McAfee Enterprise is dedicated to providing the most effective and up-to-date detection and protection against new and existing threats. Over the past several years, there has been dramatic advancement beyond "traditional" signature-based detection. Now, there are more agile and comprehensive cloud-based mechanisms for detection of both "zero-day" and existing threats. Examples of these cloud-connected technologies are McAfee Global Threat Intelligence (GTI) and the McAfee Enterprise machine learning capabilities that Real Protect (RP) provides in Endpoint Security Adaptive Threat Protection (ATP).

These capabilities can reduce, or even eliminate, the time and manual effort needed to obtain and deploy Extra.DATs. As such, beginning April 1, 2021, McAfee Enterprise is making adjustments to reduce the number of Extra.DATs provided where cloud coverage is already in place.
 
McAfee Enterprise will also no longer provide redundant Extra.DAT coverage in response to inquiries regarding Coverage and Information Requests for Hash or Indicators of Compromise (IOC), where cloud-based coverage is available.
 
We acknowledge that there might be legitimate scenarios or environmental factors where an Extra.DAT might be needed. These situations will be considered and an Extra.DAT will continue to be provided, where appropriate. 

If you see IOCs in public threat advisories and blogs published by threat research groups and other security vendors, you don’t need to create a Service Request for those IOCs. Our McAfee Advanced Threat Research Groups and McAfee Labs teams constantly monitor new threat advisories and blogs. They proactively analyze available files to verify coverage for emerging IOCs. They make coverage updates to the cloud in real time, and to the daily DATs in cases where cloud coverage might not be applicable.

For additional information regarding current Threat Intelligence, see McAfee Insights and make sure to keep up to date with our blog Securing Tomorrow.

Additional Information and Resources
To make sure that your environment has the best protection available, McAfee Enterprise highly recommends that you deploy all available technologies and use them to their fullest potential. To help with this configuration, we’ve created some resources. They can help you make sure that these cloud services are accessible and working as intended.

• (YouTube video) McAfee Real Protect and Dynamic Application Containment Demo 
• "Adaptive Threat Protection" and "About Extra.DAT files" sections of the Endpoint Security 10.7.0 Product Guide - Windows
• KB91836 - Countermeasures for entry vector threats
• (YouTube video) McAfee Center Stage: Adaptive Threat Protection Best Practices
• KB87843 - Dynamic Application Containment rules and best practices
• KB53733 - Verify that GTI File Reputation is installed and endpoints can communicate with the GTI server
• KB88828 - Test files to test Real Protect scanning and Credential Theft Protection

FAQs

Why is this change happening?
With the rapid changes in the active threat landscape, speed is more important than ever. As threats become more complex, it’s necessary to take advantage of real-time cloud technologies and proactive measures to stay ahead of the curve. These capabilities can reduce, or even eliminate, the time and manual effort needed to produce, obtain, and deploy Extra.DATs. Making sure that environments are protected by the most up-to-date protection and detection technologies reduces risk. Elimination of redundant efforts allows for that time to be spent elsewhere.

Can I obtain an Extra.DAT if I have a list of hashes I want information about?
If there’s no business impact, an Extra.DAT will usually not be provided if cloud coverage already exists. Cloud coverage negates the need for an Extra.DAT. 
 
When will an Extra.DAT be provided for hash list coverage/Information Requests?
Extra.DATs might still be provided in these scenarios, on a situational basis, where applicable. GTI or Real Protect cloud detections are an example of where it wouldn’t be needed to provide an Extra.DAT. The reason is that these detections aren’t content-based and can be updated in real time in the cloud.

Does this include VirusScan Enterprise (VSE)?
Yes, because VSE includes GTI, which can provide coverage for many threats without requiring an Extra.DAT.

What if my environment doesn’t allow Real Protect/GTI or I have systems with no internet connectivity​?
Extra.DATs would still be provided in these scenarios, where applicable.

Will Extra.DATs still be provided for false positives and detection failures? 
Extra.DATs would still be provided in these scenarios, where applicable. GTI or Real Protect cloud detections are an example of where it wouldn’t be needed to provide an Extra.DAT. The reason is that these detections aren’t content-based and can be updated in real time in the cloud.

What if my business is impacted?
If there’s a business impact, we’ll provide an Extra.DAT on a case by case basis, where deemed appropriate. For example, if a threat was introduced into an environment and cleaning is needed.
 
How can I get more information about ATP and its components? 
You can find more information in the "Additional Information and Resources" section above.