1 Reply Latest reply on Sep 3, 2010 2:46 PM by rmetzger

    McAfee daily DATs

      Hey, since about 4 days ago I noticed the daily DAT files posted at http://vil.nai.com/vil/DATReadme.aspx have like 20 new detections and 20 enhanced detections when they come out, but they keep adding new detections to them, so by the time the next DAT will be available the detections will go up to 100 new det and 100 enhanced det. My question is: if I download the DAT when it comes out, will I miss the detections that are added later or? I really have no idea and it kind of worries me; I'd appreciate it if someone can explain how it works.

       

      Let's take for example DAT 6092: when it came out it had 25 new det and 30 enhanced, but by the time 6093 was available, 6092 had 406 new detections.

        • 1. Re: McAfee daily DATs
          rmetzger

          Baboon wrote:

           

          Hey, since about 4 days ago I noticed the daily DAT files posted at http://vil.nai.com/vil/DATReadme.aspx have like 20 new detections and 20 enhanced detections when they come out, but they keep adding new detections to them, so by the time the next DAT will be available the detections will go up to 100 new det and 100 enhanced det. My question is: if I download the DAT when it comes out, will I miss the detections that are added later or? I really have no idea and it kind of worries me; I'd appreciate it if someone can explain how it works.

           

          Let's take for example DAT 6092: when it came out it had 25 new det and 30 enhanced, but by the time 6093 was available, 6092 had 406 new detections.

          No need to worry. Yes, the new detections are added and the size of the file is growing. However, as activity in truly old malware shrinks, at some point, these old detections are removed from the DAT files. So, the size basically can remain the same size (give or take) and performance can be held about where it is. Be sure, new detections remain for quite some time, so that the newest signature file contains the previous new detections as well.

           

          What gets removed is based on the In-The-Wild lack of activity.

           

          Have fun.

          Ron Metzger

           

           

          Message was edited by: rmetzger on 9/3/10 3:46:09 PM EDT