Knowledge Center

FAQs for Global Threat Intelligence File Reputation
Technical Articles ID:  KB53735
Last Modified:  03/18/2014


McAfee Global Threat Intelligence File Reputation
McAfee SaaS Endpoint Protection 5.x
McAfee VirusScan Enterprise 8.x


This article answers some common questions about Global Threat Intelligence (GTI) File Reputation.

Scanning and Detection
DAT Files
Active Protection


What is Global Threat Intelligence?
Global Threat Intelligence (GTI) provides you with always-on, real-time protection that safeguards and secures you from emerging threats. GTI enables you to leverage the threat intelligence gathered by McAfee Labs to prevent damage and data theft even before a signature update is available. This makes endpoints smarter and safer. GTI technology extends protection capabilities of McAfee Security products by providing access to an online cloud database containing file classification details to determine if a file is malicious. Because the McAfee database of malicious file classifications is extensive and changes frequently, GTI File Reputation queries the online GTI cloud servers about potentially suspicious files to achieve and maintain the highest security levels. 
How does GTI work? 
GTI provides the most up-to-date malware detection for a number of Windows-based McAfee anti-virus products. GTI looks for suspicious programs and PDF and APK files that are active on endpoints running McAfee products, including VirusScan Enterprise (VSE) and SaaS Endpoint Protection (formerly known as Total Protection Service). If any suspicious files are found that do not trigger existing signature DAT files, GTI sends a DNS request to a central database server hosted by McAfee Labs. This server is continually updated whenever new malware is found. When the Community Threat Intelligence system at McAfee Labs receives the request from the GTI-enabled endpoint, it determines if this program is malicious and responds appropriately.

Why must I be online to use GTI?
GTI File Reputation accesses an online master database to determine if a file is malicious. Because the McAfee database of malicious files is extensive and changes frequently, it is not sent to you in advance. GTI File Reputation technology must query the online GTI servers about these suspicious files to achieve and maintain the highest security levels.

Does GTI take up much bandwidth? 
GTI takes up minimal bandwidth because it triggers only if the existing DAT files do not detect a threat in the program, Portable Document Format (PDF), or Android Application Package File (.APK) being scanned. Determination of suspicious files is carefully tuned, so that only truly suspicious files generate network traffic. If the sensitivity setting is set to Very Low or Low, you can expect an average of 10-15 queries per day, per computer. If the setting is set to Medium, High, or Very High, you can expect an average of 20-25 queries per day, per computer.

If the GTI server is unavailable, will I still be protected?
If your McAfee point product cannot contact the McAfee Labs server, your anti-malware products will use only the local copy of the DAT files for detection. If the GTI server is unavailable, your protection will not be reduced to levels below that of standard DAT files.

Back to contents


Scanning and Detection

What is the McAfee definition of suspicious files?
A suspicious file is any program executable or Portable Document Format (PDF) or Android Application Package File (.APK) file that has characteristics common to malicious files. In the case of executable files, GTI looks for certain identifiers within the executable to determine if the program has particular characteristics normally associated with malware. For example, whether or not the file is packed. Typically less than one percent of clean program executable files or portable document format files meet the suspicious criteria, meaning that most files do not cause your GTI-enabled product to initiate a query. Other document files, such as Microsoft Word documents, are not affected by this enhancement that only focuses on potentially malicious PDF documents.

What kinds of files are scanned?
GTI scans executables and PDF documents. GTI File Reputation has traditionally been used for scanning malicious program executables. However, with the continued growth of PDF and APK based malware, McAfee has extended the capabilities of our cloud technology to best protect in this threat space. 

Can data files cause a GTI query to be sent?
It is not possible for documents or other data files, such as Microsoft Word documents containing user-derived data, to cause a GTI query to be sent, neither are samples automatically submitted to McAfee. Files that can be queried are: 
  • Program executables that can contain malicious code
  • Portable document format (.PDF) files that can contain malicious code
  • Android Application Package File (.APK) file  that can contain malicious code
  • Configuration files that can be modified maliciously such as the Windows hosts file

What happens when GTI finds a suspicious file?
Instead of sending the whole file, GTI File Reputation sends only a fingerprint, which is typically less than 40 bytes of information. This is the minimum amount of information necessary to determine the nature of the file.

By default, without specifically opting in to share threat information with McAfee, the query packet from your GTI File Reputation enabled McAfee products contains the following:

Version and product information This data indicates the internal version number of the driver(s) that determined a file was suspicious, the DAT file version, the McAfee product and version as well as the product component that was doing the scanning.
File Hash This consists of a hash of the file that uniquely identifies the file if it exists in the McAfee master database. 
Fingerprint Information This is a bit sequence that indicates the presence of traits internal to the file structure that are common in malware. This data is restricted to data derived from the structure of a file. 
Environmental Information This is a bit sequence that indicates the presence of environment cues commonly associated with malicious samples. The data is restricted to information that the operating system stores about a file and does not include filename or other personally identifiable information stored in the file. 

