Last Modified: 6/14/2016
McAfee Global Threat Intelligence (GTI) File Reputation
McAfee SaaS Endpoint Protection 5.x
McAfee VirusScan Enterprise 8.x
What is GTI File Reputation?
GTI File Reputation provides you with always-on, real-time protection that safeguards and secures you from emerging threats. GTI File Reputation enables you to leverage the threat intelligence gathered by McAfee Labs to prevent damage and data theft even before a signature update is available, making endpoints smarter and safer. GTI File Reputation technology extends the protection capabilities of McAfee products by providing access to an online cloud database containing file classification details to determine if a file is malicious. Because the database of malicious file classifications is extensive and changes frequently, GTI File Reputation queries the online GTI cloud servers about potentially suspicious files to achieve and maintain the highest security levels.
How does GTI File Reputation work?GTI File Reputation provides the most up-to-date malware detection for a number of Windows-based McAfee anti-virus products. GTI File Reputation looks for suspicious programs, Portable Document Format (PDF) files, and Android Application Package (.APK) files that are active on endpoints running McAfee products, including VirusScan Enterprise (VSE) and SaaS Endpoint Protection (formerly known as Total Protection Service). If any suspicious files are found that do not trigger existing signature DAT files, GTI sends a DNS request to a central database server hosted by McAfee Labs. This server is continually updated whenever new malware is found. When the Global Threat Intelligence Cloud at McAfee Labs receives the request from the GTI File Reputation enabled endpoint, it determines if this program is suspicious and responds appropriately.
Why must I be online to use GTI File Reputation?
GTI File Reputation accesses an online master database to determine if a file is suspicious. Because the McAfee database of suspicious files is extensive and changes frequently, it is not sent to you in advance. GTI File Reputation technology must query the online GTI Cloud about these suspicious files to achieve and maintain the highest security levels.
Does GTI File Reputation take up much bandwidth?
GTI File Reputation takes up minimal bandwidth because it triggers only if the existing DAT files do not detect a threat in the program, PDF, or .APK being scanned. Determination of suspicious files is carefully tuned so that only truly suspicious files generate network traffic. If the sensitivity setting is set to Very Low or Low, you can expect an average of 10-15 queries per day, per computer. If the setting is set to Medium, High, or Very High, you can expect an average of 20-25 queries per day, per computer. The number of queries depend on the scan type (On-Access Scan or On-Demand Scan) and how many files are being scanned.
If the GTI Cloud is unavailable, will I still be protected?
If your McAfee point product cannot contact the McAfee Labs GTI Cloud, your anti-malware products will use only the local copy of the DAT files for detection. If the GTI Cloud is unavailable, your protection will not be reduced to levels below that of standard DAT files.
Back to contents
What is the Intel Security definition of suspicious files?
A suspicious file is any program executable, Portable Document Format (PDF), or Android Application Package (.APK) file that has characteristics common to malicious files. In the case of executable files, GTI looks for certain identifiers within the executable to determine if the program has particular characteristics normally associated with malware. For example, whether or not the file is packed. Typically less than one percent of clean program executable files or PDF files meet the suspicious criteria, meaning that most files do not cause your GTI-enabled product to initiate a query. Other document files, such as Microsoft Word documents, are not affected by this enhancement as it only focuses on potentially malicious PDF documents.
What kinds of files are scanned?
GTI scans executables, PDF documents, and .APK files. GTI File Reputation has traditionally been used for scanning malicious program executables. However, with the continued growth of PDF and APK based malware, Intel Security has extended the capabilities of our cloud technology to best protect in this threat space. GTI File Reputation must be set to at least medium sensitivity in order to perform reputation lookups on PDF or APK files.
Can data files cause a GTI File Reputation query to be sent?
It is not possible for documents or other data files, such as Microsoft Word documents containing user-derived data, to cause a GTI File Reputation query to be sent, neither are samples automatically submitted to Intel Security. Files that can be queried are:
- Program executables that can contain malicious code
- Portable document format (.PDF) files that can contain malicious code
- Android Application Package File (.APK) file that can contain malicious code
- Configuration files that can be modified maliciously such as the Windows hosts file
What happens when GTI finds a suspicious file?
Instead of sending the whole file, GTI File Reputation sends only a fingerprint, which is typically less than 40 bytes of information. This is the minimum amount of information necessary to determine the nature of the file.
By default, without specifically opting in to share threat information with Intel Security, the query packet from your GTI File Reputation enabled McAfee products contains the following:
Version and product information This data indicates the internal version number of the driver(s) that determined a file was suspicious, the DAT file version, the McAfee product and version, and the product component that performed the scan. File Hash This consists of a hash of the file that uniquely identifies the file if it exists in the Intel Security master database. Fingerprint Information This is a bit sequence that indicates the presence of traits internal to the file structure that are common in malware. This data is restricted to data derived from the structure of a file. Environmental Information This is a bit sequence that indicates the presence of environment cues commonly associated with malicious samples. The data is restricted to information that the operating system stores about a file and does not include filename or other personally identifiable information stored in the file.
