
FAQs for Global Threat Intelligence File Reputation
Technical Articles ID:   KB53735
Last Modified:  6/13/2019


McAfee Global Threat Intelligence (GTI) File Reputation


This article answers some common questions about GTI File Reputation.


What is GTI File Reputation?
GTI File Reputation provides always-on, real-time protection against emerging threats.

GTI File Reputation uses the threat intelligence gathered by McAfee Labs to block malicious files before a signature update for them is available. It extends the protection of McAfee products by giving them access to an online cloud database of file classifications, which is consulted to determine whether a file is malicious.

Because the database of malicious file classifications is extensive and changes frequently, GTI File Reputation queries the online GTI cloud servers about potentially suspicious files to achieve and maintain the highest security levels.

How does GTI File Reputation work?
GTI File Reputation provides the most up-to-date malware detection for various Windows-based McAfee anti-virus products.

GTI File Reputation looks for suspicious programs, Portable Document Format (PDF) files, and Android Application Package (.APK) files that are active on endpoints running McAfee products. These products include Endpoint Security (ENS), VirusScan Enterprise (VSE), and SaaS Endpoint Protection (formerly known as Total Protection Service).

If a suspicious file is found that the installed DAT signatures do not already detect, the endpoint sends a DNS query to the GTI cloud servers hosted by McAfee Labs. The database behind those servers is updated continually as new malware is found. When the GTI Cloud receives the query from a GTI File Reputation enabled endpoint, it looks up the file's fingerprint, determines whether the file is malicious, and returns the verdict to the endpoint.

Why must I be online to use GTI File Reputation?
GTI File Reputation accesses an online master database to determine whether a file is suspicious. Because the McAfee database of suspicious files is extensive and changes frequently, it is not sent to you in advance. GTI File Reputation technology must query the online GTI Cloud about these suspicious files to achieve and maintain the highest security levels.

Does GTI File Reputation take up much bandwidth?
GTI File Reputation uses minimal bandwidth because it queries the cloud only when the existing DAT files do not detect a threat in the program, PDF, or .APK being scanned, and each query is a single small DNS packet. Determination of suspicious files is carefully tuned so that only truly suspicious files generate network traffic. If the sensitivity setting is Very Low or Low, you can expect an average of 10–15 queries per day, per computer. If the setting is Medium, High, or Very High, you can expect an average of 20–25 queries per day, per computer. The number of queries depends on the scan type (On-Access Scan or On-Demand Scan) and how many files are being scanned.

If the GTI Cloud is unavailable, am I still protected?
If your McAfee managed product cannot contact the McAfee Labs GTI Cloud, your anti-malware products use only the local copy of the DAT files for detection. Protection is therefore never reduced below the level that standard DAT files provide. You do, however, lose the early coverage of threats that McAfee Labs has classified but that are not yet in a released DAT file, so verify that endpoints can actually resolve the GTI DNS names rather than assuming the feature is working.


What is the McAfee definition of suspicious files?
A suspicious file is any program executable, Portable Document Format (PDF), or Android Application Package (.APK) file that has characteristics common to malicious files.

For executable files, GTI looks for certain identifiers inside the executable to determine whether the program has characteristics normally associated with malware, for example whether the file is packed. Typically, less than one percent of clean program executables or PDF files meet the suspicious criteria, so most files do not cause your GTI-enabled product to initiate a query.

Other document files, such as Microsoft Word documents, are not affected by this enhancement, which focuses only on potentially malicious PDF documents.

What kinds of files are scanned?
GTI scans executables, PDF documents, and .APK files.

GTI File Reputation has traditionally been used for scanning malicious program executables. With the continued growth of PDF- and APK-based malware, McAfee has extended the cloud technology to cover that threat space as well. GTI File Reputation must be set to at least Medium sensitivity to perform reputation lookups on PDF or APK files.

Can data files cause a GTI File Reputation query to be sent?
Documents and other data files, such as Microsoft Word documents containing user-derived data, cannot cause a GTI File Reputation query to be sent, nor are samples automatically submitted to McAfee. The files that can be queried are:
  • Program executables that can contain malicious code
  • Portable document format (.PDF) files that can contain malicious code
  • Android Application Package File (.APK) files that can contain malicious code
  • Configuration files that can be changed maliciously such as the Windows hosts file

What happens when GTI finds a suspicious file?
Instead of sending the whole file, GTI File Reputation sends only a fingerprint, which is typically less than 40 bytes of information. This amount of information is the minimum required to determine the nature of the file.

By default, without opting in to share threat information with McAfee, the query packet from your GTI File Reputation enabled McAfee products contains the following:
  • Version and product information: the internal version number of one or more drivers that determined a file was suspicious, the DAT file version, the McAfee product and version, and the product component that performed the scan.
  • File hash: a hash of the file that uniquely identifies the file if it exists in the McAfee master database.
  • Fingerprint information: a bit sequence that indicates the presence of traits internal to the file structure that are common in malware. This data is restricted to data derived from the structure of the file.
  • Environmental information: a bit sequence that indicates the presence of environment cues commonly associated with malicious samples. The data is restricted to information that the operating system stores about a file and does not include the file name or other personally identifiable information stored in the file.

Does GTI File Reputation protect me from malware only, or does it also include protection against Potentially Unwanted Programs (PUPs) and spam?
Currently, malware and PUPs are covered. To protect against spam, use an anti-spam product or a plug-in.

How much will my malware detection improve with GTI File Reputation?
All new threats found by McAfee Labs are immediately added to the GTI database and made available to GTI-enabled endpoints, giving near-immediate protection against new and emerging threats. This protection is available before the signature for the new threat is included in the regularly released DAT files.

How do I enable GTI File Reputation to report suspicious files to McAfee?
McAfee recommends that you select the sensitivity setting Medium in your product. For information about how to enable GTI File Reputation in VSE, see article KB70130.


I currently test each DAT file before deploying to my endpoints. How would GTI File Reputation affect my existing processes?
GTI provides protection outside your existing processes. For more information about how to enable GTI in your McAfee product, see article KB70130.


I have privacy concerns - what information is sent to McAfee?
The query never includes any part of the scanned file's contents. A lookup is performed only on files that meet the suspicious criteria and consists of a 32-byte fingerprint generated from the file and sent to the GTI Cloud. The cloud responds with a verdict when the fingerprint matches a file it has classified as malicious.

  • The file, or any of its contents, cannot be re-created from this fingerprint. The fingerprint does identify a file that is already in the McAfee database, which is what makes the lookup possible.
  • To show the active Windows DNS cache, from the command line type ipconfig /displaydns and press ENTER. This command lists all recent DNS queries made on the computer in question, including those made by GTI File Reputation.
  • GTI File Reputation queries can be recognized because they are subdomains of avqs.mcafee.com or avts.mcafee.com.

What information does McAfee keep in LOG files?
McAfee keeps only anonymous logs of the queries from clients. McAfee uses data-mining techniques to correlate global trends such as where in the world queries originated, and also what distribution vector was used (for instance, web versus email). McAfee uses this prevalence data to identify new trends in the threat landscape and to better provide protection against emerging threats to McAfee customers.

NOTE: GTI File Reputation logs do not contain any information about individual computers or users and it is impossible for McAfee to use that information to derive such data.

In the future, GTI File Reputation technology might periodically send a unique, anonymous number to inform us that the software is working properly for individual users. This number helps McAfee know the number of people using GTI File Reputation and in what products it has been enabled. The information is intended to help McAfee plan the resources needed to continue to provide quality real-time detection with GTI File Reputation. This method is similar to the cookies used by many websites today, and complies with the McAfee Privacy Policy. For more information, see http://www.mcafee.com/us/about/privacy.html.

How are GTI File Reputation queries sent?
GTI File Reputation queries are sent as ordinary DNS queries in clear text, with the fingerprint encoded in the query name; additional authentication is added as appropriate. Because they are plain DNS, the query names are visible to the resolver the endpoint is configured to use and to anyone on the path, and they are blocked by any policy that blocks those names.

Example query: 4z9p5tjmcbnblehp4557z1d136.avqs.mcafee.com or 4z9p5tjmcbnblehp4557z1d136.avts.mcafee.com

All information GTI File Reputation sends to McAfee is anonymous; it contains no information about the user or the computer. Because the DNS infrastructure transports the query, the GTI servers normally see the source address of the recursive resolver that forwarded it (typically your organization's or ISP's resolver) rather than the address of the originating computer. The exception is an endpoint that resolves directly against the internet, or a resolver that forwards client subnet information, in which case the originating network is visible to the GTI servers like any other DNS query.
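The following is an added example written for this article; it is not McAfee code and is not part of the product. It shows how a defender can recognize GTI File Reputation lookups, both in the local ipconfig /displaydns cache and in resolver logs, and compare an endpoint's daily lookup count with the per-sensitivity query rates quoted under the bandwidth question above. The resolver log format, the ipconfig excerpt and the client addresses are constructed samples, and because this article does not document how the leading query label is encoded, the code matches only the parent domains avqs.mcafee.com and avts.mcafee.com, anchored on a label boundary so that look-alike names do not match.

```python
"""Spot McAfee GTI File Reputation lookups in DNS data.

Added example for this article; not McAfee code. Assumptions:
- A GTI lookup is a subdomain of avqs.mcafee.com or avts.mcafee.com, as
  the article states; the encoding of the leading label is not documented
  here, so only the parent domain is matched.
- The resolver log format ("<ISO timestamp> <client IP> <query name>")
  and the ipconfig /displaydns excerpt below are constructed samples.
"""
import re
from collections import Counter

GTI_SUFFIXES = ("avqs.mcafee.com", "avts.mcafee.com")

# Average daily query counts per computer quoted by the article, by sensitivity.
EXPECTED_PER_DAY = {
    "very low": (10, 15), "low": (10, 15),
    "medium": (20, 25), "high": (20, 25), "very high": (20, 25),
}


def is_gti_query(qname: str) -> bool:
    """True if qname is a GTI File Reputation lookup.

    The match is anchored on a label boundary, so "avqs.mcafee.com.evil.test"
    and "notavqs.mcafee.com" are rejected; the bare apex is not a lookup.
    """
    name = qname.rstrip(".").lower()
    return any(name.endswith("." + suffix) for suffix in GTI_SUFFIXES)


def gti_names_from_displaydns(output: str) -> list:
    """Extract GTI lookup names from `ipconfig /displaydns` output.

    Each cached entry carries a 'Record Name . . . . . : <name>' line;
    only names under the GTI domains are returned.
    """
    names = re.findall(r"Record Name[ .]*:\s*(\S+)", output)
    return [n for n in names if is_gti_query(n)]


def gti_queries_per_client(log_lines) -> Counter:
    """Count GTI lookups per client address in resolver log lines."""
    counts = Counter()
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        _timestamp, client, qname = parts
        if is_gti_query(qname):
            counts[client] += 1
    return counts


def assess_daily_count(count: int, sensitivity: str) -> str:
    """Compare one endpoint's daily GTI lookup count with the article's band.

    Zero lookups from a GTI-enabled endpoint means the cloud was never
    consulted that day (DNS blocked, feature disabled, or nothing suspicious
    scanned), so that host was running on DAT signatures alone.
    """
    low, high = EXPECTED_PER_DAY[sensitivity.lower()]
    if count == 0:
        return "no lookups seen"
    if count < low:
        return "below expected band"
    if count > high:
        return "above expected band"
    return "within expected band"


# Constructed ipconfig /displaydns excerpt. The first record name is the
# article's example query; the remaining field values are placeholders.
SAMPLE_DISPLAYDNS = """\
    avqs.mcafee.com
    ----------------------------------------
    Record Name . . . . . : 4z9p5tjmcbnblehp4557z1d136.avqs.mcafee.com
    Record Type . . . . . : 1
    Time To Live  . . . . : 3
    Section . . . . . . . : Answer
    A (Host) Record . . . : 192.0.2.1

    www.example.com
    ----------------------------------------
    Record Name . . . . . : www.example.com
    Record Type . . . . . : 1
"""

# Constructed resolver log: "<ISO timestamp> <client> <query name>".
SAMPLE_LOG = [
    "2019-06-13T09:00:01 10.0.0.5 4z9p5tjmcbnblehp4557z1d136.avqs.mcafee.com",
    "2019-06-13T09:00:07 10.0.0.5 www.example.com",
    "2019-06-13T09:01:12 10.0.0.5 4z9p5tjmcbnblehp4557z1d136.avts.mcafee.com",
    "2019-06-13T09:02:30 10.0.0.9 avqs.mcafee.com.evil.test",
    "2019-06-13T09:03:44 10.0.0.9 notavqs.mcafee.com",
]

if __name__ == "__main__":
    print(gti_names_from_displaydns(SAMPLE_DISPLAYDNS))
    for client, n in gti_queries_per_client(SAMPLE_LOG).items():
        print(client, n, assess_daily_count(n, "medium"))
```

Run over a full day of resolver logs, gti_queries_per_client gives the per-endpoint counts; an endpoint that is GTI-enabled but shows no lookups at all is the case worth chasing, because it is silently operating at DAT-only protection.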


GTI File Reputation sounds like it generates many updates per day, so why would I not use Beta DAT files instead, and how does Active Protection differ?
Active Protection is the earlier name for GTI File Reputation; the terms are used interchangeably in this article. GTI File Reputation lets endpoints block specific malware as soon as McAfee Labs has classified a sample. It does not provide protection for classes of malware, only for the specific samples that have triggered a response, so it complements DAT updates rather than replacing them.

What do users or administrators see when Active Protection detects malware?
GTI File Reputation detections display in your McAfee product in the same way generic detections are shown. The detected program or binary is deleted or quarantined based on your product settings.

What are the risks of using Active Protection? Can it generate false-positives?
False positives are rare in anti-malware products, and McAfee testing has shown that GTI File Reputation has a lower false positive rate than the existing McAfee DAT files. GTI File Reputation detects specific instances of malware rather than classes of malware, which significantly reduces the chance of a false positive detection.
