Knowledge Center

FAQs for V3 DAT files
Technical Articles ID:   KB82396
Last Modified:  8/10/2018


NOTE: This article applies only to McAfee business and enterprise products. If you need information or support for McAfee consumer or small business products, visit https://service.mcafee.com.

McAfee V3 DAT files
McAfee Labs (AVERT)
McAfee Endpoint Security (ENS) Threat Prevention 10.x


Recent updates to this article
Date Update
August 9, 2018 Added two FAQs for the Trust DAT.
March 29, 2018 Added this table to track updates to this article.

To receive email notification when this article is updated, click Subscribe on the right side of the page. You must be logged on to subscribe.

This article is a consolidated list of common questions and answers about V3 DAT files.

Click to expand the section you want to view:
Why did McAfee introduce a V3 DAT?
The new architecture used in Endpoint Security for Windows, requires structural changes to the DAT. The existing V2 DAT could not be changed to support existing products and Endpoint Security for Windows.

What is the difference between the V2 DAT and V3 DAT?
The V3 DAT incorporates a new structure that is compatible with AMCore-based product Endpoint Security for Windows.

Will the V2 DAT be discontinued?
No. There are no plans to bring V2 DATs to End of Life. McAfee continues to develop content updates for the V2 DAT.

How do I know which DAT to use?
To determine which DAT to use:
  • If you use the AutoUpdate functionality in your products, no action is required. The automatic update mechanism downloads and installs the correct DAT update.
  • If you elect to download the DAT package for your product manually via the Security Updates page at http://www.mcafee.com/apps/downloads/security-updates/security-updates.aspx, you need to know whether you require either the V2 or the V3 DAT.
    • Only Endpoint Security for Windows requires the V3 DAT.
    • Any other enterprise products, including Endpoint Security for Mac and Endpoint Security for Linux, continue to use the V2 DAT
What is the size of the V3 DAT?
The size might vary over time. Currently the V3 DAT is about 30 MB compressed.

Is there a detection and performance advantage using the V3 DAT?
Products that use V3 DATs offer protection that is comparable to V2 DATs.

How has the quality, efficacy, and performance of the V3 DAT been validated?
The technology in V3 DATs has been used in Consumer products since December 2012. It is already running on tens of millions of Consumer endpoints and has been tested extensively in the field. It has also been subjected to numerous efficacy, performance, and false tests by third-party organizations such as AV-Test.org and AV-Comparatives.org. As with the V2 DAT, each release of the V3 DAT undergoes extensive quality and safety testing.

Is there any change to the concept of a full DAT and incremental DAT, or the incremental period before a full DAT file is downloaded?
No. There is no change from the current behavior.

Will McAfee continue to enhance performance of both DATs?
Yes. Performance improvement remains a constant and ongoing process for V2 and V3 DATs. The recent performance improvements exhibited in third-party tests such as AV-Test.org are attributable in part to DAT performance optimizations.

Back to top
Is it possible to use V3 DATs for V2 DAT products and conversely V2 DATs for V3 DAT products?
No. Products that are not designed for the V3 DAT architecture are not compatible with the V3 DATs and cannot initialize them.

What corporate products use the V3 DAT?
Endpoint Security for Windows uses the V3 DAT.

Will managed products be able to choose the correct DAT file?
Yes. Each product requests only the content type that it requires.

Are V3 DATs compatible with Extra.DATs?
Yes. V3 DATs are compatible with Extra.DATs and are managed in the same way as V2 DATs.

Are V3 DATs ePolicy Orchestrator (ePO-deployable?
Yes. V3 DAT deployment can be managed using ePO.

Can ePO support both versions of the DATs?
Yes. Both versions can be managed separately.

Does this change affect gateway and network products?
No. There is no change for existing gateway and network products that use the V2 DAT.

Does anything change with existing AutoUpdates?
No. There is no change for existing products.

Does this change affect AV Engine upgrades?
No. Scan engines continue to support both DATs and associated products.
As an ePO administrator, do I need to change my update process to accommodate V2 and V3 DATs?
As long as your ePO installation replicates from the McAfee Common Updater, the process remains the same.

Do I need to change my ePO update process?
As long as your ePO installation replicates from the McAfee Common Updater, the process remains the same.

Do I have the flexibility in ePO to choose whether to download one or both DATs, or are both retrieved automatically?
The V3 DAT is downloaded only if a product that requires it, which is Endpoint Protection for Windows, is actively managed by ePO.

If my VPN checks endpoint compliance before establishing the VPN, how would it deal with looking for a DAT being within x versions from V2 and V3 DATs? 
McAfee recommends examining the time stamp rather than the DAT version number to determine compliance.

My environment does not allow cloud access. Do I have reduced detection effectiveness with V2 or V3 DATs?
McAfee products provide the best possible detection effectiveness and safety capabilities when configured to use Global Threat Intelligence (GTI) level medium or higher. Endpoints that are not cloud connected might require stricter policy configuration.

What is the Trust DAT?
The Trust DAT is one of the content streams within the V3 data. It is loaded by the AVEngine, but provides identification of trusted files rather than detection of malicious files. It mainly contains whitelisted certificates but can also identify files to be trusted by other means, for example, file hash. The Trust DAT is located at C:\Program Files\Common Files\McAfee\Engine\content\avengine\trs\.
Is the cache reset when the Trust DAT changes?
The cache is reset if the AMCore content update includes a new version of the Trust DAT. This reset is so that the new trust information (removals and additions) can take effect. Usually, there is not a Trust DAT change and so the cache is not reset. Instead, the cache has a TTL (time to live) and once expired, the file is scanned again. The typical TTL for local files is 7200 minutes (5 days), but is less for files on other media like a network share.

Rate this document

Glossary of Technical Terms

 Highlight Glossary Terms

Please take a moment to browse our Glossary of Technical Terms.