Will GTI File Reputation protect me from malware only, or will it also cover Potentially Unwanted Programs (PUPs) and spam?
Currently, malware and PUPs are covered. To protect against spam, use an anti-spam product or a plugin.
How much will my malware detection improve with GTI File Reputation?
All new threats found by McAfee Labs are immediately added to the GTI database and are made available for GTI-enabled endpoints to provide a near immediate ability to protect you from new and emerging threats. This protection is made available well in advance of the signature for the new threat being included in regularly released DAT files.
I would like to turn on GTI File Reputation to report suspicious files to Intel Security, how do I proceed?
Intel Security recommends you select the sensitivity setting Medium in your product. For information on how to enable GTI File Reputation in VSE, see article KB70130.
Back to contents
I currently test each .DAT before deploying to my endpoints. How would GTI File Reputation affect my existing processes?
GTI provides protection outside your existing processes. For more information about how to enable GTI in your McAfee product, see article KB70130.
I have privacy concerns - what information is sent to Intel Security?
The data sent never includes any portion of any file scanned, so there is no chance of any information leaks. Any lookup is performed only on suspicious files and consists of a 32-byte fingerprint generated and sent to the GTI Cloud and a response is given if the fingerprint is determined as that of a malicious file.
- It is impossible to recreate the file or any of its contents from this fingerprint.
- To show the current Windows DNS cache, from the command line, type ipconfig /displayDNS and press ENTER. This shows all recent DNS queries made on the computer in question (including those made by GTI File Reputation).
- GTI File Reputation queries can be recognized because they are on sub domains of avqs.mcafee.com or avts.mcafee.com.What information does Intel Security keep in LOG files?
Intel Security only keeps anonymous logs of the queries from clients. Intel Security uses data-mining techniques to correlate global trends such as where in the world queries originated, and also what distribution vector was used (for instance, web versus email). Intel Security uses this prevalence data to identify new trends in the threat landscape and to better provide protection against emerging threats to Intel Security customers.
NOTE: GTI File Reputation logs do not contain any information about individual computers or users and it is impossible for Intel Security to use that information to derive such data.
How are GTI File Reputation queries sent?
GTI File Reputation queries are sent in clear text, with additional authentication added as appropriate.
Example query: 4z9p5tjmcbnblehp4557z1d136.avqs.mcafee.com or 4z9p5tjmcbnblehp4557z1d136.avts.mcafee.com
All information GTI File Reputation sends to Intel Security is anonymous, it does not contain any information about the user or the computer. Also, because the DNS infrastructure is used to transport the query, it is impossible for Intel Security to identify the IP address of the originating computer from the GTI File Reputation communication.
Back to contents
GTI File Reputation sounds like it generates many updates per day, so why would I not use Beta DAT files instead and how does Active Protection differ?
GTI File Reputation allows endpoints to protect against specific malware as soon as McAfee Labs determines a sample is suspicious. GTI File Reputation does not provide protection for classes of malware, just specific samples that have triggered a response.
What do users or administrators see when Active Protection detects malware?
A GTI File Reputation detections are shown in your McAfee product in the same way generic detections are shown. The detected program or binary is deleted or quarantined based upon your product settings.
What are the risks of using Active Protection? Can it generate false-positives?
Anti-malware protection products very rarely generate false-positives and Intel Security testing has shown that GTI File Reputation has a lower false positive rate than existing McAfee DAT files. GTI File Reputation detects specific instances of malware, as opposed to classes of malware, which significantly reduces the chances of generating false-positive detections.
Back to contents
To review the FAQs for Global Threat Intelligence Proxy, see article KB71000.
Email & Web Security 5.6
Email Gateway 7.6
Host Intrusion Prevention 8.0
Network Security Manager 7.1.x
Network Security Sensor Appliance 7.1.x
Network Threat Behavior Analysis Appliance 8.1.x
Network Threat Response A100 Sensor Appliance (A100) 2.x
Network Threat Response A200 Sensor Appliance (A200) 2.x
Network User Behavior Analysis (Securify) 6.x
SaaS - AntiVirus/Anti-Spyware Protection 6.0.x
SaaS - AntiVirus/Anti-Spyware Protection 5.4
Security for Microsoft Exchange 8.0
Security for SharePoint (PortalShield) 3.0
SiteAdvisor Enterprise 3.5
Threat Prevention and Removal
VirusScan Enterprise 8.8
Beta Translate with
Select a desired language below to translate this page.
Glossary of Technical Terms
Please take a moment to browse our Glossary of Technical Terms.