1 Reply Latest reply on Jan 1, 2011 7:40 AM by vinoo

    Generic.Tra detections

      Here are a few questions for anyone @ McAfee Labs who is willing to answer.


      Could you explain what a Generic.Tra detection is and help me understand them better? From my investigations and knowledge so far:


      I believe Generic.Tra detections are basically a checksum only detection of malicious files. These are then analysed further and eventually make their way into the dat files. The !xxxxxxxx is the first 8 characters of the MD5 checksum of the file.


      I often submit new malware through the portal, and get a generic.tra!xxxxxxxx extra.dat pretty quickly. Is this because it's already a known threat, or is it because the automation detects that the file looks suspicious and creates the extra.dat?


      What would be the longest time between a generic.tra sample being received and the detection making its way into the production dat files? I know a support customer can get this escalated and make it happen sooner.


      Is there a reason why you can't request a generic.tra extra.dat from the Get Extra.dat page here: https://www.webimmune.net/extra/getextra.aspx
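As an added illustration (not code from the thread or from McAfee), the following Python models a checksum-only detection the way the question describes it: the name is "Generic.tra!" followed by the first 8 hex characters of the file's MD5. It assumes the extra.dat itself matches on the full MD5 and that the 8-character suffix is only a label; the thread does not state either.

```python
import hashlib
from typing import Dict, Iterable, Optional

# Constructed sample bytes standing in for a submitted file (not real malware).
SAMPLE = b"constructed sample content for a naming demo\n"


def md5_hex(data: bytes) -> str:
    """Lowercase hex MD5 of the file content."""
    return hashlib.md5(data).hexdigest()


def generic_tra_name(data: bytes) -> str:
    """Detection name as described in the thread: 'Generic.tra!' plus the
    first 8 hex characters of the MD5 of the file."""
    return "Generic.tra!" + md5_hex(data)[:8]


def build_extra_dat(samples: Iterable[bytes]) -> Dict[str, str]:
    """Model of an extra.dat for checksum-only detections.
    Assumption: the match key is the full MD5, while the detection name only
    carries the 8-character prefix (two files sharing a prefix would share a
    name but still match on their own full hash)."""
    return {md5_hex(d): generic_tra_name(d) for d in samples}


def scan(data: bytes, extra_dat: Dict[str, str]) -> Optional[str]:
    """Return the detection name if the file's full MD5 is in the extra.dat,
    else None. A checksum-only detection covers exactly the submitted
    sample, which is why the thread says samples are analysed further
    before a regular dat signature is produced."""
    return extra_dat.get(md5_hex(data))


if __name__ == "__main__":
    extra = build_extra_dat([SAMPLE])
    print(generic_tra_name(SAMPLE), scan(SAMPLE, extra))
```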

        • 1. Re: Generic.Tra detections
          vinoo

          You've pretty much summed up how Generic!tra is authored. If automation can author an extra.dat for a submitted sample - it sends out a Generic!tra so that you can quickly deploy the extra.dat for remediation. Generic.tra extra.dats are also created by human analysts for those samples automation cannot respond to.


          The quickest time for a generic!tra detection to make it to the dats is if the detection authored gets merged into the dats right away. It will reflect in the beta dats within the hour and, after a full QA cycle, come out in the next production dat release. If, for some reason, automation is unable to merge the detection into the dats or the signature is flagged by QA as weak/false - the detection may not get merged into the dats until a human researcher takes a look at the issue. (Escalating the issue via support can help expedite this process.)


          The reason one cannot request a Generic.tra extra.dat from WebImmune is that this detection series is not part of the regular production or beta dats - hence an extra.dat for this detection name cannot be compiled.