We’re dedicated to providing the most effective and up-to-date detection and protection against new and existing threats. Over the past several years, there has been dramatic advancement beyond "traditional" signature-based detection. Now, there are more agile and comprehensive cloud-based mechanisms for detection of both "zero-day" and existing threats. Examples of these cloud-connected technologies are Global Threat Intelligence (GTI) and our machine learning capabilities that Real Protect (RP) provides in Endpoint Security Adaptive Threat Protection (ENS ATP).

These capabilities can reduce, or even eliminate, the time and manual effort needed to obtain and deploy Extra.DATs. As such, starting on April 1, 2021, we began making adjustments to reduce the number of Extra.DATs provided where cloud coverage is already in place.
 
We also no longer provide redundant Extra.DAT coverage in response to inquiries regarding Coverage and Information Requests for Hash or Indicators of Compromise (IOC), where cloud-based coverage is available.
 
We acknowledge that there might be legitimate scenarios or environmental factors where an Extra.DAT might be needed. These situations will be considered and an Extra.DAT will continue to be provided, where appropriate. 

If you see IOCs in public threat advisories and blogs published by threat research groups and other security vendors, you don’t need to create a Service Request for those IOCs. Our Advanced Threat Research Center constantly monitors new threat advisories and blogs. They proactively analyze available files to verify coverage for emerging IOCs. They make coverage updates to the cloud in real time, and to the daily DATs in cases where cloud coverage might not be applicable.

For additional information regarding current Threat Intelligence, see Trellix Insights and make sure to keep up to date with our Trellix Stories site.

Additional Information and Resources
To make sure that your environment has the best protection available, we highly recommend that you deploy all available technologies and use them to their fullest potential. To help with this configuration, we’ve created some resources. They can help you make sure that these cloud services are accessible and working as intended.

• "Adaptive Threat Protection" and "About Extra.DAT files" sections of the Endpoint Security 10.7.0 Product Guide - Windows
• KB91836 - Countermeasures for entry vector threats
• YouTube video: Adaptive Threat Protection Best Practices
• KB87843 - Dynamic Application Containment rules and best practices
• KB53733 - Verify that GTI File Reputation is installed and endpoints can communicate with the GTI server
• KB88828 - Test files to test Real Protect scanning and Credential Theft Protection

FAQs

Why is this change happening?
With the rapid changes in the active threat landscape, speed is more important than ever. As threats become more complex, it’s necessary to take advantage of real-time cloud technologies and proactive measures to stay ahead of the curve. These capabilities can reduce, or even eliminate, the time and manual effort needed to produce, obtain, and deploy Extra.DATs. Making sure that environments are protected by the most up-to-date protection and detection technologies reduces risk. Elimination of redundant efforts allows for that time to be spent elsewhere.

Can I obtain an Extra.DAT if I have a list of hashes I want information about?
If there’s no business impact, an Extra.DAT is usually not provided if cloud coverage already exists. Cloud coverage negates the need for an Extra.DAT. 
 
When will an Extra.DAT be provided for hash list coverage/Information Requests?
Extra.DATs might still be provided in these scenarios, on a situational basis, where applicable. GTI or RP cloud detections are an example of where it wouldn’t be needed to provide an Extra.DAT. The reason is that these detections aren’t content-based and can be updated in real time in the cloud.

What if my environment doesn’t allow Real Protect/GTI or I have systems with no internet connectivity​?
Extra.DATs would still be provided in these scenarios, where applicable.

Will Extra.DATs still be provided for false positives and detection failures? 
Extra.DATs would still be provided in these scenarios, where applicable. GTI or RP cloud detections are an example of where it wouldn’t be needed to provide an Extra.DAT. The reason is that these detections aren’t content-based and can be updated in real time in the cloud.

What if my business is impacted?
If there’s a business impact, we’ll provide an Extra.DAT on a case by case basis, where deemed appropriate. For example, when a threat is introduced into an environment and cleaning is needed.
 
How can I get more information about ATP and its components? 
You can find more information in the "Additional Information and Resources" section above.