Loading...

Knowledge Center

How to verify that GTI File Reputation is installed correctly and that endpoints can communicate with the GTI server
Technical Articles ID:   KB53733
Last Modified:  3/8/2018
Rated:

Environment

McAfee Global Threat Intelligence File Reputation
McAfee SaaS Endpoint Protection 6.0, 5.4
McAfee VirusScan Enterprise 8.x

Summary

It is important to ensure that your products remain up to date with the latest virus definitions. Use the information in this article to ensure that Global Threat Intelligence (GTI) File Reputation is current and correctly installed, and that endpoints can communicate with the GTI server.

Recent updates to this article:
Date Update
March 8, 2018 Added a NOTE statement to the 'On-Demand Scan Test' section.
To receive email notification when this article is updated, click Subscribe on the right side of the page. You must be logged on to subscribe.

Solution

ArtemisTest.exe test program
Use the password protected ArtemisTest.zip file attached to this article to test GTI functionality.

NOTES: 
  • Password = password
  • ArtemisTest.exe is a test program and is harmless.
  • Password protection has been applied to the .zip file to ensure that it is not blocked when sent via email. Passwords normally meet higher security standards.
After you extract ArtemisTest.exe, you can run an On-Access Scan test and an On-Demand Scan test on this file. 
  • On-Access Scan Test
     
    1. Ensure VirusScan Enterprise (VSE) or SaaS Endpoint Protection is running.
    2. Open Windows Explorer and navigate to the folder that contains the test utility.
    3. Double-click ArtemisTest.exe to launch the program.

      If GTI File Reputation is enabled in VSE or SaaS Endpoint Protection, it will deny access and prevent the file from running.

       
    4. Verify the contents of the DNS client through the command line and check if the test file has been passed to the GTI server:
       
      1. Click Start, Run, type cmd, and press ENTER.
      2. Double-click ArtemisTest.exe to perform the On-Access Scan Test again.
      3. At the command prompt, type ipconfig /displaydns, and press ENTER. 

         
  • On-Demand Scan Test
    NOTE: It will be necessary to avoid an On-Access Scan (OAS) detection by either excluding the file or directory that the ODS is scanning or by temporarily disabling the OAS. 
     
    1. Ensure VSE or SaaS Endpoint Protection is running.
    2. Open Windows Explorer and navigate to the folder that contains the test utility.
    3. Click Start, Programs, McAfee.
    4. Click On-Demand Scan, Start.

      If GTI is working correctly, the On-Access Scan Messages dialog reports that ArtemisTest.exe has been detected. Depending on your settings, the Installation Check program is deleted or quarantined as malware.

      NOTE: ArtemisTest.exe is benign and only shows a dialog box, similar to the one below:
       
      On-Access Scan Messages
      Message
      VirusScan Alert!
      Name:
      x:\path\Artemistest.exe
      Detected As:
      Artemis5DB32A316F07
      State: Deleted
 

Solution

GTI Connectivity Test
GTI File Reputation requires that the computer can communicate with the GTI server directly via the Internet or indirectly via an internal GTI Proxy server. It is vital to verify that your endpoints with a GTI-enabled product are able to communicate with the GTI server to ensure that you remain up to date.
 
Use nslookup to verify that you can connect to the GTI server from your computer.
  1. Click Start, Run, type cmd, and click OK.
  2. Type or paste nslookup sfqpit75pjh525siewar2dtgt5.avts.mcafee.com and press ENTER.

    You see a response similar to the following:

    Server: <mylocaldnsserver.org>
    Address: 161.69.135.201

    Name: 4z9p5tjmcbnblehp4557z1d136.avts.mcafee.com
    Address: 127.0.4.8


    Example of failing connectivity:

    Command used:

    nslookup sfqpit75pjh525siewar2dtgt5.avts.mcafee.com

    Result:

    Server: exampleserver.your.domain.org
    Address: xxx.xx.xxx.xxx

    *** exampleserver.your.domain.org can't find sfqpit75pjh525siewar2dtgt5.avts.mss
    mcafee.com: Non-existent domain
McAfee products that use VSCore version 14.4.0.354.17 or later send the GTI File Reputation queries to the domain: avts.mcafee.com. These include:
  • VirusScan Enterprise: VSE 8.8 Patch 1 and VSE 8.7 Patch 5
  • Consumer products: Security Suites for Windows (versions 14.5 and 15.0)
  • SaaS Endpoint Protection 5.4, 6.0
  • Future McAfee GTI File Reputation-based products
All other McAfee products including GTI Proxy will continue to send GTI File Reputation queries to avqs.mcafee.com.

For more information about Global Threat Intelligence connectivity and split DNS, see KB53782.

Solution

PDF lookup test
Use the password protected ArtemisPDF_test.pdf file attached to this article to test GTI functionality.

NOTES: 
  • Password = password
  • ArtemisPDF_test is a test program and is harmless.
  • Password protection has been applied to the .zip file only to ensure it is not blocked when sent via email. Passwords normally meet higher security standards.
For GTI lookups on PDF files to happen, the following conditions must be met:
  • The VSE setting for GTI file reputation must be set to MEDIUM or higher. For instructions, see KB70130.
  • Lookups are limited to PDF files that are read/written to disk via the web browser or email client.

McAfee Labs initially restricted PDF lookups to these conditions to evaluate the increase in the number of GTI file reputation lookups, and will expand the lookup criteria as deemed necessary.

Related Information

For product lifecycle details, see the McAfee Product and Technology Support Lifecycle page at: http://www.mcafee.com/us/support/support-eol.aspx.

For End of Life (EOL) policy details, see the Corporate Products EOL policy at: https://www.mcafee.com/enterprise/en-us/assets/misc/support-policy-product-support-eol.pdf.

Definitions:
  • EOL period—The time frame that runs from the day McAfee announces product discontinuation, until the last date that McAfee formally supports the product. In general, after the EOL period is announced, no enhancements are made.
  • EOL date—The last day that the product is supported, according to the terms of the McAfee standard support offering.

Attachment

ArtemisTest.zip
126K • < 1 minute @ broadband


Attachment

ArtemisPDF_Test.zip
6K • < 1 minute @ broadband


Rate this document

Beta Translate with

Select a desired language below to translate this page.

Glossary of Technical Terms


 Highlight Glossary Terms

Please take a moment to browse our Glossary of Technical Terms.