Verify that GTI File Reputation is installed and endpoints can communicate with the GTI server

Technical Articles ID: KB53733
Last Modified: 8/3/2021

Environment

McAfee Endpoint Security (ENS) Threat Prevention 10.x
McAfee Global Threat Intelligence (GTI) File Reputation
McAfee VirusScan Enterprise (VSE) 8.x

Summary

It’s important to make sure that your products remain up to date with the latest virus definitions. Make sure that GTI File Reputation is current and correctly installed. Also, make sure that the endpoints can communicate with the GTI server.

Recent updates to this article:

Date	Update
August 3, 2021	Updated the "ArtemisTest.exe Test Program" section that GTI File Reputation queries are on sub domains of avqs.mcafee.com or avts.mcafee.com.

To receive email notification when this article is updated, click Subscribe on the right side of the page. You must be logged on to subscribe.

Solution

ArtemisTest.exe Test Program
To test GTI, use the password-protected ArtemisTest.zip file in the Attachment section of this article.

NOTES:

Password protection is applied to the .zip file to make sure that it isn’t blocked when sent using email. Passwords normally meet higher security standards. The password is password.
The ArtemisTest.exe process is a test program and is harmless.

After you extract ArtemisTest.exe, you can run an on-access scan test and an on-demand scan test on this file.

On-access scan test
1. Make sure that your endpoint protection product (ENS or VSE) is running.
2. Open Windows Explorer and navigate to the folder that contains the test utility.
3. To start the program, double-click ArtemisTest.exe. If GTI File Reputation is enabled, ENS or VSE deletes the file or denies access and prevents the file from running. (The action taken depends on the configuration.)
4. Verify the contents of the DNS client through the command line and check whether the test file has been passed to the GTI server.
  1. To perform the on-access scan test again, double-click ArtemisTest.exe.
  2. At the command prompt, type ipconfig /displaydns and press Enter. This command shows all recent DNS queries made on the computer, including those queries that GTI File Reputation makes. The GTI File Reputation queries are on sub domains of avqs.mcafee.com or avts.mcafee.com.

On-demand scan test
NOTE: To avoid an on-access scan detection, either exclude the file or directory or temporarily disable the on-access scan.

Make sure that your endpoint protection product (ENS or VSE) is running.
Open Windows Explorer and navigate to the folder that contains the test utility.

Right-click the folder or start an on-demand scan through the console for ENS or VSE. If GTI is working correctly, the On-Access Scan Messages dialog (similar to below) reports that ArtemisTest.exe has been detected. Depending on your settings, the test file is deleted and quarantined as malware.

On-Access Scan Messages
Message	VirusScan Alert!
Name:	x:\path\Artemistest.exe
Detected As:	Artemis5DB32A316F07
State:	Deleted

Solution

GTI Connectivity Test
GTI File Reputation requires that the computer can communicate with the GTI server directly using the internet or indirectly using an internal GTI proxy server. It’s vital to verify that endpoints can communicate with the GTI server to make sure that the endpoint remains up to date.

Use nslookup to verify that the endpoint can connect to the GTI server.

Press Windows+R, type cmd, and click OK.
Type or paste nslookup sfqpit75pjh525siewar2dtgt5.avts.mcafee.com and press Enter.
- You see a response similar to the following if there’s connectivity to the GTI server:
  
  Server: <mylocaldnsserver.org>
  Address: 161.69.135.201
  
  Name: 4z9p5tjmcbnblehp4557z1d136.avts.mcafee.com
  Address: 127.0.4.8
- Here’s an example of failing connectivity to the GTI server:
  
  Server: exampleserver.your.domain.org
  Address: xxx.xx.xxx.xxx
  
  *** exampleserver.your.domain.org can't find sfqpit75pjh525siewar2dtgt5.avts.mss
  mcafee.com: Non-existent domain

Solution

PDF Lookup Test
To test GTI, use the password protected ArtemisPDF_test.pdf file in the Attachment section of this article.

NOTES:

Password protection is applied to the .zip file to make sure that it isn’t blocked when sent using email. Passwords normally meet higher security standards. The password is password.
The ArtemisPDF_test process is a test program and is harmless.

For GTI lookups on PDF files to happen, the following conditions must be met:

The ENS or VSE setting for GTI File Reputation must be set to Medium or higher. For instructions, see: KB70130 - How to enable Global Threat Intelligence Technology in McAfee products.
Lookups are limited to PDF files that are read or written to disk using the web browser or email client.

Related Information

For a list of ENS URLs used to perform off-box communication including GTI, see: KB93324 - Endpoint Security off-box communication URLs.

Attachment

ArtemisTest.zip
126K • < 1 minute @ broadband

Attachment

ArtemisPDF_Test.zip
6K • < 1 minute @ broadband

Affected Products

Endpoint Security Threat Prevention 10.7.x
Endpoint Security Threat Prevention 10.6.x
VirusScan Enterprise 8.8

Languages:

This article is available in the following languages:

German
English United States
Spanish Spain
French
Italian
Japanese
Portuguese Brasileiro
Chinese Simplified

Glossary of Technical Terms

Highlight Glossary Terms

Please take a moment to browse our Glossary of Technical Terms.

Knowledge Center

Verify that GTI File Reputation is installed and endpoints can communicate with the GTI server

Environment

Summary

Solution

Solution

Solution

Related Information

Attachment

Attachment

Affected Products

Languages:

Glossary of Technical Terms

Title

Title

Knowledge Center

Verify that GTI File Reputation is installed and endpoints can communicate with the GTI server

Environment

Summary

Solution

Solution

Solution

Related Information

Attachment

Attachment

Affected Products

Languages:

Glossary of Technical Terms

Choose your region

Title

Title