McAfee Artemis Claims Protection Online, On-the-Fly

Seems like McAfee has created a new Internet-based service to provide active protection on the fly when a PC gets hit by malicious computer code. "[Artemis] is a lot faster than traditional methodologies and it closes the gap between when a piece of malware is written, discovered, analyzed and protected against ... Artemis is available at no charge as part of McAfee VirusScan Enterprise or McAfee Total Protection Service for small and medium-sized businesses. Artemis is also available for McAfee's consumer products, where the functionality is called Active Protection."

This is why you read the fine print...

[pushing-robot]

TFA basically states that anything behaving "suspiciously" on your PC will be automatically back to McAfee for analysis. There's no mention at all of possible privacy risks.

Sheezus.

Re:This is why you read the fine print...

[brucifer]

I've actually spoken with McAfee about this at length. If a suspicious file is found (not going into what is deemed suspicious out of professional courtesy) a fingerprint (hash) of the file is sent back to McAfee to see if it matches a known malware sample. If it matches, then the file is deleted or quarantined, or whatever the default behavior is. This only takes place if the malware doesn't trigger one of the other protection pieces in place.

There are settings in both the corp and home editions that let you decided if you want to send samples back to McAfee or just turn the feature off. It's a surprisingly cool thing to come out of one of the big players.

Re:This is why you read the fine print...

[arth1]

You're reinventing the wheel here. Viruses that did that were common back in the early 90s.

First, the more stupid AV programs would use a hash. The virus writers countered that simply by including an infection counter. The counter would increase with every infection, modifying the hash.
Then the less gifted AV program writers would hash just certain parts. The virus writers countered that by having the first instruction of the virus be a jump to where the virus was, and the actual virus block being moved at random within a bigger block whenever a new infection occurred.
So then the AV writers scanned for identifiers without looking at the location. The answer from the virus writers was to insert NOP statements at random inside the code, and shuffle these around at every new infection.

Incidentally, my own antivirus program (VScan) would in its deepest mode disassemble the code and emulate the actions of it without executing it, to see whether the result of the code would perform certain actions which only OS routines and viruses would ever do. This foiled some attempts at stealth, like adding numbers to generate an offset, or mutating the registers being used, and also allowed for finding new viruses that used the same techniques but not the same code as older viruses.

Then came XOR'ing the virus, then self-extracting compression, then actual encryption -- and the race is still on.

Artemis is available at no ADDITIONAL charge

[G3ckoG33k]

"Artemis is available at no charge as part of McAfee VirusScan Enterprise or McAfee Total Protection Service for small and medium-sized businesses."

I guess enterprise editions don't come at no charge.

I guess this is the new "cool thing"

[RootWind]

I guess all the security companies are heading toward community based databases. Other similar products include
F-Secure Deepguard: http://www.f-secure.com/deepguard
Threatfire: http://www.threatfire.com/ (recently acquired by Symantec... so they are in the game now)
DriveSentry: http://www.drivesentry.com/
Prevx: http://www.prevx.com/

Re:ugh.

[interiot]

More here:

This new technology (Artemis) looks for suspicious PE files [EXEs, DLLs, etc], and when found it sends some kind of checksum (with no personal/sensitive data) to a central database server hosted by McAfee AVERT Labs. The central database server is constantly updated with new discovered malware, and is McAfee's malware queue for which no official DATs have been created so far. If a match is found in the central database, the scanner will report and handle the malware detection. The files in McAfee's queue have not been[sic] undergone any analysis, but they are crosschecked by McAfee's huge whitelists to avoid false alarms.

By having a remotely maintained blacklist it may be able to provide faster protection to new malware than vendors which release signature updates many times at[sic] day to cover the high amounts of new malware appearing every hour.

...

Update (May 2008): we re-tested Artemis over our clean-set in May 2008 and now that McAfee has expanded its whitelists, Artemis still produces relatively many false alarms, but at least no longer on very important/critical files.

What could go wrong?

Re:Antivirus software is bullshit

[Itninja]

I agree there is not substitute for educating users about the pitfalls of getting click-happy. But it's a bit naive to just call all AV software BS across the board. There are any number of ways to get 'pwned' without ever having to click a single button - especially in Windows. One that comes to mind is our old friend 'autorun'. Every Windows system since '95 has come with this little chestnut turned on by default. You want to put a keystroke logger or other malicious code on someones' Windows system? Just burn it to a CD and write an autorun.inf file to do whatever you like silently and without user interaction. Without any security software running, the user is totally hosed.

You think you can educate the user(s) to remember to always hold down shift when inserting a CD/DVD? Yeah, good luck with that.