Recent updates to this article:
To receive email notification when this article is updated, click Subscribe on the right side of the page. You must be logged on to subscribe.
Date |
Update |
February 23, 2018 |
Major rewrite. Title updated; content updated in Problem field and moved to Summary section to transition from an issue article to an informational article. |
There are two categories of Global Threat Intelligence (GTI) queries that result in DNS request Primary and Secondary.
Primary
Area |
Description |
Frequency |
Additional Info |
Artemis DAT |
Artemis DAT refers to the Network Heuristic Check setting seen in the product UI for each scanner. |
Any time a file is encountered that meets criteria. |
Artemis is explained more in KB53735. |
NOTE: Artemis DAT
queries are directed to the systems DNS server or the configured GTI Enterprise Server.
Secondary
Area |
Description |
Frequency |
Additional Info |
ELAM |
When VSE is loaded as the Early Load Anti-Malware component, VSE performs Artemis Lookups. |
Occurs for unsigned kernel driver files seen on startup. |
n/a |
Scan Timeout |
During a file scan, if the file times out, VSE falls back to an Artemis lookup on the file. |
Any time the On-Access Scanner times out on a file. |
Timeouts are explained more in KB55869. |
PreScanSizeKBForArtemisScan |
Introduced with VSE 8.8 Patches 3 and 4.
If a file is larger than 5 MB, a parallel Artemis lookup is performed on the file because it might be faster than a local scan. This parallel scan has proven to generate an unpredictable amount of DNS traffic with insufficient real-world performance benefits, and is disabled in VSE 8.8 Patch 5. |
Any time a file is larger than the threshold setting (default is 5 MB). |
This behavior is disabled for all users with VSE 8.8 Patch 5.
See KB83831. |
The secondary table includes other instances of when GTI Artemis queries occur.
These queries are directed to the
Artemis Server Domain Name specified in the
VirusScan Enterprise 8.8.0,
General Options Policies,
Global Scan Settings policy.
NOTES:
- The Artemis Server Domain Name does not affect Artemis DAT generated queries.
- The PreScanSizeKBForArtemisScan option can be disabled separately from Enable artemis background queries via the registry. See KB83831.
- In addition to the Enable artemis background queries setting, the Network Heuristic Check setting must also be Enabled for any of the above to GTI queries to occur. Disabling the Network Heuristic Check setting disables both the Primary and secondary behaviors. See KB70130.