How to submit Web Gateway virus and antimalware samples for analysis

Technical Articles ID: KB62662
Last Modified: 6/4/2020

Environment

McAfee Web Gateway (MWG)

Summary

To better support you as a Web Gateway customer, McAfee has improved the processing of your virus and antimalware submissions.

Obtaining a sample
To accurately diagnose a suspected false detection, you must collect samples from within your environment. Use the instructions in the Virus To File.pdf, which is attached to this article, to obtain, compress, and encrypt the sample directly from the MWG appliance.

Submitting the sample
Use the MWG virus detection block page to determine where to submit the sample:

VirusName: McAfeeGW or if empty: Follow the McAfee Gateway antimalware (GAM) submission steps below.
VirusName: McAfee: Follow the McAfee AV submission steps below.
VirusName: Avira: Follow the Avira submission steps below.

For GAM versions v2015 and later, engine information is no longer provided by the API. This version is implemented in MWG 7.6.x and later.

IMPORTANT: For all submission processes, you must send the sample as a compressed and encrypted .zip file, using the word infected (lowercase, without quotes) as the encryption password.

McAfee Gateway Anti-Malware (GAM)

Submit the sample in a Service Request:

After you have collected and encrypted the sample using the Virus To File.pdf file, open a Service Request with Technical Support to submit the sample:
https://support.mcafee.com/ServicePortal/faces/serviceRequests/createSR.

NOTE: Make sure that you select Product as the source of your problem, and select Web Gateway in the Product field. (Do not select Malware as the source of your problem.)

With the sample, provide:

MWG version
GAM Engine version: You can find the version in the MWG user interface (UI) at Dashboard, Gateway Engine.
Gateway DAT version: You can find the version in the MWG UI at Dashboard, Gateway DATs.
Found_viruses.log: You can find this log on to the MWG UI at Troubleshooting, Log Files, User-defined-logs, Found_viruses.log. Make sure that Body.FullFilename is being logged, and provide the found_viruses.log that encompasses the time frame of the problem.
Sample URL that led to the detection.
The detection name of the potential false positive from your block page.

McAfee AV
To submit suspected false positive detections for analysis, perform the GetSusp submission steps in KB68030.

Avira
Use the Avira submission website: https://analysis.avira.com/en/submit. After you submit a sample to Avira, you will receive an automated notification email to confirm the submission status and associated Avira tracking number. You receive a final notification with the resolution within two days.

NOTES:

If the Avira sample is larger than 50 MB, open a Service Request with MWG Technical Support to submit the sample. You can submit an SR from the ServicePortal at https://support.mcafee.com.
If you do not receive a timely response after you submit the samples, or if you disagree with the analysis provided by Avira, open a Service Request with MWG Technical Support. Include the Avira tracking number.

Related Information

Alternative sample collection steps:

Connect to your MWG Appliance using SSH as root.
From the command line, use the wget command to download the file or URL sample. You can obtain the file or URL address on the MWG virus detection block page. If a file name is not specified on the block page, download a sample using the detected URL.

Example wget command:
- File: wget www.domain.com/infected.aspx
- URL: wget www.domain.com
Use the zip command to place the sample in a compressed and encrypted ZIP file, using the word infected (lowercase, without quotes) as the encryption password.

Example zip command:
- File: zip -e sample.zip infected.aspx
- URL: zip -e sample.zip index.html
Transfer the file off the appliance using SCP or FTP.

If you want to open an SR with Technical Support to submit your sample:

To contact Technical Support, log on to the ServicePortal and go to the Create a Service Request page at https://support.mcafee.com/ServicePortal/faces/serviceRequests/createSR:

If you are a registered user, type your User Id and Password, and then click Log In.
If you are not a registered user, click Register and complete the required fields. Your password and logon instructions will be emailed to you.

Attachment

Virus To File.pdf
754K • < 1 minute @ broadband

Previous Document ID

3049

Affected Products

Best Practices
Diagnostic Data Collection
Threat Prevention and Removal
Web Gateway 9.2.x
Web Gateway 9.1.x
Web Gateway 9.0.x
Web Gateway 8.2.x
Web Gateway 8.1.x
Web Gateway 8.0.x
Web Gateway 7.8

Languages:

This article is available in the following languages:

German
English United States
Spanish Spain
French
Italian
Japanese
Portuguese Brasileiro
Chinese Simplified

Glossary of Technical Terms

Highlight Glossary Terms

Please take a moment to browse our Glossary of Technical Terms.

How to submit Web Gateway virus and antimalware samples for analysis

Environment

Summary

Related Information

Attachment

Previous Document ID

Affected Products

Languages:

Glossary of Technical Terms

Title

Title

Featured Solutions:Draft for New Nav

Explore Our Portfolio

Security Outcomes

Industries

Products

Featured Solutions

Explore Our Portfolio

MVISION Products

Services & Training

Threat Research

Our Researchers

Threat Landscape Dashboard

Tools

Contact Us

Resources

Downloads

Product Help

Connect with Us

Explore

Our Company

Our Efforts

Other Resources

Careers

Partnerships

How to submit Web Gateway virus and antimalware samples for analysis

Environment

Summary

Related Information

Attachment

Previous Document ID

Affected Products

Languages:

Glossary of Technical Terms

Choose your region

Title

Title