is the "Active Protection" component of McAfee's Security Center which uses a combination of signature and behavior analysis to check with McAfee servers in real-time to identify possible new malware threats. This is accomplished by adding heuristics
to the virus database. McAfee then uses this heuristic detection to analyze the cataloged behaviors and assess the likelihood of possible new variants of malware
before the vendor can get samples and update the program's definitions for detection. This process is similar to Symantec's Bloodhound Technology
. Artemis is not the name of an actual virus
, but an alert displayed by McAfee when it thinks it may have found a new virus
. Artemis is included in the detection name for any file that is quarantined or blocked by McAfee's Global Threat Intelligence (GTI) technology for enhanced detection of unknown threats based on the file's behavior. Thus, Artemis detections may
or may not
In general, heuristics uses non-specific detection methods to find new or unknown malware which allows the anti-virus to detect and stop if before doing any harm to your system. Heuristic scanning methods vary depending on the vendor. Some claim to allow emulation of the file's activities in a virtual sandbox. Others scan the file more intensively, searching line by line inspecting the code in a file to see if it contains virus-like characteristics. If the number of these characteristics/instructions exceeds a pre-defined threshold, the file is flagged as a possible virus
. The disadvantage
to using heuristics is that it is not as reliable as signature-based detection (blacklisting) and can potentially increase the chances that a non-malicious program is flagged as malicious. With heuristics, there is always a potential risk
for a "false positive
" when the heuristic analysis flags a file as suspicious
that contains no malware.
Certain embedded files that are part of legitimate programs or specialized fix tools such as Combofix may at times be detected by some anti-virus and anti-malware scanners as suspicious
, a Risk Tool
, Hacking Tool
, Potentially Unwanted Program
, a possible threat
or even Malware (virus/trojan) when that is not the case
. This occurs for a variety of reasons to include the tool's compiler, the files it uses, whether files are compressed
, what behavior (routines, scripts, etc) it performs, any registry strings it may contain and the type of security engine that was used during the scan. Other legitimate files which may be obfuscated, encrypted or password protected in order to conceal itself so they do not allow access for scanning but often trigger alerts by anti-virus software.
When flagged by an anti-virus or security scanner, it's because the program includes features, behavior or files that appear suspicious or which can potentially be used for malicious purposes. Compressed and packed files in particular are often flagged as suspicious by security software because they have difficulty reading what is inside them. These detections do not necessarily mean the file is malicious or a bad program. It means it has the potential for being misused by others or that it was simply detected as suspicious or a threat due to the security program's heuristic analysis
engine which provides the ability to detect possible new variants of malware
. Anti-virus scanners cannot distinguish
between "good" and "malicious" use of such programs, therefore they may alert you or even automatically remove
them. In these cases the detection is a "false positive
" and can be ignored. Either have your anti-virus ignore the detection or temporarily disable it until you download and run the tool.
The same explanation above applies to AdwCleaner and several other specialized tools commonly used for malware cleanup and disinfection when they are detected.The problem is really with the anti-virus vendors who keep targeting these embedded files and NOT with ComboFix
. We can inform the developer but he has encountered this issue many times before and in most cases there isn't much he can do about it. Once the detection is reported to the anti-virus vendor, they are usually quick to fix it by releasing an updated definition database.