Technical Articles ID:
KB82396
Last Modified: 2022-06-21 05:45:47 Etc/GMT
Environment
Endpoint Security (ENS) Threat Prevention 10.x
V3 DAT files
Extra.DAT files
Trellix Labs
DAT Reputation
NOTES:
Only ENS for Windows requires V3 DAT files.
Endpoint Security for Linux (ENSL) and Endpoint Security for Mac (ENSM) before 10.7.0 use the V2 DAT files.
ENSL and ENSM 10.7.0 and later use the MED DAT files.
Summary
Recent updates to this article
June 21, 2022: Updated the FAQ "What's the difference between normal DAT files and runtime DAT files?" in the "General" section.
March 21, 2022: Added Expand All/Collapse All sections.
December 9, 2021: Updated the FAQ "Are you planning to discontinue V2 DAT?" in the "Differences between V2 and V3 DATs" section.
This article is a consolidated list of common questions and answers about V3 DAT files.
Contents
Why did you introduce a V3 DAT?
The new architecture used in ENS for Windows requires structural changes to the DAT. The existing V2 DAT couldn't be changed to support existing products and ENS for Windows.
What's the difference between V2 DAT and V3 DAT?
The V3 DAT incorporates a new structure that's compatible with the AMCore-based product ENS for Windows.
Are you planning to discontinue V2 DAT?
No. There are no plans to bring V2 DATs to End of Life (EOL). We continue to develop content updates for V2 DAT.
For products that use V2 DATs and haven't reached EOL (such as ENSL and ENSM before 10.7.0), you'll continue to receive access to V2 DATs until these products reach EOL.
How do I know which DAT to use?
To determine which DAT to use, perform the actions below:
If you use the AutoUpdate functionality in your products, no action is needed. The automatic update mechanism downloads and installs the correct DAT update.
If you elect to download the DAT package for your product manually, you need to know whether you require the V2 or the V3 DAT. (You can download the package manually through the Security Updates page.)
Only ENS for Windows requires V3 DAT.
ENSM and ENSL before 10.7.0 continue to use V2 DAT files. But, ENSM and ENSL 10.7.0 and later only use MED DAT files.
What's the size of V3 DAT?
The size might vary over time. Currently, V3 DAT is about 30 MB compressed.
Is there a detection and performance advantage with using V3 DAT?
Products that use V3 DATs offer protection that's comparable to that of V2 DATs.
How's the quality, efficacy, and performance of V3 DAT validated?
The technology in V3 DATs has been tested extensively in the field. It has also been subjected to numerous efficacy, performance, and false-positive tests by third-party organizations such as AV-Test.org and AV-Comparatives.org. As with V2 DAT, each release of V3 DAT undergoes extensive quality and safety testing.
Is there any change to the concept of a full DAT and incremental DAT, or the incremental period before a full DAT file is downloaded?
No. There's no change from the current behavior.
Are you planning to continue to enhance the performance of both DATs?
Yes. Performance improvement remains a constant and ongoing process for V2 and V3 DATs. The recent performance improvements exhibited in third-party tests such as AV-Test.org are attributable in part to DAT performance optimizations.
Is it possible to use V3 DATs for V2 DAT products and conversely V2 DATs for V3 DAT products?
No. Products that aren't designed for the V3 DAT architecture are incompatible with V3 DATs, and can't initialize them.
What products use V3 DAT?
ENS for Windows uses V3 DAT.
Do managed products choose the correct DAT file?
Yes. Each product requests only the content type that it requires.
Are V3 DATs compatible with Extra.DATs?
Yes. V3 DATs are compatible with Extra.DATs and are managed in the same way as V2 DATs.
Are V3 DATs deployable through ePolicy Orchestrator (ePO)?
Yes. V3 DAT deployment can be managed using ePO.
Can ePO support both versions of DATs?
Yes. Both versions can be managed separately.
Does this change affect gateway and network products?
No. There's no change for existing gateway and network products that use V2 DAT.
Does anything change with existing AutoUpdates?
No. There's no change for existing products.
Does this change affect AV Engine upgrades?
No. Scan engines continue to support both DATs and associated products.
How do I update V3 DATs manually?
You can download the V3 DAT package manually through the Security Updates page.
To manually update V3 DAT, perform either of the following:
As an ePO administrator, do I need to change my update process to accommodate V2 and V3 DATs?
As long as your ePO installation replicates from the Common Updater, the process remains the same.
Do I need to change my ePO update process?
As long as your ePO installation replicates from the Common Updater, the process remains the same.
Do I have the flexibility in ePO to choose whether to download one or both DATs, or are both retrieved automatically?
The V3 DAT is downloaded only if ePO actively manages a product that requires it. ENS for Windows requires it.
If my VPN checks endpoint compliance before establishing the VPN, how would it deal with looking for a DAT being within x versions from V2 and V3 DATs?
We recommend examining the time stamp rather than the DAT version number to determine compliance.
My environment doesn't allow cloud access. Do I have reduced detection effectiveness with V2 or V3 DATs?
Our products provide the best possible detection effectiveness and safety capabilities when configured to use Global Threat Intelligence (GTI) level medium or higher. Endpoints that aren't cloud connected might require stricter policy configuration.
What's the Trust DAT?
The Trust DAT is one of the content streams within the V3 data. The AVEngine loads it, but it provides identification of trusted files rather than detection of malicious files. It mainly contains certificates in the allow list, but can also identify files to be trusted by other means, for example, file hash. The Trust DAT is at C:\Program Files\Common Files\McAfee\Engine\content\avengine\trs\.
Is the cache reset when the Trust DAT changes?
The cache is reset if the AMCore content update includes a new version of the Trust DAT. This reset is so that the new trust information (removals and additions) can take effect. Usually, there isn't a Trust DAT change and so the cache isn't reset. Instead, the cache has a time to live (TTL) and once expired, the file is scanned again. The typical TTL for local files is 7,200 minutes (5 days), but is less for files on other media like a network share.
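The cache behaviour described in this answer, as an added illustration that is not Trellix's code: a scan-result cache whose entries carry a TTL (the 7,200-minute local value is from the article; the shorter network-share value and the simplified minute-based clock are assumptions), and which is flushed only when a content update carries a new Trust DAT version.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# TTLs in minutes. The 7,200-minute (5-day) figure for local files is the
# article's; the network-share value is an assumed, shorter illustrative figure.
LOCAL_TTL_MINUTES = 7200
NETWORK_TTL_MINUTES = 1440  # assumption, not a documented value


@dataclass
class CacheEntry:
    verdict: str        # result of the last scan, e.g. "clean"
    scanned_at: int     # simplified clock: minutes since an arbitrary epoch
    ttl_minutes: int    # how long the verdict may be reused


class ScanCache:
    """Scan-result cache keyed by path, flushed only when the Trust DAT version changes."""

    def __init__(self, trust_dat_version: int) -> None:
        self.trust_dat_version = trust_dat_version
        self._entries: Dict[str, CacheEntry] = {}

    def record(self, path: str, verdict: str, now: int, on_network: bool = False) -> None:
        """Store a fresh scan verdict; files on other media get the shorter TTL."""
        ttl = NETWORK_TTL_MINUTES if on_network else LOCAL_TTL_MINUTES
        self._entries[path] = CacheEntry(verdict, now, ttl)

    def lookup(self, path: str, now: int) -> Optional[str]:
        """Return the cached verdict, or None when the file must be scanned again."""
        entry = self._entries.get(path)
        if entry is None:
            return None
        if now - entry.scanned_at >= entry.ttl_minutes:
            # TTL expired: drop the stale verdict so the next scan refreshes it
            del self._entries[path]
            return None
        return entry.verdict

    def apply_content_update(self, trust_dat_version: int) -> bool:
        """Apply an AMCore content update. Returns True if the cache was reset.

        Most updates carry no new Trust DAT, so the cache survives them; only a
        changed Trust DAT version flushes every entry, so that added or removed
        trust information takes effect immediately instead of after the TTL.
        """
        if trust_dat_version == self.trust_dat_version:
            return False
        self.trust_dat_version = trust_dat_version
        self._entries.clear()
        return True

    def size(self) -> int:
        return len(self._entries)
```

The point for a defender: a file trusted by certificate can keep a cached "clean" verdict for days, so removing a certificate from the allow list only bites once a Trust DAT update forces the flush or the TTL runs out.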
Does the V3 DAT update Adaptive Threat Protection (ATP) and Real Protect?
The V3 DAT includes updates to scanners, engines, and rules that ATP uses:
ATP - The V3 DAT contains updates to the scanner and the rules that ATP uses to dynamically compute the reputation of files and processes on the client systems.
Real Protect - The V3 DAT contains updates to the Real Protect scan engine and rules based on results of ongoing threat research. Real Protect is a component of the ATP module.
Can I run the v3dat.exe file silently?
There isn't a specific argument to make v3dat.exe run silently. Instead, redirect its output (XXXX is the DAT version number):
From an elevated command prompt, run: V3_XXXXdat.exe > NUL
From PowerShell, run: .\V3_XXXXdat.exe > $null
What are DAT files?
Virus definition or DAT files contain signatures and other information that our antivirus products use to protect your computer against existing and new potential threats. DAT files are released regularly. To make sure that your antivirus software protects your system against the latest threats, always use the most recent DAT files.
What integrity and validity checks are performed on the DAT files to make sure that they aren't tampered with?
The DAT files are encrypted and then compressed and signed when they're compiled. The Scan Engine performs a signature verification on the DATs as an integrity check during initialization. The Scan Engine doesn't load the files if they've been modified. The products that use the Scan Engine then verify the integrity of the Scan Engine by verifying whether the digital certificate used to sign the Scan Engine is valid.
Does the DAT perform any proactive detection for scanning of malformed archives?
Our products can handle specific types of malformed archives. A malformed archive prevents the Scan Engine from scanning inside it, so instead the products detect the presence of a bad archive without having to open it. The detection is reported as Malformed Archive.
We continue to refine our detection techniques to tackle the many types of malformed archives that can be created. We continue to focus on making sure that customers receive maximum protection and providing a rapid response to potential vulnerabilities.
Why does Trellix Labs release regular DAT files?
There has been an exponential rise in the number, propagation rate, and prevalence of new threats. The same applies to the number of virus submissions, rate of new malware development, and number of emergency DAT releases. The growing number and variety of threats make it vital that you update your DAT files regularly.
At what time during the day are DAT files made available?
The regular DAT files are generally available on the day of release at 19:00 (UTC/GMT). But, DAT files might be released earlier if a new threat warrants it. To receive alerts regarding delays or important notifications, subscribe to the Support Notification Service (SNS). For SNS details, see KB67828 - Support Notification Service Frequently Asked Questions.
NOTE: For local time conversion, see the World Time Server, or a similar site.
Do you release DAT files on holidays?
We release DAT files on holidays, except for January 1 and December 25. If needed, emergency DAT files are issued on these days.
When can I schedule an automatic update of my system with the regular DAT files?
We recommend that you schedule a daily pull task within a 4–6 hour interval from the time the DAT files are made available to the source repository. This schedule allows enough time for the DAT file to replicate on all our servers globally. See the ePO product guide for details.
Where can I find the latest DAT files?
The latest DAT files are available from the Security Updates page in XDAT and SDAT format. This site also provides access to Beta DAT files.
What's the difference between regular DAT files and Beta DAT files?
DAT files are released regularly and go through a full QA cycle. Beta DAT files are produced hourly and receive only limited false positive testing. We recommend that you use the following:
Regular DAT files for desktop deployment
Beta DAT files for high-risk computers and perimeter products such as GroupShield
What's the difference between normal DAT files and runtime DAT files?
Each file has its own advantage:
Normal DAT files: Normal DAT files are simple in format, with optimization designed for downloads of regular incremental files (signatures). A priority for downloading the normal DAT updates is to use as little bandwidth as possible. But, the format isn't well optimized for local performance. The information about incremental files and normal DAT files is truncated, and the DAT update time depends on the number of files to be downloaded, irrespective of the size of the files.
Advantage: Faster download
Runtime DAT files: The runtime DAT file is optimized for high local performance. It's a rebuild of the normal DAT files, so that the memory and CPU resources needed to operate are balanced for best performance.
Advantage: Faster system
Under what circumstances do emergency DAT releases happen?
Outbreaks sometimes require emergency releases. Emergency DAT releases generally ship around 19:00 GMT. But, they might be released earlier or later in the day if a new threat warrants it. When a DAT is released early to preempt a potential outbreak, there generally is no second DAT release that day, unless another emergency situation occurs.
Where can I find the DAT Release Notes?
The release notes are posted on the DAT Release Notes page.
What's DAT Reputation?
DAT Reputation is an endpoint technology that contacts the GTI Cloud before an endpoint DAT update. The call-back component checks the reputation of a DAT package before it installs the update. Also, an endpoint safety pulse component runs periodically on a Microsoft Windows endpoint. The safety pulse checks for potential product or operating system issues that have occurred since the installation of a DAT update package. Data collected from the endpoint safety pulse tests are transferred back to Labs and monitored for anomalies. If a significant problem is found with a DAT package after it has been released, it’s tagged as Blocked in the GTI Cloud so that endpoints don't install the DAT.
Do you contact me using the Support Notification Service (SNS) if there's a problem found with the current DAT?
Yes. Our Incident Response procedures are invoked if we find a significant problem with a DAT. We recommend that all customers register for SNS.
Which products can use DAT Reputation?
DAT Reputation is available for all supported products on Microsoft Windows that update using a DAT.
What happens if my endpoints update using ePO?
The endpoints call the GTI Cloud individually, in case a problematic DAT is already downloaded to a local repository.
What are the system requirements for DAT Reputation?
DAT Reputation has been tested with Windows Vista and later. The recommended system requirements are as follows:
Processor - Minimum: Pentium class processor; Recommended: Pentium IV class processor or higher
Physical RAM - Minimum: 512 MB; Recommended: 1 GB or greater
Where are the DAT Reputation files installed?
DAT Reputation files are installed to the following locations:
Where do I download DAT Reputation?
DAT Reputation is installed as part of a standard DAT update. Customers can elect to download DATs that contain DAT Reputation for about six months. After six months, a full AutoUpdate is downloaded.
New health check content might be added later if further diagnostic tests are needed. Health check content is also delivered as part of a standard DAT update. Customers are notified through SNS when new health check content is going to be deployed.
What's the increase in download size when DAT Reputation is installed?
The update size is about 1 MB, in addition to the size of the standard DAT content.
Do updates fail if my endpoints can't connect to the GTI Cloud?
DAT Reputation doesn't block updates if the endpoint can't make a connection to the GTI Cloud.
Does DAT Reputation work in an environment using proxy servers?
Yes. DAT Reputation works if the endpoint can communicate on port 443 using SSL over TCP. DAT Reputation supports the following proxy servers:
Basic proxy
NTLM
LDAP
Proxy without authentication (Transparent Proxy)
NOTE: Kerberos authentication isn't currently supported.
What type of data is collected when checking the DAT Reputation?
The DAT version number and DAT type (V2, V3, or MED) are securely transmitted to verify the reputation of the DAT file. No additional information about the endpoint is uploaded.
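The decision flow this section describes (the DAT Reputation call-back before an update, the per-endpoint cloud call even when the package comes from a local ePO repository, the fail-open behaviour when the GTI Cloud is unreachable, and the minimal data sent), as an added example that is not Trellix's code. The cloud lookup is a constructed stand-in table, the package version numbers are invented, and the function and parameter names are assumptions.

```python
from enum import Enum
from typing import Dict, Tuple

DAT_TYPES = ("V2", "V3", "MED")


class Reputation(Enum):
    ALLOWED = "allowed"
    BLOCKED = "blocked"
    UNREACHABLE = "unreachable"  # no answer from the cloud


# Constructed stand-in for the GTI Cloud's view of released packages. The version
# number is invented; a package absent from the table simply has not been tagged.
CONSTRUCTED_CLOUD_TAGS: Dict[Tuple[str, int], str] = {
    ("V3", 4722): "blocked",   # a package later found to cause problems
}


def build_query(dat_type: str, dat_version: int) -> Dict[str, object]:
    """Only the DAT type and version number leave the endpoint; nothing else is attached."""
    if dat_type not in DAT_TYPES:
        raise ValueError(f"unknown DAT type {dat_type!r}")
    return {"dat_type": dat_type, "dat_version": dat_version}


def query_cloud(query: Dict[str, object], reachable: bool = True) -> Reputation:
    """Simulated reputation lookup; reachable=False models a closed or proxied-off network."""
    if not reachable:
        return Reputation.UNREACHABLE
    key = (str(query["dat_type"]), int(query["dat_version"]))
    return Reputation(CONSTRUCTED_CLOUD_TAGS.get(key, "allowed"))


def should_install(dat_type: str, dat_version: int, reachable: bool = True,
                   reputation_enabled: bool = True,
                   source: str = "update site") -> Tuple[bool, str]:
    """Decide whether an endpoint installs a downloaded DAT package.

    The source parameter is deliberately unused: per the article, an endpoint
    makes its own cloud call even when the package came from a local ePO
    repository, because a problematic DAT may already sit in that repository.
    """
    if not reputation_enabled:
        # Policy has disabled the check (closed networks); a bad DAT would install.
        return True, "DAT Reputation disabled by policy; no check performed"
    reputation = query_cloud(build_query(dat_type, dat_version), reachable)
    if reputation is Reputation.BLOCKED:
        return False, "package is tagged Blocked in the GTI Cloud"
    if reputation is Reputation.UNREACHABLE:
        # Connectivity failure never blocks an update (fail-open).
        return True, "GTI Cloud unreachable; update proceeds (fail-open)"
    return True, "reputation check passed"
```

The two cases worth noticing are the last two branches: an unreachable cloud and a disabled check both let a package through, which is why the article pairs disabling DAT Reputation with an administrator being ready to stop update tasks by hand.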
What type of data is collected during the endpoint safety pulse health check?
The only data collected are the results of a few tests being run on the endpoint following a DAT download. These results contain data such as the following:
Whether a test passes or fails.
Metadata about the endpoint. For example, the operating system name and version, the DAT and engine versions, and what product versions are installed.
IMPORTANT: No personally identifiable information is collected or transmitted.
Why is this data collected?
This data helps us determine whether the recently downloaded DAT behaves as expected. It also provides value to the security of your endpoint.
How frequently does the health check component run on an endpoint?
The health check component runs between 6–8 times per day.
What size are the data packets sent for the DAT Reputation check and health check data?
About 200 bytes of data is sent for a reputation check. Also, between 1–2 kilobytes of data is transferred per instance of health check data.
How is the health check data encrypted and transferred?
The data is encrypted using SSL and transferred using SSL over TCP, which uses port 443.
How is the health check data stored?
The data is stored and secured on our back-end databases.
Which domain does DAT Reputation connect to?
It connects to datreputation.gti.mcafee.com and datreputation.mcafee.com.
Do endpoints that can't connect to the internet try to use DAT Reputation?
You can configure endpoints on closed or limited networks to disable the DAT Reputation check and endpoint safety pulse. But, in the unlikely case of a bad DAT update, these computers must have their update tasks disabled by an administrator. An ePO extension is provided for policy management and reporting. Customers with unmanaged endpoints can contact Technical Support for more information about how to configure DAT Reputation settings. For details, see the "Related Information" section below.
NOTE: We don't recommend that you disable DAT Reputation unless needed.
Who can I contact if I have more questions or ideas for a future release of DAT Reputation?
Contact your Technical Support representative. For details, see the "Related Information" section below.
What's an XDAT?
XDAT is an application that you can double-click to start from Windows. It shuts down any active antivirus scans, services, and other memory-resident software components that might interfere with your updates. It then copies the new files to the needed location and enables your antivirus software to use the update immediately. XDAT files contain virus definitions without the Scan Engine.
How do I recognize an XDAT file?
The file has a name in the format nnnnXDAT.EXE, where nnnn is the DAT version number. The regular XDAT file includes the DAT files plus an executable that installs the files. We don't support running an XDAT with non-Administrative permissions. For more information about XDAT files, see the readme.txt file.
What's an Extra.DAT file?
An Extra.DAT file is a temporary definition file in response to malware that isn't yet covered in the regular DAT files. The Extra.DAT file provides emergency coverage until detection for the new malware is added to the regular DAT files. You must apply an Extra.DAT file to the infected system and any systems that can potentially be compromised.
What's a custom DAT package?
A custom DAT package is a temporary detection file created by Labs. It contains the full production DATs plus additional detections, including cleaning for a new threat that's too complex to be addressed in an Extra.DAT. For more information, see KB76657 - How to use custom DATs.
Is an Extra.DAT file still available when emergency releases happen?
Yes. Extra.DAT files are still available from Trellix Labs. They're made available for download for threats that reach a medium-risk assessment or higher. Also, you still receive an Extra.DAT file for any new samples submitted to Trellix Labs.
How safe are Extra.DAT files?
Extra.DAT files are released after limited testing and are provided to address only a specific threat. When you have to deploy an Extra.DAT file to more than a few nodes, we recommend that you test the Extra.DAT on a subset of these nodes before you deploy to all systems. After you verify that there's no problem with the Extra.DAT file, you can deploy it to the remaining nodes.
How long can I use my Extra.DAT file?
The standard expiration for an Extra.DAT file is 30 days, but the expiration varies. Detection in an Extra.DAT file automatically expires when the date embedded in the regular DAT files is the same as or later than the expiration date of the detection in the Extra.DAT file.
How many Extra.DAT files can I use?
You can have only one Extra.DAT file active on a computer at any time. You can combine multiple Extra.DAT files to provide protection for multiple new threats. For instructions, see KB68061 - How to combine multiple Extra.DAT files.
How does an Extra.DAT file relate to the DAT file?
Detection in an Extra.DAT file takes precedence over detection in the standard DAT files. If the remediation method of an Extra.DAT file differs from the method of the standard DAT file, the method specified by the Extra.DAT file is used.
Why are Extra.DAT files removed from a system, and what determines when an Extra.DAT file is removed?
The removal of an expired Extra.DAT file is determined by comparing the expiration date of the detection in the Extra.DAT file to the date embedded in the applied DATs. The Extra.DAT file is removed when the Scan Engine loads the DAT. If the embedded date of the DATs is equal to or greater than the expiration date of the detection in the Extra.DAT file, the Scan Engine sees the detection in the Extra.DAT file as expired.
Example: On May 11, 2020, you run a DAT from May 8, 2020, and your Extra.DAT file expires on May 9, 2020. The Scan Engine continues to use the Extra.DAT file until the DATs are updated to the DAT from May 9, 2020, even though the date is May 11, 2020.
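The expiry comparison above, the precedence rule for Extra.DAT detections, and the earlier advice to judge endpoint compliance by DAT time stamp rather than version number, worked through in one added example that is not Trellix's code. The function names, the remediation-method strings and the compliance rule's parameters are assumptions; the dates are the article's own May 2020 example.

```python
from datetime import date, timedelta

DEFAULT_EXTRA_DAT_LIFETIME_DAYS = 30  # the article's standard expiration; it varies


def default_extra_dat_expiry(issued: date) -> date:
    """Expiration date of an Extra.DAT issued on the given day, using the 30-day standard."""
    return issued + timedelta(days=DEFAULT_EXTRA_DAT_LIFETIME_DAYS)


def extra_dat_expired(dat_embedded_date: date, extra_dat_expiry: date) -> bool:
    """An Extra.DAT detection is expired once the applied DAT's embedded date is
    the same as or later than the detection's expiration date. The system
    clock plays no part, which is why a stale DAT keeps the Extra.DAT alive."""
    return dat_embedded_date >= extra_dat_expiry


def effective_remediation(dat_embedded_date: date, extra_dat_expiry: date,
                          extra_dat_method: str, standard_method: str) -> str:
    """Detection in an active Extra.DAT takes precedence over the standard DAT,
    including its remediation method; once expired, the standard method applies."""
    if extra_dat_expired(dat_embedded_date, extra_dat_expiry):
        return standard_method
    return extra_dat_method


def dat_compliant(dat_timestamp: date, today: date, max_age_days: int) -> bool:
    """Endpoint-compliance rule based on DAT age rather than DAT version number.

    V2 and V3 content carry unrelated version numbers, so "within x versions"
    cannot be evaluated across the two streams; the release time stamp is
    comparable for both and is what the article recommends checking.
    """
    return (today - dat_timestamp).days <= max_age_days
```

Running the article's example: on May 11, 2020 with a May 8 DAT applied, an Extra.DAT expiring May 9 is still active and its remediation wins; it expires only when the May 9 (or later) DAT is loaded.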
What's the difference between the CommonUpdater and CommonUpdater2 sites?
The CommonUpdater2 download site doesn't have a copy of the DAT files in its root folder.
What are the benefits of the CommonUpdater2 download site?
If you have no products installed that look for DAT content in the root directory of the site, you can select the CommonUpdater2 site. This site offers bandwidth benefits because fewer files need to be replicated.