Will GTI protect me from malware only, or will it also cover Potentially Unwanted Programs (PUPs) and spam?
Currently malware and PUPs are covered. To protect against spam, use an anti-spam product or a plugin.

How much will my malware detection improve with GTI?
All new threats found by McAfee Labs are immediately added to the GTI database server and are made available for GTI-enabled endpoints to provide a near immediate ability to protect you from new and emerging threats. This protection is made available well in advance of the signature for the new threat being made available in regularly released DAT files.

I would like to turn on GTI to report suspicious files to McAfee, but I am not ready to have GTI trigger on malware - how do I proceed? 
McAfee recommends you select the sensitivity setting Very Low in your product. This setting is equivalent to detections that will be covered by the next DAT release. For information on how to enable GTI in VSE, see article KB70130.

Back to contents


DAT Files

I currently test each .DAT before deploying to my endpoints. How would GTI affect my existing processes?
GTI provides protection outside your existing processes. McAfee recommends you enable GTI using the Very low setting initially and then gradually increase the setting too Low to Medium over a couple of weeks. For more information about how to enable GTI in your McAfee product, see article KB70130


I have privacy concerns - what information is sent to McAfee?
The data sent never includes any portion of any file scanned, so there is no chance of any information leaks. Any lookup is performed only on suspicious files and consists of a 32-byte fingerprint generated and sent to GTI servers and a response is given if the fingerprint is determined as that of a malicious file.


  • It is impossible to recreate the file or any of its contents from this fingerprint.
  • To show the current Windows DNS cache, from the command line, type ipconfig /displayDNS and press ENTER. This shows all recent DNS queries made on the computer in question (including those made by GTI).
  • GTI queries can be recognized because they are on sub domains of avqs.mcafee.com or avts.mcafee.com

What information does McAfee keep in LOG files?
McAfee only keeps anonymous logs of the queries from clients. McAfee uses data-mining techniques to correlate global trends such as where in the world queries originate and also what distribution vector was used (for instance, web versus email). McAfee uses this prevalence data to identify new trends in the threat landscape and to better provide protection against emerging threats to McAfee customers.

NOTE: GTI logs do not contain any information about individual computers or users and it is impossible for McAfee to derive such data.
In the future, GTI File Reputation technology might periodically send a unique, anonymous number to inform us that the software is working properly for individual users. This helps McAfee know how many people are using GTI File Reputation and in what products it has been enabled. The information is intended to help McAfee plan the resources necessary to continue to provide quality real-time detection with GTI File Reputation. This method is very similar to the cookies used by many web sites today. This complies with the McAfee Privacy Policy. For more information, see http://www.mcafee.com/us/about/privacy.html.

How are GTI File Reputation queries sent?

File Reputation queries are sent in clear text, with additional authentication added as appropriate.

Example query: 4z9p5tjmcbnblehp4557z1d136.avqs.mcafee.com or 4z9p5tjmcbnblehp4557z1d136.avts.mcafee.com

All information GTI sends to McAfee is anonymous, it does not contain any information about the user or the computer. Also, because the DNS infrastructure is used to transport the query, it is impossible for McAfee to identify the IP address of the originating computer from the GTI File Reputation communication.

Back to contents


Active Protection

GTI sounds like it generates many updates per day, so why would I not use Beta DAT files instead and how does Active Protection differ?
GTI allows endpoints to protect against specific malware as soon as McAfee Labs determines a sample is malicious. GTI does not provide protection for classes of malware, just specific samples that have triggered a response.

What do users or administrators see when Active Protection detects malware?
A GTI detection will be shown in your McAfee product in the same way generic detections are shown. The detected program or binary is deleted or quarantined based upon your McAfee product settings.

What are the risks of using Active Protection? Can it generate false-positives?
Anti-malware protection products very rarely generate false-positives and McAfee testing has shown that GTI has a lower false positive rate than existing McAfee DAT files. GTI detects specific instances of malware, as opposed to classes of malware, which significantly reduces the chances of generating false-positive detections.

Back to contents 

Rate this document

Did this article resolve your issue?

Please provide any comments below


This article is available in the following languages:

English United States

Glossary of Technical Terms

Highlight Glossary Terms

Please take a moment to browse our Glossary of Technical Terms.
United States - English
© 2003-2013 McAfee, Inc.