Original article: http://feeds.ziffdavisenterprise.com/~r/RSS/cheap_hack/~3/VyuqqR5FRAs/more_details_on_mcafees_artemis.html
More Details on McAfee's Artemis
2008-09-19 11:25:41 by Editor in Cheap Hack
 
I spoke with McAfee recently, following my column about its Artemis technology, and learned a few things.

Artemis kicks in when the local anti-virus scanner determines, through behavioral methods, that a file is suspicious. It then sends a fingerprint of the file up to the Artemis servers for further analysis. I had assumed that this fingerprint was a hash of some kind, but that was a simplistic assumption. The fingerprint includes characteristics of the file, including the ones the scanner used to decide that the file was suspicious: Is it packed? With certain packers in particular? Is it compressed (not the same thing)? Is it a certain size? In case I was unclear before, none of this involves signatures in the conventional sense.

It occurs to me that this could lower false positives, compared with conventional behavioral analysis, because it subjects suspicious threats to more extensive analysis in the cloud. It all depends on how aggressive McAfee is at that stage.

Another thought I had is that since Artemis kicks in as a result of behavioral analysis, the threat has already hit the system by the time Artemis is invoked. Presumably the process is asynchronous, and Artemis could return its analysis some time after the submission. If that is the case, there could be a while during which malware is running rampant on your system.
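As an added example (not McAfee's code, and not from the original column), here is a toy of the feature-based fingerprint the paragraph above describes: a minimal PE section-table walk that records the hash and size alongside the traits a local heuristic would have used, namely packer-specific section names and per-section entropy, with the "packed" and "compressed" questions answered separately because, as the column says, they are not the same thing. The packer-name list, the entropy threshold, the field names and the `local_verdict` rule are assumptions for illustration; the PE images are constructed inline for the demo and are not executable.

```python
"""Feature-based fingerprint of the kind described above: not just a hash,
but the traits the local scanner used to call the file suspicious.

Added example, not McAfee's code. Packer section names, the entropy
threshold and the feature names are assumptions for illustration; the
PE images are constructed inline and are not executable."""
import hashlib
import math
import struct

# Section names typical of known packers (illustrative, assumed list).
PACKER_SECTIONS = {
    b"UPX0": "UPX", b"UPX1": "UPX", b"UPX2": "UPX",
    b".aspack": "ASPack", b".petite": "Petite",
    b".themida": "Themida", b"MPRESS1": "MPRESS",
}
COMPRESSED_ENTROPY = 7.0  # bits/byte; assumed threshold for "looks compressed"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for compressed/encrypted data, near 0 for padding."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list[tuple[bytes, bytes]]:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", pe, coff + 2)[0]   # NumberOfSections
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]    # SizeOfOptionalHeader
    table = coff + 20 + opt_size
    sections = []
    for i in range(n_sections):
        hdr = table + i * 40                                 # 40-byte section header
        name = pe[hdr:hdr + 8].rstrip(b"\0")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, hdr + 16)
        sections.append((name, pe[raw_ptr:raw_ptr + raw_size]))
    return sections


def fingerprint(pe: bytes) -> dict:
    """What would go upstream: hash, size, and the packing/compression traits."""
    sections = parse_sections(pe)
    entropy = {n.decode("latin-1"): round(shannon_entropy(d), 2) for n, d in sections}
    return {
        "sha256": hashlib.sha256(pe).hexdigest(),
        "size": len(pe),
        "sections": list(entropy),
        # "Is it packed? Which packer?" -- answered from section names.
        "packer": sorted({PACKER_SECTIONS[n] for n, _ in sections if n in PACKER_SECTIONS}),
        # "Is it compressed?" -- a different question, answered from entropy.
        "compressed_sections": [n for n, e in entropy.items() if e > COMPRESSED_ENTROPY],
        "section_entropy": entropy,
    }


def local_verdict(fp: dict) -> str:
    """Assumed local heuristic: only 'suspicious' files trigger the cloud lookup."""
    return "suspicious" if fp["packer"] or fp["compressed_sections"] else "clean"


def build_pe(sections: list[tuple[bytes, bytes]]) -> bytes:
    """Construct a minimal PE image (headers + section table + raw data) for the demo."""
    n = len(sections)
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, 0, 0x102)  # no optional header
    ptr = e_lfanew + 4 + 20 + 40 * n                             # first raw-data offset
    table, body = b"", b""
    for name, data in sections:
        table += name.ljust(8, b"\0")
        table += struct.pack("<IIII", len(data), 0x1000, len(data), ptr) + b"\0" * 16
        body += data
        ptr += len(data)
    return dos + b"PE\0\0" + coff + table + body


# Constructed samples: a UPX-style layout whose payload section is high-entropy,
# and a plain image whose code section is mostly padding.
_RANDOMISH = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))
PACKED = build_pe([(b"UPX0", b""), (b"UPX1", _RANDOMISH), (b".rsrc", b"\0" * 256)])
BENIGN = build_pe([(b".text", b"\x90" * 2000 + b"\xC3"), (b".data", b"hello\0" * 100)])

if __name__ == "__main__":
    for label, img in (("packed", PACKED), ("benign", BENIGN)):
        fp = fingerprint(img)
        print(label, local_verdict(fp), fp["packer"], fp["compressed_sections"])
```

Two things the toy makes concrete. First, a hash alone tells the cloud nothing about a file it has never seen, whereas the packer and entropy fields let it reason about an unknown sample; that is the difference the column draws between a fingerprint and a simple hash. Second, `local_verdict` runs over a file that is already on disk, so anything sent upstream after it fires is, by construction, a file the host already has, which is the timing concern raised in the closing paragraph.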