endpoints can communicate with the GTI server to make sure that the endpoint remains up to date. For more information, see: KB53782 - Global Threat Intelligence and split Domain Name System (DNS).
Use nslookupto verify that the endpoint can connect to the GTIserver.
Press Windows+R, type cmd, and click OK.
Type or paste nslookup sfqpit75pjh525siewar2dtgt5.avts.mcafee.com and press Enter.
You see a response similar to the following if there’s connectivity to the GTI server:
ENS 10.6.1/10.7.0 September 2021 Update and later use GTI-REST by default. To test GTI, use the password-protected Rest-GTI-Artemis-test.zip file in the Attachment section of this article.
NOTES:
Password protection is applied to the .zip file to make sure that it isn’t blocked when sent using email. Passwords normally meet higher security standards. The password is test_detection and the MD5 is 5db32a316f079fe7947100f899d8db86.
The Rest-GTI-Artmeis-test.exe process is a test program and is harmless.
After you extract Rest-GTI-Artemis-test.exe, you can execute the file to trigger an on-access scan on this file. The sample contains a test detection that only triggers a detection if GTI File Reputation using REST is enabled and working. The detection name Artemis!5DB32A316F07appears in the threat event.
To test GTI, use the password-protected ArtemisTest.zipfile in the Attachment section of this article.
NOTES:
Password protection is applied to the .zip file to make sure that it isn’t blocked when sent using email. Passwords normally meet higher security standards. The password is password.
The ArtemisTest.exe process is a test program and is harmless.
After you extract ArtemisTest.exe, you can run an on-access scan test and an on-demand scan test on this file.
On-access scan test
Make sure that your endpoint protection product (ENS or VSE) is running.
Open Windows Explorer and navigate to the folder that contains the test utility.
To start the program, double-click ArtemisTest.exe. If GTI File Reputation is enabled, ENS or VSE deletes the file or denies access and prevents the file from running. (The action taken depends on the configuration.)
Verify the contents of the DNS client through the command line and check whether the test file has been passed to the GTI server.
To perform the on-access scan test again, double-click ArtemisTest.exe.
At the command prompt, type ipconfig /displaydnsand press Enter. This command shows all recent DNS queries made on the computer, including those queries that GTI File Reputation makes. The GTI File Reputation queries are on sub domains of avqs.mcafee.com or avts.mcafee.com.
On-demand scan test NOTE: To avoid an on-access scan detection, either exclude the file or directory or temporarily disable the on-access scan.
Make sure that your endpoint protection product (ENS or VSE) is running.
Open Windows Explorer and navigate to the folder that contains the test utility.
Right-click the folder or start an on-demand scan through the console for ENS or VSE. If GTI is working correctly, the On-Access Scan Messages dialog (similar to below) reports that ArtemisTest.exe has been detected. Depending on your settings, the test file is deleted and quarantined as malware.
On-Access Scan Messages
Message
VirusScan Alert!
Name:
x:\path\Artemistest.exe
Detected As:
Artemis5DB32A316F07
State:
Deleted
To test GTI, use the password protected ArtemisPDF_test.pdffile in the Attachment section of this article.
NOTES:
Password protection is applied to the .zip file to make sure that it isn’t blocked when sent using email. Passwords normally meet higher security standards. The password is password.
The ArtemisPDF_test process is a test program and is harmless.
For GTI lookups on PDF files to happen, the following conditions must be met:
