How to verify that GTI File Reputation is installed correctly and that endpoints can communicate with the GTI server

Technical Articles ID: KB53733
Last Modified: 6/13/2019

Environment

McAfee Global Threat Intelligence File Reputation
McAfee SaaS Endpoint Protection 6.0, 5.4
McAfee VirusScan Enterprise 8.x

Summary

It is important to ensure that your products remain up to date with the latest virus definitions. Use the information in this article to ensure that Global Threat Intelligence (GTI) File Reputation is current and correctly installed, and that endpoints can communicate with the GTI server.

Recent updates to this article:

Date	Update
March 8, 2018	Added a NOTE statement to the 'On-Demand Scan Test' section.

To receive email notification when this article is updated, click Subscribe on the right side of the page. You must be logged on to subscribe.

Solution

ArtemisTest.exe test program
Use the password protected ArtemisTest.zip file attached to this article to test GTI functionality.

NOTES:

Password = password
ArtemisTest.exe is a test program and is harmless.
Password protection has been applied to the .zip file to ensure that it is not blocked when sent via email. Passwords normally meet higher security standards.

After you extract ArtemisTest.exe, you can run an On-Access Scan test and an On-Demand Scan test on this file.

On-Access Scan Test
1. Ensure VirusScan Enterprise (VSE) or SaaS Endpoint Protection is running.
2. Open Windows Explorer and navigate to the folder that contains the test utility.
3. Double-click ArtemisTest.exe to launch the program.
  
  If GTI File Reputation is enabled in VSE or SaaS Endpoint Protection, it will deny access and prevent the file from running.
4. Verify the contents of the DNS client through the command line and check if the test file has been passed to the GTI server:
  1. Click Start, Run, type cmd, and press ENTER.
  2. Double-click ArtemisTest.exe to perform the On-Access Scan Test again.
  3. At the command prompt, type ipconfig /displaydns, and press ENTER.

On-Demand Scan Test
NOTE: It will be necessary to avoid an On-Access Scan (OAS) detection by either excluding the file or directory that the ODS is scanning or by temporarily disabling the OAS.

Ensure VSE or SaaS Endpoint Protection is running.
Open Windows Explorer and navigate to the folder that contains the test utility.
Click Start, Programs, McAfee.

Click On-Demand Scan, Start.

If GTI is working correctly, the On-Access Scan Messages dialog reports that ArtemisTest.exe has been detected. Depending on your settings, the Installation Check program is deleted or quarantined as malware.

NOTE: ArtemisTest.exe is benign and only shows a dialog box, similar to the one below:

On-Access Scan Messages
Message	VirusScan Alert!
Name:	x:\path\Artemistest.exe
Detected As:	Artemis5DB32A316F07
State:	Deleted

Solution

GTI Connectivity Test
GTI File Reputation requires that the computer can communicate with the GTI server directly via the Internet or indirectly via an internal GTI Proxy server. It is vital to verify that your endpoints with a GTI-enabled product are able to communicate with the GTI server to ensure that you remain up to date.

Use nslookup to verify that you can connect to the GTI server from your computer.

Click Start, Run, type cmd, and click OK.
Type or paste nslookup sfqpit75pjh525siewar2dtgt5.avts.mcafee.com and press ENTER.

You see a response similar to the following:

Server: <mylocaldnsserver.org>
Address: 161.69.135.201

Name: 4z9p5tjmcbnblehp4557z1d136.avts.mcafee.com
Address: 127.0.4.8

Example of failing connectivity:

Command used:

nslookup sfqpit75pjh525siewar2dtgt5.avts.mcafee.com

Result:

Server: exampleserver.your.domain.org
Address: xxx.xx.xxx.xxx

*** exampleserver.your.domain.org can't find sfqpit75pjh525siewar2dtgt5.avts.mss
mcafee.com: Non-existent domain

McAfee products that use VSCore version 14.4.0.354.17 or later send the GTI File Reputation queries to the domain: avts.mcafee.com. These include:

VirusScan Enterprise: VSE 8.8 Patch 1 and VSE 8.7 Patch 5
Consumer products: Security Suites for Windows (versions 14.5 and 15.0)
SaaS Endpoint Protection 5.4, 6.0
Future McAfee GTI File Reputation-based products

All other McAfee products including GTI Proxy will continue to send GTI File Reputation queries to avqs.mcafee.com.

For more information about Global Threat Intelligence connectivity and split DNS, see KB53782.

Solution

PDF lookup test
Use the password protected ArtemisPDF_test.pdf file attached to this article to test GTI functionality.

NOTES:

Password = password
ArtemisPDF_test is a test program and is harmless.
Password protection has been applied to the .zip file only to ensure it is not blocked when sent via email. Passwords normally meet higher security standards.

For GTI lookups on PDF files to happen, the following conditions must be met:

The VSE setting for GTI file reputation must be set to MEDIUM or higher. For instructions, see KB70130.
Lookups are limited to PDF files that are read/written to disk via the web browser or email client.

McAfee Labs initially restricted PDF lookups to these conditions to evaluate the increase in the number of GTI file reputation lookups, and will expand the lookup criteria as deemed necessary.

Related Information

For product lifecycle details, see the McAfee Product and Technology Support Lifecycle page at: http://www.mcafee.com/us/support/support-eol.aspx.

For End of Life (EOL) policy details, see the Corporate Products EOL policy at: https://www.mcafee.com/enterprise/en-us/assets/misc/support-policy-product-support-eol.pdf.

Definitions:

EOL period—The time frame that runs from the day McAfee announces product discontinuation, until the last date that McAfee formally supports the product. In general, after the EOL period is announced, no enhancements are made.
EOL date—The last day that the product is supported, according to the terms of the McAfee standard support offering.

Attachment

ArtemisTest.zip
126K • < 1 minute @ broadband

Attachment

ArtemisPDF_Test.zip
6K • < 1 minute @ broadband

Affected Products

VirusScan Enterprise 8.8

Languages:

This article is available in the following languages:

German
English United States
Spanish Spain
French
Italian
Japanese
Korean
Dutch
Portuguese Brasileiro
Chinese Simplified
Chinese Traditional

Glossary of Technical Terms

Highlight Glossary Terms

Please take a moment to browse our Glossary of Technical Terms.

Knowledge Center

Environment

Summary

Solution

Solution

Solution

Related Information

Attachment

Attachment

Affected Products

Languages:

Glossary of Technical Terms

Title

Title

Featured Solutions

Explore Our Portfolio

Security Outcomes

Industries

Products

Featured Solutions

Explore Our Portfolio

MVISION Products

Services & Training

Threat Research

Our Researchers

Threat Landscape Dashboard

Tools

Contact Us

Resources

Downloads

Product Help

Connect with Us

Explore

Our Company

Our Efforts

Other Resources

Careers

Partnerships

Knowledge Center

Environment

Summary

Solution

Solution

Solution

Related Information

Attachment

Attachment

Affected Products

Languages:

Glossary of Technical Terms

Choose your region

Title

Title