Explanation of Global Threat Intelligence queries that occur with VirusScan Enterprise 8.8.x

Technical Articles ID: KB84084
Last Modified: 1/2/2019

Environment

McAfee VirusScan Enterprise (VSE) 8.8

For details of VSE supported environments, see KB51111.

Summary

Recent updates to this article:

To receive email notification when this article is updated, click Subscribe on the right side of the page. You must be logged on to subscribe.

Date	Update
February 23, 2018	Major rewrite. Title updated; content updated in Problem field and moved to Summary section to transition from an issue article to an informational article.

There are two categories of Global Threat Intelligence (GTI) queries that result in DNS request Primary and Secondary.

Primary

Area	Description	Frequency	Additional Info
Artemis DAT	Artemis DAT refers to the Network Heuristic Check setting seen in the product UI for each scanner.	Any time a file is encountered that meets criteria.	Artemis is explained more in KB53735.

NOTE: Artemis DAT queries are directed to the systems DNS server or the configured GTI Enterprise Server.

Secondary

Area	Description	Frequency	Additional Info
ELAM	When VSE is loaded as the Early Load Anti-Malware component, VSE performs Artemis Lookups.	Occurs for unsigned kernel driver files seen on startup.	n/a
Scan Timeout	During a file scan, if the file times out, VSE falls back to an Artemis lookup on the file.	Any time the On-Access Scanner times out on a file.	Timeouts are explained more in KB55869.
PreScanSizeKBForArtemisScan	Introduced with VSE 8.8 Patches 3 and 4. If a file is larger than 5 MB, a parallel Artemis lookup is performed on the file because it might be faster than a local scan. This parallel scan has proven to generate an unpredictable amount of DNS traffic with insufficient real-world performance benefits, and is disabled in VSE 8.8 Patch 5.	Any time a file is larger than the threshold setting (default is 5 MB).	This behavior is disabled for all users with VSE 8.8 Patch 5. See KB83831.

The secondary table includes other instances of when GTI Artemis queries occur.
These queries are directed to the Artemis Server Domain Name specified in the VirusScan Enterprise 8.8.0, General Options Policies, Global Scan Settings policy.

NOTES:

The Artemis Server Domain Name does not affect Artemis DAT generated queries.
The PreScanSizeKBForArtemisScan option can be disabled separately from Enable artemis background queries via the registry. See KB83831.
In addition to the Enable artemis background queries setting, the Network Heuristic Check setting must also be Enabled for any of the above to GTI queries to occur. Disabling the Network Heuristic Check setting disables both the Primary and secondary behaviors. See KB70130.

Solution

VSE 8.8 Patch 6 and later provide an updated ePO extension for managing VSE that specifically adds a field to manage how the Secondary Artemis lookups behave.

Issue resolutions in updates and major releases are cumulative; Technical Support recommends that you install the latest version. To find the most recent release for your product, visit the Product Downloads site at https://www.mcafee.com/enterprise/en-us/downloads/my-products.html.

Updates are available when you log on to the ServicePortal at: https://support.mcafee.com/downloads.

In the Policy Catalog:

Go to VirusScan Enterprise 8.8.0 and select General Options Policies.
Specify for Workstation or Servers.
Select the Global Scan Settings section. The options for Artemis Heuristic network check for suspicious files display.
Configure the options as appropriate for your needs:
- Enable artemis background queries: Controls whether the Artemis functionality is enabled or not.
- Artemis Server Domain Name: Used to specify the domain information where Artemis queries will be sent.

Affected Products

VirusScan Enterprise 8.8

Languages:

This article is available in the following languages:

German
English United States
Spanish Spain
French
Italian
Japanese
Portuguese Brasileiro
Chinese Simplified

Glossary of Technical Terms

Highlight Glossary Terms

Please take a moment to browse our Glossary of Technical Terms.

Knowledge Center