cancel
Showing results for 
Search instead for 
Did you mean: 

Coverage of ExtraDAT

Hello, I've questoon regarding the threats covered by ExtraDATs. When I receive an ExtraDAT I'd like to know: - what's covered (threat names, hashes etc) - if this is also covered by V2/V3 standard DAT/AMCore - if this is also covered by GTI cloud How can I get those information? Since I am administering big environment, I need to balance the risks of deploying the ExtraDAT (false positive) vs the threats already covered by standard McAfee mechanisms. I can't find those information on McAfee website. Where can I find those information? Thank you.
5 Replies
McAfee Employee AdithyanT
McAfee Employee
Report Inappropriate Content
Message 2 of 6

Re: Coverage of ExtraDAT

Hi @andmar3 

Good Question. Since EXTRA DATs are tailor made for particular detections, the information is obtainable only form Support. However, opening these DAT files using a normal text editor should show you the names of detections covered by it.

Was my reply helpful?
If you find this post useful, Please give it a Kudos! l Also, Please don't forget to select "Accept as a solution" if this reply resolves your query!

Thanks and regards,
Adithyan T

Re: Coverage of ExtraDAT

Thanks for your answer.

The problem is that the name in ExtraDAT file usually contains very generic name like "Generic Trojan.kc" which  doesn't say a lot.. Neither it's clear what samples are covered.

My understanding is that ExtraDAT files are prepared by McAfee much quicker and with very  limited testing. This is done to protect against emerging threats not covered by the latests V2/V3 definition file. 

What are the criteria for moving the protection from ExtraDAT to V2/V3 DAT and how can I verify it?

I try to build my ExtraDAT testing/deployment strategy. Without having those information it's hard for me to do it.  

Are there any ExtraDAT testing recommendations from McAfee side?

Shall I ask McAfee support the same coverage questions each time I receive an extraDAT? 

McAfee Employee Thussain
McAfee Employee
Report Inappropriate Content
Message 4 of 6

Re: Coverage of ExtraDAT

McAfee Technical Support team should be able to share the details about coverage. 

Also note, once the Extra Dat is provided to the customer, it will be added to the regular dat in period of 5 to 7 days. 

Was my reply helpful?
If you find this post useful, Please give it a Kudos! l Also, Please don't forget to select "Accept as a solution" if this reply resolves your query!
McAfee Employee AdithyanT
McAfee Employee
Report Inappropriate Content
Message 5 of 6

Re: Coverage of ExtraDAT

Hi @andmar3 

Thank you for your response.


@andmar3 wrote:

The problem is that the name in ExtraDAT file usually contains very generic name like "Generic Trojan.kc" which  doesn't say a lot.. Neither it's clear what samples are covered.

This is a conscious decision taken by McAfee Labs to avoid revealing what detection is meant for what program. This nomenclature is followed to mark a specific genre of malwares and hence one detection name may apply to thousands of samples with a similar behavior/pattern as observed by Labs team.

 


@andmar3 wrote:

 

My understanding is that ExtraDAT files are prepared by McAfee much quicker and with very  limited testing. This is done to protect against emerging threats not covered by the latests V2/V3 definition file. 

What are the criteria for moving the protection from ExtraDAT to V2/V3 DAT and how can I verify it?

Your understanding is absolutely correct here. The movement of ExtraDAT files to regular DAT updates is decided by McAfee Labs. Usually it takes few days however this depends on several factors where prevalence of a malware and its age definitely are taken into account. I am not sure if Labs can answer that, however, Tech Support can always verify if the Extra DAT detection is covered by regular DATs anytime you need.


@andmar3 wrote:

Are there any ExtraDAT testing recommendations from McAfee side?

Shall I ask McAfee support the same coverage questions each time I receive an extraDAT? 


There are no specific Testing recommendations from us. ExtraDATs are to address threats on urgency basis as it should not hamper our regular DAT update releases. Any further Testing form your end is only going to delay the application of the file if you are facing and active infection. However, you can always apply it on the infected machine to confirm capture of the malware and then apply it via ePO to all other machines.

Coverage questions can always be posed at Support, but it can be answered only if the EXTRA DATs are developed for you based on the samples you submit. For example, let's say you submit a sample to us that we detect as Generic Trojan.kc using ExtraDAT file. Now technical Support will be able to help you with the detection name against that particular sample you submitted. However, there may be a hundred more samples that we may detect under the same name and that may not be relevant data to be revealed by Support or Labs.

I sincerely hope this answers your queries!

Was my reply helpful?
If you find this post useful, Please give it a Kudos! l Also, Please don't forget to select "Accept as a solution" if this reply resolves your query!

Thanks and regards,
Adithyan T
Highlighted
McAfee Employee Thussain
McAfee Employee
Report Inappropriate Content
Message 6 of 6

Re: Coverage of ExtraDAT

I would suggest you to kindly log a service request with Support and request them to provide you with the details of malware sample submitted. Our McAfee Labs team will be able to observe the behavior of the malware and share the details with you and also provide the Extra Dat.  

I hope this answers your query

Was my reply helpful?
If you find this post useful, Please give it a Kudos! l Also, Please don't forget to select "Accept as a solution" if this reply resolves your query!
More McAfee Tools to Help You

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community