An extra.dat is compiled with a pre-set expiry date. Post the expiry date, it would delete itself. The date range can depend on whether the extra.dat was compiled by automation, a human researcher or the type of signature it contains.
The best way to confirm if detection has been included is to rescan the sample and check for detection in the dats.
Do I have to delete the extra.dat file before doing the test, or is there a way to see if the malware is detected by the extra.dat file or by the normal dat-file?
E.g. I have an extra.dat file activated last week and now there is still a warning: Generic.Tra!22e40fcd4d19 (ED) (Trojan). Is this because the extra.dat takes precedence over the normal dat-file, or because the signature is not known in the normal dat-file?
The ED in the detection name denotes this was an extra.dat based detection.
The precedence followed is extra.dat --> DATs --> Artemis lookup
Remove the extra.dat and rescan the file. It should get detected as X97M/Downloader.d with the latest dats.
Thanks, it works.
1) But how do you know that X97M/Downloader.d = Generic.Tra!22e40fcd4d19 and that X97M/Downloader.d is detected with the latest dats?
2) Is there a way to see the expiry date of an extra.dat file?
1. Being a McAfee Labs employee, I have access to our backend systems and looked up that the partial hash 22e40fcd4d19 translated to MD5: 22e40fcd4d1901b94ff4972cd472d185. Then checked that file against our latest sigs.
2. There is no externally available tool or product that will display the expiry date. Sorry, but this info is internal only too.
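An added example, not from this thread or from McAfee's own tools: a small Python helper that pulls the (ED) marker and the partial hash out of detection names in a scan log, expands the partial hash against a local inventory of full MD5s (the 12-hex-character prefix relationship the reply above describes), applies the stated extra.dat --> DATs --> Artemis precedence, and lists which detections depend on the extra.dat and so need a rescan once it is removed. The log line layout and file paths are constructed for the example and are not a McAfee log format.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed scan-log lines for this example (the layout is assumed, not a McAfee log format).
SAMPLE_LOG = """\
2024-01-10 09:12:01 C:\\Users\\a\\Downloads\\invoice.xls Generic.Tra!22e40fcd4d19 (ED) (Trojan)
2024-01-10 09:12:05 C:\\Users\\a\\Downloads\\sheet.xls X97M/Downloader.d (Trojan)
"""
# Detection precedence as stated in the thread: extra.dat, then DATs, then Artemis lookup.
PRECEDENCE = ("extra.dat", "DATs", "Artemis")
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<path>.+?) (?P<name>\S+)(?P<ed> \(ED\))? \((?P<category>[^)]+)\)$"
)

@dataclass
class Detection:
    path: str
    name: str
    category: str
    from_extra_dat: bool          # "(ED)" suffix: signature came from an extra.dat, which expires
    partial_hash: Optional[str]   # 12 hex chars after "!" in names like Generic.Tra!22e40fcd4d19

def parse_detection(line: str) -> Optional[Detection]:
    """Split one log line into its fields; returns None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    name = m.group("name")
    partial = None
    if "!" in name:
        suffix = name.split("!", 1)[1]
        if re.fullmatch(r"[0-9a-f]{12}", suffix):
            partial = suffix
    return Detection(m.group("path"), name, m.group("category"),
                     m.group("ed") is not None, partial)

def resolve_partial(partial: str, known_md5s) -> List[str]:
    """Expand a 12-char partial hash to the full MD5(s) it prefixes in a local sample inventory."""
    return sorted(h for h in known_md5s if h.lower().startswith(partial.lower()))

def effective_source(matching_sources) -> Optional[str]:
    """Which source reports a sample when several would match, following PRECEDENCE."""
    return next((s for s in PRECEDENCE if s in matching_sources), None)

def needs_rescan(log: str) -> List[Tuple[str, str]]:
    """(path, name) of detections that rely on the extra.dat: rescan these once it is removed."""
    hits = (parse_detection(l) for l in log.splitlines())
    return [(d.path, d.name) for d in hits if d and d.from_extra_dat]
```

Feed `resolve_partial` the MD5s of the files you actually submitted; a partial hash that expands to more than one local sample is ambiguous and should be checked file by file.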