Yes I have seen commercial applications incorrectly flagged as Artemis
detections.
You can't whitelist Artemis detections; however, the process to get it
resolved is:
Send an email to virus_research @avertlabs.com [or the platinum support
submissions address if you have plat support] with the subject "FALSE
xxxxxxxxxxxxx" (i.e. include some spiel in the subject).
In the body of the email, you just need to give the Artemis detection name
and a summary of why you believe this to be a false positive.
E.g.:
"Subject: FALSE Artemis detection of Artemis!XXXXXXXXXX
Body:
I believe the following file is incorrectly detected by Artemis
Filename.exe - Artemis!XXXXXXXXXX
Filename.exe is part of the Test Software Enterprises application called
FancySmanchy - www.fffftestsoftware.com/fancysmanchy
Could you please investigate and remove this detection if it is incorrect?
"
Normally you'll get a response back within 24 hours.
If you have McAfee support, you can also get a ticket logged via support for
the issue. You may get a faster response.
--------------------------------------------------
From: "bobstasz@..." <bob.staszewski@...>
Sent: Thursday, December 17, 2009 10:08 PM
To: <tvdug@yahoogroups.com>
Subject: [tvdug] Doc-It Document Management software - VSE 8.7i Artemis
detecting as PUP
> We recently released VirusScan 8.7i out to our firm and one of our offices
> using the Doc-It Document Management system. Since releasing VSE 8.7i, with
> the heuristics (Artemis) set at Very Low, it has been flagging and
> removing several program files related to Doc-It as Potentially Unwanted
> Programs.
>
> I have tried creating exclusion rules and setting the processes as Low
> Risk, all to no avail.
>
> Has anyone here seen the new Artemis technology flag items as PUPs, but
> that are legitimate programs?
>
> And has anyone created an exclusion or low risk process, yet still have
> the heuristics (Artemis) engine detect and remove the software?
>
> I already sent a sample to Webimmune and reported this as a false
> positive.
>
Hi,
If you are running Second copy you might want to know.
We are trying to restore via epo restore task for VSE 8.5, but that doesn't
work. Anyone that has run this restore task before and got it to work?
Mvh / Regards
Mikael Fryksten
NSEC Network Security AB
Mobile: +46 (0)708 566 977
Office: +46 (0)8 564 72 830
Web: www.nsec.se
--------------------------------------------------------------------------
Follow NSEC's security blog at www.nsec.se/blogg
--------------------------------------------------------------------------
________________________________
From: tvdug@yahoogroups.com on behalf of Small, Prescott
Sent: Wed 2009-11-18 21:05
To: tvdug@yahoogroups.com
Subject: RE: [tvdug] Re: TVDUG quiet - where is everyone posting now?
I am sure some have been laid off.
I bet others are so swamped with extra work due to layoffs.
I got a promotion and have different responsibilities. I am lucky.
From: tvdug@yahoogroups.com [mailto:tvdug@yahoogroups.com] On Behalf Of Russ
Sent: Wednesday, November 18, 2009 11:19 AM
To: tvdug@yahoogroups.com
Subject: [tvdug] Re: TVDUG quiet - where is everyone posting now?
--- In tvdug@yahoogroups.com, "mitlyng" <matthew.mitlyng@...> wrote:
>
> Still here, just haven't had any real problems with 4.5 and 8.7 w/SP2.
>
> --- In tvdug@yahoogroups.com, "Mal" <Mal2004@> wrote:
> >
> > Certainly this group is nowhere as busy as it used to be.
> >
> > McAfee have two separate communities that I know some Enterprise customers
> > post to:
> >
> > https://www.mcafeetheplace.com/ (Not really that keen on this one, as it
> > seems to have been poorly thought out, and more of a marketing place).
> > http://community.mcafee.com/community/business/system?view=overview
> > (recently redesigned and expanded to include a Business Products section).
> >
> > And there is a LinkedIn group that I know quite a few TVDUG'ers belong to:
> >
> > http://www.linkedin.com/groups?about=&gid=1349777 (McAfee ePolicy
> > Orchestrator group on LinkedIn).
> >
> > Are there other places where people go to discuss issues with Enterprise
> > McAfee products and the latest news etc?
> >
> > Mal.
>
No, everyone is running Security Essentials.
I think a reboot causes that event to occur as well.
--------------------------------------------------
From: "scott_lawton" <scott_lawton@...>
Sent: Sunday, December 13, 2009 8:45 PM
To: <tvdug@yahoogroups.com>
Subject: [tvdug] Scan was Cancelled
> This is one of those times where the answer is probably right in front of
> me.
>
> I thought I had locked the user access down on the GUI for VSE 8.71 -
> however my blessed users are still cancelling an on demand scan.
>
> What am I missing (apart from the application of percussive maintenance
> to said user)?
>
Am currently running 8.0i, 8.5i and 8.7i in production on an ePO
4.5 server – more likely to see it than most.
From: tvdug@yahoogroups.com [mailto:tvdug@yahoogroups.com] On Behalf Of johnny_balls_99
Sent: Tuesday, December 01, 2009 5:31 PM
To: tvdug@yahoogroups.com
Subject: [tvdug] 5400 Engine Upgrade
Has anyone come across a situation where right after the 5400 Engine was
released and automatically pushed to machines, some machines stopped receiving
DATs unless the machine was rebooted or VSE was reinstalled?
In what situation would the 5400 engine update require a reboot?
thanks
I have to concur.
I work in an "artistic" environment so it presents me a new day of difficulty
each day when attempting to enable my users, but at the same time stop them from
playing in traffic on the freeway.
What an oppressive regime I am.
--- In tvdug@yahoogroups.com, Erik Kurlanska <erikkur@...> wrote:
>
> We haven't seen this one yet, thankfully... It seems as though virus writers
> are just sending them out at a faster rate than McAfee can seem to have
> protection for them. Other top names like Symantec have also been missing the
> boat. It looks like Malware Bytes seems to almost always clean things that
> McAfee misses, and when putting up a few of the most recent Vundo variants one
> of the only manufacturers to have detection was Microsoft.
>
> I think these days even having a fully patched box OS-wise and A/V-wise isn't
> enough. You need to take away admin rights to the box, as well as have some
> sort of IPS or IDS device either from McAfee, Cisco, etc.
>
> We don't have one in place and it is killing us every day.
>
> Erik
>
> To: tvdug@yahoogroups.com
> From: scott_lawton@...
> Date: Tue, 3 Nov 2009 21:12:42 +0000
> Subject: [tvdug] Re: W32/Virut.n.gen
>
> Anyone?
>
> --- In tvdug@yahoogroups.com, "scott_lawton" <scott_lawton@> wrote:
> >
> > Rather interesting incident last week.
> >
> > One of my users (Bless'im) decided to download a file that would reset the
> > password on VBS project files.
> >
> > We run Web Marshal with McAfee.
> >
> > We run VSE 8.7i patch 2, completely up to date.
> >
> > He downloaded it, un-RAR-ed it, and it hosed the box. Yes I got alerts.
> >
> > The signature scan components came up: W32/Virut.n.gen
> >
> > Also got a note of "NEW POLY" and "New Win32" before our esteemed user
> > realised the errors of his ways and pulled the box off the network.
> >
> > Subsequent scans showed pretty much every executable on the box had been
> > hit. The O/S was hosed, the Engine could clean it, so the O/S needed to be
> > rebuilt.
> >
> > Now I am perplexed.
> >
> > The box was entirely up to date, O/S patching, Antimalware - the lot.
> >
> > How on earth did it get so far.
> > I'm curious that it waltzed past Marshal as well.
> >
> > What am I missing here?
> >
>
You've gotta love users and their ability to find viruses/trojans without
really trying! (well, the users can be trying, but they aren't normally
trying to infect their machine!)
My suspicion with the scenario you gave (and I don't know everything about
what happened) is:
- User downloaded an executable that was not detected by McAfee based on
either a failure in the configuration, or because Avert had not added the
definition to the dat file.
- User ran the file, which then injected code into other processes (still
not detected by McAfee), and then started to infect files. Some infections
matched signatures for Virut and were detected, others matched "generic"
signatures and were detected.
Once a virus/trojan etc. gets control of a machine, it is very hard to detect
and block it writing bad code to other files.
Virut uses rootkit technologies to hook itself into the system, so that also
assists with hiding itself.
If you can find the original downloaded file, submit a sample to AVERT. That
may help others who have to deal with the same issue.
--------------------------------------------------
From: "scott_lawton" <scott_lawton@...>
Sent: Tuesday, November 03, 2009 9:12 PM
To: <tvdug@yahoogroups.com>
Subject: [tvdug] Re: W32/Virut.n.gen
> Anyone?
>
> --- In tvdug@yahoogroups.com, "scott_lawton" <scott_lawton@...> wrote:
>>
>> Rather interesting incident last week.
>>
>> One of my users (Bless'im) decided to download a file that would reset
>> the password on VBS project files.
>>
>> We run Web Marshal with McAfee.
>>
>> We run VSE 8.7i patch 2, completely up to date.
>>
>> He downloaded it, un-RAR-ed it, and it hosed the box. Yes I got alerts.
>>
>> The signature scan components came up: W32/Virut.n.gen
>>
>> Also got a note of "NEW POLY" and "New Win32" before our esteemed user
>> realised the errors of his ways and pulled the box off the network.
>>
>> Subsequent scans showed pretty much every executable on the box had been
>> hit. The O/S was hosed, the Engine could clean it, so the O/S needed to
>> be rebuilt.
>>
>> Now I am perplexed.
>>
>> The box was entirely up to date, O/S patching, Antimalware - the lot.
>>
>> How on earth did it get so far.
>> I'm curious that it waltzed past Marshal as well.
>>
>> What am I missing here?
>>
>
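One practical way to answer the "how far did it get" question in the Virut thread above, as an added example that is not code from the list or from McAfee: take a hash baseline of every PE file (identified by its MZ header, not its extension) while the box is known-good, then diff it against a fresh scan after the incident. Every changed or new executable is a candidate infected file to triage or submit. The directory layout and sample files are constructed in a temp dir for the demo.

```python
import hashlib
import os
import tempfile

PE_MAGIC = b"MZ"  # DOS header signature that starts every Win32 PE image

def is_pe(path):
    # Identify executables by header, not extension; a file infector ignores names
    with open(path, "rb") as f:
        return f.read(2) == PE_MAGIC

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def baseline(root):
    """Map relative path -> sha256 for every PE file under root."""
    result = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if is_pe(full):
                result[os.path.relpath(full, root)] = sha256_file(full)
    return result

def diff_baseline(before, after):
    """Return (modified, added, missing) executables relative to the baseline."""
    modified = sorted(p for p in before if p in after and before[p] != after[p])
    added = sorted(p for p in after if p not in before)
    missing = sorted(p for p in before if p not in after)
    return modified, added, missing

def demo():
    # Constructed scenario: two clean PE stubs plus a text file; then app.exe is
    # appended to (the classic file-infector change) and a new executable appears.
    with tempfile.TemporaryDirectory() as root:
        stub = PE_MAGIC + b"\x00" * 62
        for name, data in (("app.exe", stub), ("helper.dll", stub), ("notes.txt", b"text")):
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        clean = baseline(root)
        with open(os.path.join(root, "app.exe"), "ab") as f:
            f.write(b"\x90" * 16)
        with open(os.path.join(root, "dropped.exe"), "wb") as f:
            f.write(stub)
        return diff_baseline(clean, baseline(root))
```

On a real host the baseline would be stored off-box (a compromised machine can rewrite a local baseline) and the scan run from clean media, since a rootkit hooked into the live system can hide files from os.walk.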