Slashdot Mirror


McAfee Artemis Claims Protection Online, On-the-Fly

Seems like McAfee has created a new Internet-based service to provide active protection on the fly when a PC gets hit by malicious computer code. "[Artemis] is a lot faster than traditional methodologies and it closes the gap between when a piece of malware is written, discovered, analyzed and protected against ... Artemis is available at no charge as part of McAfee VirusScan Enterprise or McAfee Total Protection Service for small and medium-sized businesses. Artemis is also available for McAfee's consumer products, where the functionality is called Active Protection."


  1. This is why you read the fine print... by pushing-robot · · Score: 5, Informative

    TFA basically states that anything behaving "suspiciously" on your PC will be automatically sent back to McAfee for analysis. There's no mention at all of possible privacy risks.

    Sheezus.

    --
    How can I believe you when you tell me what I don't want to hear?

    1. Re:This is why you read the fine print... by Anonymous Coward · · Score: 5, Funny

      No, this is why *you* read TFA and summarize it for us. Real slashdotters can't be bothered, you insensitive clod!

    2. Re:This is why you read the fine print... by brucifer · · Score: 5, Informative

      I've actually spoken with McAfee about this at length. If a suspicious file is found (not going into what is deemed suspicious out of professional courtesy) a fingerprint (hash) of the file is sent back to McAfee to see if it matches a known malware sample. If it matches, then the file is deleted or quarantined, or whatever the default behavior is. This only takes place if the malware doesn't trigger one of the other protection pieces in place.

      There are settings in both the corp and home editions that let you decide if you want to send samples back to McAfee or just turn the feature off. It's a surprisingly cool thing to come out of one of the big players.

    3. Re:This is why you read the fine print... by arth1 · · Score: 4, Insightful

      But a fingerprint used as a unique identifier isn't safe. What's the guarantee that McAfee won't keep rainbow tables of everything that has turned out to not be viruses, but someone else might find interesting?

      What stops e.g. the government or MPAA (but I repeat myself) from demanding to be told of everyone who has files matching a certain fingerprint? The first justification for this might be child porn. How about fingerprinting all known child porn images, and have the AV software notify the servers whenever there is a match? Undoubtedly that will be very effective! No pesky 4th amendment considerations either!
      Then, once it's used for that purpose, how about fingerprinting word documents describing how to make pipe bombs? Undoubtedly useful. And how about the communist manifesto? And, since it works against browser caches too, why not check who has browsed a certain page?

      I'm sorry, but I see a lot of problems with this.

    4. Re:This is why you read the fine print... by arth1 · · Score: 4, Informative

      You're reinventing the wheel here. Viruses that did that were common back in the early 90s.

      First, the more stupid AV programs would use a hash. The virus writers countered that simply by including an infection counter. The counter would increase with every infection, modifying the hash.
      Then the less gifted AV program writers would hash just certain parts. The virus writers countered that by having the first instruction of the virus be a jump to where the virus was, and the actual virus block being moved at random within a bigger block whenever a new infection occurred.
      So then the AV writers scanned for identifiers without looking at the location. The answer from the virus writers was to insert NOP statements at random inside the code, and shuffle these around at every new infection.

      Incidentally, my own antivirus program (VScan) would in its deepest mode disassemble the code and emulate the actions of it without executing it, to see whether the result of the code would perform certain actions which only OS routines and viruses would ever do. This foiled some attempts at stealth, like adding numbers to generate an offset, or mutating the registers being used, and also allowed for finding new viruses that used the same techniques but not the same code as older viruses.

      Then came XOR'ing the virus, then self-extracting compression, then actual encryption -- and the race is still on.
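      As an added example that is not part of arth1's post, the three generations of static detector he describes, run against constructed files standing in for successive infections (the "virus body" is an inert marker string, not code; sample names and layout are made up here):

```python
"""Added example (not from the post): the three static detectors arth1
describes, run against constructed files that stand in for successive
infections.  Nothing here is executable code; the 'virus body' is an
inert marker string used only to show which detector still fires."""
import hashlib

BODY = b"\xeb<CONSTRUCTED-VIRUS-BODY-MARKER>\xc3"   # inert stand-in

def make_sample(counter: int, pad: int, nop_inside: bool = False) -> bytes:
    """Host program, then an infection counter byte, then 'pad' filler
    bytes before the body (the 'moved at random' block), optionally with
    a NOP (0x90) shuffled into the body itself."""
    body = BODY[:8] + b"\x90" + BODY[8:] if nop_inside else BODY
    host = b"MZ" + b"HOST PROGRAM CODE " * 3
    return host + bytes([counter]) + b"\x00" * pad + body + b"\x00" * 8

# The one sample the AV vendor captured and built its signatures from.
REFERENCE = make_sample(counter=1, pad=4)
REF_OFFSET = REFERENCE.index(BODY)

def whole_file_hash(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def region_hash(data: bytes) -> str:
    """Hash of just the bytes where the body sat in the reference sample."""
    return hashlib.md5(data[REF_OFFSET:REF_OFFSET + len(BODY)]).hexdigest()

SIG_WHOLE = whole_file_hash(REFERENCE)
SIG_REGION = region_hash(REFERENCE)

def detect(data: bytes) -> dict:
    """Verdict of each detector generation for one file."""
    return {
        "whole_hash": whole_file_hash(data) == SIG_WHOLE,      # generation 1
        "region_hash": region_hash(data) == SIG_REGION,        # generation 2
        "pattern": BODY in data,                               # generation 3
    }

def sweep() -> list:
    """Run every generation over the reference and three later infections."""
    cases = [
        ("reference", REFERENCE),
        ("counter bumped", make_sample(counter=2, pad=4)),
        ("counter bumped, body moved", make_sample(counter=3, pad=11)),
        ("NOP shuffled into body", make_sample(counter=4, pad=11, nop_inside=True)),
    ]
    return [(name, detect(data)) for name, data in cases]
```

      The last case is the one none of the static detectors survives, which is the gap the emulation approach he describes next was built to close.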

  2. Artemis is available at no ADDITIONAL charge by G3ckoG33k · · Score: 4, Informative

    "Artemis is available at no charge as part of McAfee VirusScan Enterprise or McAfee Total Protection Service for small and medium-sized businesses."

    I guess enterprise editions don't come at no charge.

  3. ugh. by X_Bones · · Score: 5, Insightful

    This advertisement^Warticle looks like it was written by some marketing exec's high-school kid. It's chock full of clumsy grammar and useless buzzwords, yet somehow almost completely content-free. Can someone please explain to me again why this belongs on the front page?

    1. Re:ugh. by interiot · · Score: 4, Informative

      More here:

      This new technology (Artemis) looks for suspicious PE files [EXEs, DLLs, etc], and when found it sends some kind of checksum (with no personal/sensitive data) to a central database server hosted by McAfee AVERT Labs. The central database server is constantly updated with new discovered malware, and is McAfee's malware queue for which no official DATs have been created so far. If a match is found in the central database, the scanner will report and handle the malware detection. The files in McAfee's queue have not been[sic] undergone any analysis, but they are crosschecked by McAfee's huge whitelists to avoid false alarms.

      By having a remotely maintained blacklist it may be able to provide faster protection to new malware than vendors which release signature updates many times at[sic] day to cover the high amounts of new malware appearing every hour.

      ...

      Update (May 2008): we re-tested Artemis over our clean-set in May 2008 and now that McAfee has expanded its whitelists, Artemis still produces relatively many false alarms, but at least no longer on very important/critical files.

      What could go wrong?

  4. And I bet... by Perseid · · Score: 4, Funny

    ...it'll only take 128MB of RAM and 30% of your processor!*

    * Requirements in Vista may be higher

    1. Re:And I bet... by martinw89 · · Score: 4, Funny

      ...it'll only take 128MB of RAM and 30% of your processor!* **

      * Requirements in Vista may be higher

      **Home users and other non-enterprise users may need to sacrifice a goat for acceptable performance. Please send Proof of Sacrifice to:
              3965 Freedom Circle
              Santa Clara, CA 95054
              USA
      In the event that you cannot supply a Proof of Sacrifice: Please wait for Earth to acquire a second moon and we may let your browser connect to websites, in which case you can find more about our alternative methods.

    2. Re:And I bet... by SurturZ · · Score: 4, Funny

      ...it'll only take 128MB of RAM and 30% of your processor!*

      * Requirements in Vista may be higher

      ...and as a service to our customers, you will be automatically upgraded to the professional version which doubles the RAM and processor requirements for only a 50% increase in your monthly fee. You don't need to do anything*!

      * Customers may opt out of this offer by finding and checking the disabled checkbox that says "opt out" on the hidden page on our website. WARNING: If you somehow manage to opt out, we'll take it personally.

      (I'm just waiting for the day my account gets automatically upgraded to the point where it starts automatically buying shares in McAfee)

  5. I guess this is the new "cool thing" by RootWind · · Score: 4, Informative

    I guess all the security companies are heading toward community based databases. Other similar products include
    F-Secure Deepguard: http://www.f-secure.com/deepguard
    Threatfire: http://www.threatfire.com/ (recently acquired by Symantec... so they are in the game now)
    DriveSentry: http://www.drivesentry.com/
    Prevx: http://www.prevx.com/

  6. Antivirus software is bullshit by Mike610544 · · Score: 4, Interesting

    when a PC gets hit by malicious computer code.

    A PC doesn't "get hit" by "malicious computer code" too often these days. The target unintentionally (but by their own action) runs malicious code because they're ignorant. Even running Windows (patched w/ firewall) there aren't many ways you can get pwned without clicking on the "RUN VIRUS NOW" button (admittedly recognizing the ways that button can masquerade itself is a skill.)

    Trying to protect people against themselves is futile. Antivirus software is like the Maginot Line. It only works against shit they're expecting.

    There's no substitute for educating computer users about what's not to be clicked upon (and/or run as root.)

    --
    ... also, I can kill you with my brain.

  7. Big Brother gets to examine all your files by Animats · · Score: 5, Insightful

    Here's McAfee's explanation of how it works:

    1. A user receives a file that the scan agent deems suspicious (for example, an encrypted or packed file) and for which there is no signature in the local .DAT database.
    2. Using McAfee Artemis Technology, the agent sends a fingerprint of the file for instant lookup to the comprehensive database at McAfee Avert® Labs.
    3. In less than a second, if the fingerprint is identified as known malware, an appropriate response is sent to the user to block or quarantine the file.

    In other words, every time you download a binary file, McAfee HQ knows about it and logs it. Was this dreamed up by the RIAA, the NSA, or the anti-child-porno people?
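    As an added example that is not McAfee's code, here is the lookup flow the thread describes (brucifer's hash-only submission and opt-out, interiot's unanalysed queue cross-checked against a whitelist, and the three steps quoted above) modelled client side; the file contents, hash sets and the "suspicious" heuristic are all constructed stand-ins:

```python
"""Added example (not McAfee's code): the Artemis-style flow described in
the comments, client side.  Only a hash of a suspicious file leaves the
machine, and only after the local signature set (the .DAT) misses; the
cloud side cross-checks its unanalysed queue against a whitelist first.
All file contents, hash sets and the heuristic below are constructed."""
import hashlib

# Constructed stand-ins for PE files; byte permutations mimic packed or
# encrypted content, the plain text file does not.
SAMPLES = {
    "readme.txt": b"just some plain ascii text, nothing packed here",
    "notepad.exe": b"MZ" + bytes(range(256)),                       # legit, packed
    "dropper.exe": b"MZ" + bytes(range(255, -1, -1)),               # new malware
    "oldworm.exe": b"MZ" + bytes(i * 7 % 256 for i in range(256)),  # old malware
    "mytool.exe":  b"MZ" + bytes(i * 3 % 256 for i in range(256)),  # never seen
}

def fingerprint(data: bytes) -> str:
    """Whole-file SHA-256: the one value transmitted on a cloud lookup."""
    return hashlib.sha256(data).hexdigest()

def looks_suspicious(data: bytes) -> bool:
    """Placeholder for the agent's undisclosed heuristic: treat high byte
    diversity (packed/encrypted-looking content) as suspicious."""
    return len(set(data)) > 200

# Endpoint: signatures already shipped in the local .DAT.
LOCAL_DAT = {fingerprint(SAMPLES["oldworm.exe"])}
# Cloud: hashes queued as malware without full analysis, and the vendor
# whitelist that overrides the queue to suppress false alarms.
CLOUD_QUEUE = {fingerprint(SAMPLES["dropper.exe"]), fingerprint(SAMPLES["notepad.exe"])}
CLOUD_WHITELIST = {fingerprint(SAMPLES["notepad.exe"])}

def cloud_lookup(fp: str) -> str:
    """Server-side verdict for a bare hash: 'clean', 'malware' or 'unknown'."""
    if fp in CLOUD_WHITELIST:
        return "clean"
    if fp in CLOUD_QUEUE:
        return "malware"
    return "unknown"

def scan(data: bytes, *, cloud_enabled: bool = True, sent=None) -> str:
    """Return 'allow' or 'quarantine'; 'sent' (a list) records every hash
    transmitted, which is what the privacy objections in the thread concern."""
    if not looks_suspicious(data):
        return "allow"                       # nothing hashed, nothing sent
    fp = fingerprint(data)
    if fp in LOCAL_DAT:
        return "quarantine"                  # step 1: local hit, no lookup
    if not cloud_enabled:
        return "allow"                       # opted out: cloud-only detections lost
    if sent is not None:
        sent.append(fp)                      # step 2: the hash goes to the vendor
    return "quarantine" if cloud_lookup(fp) == "malware" else "allow"   # step 3
```

    Running every sample through `scan` with a shared `sent` list shows exactly which hashes the vendor would see, and disabling `cloud_enabled` shows the cost of opting out: the queued-but-unpublished dropper is no longer caught.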

  8. Flawed methodology by mcrbids · · Score: 5, Insightful

    Using anti-virus to "protect" your computer is like trying to avoid collisions by studying your rear-view mirror. By definition, it only "catches" compromises AFTER THEY ARE SUCCESSFUL.

    Then, we have to trust that:

    1) The compromise is one of the known viruses, or falls into the realm of "suspicious activity".

    2) The compromise was successfully noticed.

    3) All aspects of the virus are known and can be removed.

    4) You (the end user) have sufficient system permissions to remove the virus.

    5) You (the end user) have all updates applied.

    The whole system is woefully fragile and ineffective. Most estimates today seldom put A/V effectiveness above 50% effective, despite the considerable resources consumed by the software. It may be better than poking yourself with a sharp stick, but not by much!

    And here's a good example of this: My kids' computer. It's an Athlon XP 3400 with a GB of RAM and an 80 GB HDD. I got sick of reloading the !@#@$ computer every 3 months when it got all horked with god-knows-what so I did the nasty, this time.

    I installed ALL O/S patches while hooked up to a private network. I installed AVG antivirus. I let the kids only use the computer as the most limited user available: guest. I installed FF and made it the default browser, along with Open Office and a few legal games. (not warez!) I set WinXP to self-update every single day, and not ask about it. The Windows firewall was on, and the computer is on a NAT network, connected to another highly firewalled DMZ.

    Despite all this hassle and inconvenience, the system is STILL behaving rather poorly, 6 months later. Bought me 3 months, but only three more.

    Compare/contrast with the Mac. Same kids. Same amount of usage. Same type of usage for the same purposes. Blogging, MySpace, games, homework. All else the same, but I never bothered with antivirus. Yet it works fine! No bogging down. No strange behavior. Same thing with my Linux laptop, which after some 10 years is still using the same /home partition.

    Good security isn't something you "band aid", it's something you design from the beginning.

    --
    I have no problem with your religion until you decide it's reason to deprive others of the truth.

    1. Re:Flawed methodology by Urkki · · Score: 5, Funny

      Good security isn't something you "band aid", it's something you design from the beginning.

      Yes, but that still doesn't work. You'd have to remove the human element. Enough nuking from orbit should remove both the virus creator and the hapless user, so as long as you protect the actual computer from the EMPs during the bombardment that's probably the safest way to go.

    2. Re:Flawed methodology by im_thatoneguy · · Score: 5, Interesting

      Hear, hear.

      I usually run on a DMZ. No firewall local or at the router.

      I even have a dynamicDNS directed to my main computer.

      I scan regularly. And haven't been infected in over 8 years. (which was my fault for opening an attachment without thinking.)

      My current windows install is about 2 years old with LOTS of use. The computer is 5 years old and it's time to junk it. It's also still suffering from a 4 year old Norton uninstall that seems to have never completed and is getting worse. Norton was the worst thing that ever happened to one of my computers and I still haven't completely purged it.

      What junks up my Windows PCs aren't the illicit viruses that get installed without my permission. It's all the crap that comes along with little freeware worthless pieces of crap that I need to use once to convert some file or another.

      Windows PCs and Macs get used very differently. Having run both of them I used them very differently myself--largely because there just isn't the world of little crappy apps available.

      I'm with parent. Your comparison is apples to oranges.

    3. Re:Flawed methodology by rolfwind · · Score: 4, Interesting

      Bullshit. You must be a retard if you trust anything your kids say. They may be surfing the same sites, but they're downloading and executing ZOMG U MUST SEE THIS!!1 shit on the PC which isn't compatible with any other OS.

      I haven't seen a virus on my PCs since my 286, which came preloaded with them, and my own deliberate HPAVC collection from the BBS days.

      He's not trusting what his kids say, he's seeing the results for himself. And who cares what his kids download? They had limited user accounts, it SHOULD NOT HAVE MADE A DIFFERENCE what they downloaded.

      Some windows users love closing their eyes to the results and stammer and sputter about marketshare and all that crap - but the fact is that Windows has more attack vectors for whatever reason. Like your parent said, security is a bandaid on windows, not built in. I don't know the entire reasons for that, I heard that in unix, services run as a normal user account, sandboxed away from causing damage while in Windows many services run as root - meaning only one has to be compromised for something malicious to gain control.

      There are probably other reasons and the OP may have well talked about Ubuntu instead of a Mac -- but your sample size of one is unconvincing from every angle. You're obviously not the average computer user, nor do you anticipate the truly stupid shit some people do and how kids play with their computers.

      Running as root would be just as stupid (something Ubuntu does not have one do by default but I believe Mac does?) but having extensive contact with the administrators in my old school - they let the macs be while the Windows based systems are set to be reimaged every night simply because it's too much of a pain to keep Windows clean for more than a week among groups of students. Default UAC in Vista might have finally changed that, but their machines still run the cheapest form of XP (without UAC) and it also does not get rid of the services issue.

    4. Re:Flawed methodology by stevied · · Score: 4, Interesting

      I'm pondering the following set-up:

      • 1Gb ageing Athlon box
      • Ubuntu installed on the raw hardware
      • Virtualbox installed on Ubuntu
      • WinXP running in Virtualbox with about 50% of the RAM.
      • Auto login set up on Ubuntu and WinXP, so apart from the Ubuntu splash screen, there's nothing particularly scary to see for the dyed-in-the-wool Windows user I'm jumping through all these hoops for.

      This allows various cool stuff: incoming HTTP and IMAP connections could be scanned with ClamAV, for example. What would be really great would be to just discard changes to the main VB disk image at the end of every session. Obviously user docs + data would be somewhere else, and could potentially get infected, but that's a lot less data to periodically virus scan, or to restore if anything does get in to it.

      Preliminary tests suggest that virtualized windows without on-access scanning runs quite a lot more smoothly than a bare-metal install does with it. The added bonus is that I can ssh into the underlying Ubuntu system and do admin with the rather richer toolset available there than on Windows (though greater personal familiarity with that toolset is also an issue, I admit.)