McAfee Artemis Claims Protection Online, On-the-Fly

Seems like McAfee has created a new Internet-based service to provide active protection on the fly when a PC gets hit by malicious computer code. "[Artemis] is a lot faster than traditional methodologies and it closes the gap between when a piece of malware is written, discovered, analyzed and protected against ... Artemis is available at no charge as part of McAfee VirusScan Enterprise or McAfee Total Protection Service for small and medium-sized businesses. Artemis is also available for McAfee's consumer products, where the functionality is called Active Protection."
  • by pushing-robot ( 1037830 ) on Monday September 08, 2008 @11:56PM (#24929021)

    TFA basically states that anything behaving "suspiciously" on your PC will be automatically sent back to McAfee for analysis. There's no mention at all of possible privacy risks.

    Sheezus.

  • by G3ckoG33k ( 647276 ) on Tuesday September 09, 2008 @12:00AM (#24929051)

    "Artemis is available at no charge as part of McAfee VirusScan Enterprise or McAfee Total Protection Service for small and medium-sized businesses."

    I guess enterprise editions don't come at no charge.

  • by RootWind ( 993172 ) on Tuesday September 09, 2008 @12:31AM (#24929203)
    I guess all the security companies are heading toward community based databases. Other similar products include
    F-Secure Deepguard: http://www.f-secure.com/deepguard [f-secure.com]
    Threatfire: http://www.threatfire.com/ [threatfire.com] (recently acquired by Symantec... so they are in the game now)
    DriveSentry: http://www.drivesentry.com/ [drivesentry.com]
    Prevx: http://www.prevx.com/ [prevx.com]
  • by brucifer ( 12972 ) on Tuesday September 09, 2008 @12:56AM (#24929361)

    I've actually spoken with McAfee about this at length. If a suspicious file is found (not going into what is deemed suspicious out of professional courtesy) a fingerprint (hash) of the file is sent back to McAfee to see if it matches a known malware sample. If it matches, then the file is deleted or quarantined, or whatever the default behavior is. This only takes place if the malware doesn't trigger one of the other protection pieces in place.

    There are settings in both the corp and home editions that let you decide if you want to send samples back to McAfee or just turn the feature off. It's a surprisingly cool thing to come out of one of the big players.

  • Re:ugh. (Score:5, Informative)

    by interiot ( 50685 ) on Tuesday September 09, 2008 @01:20AM (#24929475) Homepage
    More here [av-comparatives.org]:

    This new technology (Artemis) looks for suspicious PE files [EXEs, DLLs, etc], and when found it sends some kind of checksum (with no personal/sensitive data) to a central database server hosted by McAfee AVERT Labs. The central database server is constantly updated with new discovered malware, and is McAfee's malware queue for which no official DATs have been created so far. If a match is found in the central database, the scanner will report and handle the malware detection. The files in McAfee's queue have not been[sic] undergone any analysis, but they are crosschecked by McAfee's huge whitelists to avoid false alarms.

    By having a remotely maintained blacklist it may be able to provide faster protection to new malware than vendors which release signature updates many times at[sic] day to cover the high amounts of new malware appearing every hour.

    ...

    Update (May 2008): we re-tested Artemis over our clean-set in May 2008 and now that McAfee has expanded its whitelists, Artemis still produces relatively many false alarms, but at least no longer on very important/critical files.

    What could go wrong?

  • by Itninja ( 937614 ) on Tuesday September 09, 2008 @02:29AM (#24929773) Homepage
    I agree there is no substitute for educating users about the pitfalls of getting click-happy. But it's a bit naive to just call all AV software BS across the board. There are any number of ways to get 'pwned' without ever having to click a single button - especially in Windows. One that comes to mind is our old friend 'autorun'. Every Windows system since '95 has come with this little chestnut turned on by default. You want to put a keystroke logger or other malicious code on someone's Windows system? Just burn it to a CD and write an autorun.inf file to do whatever you like silently and without user interaction. Without any security software running, the user is totally hosed.

    You think you can educate the user(s) to remember to always hold down shift when inserting a CD/DVD? Yeah, good luck with that.
  • by Anonymous Coward on Tuesday September 09, 2008 @02:37AM (#24929803)

    If only a hash is sent back to McAfee it seems like it would be trivial to code a virus (or other malware) that will go unnoticed. All you would need to do is add a few extra bytes in the file and fill them with random data when the machine is infected. Because the hash depends on this random data it is not likely to match another hash from the same virus on a different machine, so the virus will go unnoticed.

  • by Kalriath ( 849904 ) * on Tuesday September 09, 2008 @05:58AM (#24930601)

    That's wrong, not informative. Any modern Windows OS (XP SP2, Vista) pops up a box asking what you want to do when you insert the disk (which includes the option "Run the program"). It will not, however, automatically run anything.

  • by domatic ( 1128127 ) on Tuesday September 09, 2008 @08:49AM (#24931453)

    Running as root would be just as stupid (something Ubuntu does not have one do by default but I believe Mac does?)

    What Macs and newer Linux distros, Ubuntu included, do is make the first user created on the system a "computer administrator". Only such a "computer administrator" can install software outside the home directory or change system settings and all such activities are password prompted. Unless that password is supplied for administrative actions, these users have no more privilege than regular users.

    It isn't perfect. A nasty could run in the background as that user and silently sniff for that password but such attacks aren't common. It is fairly common practice to mitigate that on Linux systems by forbidding software to execute from the home directories. That would be possible on OS X as well but doesn't seem to be a very common practice.

  • gone in 60 seconds (Score:3, Informative)

    by v1 ( 525388 ) on Tuesday September 09, 2008 @10:04AM (#24932289) Homepage Journal

    Really can they do that? Code Red (admittedly a worm not a virus) took what, 8 minutes, to do most of its propagation. I don't think they can do anything useful in terms of speedy. Getting out the defs a few days faster protects me from 20% more viruses. That's about meaningless. Unless you're going to knock it down a few orders, you're not helping the situation very much.

  • by arth1 ( 260657 ) on Tuesday September 09, 2008 @01:28PM (#24934911) Homepage Journal

    You're reinventing the wheel here. Viruses that did that were common back in the early 90s.

    First, the more stupid AV programs would use a hash. The virus writers countered that simply by including an infection counter. The counter would increase with every infection, modifying the hash.
    Then the less gifted AV program writers would hash just certain parts. The virus writers countered that by having the first instruction of the virus be a jump to where the virus was, and the actual virus block being moved at random within a bigger block whenever a new infection occurred.
    So then the AV writers scanned for identifiers without looking at the location. The answer from the virus writers was to insert NOP statements at random inside the code, and shuffle these around at every new infection.

    Incidentally, my own antivirus program (VScan) would in its deepest mode disassemble the code and emulate the actions of it without executing it, to see whether the result of the code would perform certain actions which only OS routines and viruses would ever do. This foiled some attempts at stealth, like adding numbers to generate an offset, or mutating the registers being used, and also allowed for finding new viruses that used the same techniques but not the same code as older viruses.

    Then came XOR'ing the virus, then self-extracting compression, then actual encryption -- and the race is still on.
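The two threads of argument above (the av-comparatives description of a hash lookup against a vendor-side queue cross-checked by a whitelist, and the AC and arth1 comments on why a whole-file hash is defeated by an infection counter, random padding and shuffled NOPs) can be shown side by side in a small simulation. This is an added example, not code from the page or from McAfee; the "virus" bytes, the "system file", the malware queue and the whitelist are all constructed here, and nothing in it reflects how Artemis actually decides what is suspicious.

```python
"""Toy model: exact-hash cloud lookup vs. normalized byte-pattern matching.

Added illustration only. The sample bytes are constructed (three harmless
x86-style instructions), not real malware, and the queue/whitelist are
in-memory sets standing in for a vendor-side database.
"""
import hashlib
import random

NOP = 0x90  # x86 one-byte NOP, the padding arth1 describes being shuffled

# Constructed core of the toy "virus": three instructions, no 0x90 bytes.
CORE = [b"\xb8\x01\x00\x00\x00",  # mov eax, 1
        b"\xbb\x02\x00\x00\x00",  # mov ebx, 2
        b"\xcd\x80"]              # int 0x80


def make_infection(counter: int, rng: random.Random) -> bytes:
    """One 'generation' of the toy sample (constructed): a short jump over a
    4-byte infection counter, the core instructions with a random number of
    NOPs between them, and a random junk trailer (the AC's trick)."""
    body = bytearray(b"\xeb\x04")                      # jmp short +4
    body += counter.to_bytes(4, "little")              # infection counter
    for insn in CORE:
        body += insn + bytes([NOP]) * rng.randint(0, 3)
    body += bytes(rng.getrandbits(8) for _ in range(rng.randint(1, 8)))
    return bytes(body)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def cloud_lookup(file_hash: str, queue: set, whitelist: set) -> str:
    """Hash lookup against an unverified malware queue, cross-checked against
    a whitelist first so a queued-but-known-good file never alarms."""
    if file_hash in whitelist:
        return "clean"
    if file_hash in queue:
        return "malware"
    return "unknown"


def normalize(data: bytes) -> bytes:
    """Drop NOP padding before matching. Deliberately lossy: a 0x90 that is
    part of an immediate or data is removed too, which is a false-positive
    risk a real scanner would have to bound (e.g. by disassembling)."""
    return bytes(b for b in data if b != NOP)


def pattern_scan(data: bytes, signatures) -> bool:
    """Location-independent byte-pattern match over the normalized image,
    i.e. 'scan for identifiers without looking at the location'."""
    img = normalize(data)
    return any(sig in img for sig in signatures)


def run_demo(generations: int = 20, seed: int = 7) -> dict:
    rng = random.Random(seed)
    samples = [make_infection(i, rng) for i in range(generations)]

    # The vendor has seen exactly one infection and queued its hash.
    queue = {sha256_hex(samples[0])}
    # A constructed "critical system file" that was wrongly queued as well;
    # the whitelist is what keeps it from being flagged.
    system_file = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00"
    queue.add(sha256_hex(system_file))
    whitelist = {sha256_hex(system_file)}

    # One signature: the core instructions with padding removed.
    signatures = [b"".join(CORE)]

    hash_hits = sum(cloud_lookup(sha256_hex(s), queue, whitelist) == "malware"
                    for s in samples)
    pattern_hits = sum(pattern_scan(s, signatures) for s in samples)
    return {
        "generations": generations,
        "hash_hits": hash_hits,          # only the one sample the vendor saw
        "pattern_hits": pattern_hits,    # every generation
        "system_file_verdict": cloud_lookup(sha256_hex(system_file),
                                            queue, whitelist),
    }


if __name__ == "__main__":
    print(run_demo())
```

Running it shows the point both commenters make: the whole-file hash only ever matches the single generation whose hash was submitted, because the counter and the random trailer change every byte-identical comparison, while a signature over the NOP-stripped image catches all of them. The whitelist check is also why the av-comparatives note about false alarms matters: the constructed "system file" is in the queue, but the whitelist takes precedence, so it is reported clean.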
