How to verify that GTI File Reputation is installed correctly and that endpoints can communicate with the GTI server
Technical Articles ID: KB53733
Last Modified: 03/18/2014
Rated:
Last Modified: 03/18/2014
Rated:
Environment
McAfee Global Threat Intelligence File Reputation
McAfee SaaS Endpoint Protection 5.4
McAfee SaaS Endpoint Protection 6.0
McAfee VirusScan Enterprise 8.x
McAfee SaaS Endpoint Protection 5.4
McAfee SaaS Endpoint Protection 6.0
McAfee VirusScan Enterprise 8.x
Summary
It is important to ensure that your products remain up-to-date with the latest virus definitions. Use the information in this article to ensure that Global Threat Intelligence (GTI) File Reputation is current and correctly installed and that endpoints can communicate with the GTI server.
Solution 1
ArtemisTest.exe test program
Use the password protected ArtemisTest.zip file attached to this article to test GTI functionality.
NOTES:
Use the password protected ArtemisTest.zip file attached to this article to test GTI functionality.
NOTES:
-
Password = password
-
ArtemisTest.exe is a test program and is harmless.
- Password protection has been applied to the .zip file to ensure that it is not blocked when sent via email. Passwords normally meet higher security standards.
- On-Access Scan Test
- Ensure VirusScan Enterprise (VSE) or SaaS Endpoint Protection is running.
- Launch Windows Explorer and navigate to the folder that contains the test utility.
- Double-click ArtemisTest.exe to launch the program.
If GTI File Reputation is enabled in VSE or SaaS Endpoint Protection, it will deny access and prevent the file from running.
- Verify the contents of the DNS client through the command line and check if the test file has been passed to the GTI server:
- Click Start, Run, type cmd, and press ENTER.
- Double-click ArtemisTest.exe to perform the On-Access Scan Test again.
- At the command prompt, type ipconfig /displaydns, and press ENTER.
- On-Demand Scan Test
- Ensure VSE or SaaS Endpoint Protection is running.
- Launch Windows Explorer and navigate to the folder containing the test utility.
- Click Start, Programs, McAfee.
- Click On-Demand Scan, Start.
If GTI is working correctly, the On-Access Scan Messages dialog reports that ArtemisTest.exe has been detected. Depending on your settings, the Installation Check program is deleted or quarantined as malware.
NOTE: ArtemisTest.exe is benign and only shows a dialog box, similar to the one below:
On-Access Scan Messages MessageVirusScan Alert!Name:x:\path\Artemistest.exeDetected As:Artemis5DB32A316F07State: Deleted
Solution 2
GTI Connectivity Test
GTI File Reputation requires that the computer can communicate with the GTI server directly via the Internet or indirectly via an internal GTI Proxy server. It is vital to verify that your endpoints with a GTI-enabled product are able to communicate with the GTI server to ensure that you remain up-to-date.
GTI File Reputation requires that the computer can communicate with the GTI server directly via the Internet or indirectly via an internal GTI Proxy server. It is vital to verify that your endpoints with a GTI-enabled product are able to communicate with the GTI server to ensure that you remain up-to-date.
Use nslookup to verify that you can see the GTI server from your computer.
NOTE: This change will be part of the DAT update on Jan 22, 2013.
These include:
See also KB53782 - Global Threat Intelligence and Split DNS.
- Click Start, Run, type cmd, and click OK.
- Type or paste nslookup 4z9p5tjmcbnblehp4557z1d136.avqs.mcafee.com and press ENTER.
You see a response similar to the following:
Server: <mylocaldnsserver.org>
Address: 161.69.135.201
Name: 4z9p5tjmcbnblehp4557z1d136.avqs.mcafee.com
Address: 127.0.0.8
Example of failing connectivity:
Command used:
nslookup 4z9p5tjmcbnblehp4557z1d136.avqs.mcafee.com
Result:
Server: aylcorpdc1.corp.nai.org
Address: 161.69.135.201
*** aylcorpdc1.corp.nai.org can't find 4z9p5tjmcbnblehp4557z1d136.avqs.mss
cafee.com: Non-existent domain
NOTE: This change will be part of the DAT update on Jan 22, 2013.
These include:
- VirusScan Enterprise: VSE 8.8 Patch 1 and VSE 8.7 Patch 5
- Consumer products: Platinum and Emerald (14.5 and 15.0)
- SaaS Endpoint Protection 5.2.3
- Future McAfee GTI File Reputation-based products
See also KB53782 - Global Threat Intelligence and Split DNS.
Solution 3
PDF lookup test
Use the password protected ArtemisPDF_test.pdf file attached to this article to test GTI functionality.
NOTES:
-
Password = password
-
ArtemisPDF_test is a test program and is harmless.
- Password protection has been applied to the .zip file only to ensure it is not blocked when sent via email. Passwords normally meet higher security standards.
- The VSE setting for GTI file reputation must be set to MEDIUM or higher. For instructions, see KB70130.
- Lookups are limited to PDF files that are read/written to disk via the web browser or email client.
Related Information
For EOL and EOS lifecycle details, see the McAfee Product and Technology Support Lifecycle page at: http://www.mcafee.com/us/support/support-eol.aspx.
For EOL and EOS policy details, see the Enterprise Products End of Life Policy at: http://www.mcafee.com/common/media/mcafeeb2b/support/terms/Support_Policy-Product_Support_EOL.pdf.
Definitions
| End of Support (EOS) Notification |
|
| End of Life (EOL) Period | The EOL Period refers to the timeframe beginning with the day that McAfee notifies its intentions to discontinue a product until the last date that the product is formally supported. In general, after the EOL Period is announced, product enhancements are not made. |
| End of Support | The last day that the product is supported according the terms of McAfee’s standard support offering. |
