How to verify that GTI File Reputation is installed correctly and that endpoints can communicate with the GTI server
Technical Articles ID: KB53733
Last Modified: 12/23/2014
Rated:
Last Modified: 12/23/2014
Rated:
Environment
McAfee Global Threat Intelligence File Reputation
McAfee SaaS Endpoint Protection 6.0, 5.4
McAfee VirusScan Enterprise 8.x
McAfee SaaS Endpoint Protection 6.0, 5.4
McAfee VirusScan Enterprise 8.x
Summary
It is important to ensure that your products remain up to date with the latest virus definitions. Use the information in this article to ensure that Global Threat Intelligence (GTI) File Reputation is current and correctly installed, and that endpoints can communicate with the GTI server.
Solution 1
ArtemisTest.exe test program
Use the password protected ArtemisTest.zip file attached to this article to test GTI functionality.
NOTES:
Use the password protected ArtemisTest.zip file attached to this article to test GTI functionality.
NOTES:
-
Password = password
-
ArtemisTest.exe is a test program and is harmless.
- Password protection has been applied to the .zip file to ensure that it is not blocked when sent via email. Passwords normally meet higher security standards.
After you extract ArtemisTest.exe, you can run an On-Access Scan test and an On-Demand Scan test on this file.
- On-Access Scan Test
- Ensure VirusScan Enterprise (VSE) or SaaS Endpoint Protection is running.
- Launch Windows Explorer and navigate to the folder that contains the test utility.
- Double-click ArtemisTest.exe to launch the program.
If GTI File Reputation is enabled in VSE or SaaS Endpoint Protection, it will deny access and prevent the file from running.
- Verify the contents of the DNS client through the command line and check if the test file has been passed to the GTI server:
- Click Start, Run, type cmd, and press ENTER.
- Double-click ArtemisTest.exe to perform the On-Access Scan Test again.
- At the command prompt, type ipconfig /displaydns, and press ENTER.
- On-Demand Scan Test
- Ensure VSE or SaaS Endpoint Protection is running.
- Launch Windows Explorer and navigate to the folder containing the test utility.
- Click Start, Programs, McAfee.
- Click On-Demand Scan, Start.
If GTI is working correctly, the On-Access Scan Messages dialog reports that ArtemisTest.exe has been detected. Depending on your settings, the Installation Check program is deleted or quarantined as malware.
NOTE: ArtemisTest.exe is benign and only shows a dialog box, similar to the one below:
On-Access Scan Messages MessageVirusScan Alert!Name:x:\path\Artemistest.exeDetected As:Artemis5DB32A316F07State: Deleted
Solution 2
GTI Connectivity Test
GTI File Reputation requires that the computer can communicate with the GTI server directly via the Internet or indirectly via an internal GTI Proxy server. It is vital to verify that your endpoints with a GTI-enabled product are able to communicate with the GTI server to ensure that you remain up to date.
GTI File Reputation requires that the computer can communicate with the GTI server directly via the Internet or indirectly via an internal GTI Proxy server. It is vital to verify that your endpoints with a GTI-enabled product are able to communicate with the GTI server to ensure that you remain up to date.
Use nslookup to verify that you can connect to the GTI server from your computer.
For more information about Global Threat Intelligence connectivity and split DNS, see KB53782.
- Click Start, Run, type cmd, and click OK.
- Type or paste nslookup sfqpit75pjh525siewar2dtgt5.avts.mcafee.com and press ENTER.
You see a response similar to the following:
Server: <mylocaldnsserver.org>
Address: 161.69.135.201
Name: 4z9p5tjmcbnblehp4557z1d136.avts.mcafee.com
Address: 127.0.4.8
Example of failing connectivity:
Command used:
nslookup sfqpit75pjh525siewar2dtgt5.avts.mcafee.com
Result:
Server: exampleserver.your.domain.org
Address: xxx.xx.xxx.xxx
*** exampleserver.your.domain.org can't find sfqpit75pjh525siewar2dtgt5.avts.mss
mcafee.com: Non-existent domain
- VirusScan Enterprise: VSE 8.8 Patch 1 and VSE 8.7 Patch 5
- Consumer products: Security Suites for Windows (versions 14.5 and 15.0)
- SaaS Endpoint Protection 5.4, 6.0
- Future McAfee GTI File Reputation-based products
For more information about Global Threat Intelligence connectivity and split DNS, see KB53782.
Solution 3
PDF lookup test
Use the password protected ArtemisPDF_test.pdf file attached to this article to test GTI functionality.
NOTES:
Use the password protected ArtemisPDF_test.pdf file attached to this article to test GTI functionality.
NOTES:
-
Password = password
-
ArtemisPDF_test is a test program and is harmless.
- Password protection has been applied to the .zip file only to ensure it is not blocked when sent via email. Passwords normally meet higher security standards.
For GTI lookups on PDF files to happen, the following conditions must be met:
- The VSE setting for GTI file reputation must be set to MEDIUM or higher. For instructions, see KB70130.
- Lookups are limited to PDF files that are read/written to disk via the web browser or email client.
McAfee Labs initially restricted PDF lookups to these conditions to evaluate the increase in the number of GTI file reputation lookups, and will expand the lookup criteria as deemed necessary.
Related Information
For product lifecycle details, see the McAfee Product and Technology Support Lifecycle page at: http://www.mcafee.com/us/support/support-eol.aspx.
For EOL policy details, see the Enterprise Products End of Life Policy at: http://www.mcafee.com/common/media/mcafeeb2b/support/terms/Support_Policy-Product_Support_EOL.pdf.
Definitions
For EOL policy details, see the Enterprise Products End of Life Policy at: http://www.mcafee.com/common/media/mcafeeb2b/support/terms/Support_Policy-Product_Support_EOL.pdf.
Definitions
| End of Life Period | The timeframe that runs from the day Intel Security announces product discontinuation until the last date that the product is formally supported by Intel Security. In general, after the EOL Period is announced, no enhancements are made. |
| End of Life Date | The last day that the product is supported according the terms of the Intel Security standard support offering. |
