FAQs for Global Threat Intelligence File Reputation
Technical Articles ID: KB53735
Last Modified: 2024-02-08 09:21:42 Etc/GMT
Environment
Global Threat Intelligence (GTI) File Reputation
Summary
GTI, formerly known as Artemis, is a comprehensive, real-time, cloud-based reputation service introduced in 2008. It's fully integrated into our products and enables them to better block cyberthreats across all vectors — file, web, message, and network — swiftly. This article answers some common questions about GTI File Reputation.
Contents
What's GTI File Reputation?
GTI File Reputation provides you with always-on, real-time protection that safeguards and secures you from emerging threats.
GTI File Reputation enables you to use the threat intelligence that our Advanced Research Center gathers to prevent damage and data theft even before a signature update is available. This function makes endpoints smarter and safer. GTI File Reputation technology extends the protection capabilities of our products. It does so by providing access to an online cloud database. The database contains file classification details to determine whether a file is malicious.
Because the database of malicious file classifications is extensive, and changes frequently, GTI File Reputation queries the online GTI cloud servers about potentially suspicious files. It does so to achieve and maintain the highest security levels.
How does GTI File Reputation work?
GTI File Reputation provides the most up-to-date malware detection for several Windows-based antivirus products.
GTI File Reputation looks for suspicious programs, Portable Document Format (PDF) files, and Android Application Package (.APK) files that are active on endpoints running our products. These products include Endpoint Security (ENS), VirusScan Enterprise (VSE), and SaaS Endpoint Protection (formerly known as Total Protection Service).
For any suspicious file that doesn't trigger the existing signature DAT files, GTI sends a DNS query to a central reputation server hosted by our Advanced Research Center. This server is continually updated as new malware is found. When the GTI Cloud receives the query from the GTI File Reputation enabled endpoint, it determines whether the file is known to be malicious and responds accordingly.
Why must I be online to use GTI File Reputation?
GTI File Reputation accesses an online primary database to determine whether a file is suspicious. Because our database of suspicious files is extensive and changes frequently, it's not sent to you in advance. GTI File Reputation technology must query the online GTI Cloud about these suspicious files to achieve and maintain the highest security levels.
Does GTI File Reputation take up much bandwidth?
GTI File Reputation takes up minimal bandwidth. It triggers only if the existing DAT files don't detect a threat in the program, PDF, or .APK being scanned, and the determination of suspicious files is carefully tuned so that only truly suspicious files generate network traffic. If the sensitivity setting is Very Low or Low, expect an average of 10–15 queries per day, per computer. If it is Medium, High, or Very High, expect an average of 20–25 queries per day, per computer. The actual number depends on the scan type (on-access scan or on-demand scan) and on how many files are being scanned.
If the GTI Cloud is unavailable, am I still protected?
If your Enterprise-managed product can't contact the Advanced Research Center GTI Cloud, your antimalware products fall back to the local copy of the DAT files for detection. When the GTI Cloud is unavailable, your protection is not reduced below the level provided by the standard DAT files.
What's your definition of suspicious files?
A suspicious file is any program executable, PDF, or .APK file that has characteristics common to malicious files.
For executable files, GTI looks for certain identifiers inside the executable to determine whether the program has characteristics normally associated with malware; for example, whether the file is packed. Typically, less than 1% of clean program executables or PDF files meet the suspicious criteria, so most files never cause your GTI-enabled product to initiate a query.
Other document files, such as Microsoft Word documents, aren't affected because GTI only focuses on potentially malicious PDF documents.
What kinds of files are scanned?
GTI scans executables, PDF documents, and .APK files.
GTI File Reputation has traditionally been used for scanning malicious program executables. But, with the continued growth of PDF- and APK-based malware, we've extended the capabilities of our cloud technology to best protect in this threat space. GTI File Reputation must be set to at least Medium sensitivity to perform reputation lookups on PDF or APK files.
Can data files cause a GTI File Reputation query to be sent?
Documents and other data files, such as Microsoft Word documents containing user-derived data, can't cause a GTI File Reputation query to be sent. Nor are samples submitted to us automatically. Only the following kinds of files can be queried:
Program executables that can contain malware
.PDF files that can contain malware
.APK files that can contain malware
Configuration files, such as the Windows hosts file, that can be changed maliciously
What happens when GTI finds a suspicious file?
Instead of sending the whole file, GTI File Reputation sends only a fingerprint, which is typically less than 40 bytes of information. This amount of information is the minimum needed to determine the nature of the file.
By default, without opting to share threat information with us, the query packet from your GTI File Reputation enabled products contains the following:
Version and Product Information
This data indicates the following:
Internal version number of one or more drivers that determine that a file is suspicious.
DAT file version.
Product version.
Product component that performs the scan.
File Hash
This item consists of a hash of the file that uniquely identifies the file if it exists in the primary database.
Fingerprint Information
This item is a bit sequence that indicates the presence of traits internal to the file structure that are common in malware. This data is restricted to data derived from the structure of a file.
Environmental Information
This item is a bit sequence that indicates the presence of environment cues commonly associated with malicious samples. The data is restricted to information that the operating system stores about a file. It doesn't include the file name or other personally identifiable information stored in the file.
Does GTI File Reputation protect me from malware only? Or does GTI File Reputation include protection against Potentially Unwanted Programs (PUPs) and spam?
Currently, malware and PUPs are covered. To protect against spam, use an antispam product or a plug-in.
How much does my malware detection improve with GTI File Reputation?
All new threats that our Advanced Research Center finds are immediately added to the GTI database. They're made available for GTI-enabled endpoints to provide a near immediate ability to protect you from new and emerging threats. This protection is made available before the signature for the new threat is included in regular released DAT files.
How do I enable GTI File Reputation to report suspicious files?
We recommend that you set the sensitivity setting to Medium in your product. For information about how to enable GTI File Reputation, see KB70130 - How to enable Global Threat Intelligence in our products.
I currently test each DAT file before deploying to my endpoints. How would GTI File Reputation affect my existing processes?
GTI provides protection outside your existing processes. For more information about how to enable GTI in your product, see KB70130 - How to enable Global Threat Intelligence in our products.
I have privacy concerns; what information is sent to you?
The data sent never includes any part of any scanned file, so file contents can't leak through the query. A lookup is performed only on suspicious files and consists of a 32-byte fingerprint generated on the endpoint and sent to the GTI Cloud. A response is returned only if the fingerprint corresponds to a known malicious file.
NOTES:
It's impossible to re-create the file or any of its contents from this fingerprint.
To show the Windows DNS cache from the command line, type ipconfig /displaydns and press Enter. This command lists the DNS records currently cached on the computer in question, including those resolved by GTI File Reputation queries. Cached entries are discarded when their TTL expires, so the cache shows only recent lookups; to see every query, log them at your DNS resolver instead.
GTI File Reputation queries can be recognized because they are on subdomains of avqs.mcafee.com or avts.mcafee.com.
What information do you keep in log files?
We keep only anonymous logs of the queries from clients. We use data-mining techniques to correlate global trends, such as the location in the world from where queries originate. Also, the distribution vector that's used (for instance, web versus email). We use this prevalence data to identify new trends in the threat landscape and to better provide protection against emerging threats to our customers.
NOTE: GTI File Reputation logs don't contain any information about individual computers or users, and it's impossible for us to use that information to derive such data.
In the future, GTI File Reputation technology might periodically send a unique, anonymous number to inform us that the software is working properly for individual users. This number helps us know the number of people using GTI File Reputation and in what products it has been enabled. The information is intended to help us plan the resources needed to continue to provide quality real-time detection with GTI File Reputation. This method is similar to the cookies used by many websites today, and complies with our Privacy Policy. For more information, see the Privacy Policy.
How are GTI File Reputation queries sent?
GTI File Reputation queries are sent as standard DNS queries in clear text, with other authentication added as appropriate.
Example query: 4z9p5tjmcbnblehp4557z1d136.avqs.mcafee.com or 4z9p5tjmcbnblehp4557z1d136.avts.mcafee.com
All information that GTI File Reputation sends to us is anonymous; it doesn't contain any information about the user or computer. Also, because the query is carried over the DNS infrastructure and reaches us from your recursive DNS resolver rather than from the endpoint, we can't identify the IP address of the originating computer from the GTI File Reputation communication.
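The following Python script is an added example, not part of this article or of the product. It applies the recognition rule from the NOTES above (queries are on subdomains of avqs.mcafee.com or avts.mcafee.com) to the output of ipconfig /displaydns, pulling out the fingerprint label of each lookup, as in the example query above. The cache text embedded below is constructed for the example: the first fingerprint is the one quoted in this article, the second is a placeholder, the answer addresses are documentation addresses, and nothing here is real GTI response data. The suffix check is anchored at the end of the name so that look-alike names such as avqs.mcafee.com.attacker.example are not counted as GTI traffic.

```python
import re
from collections import Counter

# Zones the KB article names for GTI File Reputation lookups.
GTI_ZONES = ("avqs.mcafee.com", "avts.mcafee.com")

# Matches the "Record Name . . . : <name>" line of `ipconfig /displaydns`.
RECORD_NAME_RE = re.compile(r"Record Name[ .]*:\s*(\S+)", re.IGNORECASE)


def gti_zone(name):
    """Return the GTI zone a DNS name belongs to, or None.

    The match is anchored at the end of the name, so a look-alike such as
    'avqs.mcafee.com.attacker.example' is rejected, and the bare zone apex
    is excluded because a real lookup always carries a leading label.
    """
    host = name.strip().rstrip(".").lower()
    for zone in GTI_ZONES:
        if host.endswith("." + zone):
            return zone
    return None


def gti_fingerprint(name):
    """Return the fingerprint label of a GTI query name, or None."""
    zone = gti_zone(name)
    if zone is None:
        return None
    host = name.strip().rstrip(".").lower()
    label = host[: -len(zone) - 1]
    # A genuine lookup is exactly one label in front of the zone.
    return label if label and "." not in label else None


def parse_displaydns(text):
    """Yield every record name found in `ipconfig /displaydns` output."""
    for line in text.splitlines():
        m = RECORD_NAME_RE.search(line)
        if m:
            yield m.group(1)


def gti_queries_from_cache(text):
    """Return the fingerprint labels of all cached GTI lookups, in order."""
    return [fp for fp in map(gti_fingerprint, parse_displaydns(text)) if fp]


def gti_query_summary(text):
    """Count cached GTI lookups per zone (avqs vs avts)."""
    counts = Counter()
    for name in parse_displaydns(text):
        if gti_fingerprint(name):
            counts[gti_zone(name)] += 1
    return dict(counts)


# Constructed sample of `ipconfig /displaydns` output (not captured from a
# real system). The second fingerprint is a placeholder label.
SAMPLE_CACHE = """\
Windows IP Configuration

    4z9p5tjmcbnblehp4557z1d136.avqs.mcafee.com
    ----------------------------------------
    Record Name . . . . . : 4z9p5tjmcbnblehp4557z1d136.avqs.mcafee.com
    Record Type . . . . . : 1
    Time To Live  . . . . : 60
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 198.51.100.7

    update.example.net
    ----------------------------------------
    Record Name . . . . . : update.example.net
    Record Type . . . . . : 1
    Time To Live  . . . . : 300
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 203.0.113.20

    avqs.mcafee.com.attacker.example
    ----------------------------------------
    Record Name . . . . . : avqs.mcafee.com.attacker.example
    Record Type . . . . . : 1
    Time To Live  . . . . : 30
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 203.0.113.99

    PLACEHOLDERF1NGERPR1NT0001.AVTS.MCAFEE.COM.
    ----------------------------------------
    Record Name . . . . . : PLACEHOLDERF1NGERPR1NT0001.AVTS.MCAFEE.COM.
    Record Type . . . . . : 1
    Time To Live  . . . . : 60
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 198.51.100.8
"""

if __name__ == "__main__":
    for fp in gti_queries_from_cache(SAMPLE_CACHE):
        print("GTI lookup:", fp)
    print(gti_query_summary(SAMPLE_CACHE))
```

On a live system, feed the script the real output of ipconfig /displaydns (or, from PowerShell, the Entry values returned by Get-DnsClientCache). The same anchored suffix rule applies unchanged to query logs from your recursive resolver, which is the better place to count lookups against the per-day figures given earlier, because the client cache drops entries as their TTL expires.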
GTI File Reputation sounds like it generates many updates per day. So why would I not use Beta DAT files instead, and how does Active Protection differ?
GTI File Reputation allows endpoints to protect against specific malware when our Advanced Research Center determines that a sample is suspicious. GTI File Reputation does not provide protection for classes of malware, but only for specific samples that have triggered a response.
What do users or administrators see when Active Protection detects malware?
GTI File Reputation detections display in your product in the same way generic detections are shown. The detected program or binary is deleted or quarantined based on your product settings.
What are the risks of using Active Protection? Can it generate false-positives?
Antimalware products rarely generate false positives, and our testing has shown that GTI File Reputation has a lower false-positive rate than existing DAT files. Because GTI File Reputation detects specific instances of malware rather than classes of malware, the chance of a false-positive detection is significantly reduced.