This article provides information on GTI functionality for listing specific detected malware names.
To provide increased proactive detection, McAfee Labs has chosen to detect some malware generically. This means that new malware can be detected earlier in the wild, and some detection names will be generalized rather than providing a specific name for the infection.
Examples:
- Generic.dx
- Generic!Artemis
Because the name assigned to these detections is generic, it can be difficult to restore specific GTI detections from quarantine and differentiate between specific threats in reports. To counter this, McAfee Labs has recently added a unique identifier to the end of GTI identifications, so that when GTI identifies malware, an additional unique identifier is shown.
Example:
| Old detection: |
Generic!Artemis |
|
| New detection: |
Artemis!1234567890AB |
The bold text equals the first 12 hexadecimal characters of an MD5 hash. |
Adding the unique tagging for detections enables you to do the following:
- More easily restore items from quarantine via ePolicy Orchestrator.
You can use the full detection name to enable restore from quarantine for just the one detection rather than all GTI detections.
- Create reports detailing how unique the malware is that GTI is identifying.
You can see if multiple detections are of the same malware, and better understand the threat posture.
- More easily submit samples when you suspect a false positive detection.
With the unique identifier, you no longer have to locate and send a sample to McAfee Labs to submit a Service Request when you suspect a false positive. If a sample is requested, the unique identifier makes it much easier to locate specific files to send.
- Create exclusions for potentially unwanted program detections reported by GTI.
