Verify that GTI File Reputation is installed and endpoints can communicate with the GTI server

Technical Articles ID: KB53733
Last Modified: 2023-04-03 12:15:44 Etc/GMT

Environment

Endpoint Security (ENS) Threat Prevention 10.x
Global Threat Intelligence (GTI) File Reputation

Summary

It's important to make sure that your products remain up to date with the latest virus content and the GTI File Reputation Cloud Service is correctly configured. Also, make sure that the endpoints can communicate with the GTI Cloud Service.

To receive email notification when this article is updated, click Subscribe on the right side of the page. You must be logged on to subscribe.

Contents
Click to expand the section you want to view:

Test GTI-REST connectivity

The ENS for Windows 10.6.1/10.7.0 September 2021 Update and later use GTI-REST by default. GTI File Reputation requires that the computer communicate with the GTI Cloud Service directly using the internet or indirectly using a proxy server. It's vital to verify that endpoints can communicate with the GTI Cloud Service to make sure that the endpoint can use the GTI reputation services. GTI services are a critical part of malware detections.

Use Curl.exe or PowerShell to verify whether the endpoint can connect to the GTI server.

To test with PowerShell if there isn't a proxy server, use the following command:

tnc amcore-ens.rest.gti.trellix.com -port 443

You see a response similar to the following if there's connectivity to the GTI server:

ComputerName     : amcore-ens.rest.gti.trellix.com
RemoteAddress    : x.x.x.x
RemotePort       : 443
InterfaceAlias   : Ethernet 2
SourceAddress    : x.x.x.x
TcpTestSucceeded : True

To test with Curl.exe, use the following command:

If there isn't a proxy server: curl -kv https://amcore-ens.rest.gti.trellix.com:443
If there's a proxy server: curl -kvx proxyaddress:port https://amcore-ens.rest.gti.trellix.com:443

View the output from the above command. A correct lookup contains the following:

* Establish HTTP proxy tunnel to amcore-ens.rest.gti.trellix.com:443
> CONNECT amcore-ens.rest.gti.trellix.com:443 HTTP/1.1
> Host: amcore-ens.rest.gti.trellix.com:443
> User-Agent: curl/7.83.1
> Proxy-Connection: Keep-Alive
>
< HTTP/1.0 200 Connection established
<
* Proxy replied 200 to CONNECT request
* CONNECT phase completed
* ALPN: offers h2
* ALPN: offers http/1.1
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-ECDSA-AES256-GCM-SHA384
* ALPN: server accepted http/1.1
* Server certificate:
* subject: C=US; ST=California; O=Trellix, Inc.; OU=Enterprise; CN=*.rest.gti.trellix.com
* start date: Mar 11 00:00:00 2022 GMT
* expire date: Mar 11 23:59:59 2023 GMT
* issuer: C=US; ST=CA; L=Santa Clara; O=Trellix, Inc.; CN=Trellix OV SSL CA 2
* SSL certificate verify result: self-signed certificate in certificate chain (
19), continuing anyway.
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
> GET / HTTP/1.1
> Host: amcore-ens.rest.gti.trellix.com
> User-Agent: curl/7.83.1
> Accept: */*

Test GTI-DNS connectivity

GTI File Reputation requires that the computer communicate with the GTI server directly using Domain Name System (DNS) or indirectly using an internal DNS that forwards the DNS request to mcafee.com. It's vital to verify that endpoints can communicate with the GTI server to make sure that the endpoint remains up to date. For more information, see KB53782 - Global Threat Intelligence and split Domain Name System (DNS).

Use nslookup to verify whether the endpoint can connect to the GTI server.

Press Windows+R, type cmd, and click OK.
Type or paste nslookup sfqpit75pjh525siewar2dtgt5.avts.mcafee.com and press Enter.
- You see a response similar to the following if there's connectivity to the GTI server:
  
  Server: <mylocaldnsserver.org>
  Address: 161.69.135.201
  
  Name: 4z9p5tjmcbnblehp4557z1d136.avts.mcafee.com
  Address: 127.0.4.8
- Here's an example of failing connectivity to the GTI server:
  
  Server: exampleserver.your.domain.org
  Address: xxx.xx.xxx.xxx
  
  *** exampleserver.your.domain.org can't find sfqpit75pjh525siewar2dtgt5.avts.mss
  mcafee.com: Non-existent domain

Test GTI-REST using the Artemis test program

The ENS 10.6.1/10.7.0 September 2021 Update and later use GTI-REST by default. To test GTI, use the password-protected Rest-GTI-Artemis-test.zip file in the "Attachment" section of this article.

NOTES:

Password protection is applied to the .zip file to make sure that it isn't blocked when sent using email. Passwords normally meet higher security standards. The password is test_detection and the MD5 is 5db32a316f079fe7947100f899d8db86.
The Rest-GTI-Artmeis-test.exe process is a test program and is harmless.

After you extract Rest-GTI-Artemis-test.exe, you can execute the file to trigger an on-access scan (OAS) on this file. The sample contains a test detection that only triggers a detection if GTI File Reputation using REST is enabled and working. The detection name Artemis!5DB32A316F07 appears in the threat event.

Test GTI-DNS using the Artemis test program

To test GTI, use the password-protected ArtemisTest.zip file in the "Attachment" section of this article.

NOTES:

Password protection is applied to the .zip file to make sure that it isn't blocked when sent using email. Passwords normally meet higher security standards. The password is password.
The ArtemisTest.exe process is a test program and is harmless.

After you extract ArtemisTest.exe, you can run an OAS test and an on-demand scan (ODS) test on this file.

OAS test
1. Make sure that ENS is running.
2. Open Windows Explorer and navigate to the folder that contains the test utility.
3. To start the program, double-click ArtemisTest.exe. If GTI File Reputation is enabled, ENS deletes the file or denies access and prevents the file from running (the action taken depends on the configuration).
4. Verify the contents of the DNS client through the command line and check whether the test file is passed to the GTI server.
  1. To perform the OAS test again, double-click ArtemisTest.exe.
  2. At the command prompt, type ipconfig /displaydns and press Enter. This command shows all recent DNS queries made on the computer, including the queries that GTI File Reputation makes. The GTI File Reputation queries are on subdomains of avqs.mcafee.com or avts.mcafee.com.

ODS test

NOTE: To avoid an OAS detection, either exclude the file or directory or temporarily disable the OAS.

Make sure that ENS is running.
Open Windows Explorer and navigate to the folder that contains the test utility.

Right-click the folder or start an ODS through the console for ENS. If GTI is working correctly, the On-Access Scan Messages dialog (similar to below) reports that ArtemisTest.exe is detected. Depending on your settings, the test file is deleted and quarantined as malware.

OAS Messages
Message	VirusScan Alert!
Name	x:\path\Artemistest.exe
Detected As	Artemis5DB32A316F07
State	Deleted

Test GTI using the PDF lookup test

To test GTI, use the password protected ArtemisPDF_test.pdf file in the "Attachment" section of this article.

NOTES:

Password protection is applied to the .zip file to make sure that it isn't blocked when sent using email. Passwords normally meet higher security standards. The password is password.
The ArtemisPDF_test process is a test program and is harmless.

For GTI lookups on PDF files to happen, the following conditions must be met:

The ENS setting for GTI File Reputation must be set to Medium or higher. For instructions, see KB70130 - How to enable Global Threat Intelligence Technology in our products.
Lookups are limited to PDF files that are read or written to the disk using the web browser or email client.

Related Information

For a list of ENS URLs used to perform off-box communication including GTI, see KB93324 - Endpoint Security off-box communication URLs.

Attachment 1

ArtemisTest.zip
126K • < 1 minute @ broadband

Attachment 2

ArtemisPDF_Test.zip
6K • < 1 minute @ broadband

Attachment 3

REST-GTI-Artemis-test.zip
546Bytes • < 1 minute @ broadband

Affected Products

Languages:

This article is available in the following languages:

Knowledge Center

Verify that GTI File Reputation is installed and endpoints can communicate with the GTI server

Environment

Summary

Related Information

Attachment 1

Attachment 2

Attachment 3

Affected Products

Languages:

Title

Title

Knowledge Center

Verify that GTI File Reputation is installed and endpoints can communicate with the GTI server

Environment

Summary

Related Information

Attachment 1

Attachment 2

Attachment 3

Affected Products

Languages:

Choose your region

Title

Title