FAQs for Global Threat Intelligence File Reputation


Environment

McAfee Global Threat Intelligence (GTI) File Reputation

Summary

McAfee GTI, formerly Artemis, is a comprehensive, real-time, cloud-based reputation service introduced in 2008. It is fully integrated into McAfee products and enables them to better block cyberthreats across all vectors – file, web, message, and network – swiftly. This article answers some common questions about GTI File Reputation.

Contents
What is GTI File Reputation?
GTI File Reputation provides you with always-on, real-time protection that safeguards and secures you from emerging threats.

GTI File Reputation enables you to use the threat intelligence that McAfee Labs gathers to prevent damage and data theft even before a signature update is available. This function makes endpoints smarter and safer. GTI File Reputation technology extends the protection capabilities of McAfee products. It does so by providing access to an online cloud database. The database contains file classification details to determine whether a file is malicious.

Because the database of malicious file classifications is extensive, and changes frequently, GTI File Reputation queries the online GTI cloud servers about potentially suspicious files. It does so to achieve and maintain the highest security levels.


How does GTI File Reputation work?
GTI File Reputation provides the most up-to-date malware detection for several Windows-based McAfee antivirus products.

GTI File Reputation looks for suspicious programs, Portable Document Format (PDF) files, and Android Application Package (.APK) files that are active on endpoints running McAfee products. These products include Endpoint Security (ENS), VirusScan Enterprise (VSE), and SaaS Endpoint Protection (formerly known as Total Protection Service).

For any suspicious file that does not trigger a detection in the existing signature DAT files, GTI sends a DNS request to a central database server hosted by McAfee Labs. This server is continually updated as new malware is found. When the GTI Cloud at McAfee Labs receives the request from the GTI File Reputation-enabled endpoint, it determines whether the program is suspicious and responds accordingly.


Why must I be online to use GTI File Reputation?
GTI File Reputation accesses an online primary database to determine whether a file is suspicious. Because the McAfee database of suspicious files is extensive and changes frequently, it is not sent to you in advance. GTI File Reputation technology must query the online GTI Cloud about these suspicious files to achieve and maintain the highest security levels.


Does GTI File Reputation take up much bandwidth?
GTI File Reputation takes up minimal bandwidth. It triggers only if the existing DAT files do not detect a threat in the program, PDF, or .APK being scanned. Determination of suspicious files is carefully tuned so that only truly suspicious files generate network traffic. If the sensitivity setting is set to Very Low or Low, you can expect an average of 10–15 queries per day, per computer. If the setting is set to Medium, High, or Very High, you can expect an average of 20–25 queries per day, per computer. The number of queries depends on the scan type (on-access scan or on-demand scan) and how many files are being scanned.


If the GTI Cloud is unavailable, am I still protected?
If your McAfee managed product can't contact the McAfee Labs GTI Cloud, your antimalware products only use the local copy of the DAT files for detection. When the GTI Cloud is unavailable, your protection is not reduced to levels below the protection level of standard DAT files.

What is the McAfee definition of suspicious files?
A suspicious file is any program executable, Portable Document Format (PDF), or Android Application Package (.APK) file that has characteristics common to malicious files.

For executable files, GTI looks for certain identifiers inside the executable to determine whether the program has particular characteristics normally associated with malware, for example, whether the file is packed. Typically, less than one percent of clean program executable or PDF files meet the suspicious criteria, so most files do not cause your GTI-enabled product to initiate a query.

Other document files, such as Microsoft Word documents, are not affected because GTI only focuses on potentially malicious PDF documents.


What kinds of files are scanned?
GTI scans executables, PDF documents, and .APK files.

GTI File Reputation has traditionally been used for scanning malicious program executables. But, with the continued growth of PDF- and APK-based malware, McAfee has extended the capabilities of its cloud technology to best protect in this threat space. GTI File Reputation must be set to at least Medium sensitivity to perform reputation lookups on PDF or APK files.


Can data files cause a GTI File Reputation query to be sent?
Documents and other data files, for example Microsoft Word documents containing user-derived data, cannot cause a GTI File Reputation query to be sent. Samples are not automatically submitted to McAfee either. The files that can be queried are:
  • Program executables that can contain malware
  • Portable document format (.PDF) files that can contain malware
  • Android Application Package File (.APK) files that can contain malware
  • Configuration files that can be changed maliciously such as the Windows hosts file

What happens when GTI finds a suspicious file?
Instead of sending the whole file, GTI File Reputation sends only a fingerprint, which is typically less than 40 bytes of information. This amount of information is the minimum needed to determine the nature of the file.

By default, without opting to share threat information with McAfee, the query packet from your GTI File Reputation-enabled McAfee products contains the following:
  • Version and product information. This data indicates:
      • The internal version number of one or more drivers that determined a file was suspicious.
      • The DAT file version.
      • The McAfee product version.
      • The product component that performed the scan.
  • File hash. A hash of the file that uniquely identifies the file if it exists in the McAfee primary database.
  • Fingerprint information. A bit sequence that indicates the presence of traits internal to the file structure that are common in malware. This data is restricted to data derived from the structure of the file.
  • Environmental information. A bit sequence that indicates the presence of environment cues commonly associated with malicious samples. The data is restricted to information that the operating system stores about a file. It does not include the file name or other personally identifiable information stored in the file.


Does GTI File Reputation protect me from malware only? Or does GTI File Reputation include protection against Potentially Unwanted Programs (PUPs) and spam?
Currently, malware and PUPs are covered. To protect against spam, use an antispam product or a plug-in.


How much does my malware detection improve with GTI File Reputation?
All new threats that McAfee Labs finds are immediately added to the GTI database. They are made available for GTI-enabled endpoints to provide a near immediate ability to protect you from new and emerging threats. This protection is made available before the signature for the new threat is included in regular released DAT files.


How do I enable GTI File Reputation to report suspicious files to McAfee?
McAfee recommends that you set the sensitivity setting to Medium in your product. For information about how to enable GTI File Reputation, see KB70130.


I currently test each DAT file before deploying to my endpoints. How would GTI File Reputation affect my existing processes?
GTI provides protection outside your existing processes. For more information about how to enable GTI in your McAfee product, see KB70130.
I have privacy concerns - what information is sent to McAfee?
The data sent never includes any part of any file scanned, so there is no chance of any information leaks. Any lookup is performed only on suspicious files and consists of a 32-byte fingerprint generated and sent to the GTI Cloud. A response is given if the fingerprint is determined to be a malicious file.

NOTES:
  • It is impossible to re-create the file or any of its contents from this fingerprint.
  • To show the Windows DNS cache, from the command line, type ipconfig /displayDNS and press Enter. This command shows all recent DNS queries made on the computer in question, including those queries made by GTI File Reputation.
  • GTI File Reputation queries can be recognized because they are on sub domains of avqs.mcafee.com or avts.mcafee.com.

What information does McAfee keep in log files?
McAfee keeps only anonymous logs of the queries from clients. McAfee uses data-mining techniques to correlate global trends, such as where in the world queries originated and what distribution vector was used (for instance, web versus email). McAfee uses this prevalence data to identify new trends in the threat landscape and to better provide protection against emerging threats to McAfee customers.

NOTE: GTI File Reputation logs do not contain any information about individual computers or users and it is impossible for McAfee to use that information to derive such data.

In the future, GTI File Reputation technology might periodically send a unique, anonymous number to inform us that the software is working properly for individual users. This number helps McAfee know the number of people using GTI File Reputation and in what products it has been enabled. The information is intended to help McAfee plan the resources needed to continue to provide quality real-time detection with GTI File Reputation. This method is similar to the cookies used by many websites today, and complies with the McAfee Privacy Policy. For more information, see http://www.mcafee.com/us/about/privacy.html.

How are GTI File Reputation queries sent?
GTI File Reputation queries are sent in clear text, with other authentication added as appropriate.

Example query: 4z9p5tjmcbnblehp4557z1d136.avqs.mcafee.com or 4z9p5tjmcbnblehp4557z1d136.avts.mcafee.com

All information that GTI File Reputation sends to McAfee is anonymous; it does not contain any information about the user or the computer. Also, because the DNS infrastructure is used to transport the query, it is impossible for McAfee to identify the IP address of the originating computer from the GTI File Reputation communication.
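The two notes above (the ipconfig /displayDNS check and the avqs.mcafee.com / avts.mcafee.com subdomains) and the example query can be turned into a small audit of what a client has actually looked up. The following is an added example, not McAfee code; it assumes the "Record Name . . . : host" layout of ipconfig /displaydns output on Windows, uses the page's example hostname plus a second constructed label, and matches on a label boundary so that a look-alike name merely containing the zone string is not counted as a GTI query.

```python
"""Pick GTI File Reputation lookups out of `ipconfig /displaydns` output."""
import re
from collections import Counter

# Zones under which GTI File Reputation queries are sent (from the KB article).
GTI_ZONES = ("avqs.mcafee.com", "avts.mcafee.com")
# Matches the "Record Name . . . . . : <host>" line of each cached DNS record.
_RECORD_NAME = re.compile(r"^\s*Record Name[ .]*:\s*(\S+)\s*$", re.IGNORECASE)

# Constructed sample cache dump: one real-looking GTI lookup per zone, one
# ordinary site, and one look-alike name that must NOT count as a GTI query.
SAMPLE_DISPLAYDNS = """\
Windows IP Configuration

    4z9p5tjmcbnblehp4557z1d136.avqs.mcafee.com
    ----------------------------------------
    Record Name . . . . . : 4z9p5tjmcbnblehp4557z1d136.avqs.mcafee.com
    A (Host) Record . . . : 192.0.2.10

    www.example.com
    ----------------------------------------
    Record Name . . . . . : www.example.com
    A (Host) Record . . . : 192.0.2.20

    3ndbv7a0cx8r2pltk95gsz1e6h.avts.mcafee.com
    ----------------------------------------
    Record Name . . . . . : 3ndbv7a0cx8r2pltk95gsz1e6h.avts.mcafee.com
    A (Host) Record . . . : 192.0.2.11

    avqs.mcafee.com.example.test
    ----------------------------------------
    Record Name . . . . . : avqs.mcafee.com.example.test
    A (Host) Record . . . : 192.0.2.30
"""


def is_gti_query(host: str) -> bool:
    """True only for a proper subdomain of a GTI zone (dot-delimited suffix)."""
    host = host.rstrip(".").lower()
    return any(host.endswith("." + zone) for zone in GTI_ZONES)


def gti_queries(displaydns_text: str) -> list[tuple[str, str]]:
    """Return (fingerprint_label, zone) for every cached GTI lookup, in order."""
    found = []
    for line in displaydns_text.splitlines():
        m = _RECORD_NAME.match(line)
        if m and is_gti_query(m.group(1)):
            label, zone = m.group(1).rstrip(".").lower().split(".", 1)
            found.append((label, zone))
    return found


def queries_per_zone(displaydns_text: str) -> Counter:
    """Tally of GTI lookups per zone, e.g. to compare with the 10-25/day figure."""
    return Counter(zone for _, zone in gti_queries(displaydns_text))
```

On a real endpoint, feed the function the output of `ipconfig /displaydns` captured to a file; the per-zone tally is what you would compare against the per-computer query rates given earlier.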
GTI File Reputation sounds like it generates many updates per day. So why would I not use Beta DAT files instead, and how does Active Protection differ?
GTI File Reputation allows endpoints to protect against specific malware when McAfee Labs determines a sample is suspicious. GTI File Reputation does not provide protection for classes of malware, only specific samples that have triggered a response.


What do users or administrators see when Active Protection detects malware?
GTI File Reputation detections display in your McAfee product in the same way generic detections are shown. The detected program or binary is deleted or quarantined based on your product settings.


What are the risks of using Active Protection? Can it generate false-positives?
Antimalware products rarely generate false positives. McAfee testing has shown that GTI File Reputation has a lower false positive rate than existing McAfee DAT files. GTI File Reputation detects specific instances of malware, as opposed to classes of malware, which significantly reduces the chances of generating false positive detections.