What is a Threat Artifact?
search cancel

What is a Threat Artifact?

book

Article ID: 161687

calendar_today

Updated On:

Products

Endpoint Protection

Issue/Introduction

You have submitted a suspicious file or email to Symantec for Analysis. The reply describes the message or one of its attachments as “not malicious itself, but may be an artifact of a threat. What exactly does this mean?

"Threat Artifact" means that the email or file in question is not capable of performing any harm by itself, and so does not meet Symantec's criteria for malware detection.  The file may, however, indicate that a threat was present on the computer or that an attack was made against the computer. 

Please note that a verdict of "ThreatArtifact" does not mean that the email or the file is harmless; it may mean that the email or one of its attachments contains a link to a malicious download hosted on a website.

Resolution

For Symantec Cloud Email Security:

Email artifacts are aggregated and provided to Symantec .cloud AntiSpam team for analysis and possible filter creation.  See also Spam email missed (False Negative) in Symantec.cloud for additional information.

 

For Symantec Messaging Gateway (SMG) and Symantec Mail Security for MS Exchange (SMSMSE): 

Please submit email messages that generate a "Threat Artifact" response using the following processes: Manually submitting missed spam, phishing, marketing, suspicious URLS

 

Some examples of Threat Artifacts:

  • A suspicious "Fax message.msg" email was submitted.  Security Response replied that this .msg file is a "Threat artifact" because the email itself is harmless.  The malicious part (against which protection was added) was the file that came as the email’s attachment.  That attachment is treated as a separate file. 
  • A .pdf file was received by mail.  When opened it was found to contain links and a message designed to social engineer the reader into clicking on them.  Security Response replied that this .pdf file is a "Threat artifact" because, though it was used as part of a malicious campaign, the .pdf is not harmful in itself. It does not exploit an Adobe vulnerability to automatically download the malware- it only contains links to URLs that were likely under the control of the malware author at the time the mail was sent.
  • Similarly, a phishing mail or mail attachment would not meet Symantec's criteria for detection as malware.  Phishing protection comes from AntiSpam rather than AntiVirus.
  • A .jpg (image file) contains another file that is hidden with steganography.  The hidden file, when extracted by a tool, is malicious.  Symantec will detect that extracted file.  The .jpg itself would be classified as a Threat Artifact as it cannot perform any harm unless it is intentionally acted upon by another tool.
  • Files damaged by a cryptolocker were submitted.  Security Response replied that the encrypted file is a "Threat artifact." Though it is a sign that malware had been active on that computer, the sabotaged file contains no malicious code and is harmless.  The file should be deleted and restored from a known good backup.   
  • A shortcut file was submitted following a threat outbreak.  Security Response replied that this .lnk file is a "Threat artifact." Many threats create .lnk files in order to spread or remain on computers. However, these shortcuts are just pointers to malicious files.  They are not malicious in themselves.