Loading...

Knowledge Center

How to submit Web Gateway virus and anti-malware samples for analysis
Technical Articles ID:   KB62662
Last Modified:  5/21/2019
Rated:

Environment

McAfee Web Gateway (MWG) 8.x, 7.x

Summary

To better support you as a Web Gateway customer, McAfee has improved the processing of your virus and anti-malware submissions.
 
Obtaining a sample
To accurately diagnose a suspected false detection, you must collect samples from within your environment. Use the instructions in the Virus To File.pdf, which is attached to this article, to obtain, compress, and encrypt the sample directly from the MWG appliance.

Submitting the sample
Use the MWG virus detection block page to determine where to submit the sample:
  • VirusName: McAfeeGW or if empty: Follow the McAfee Gateway Anti-Malware (GAM) submission steps below.
  • VirusName: McAfee: Follow the McAfee AV submission steps below.  
  • VirusName: Avira: Follow the Avira submission steps below.  
For GAM versions v2015 and later, engine information is no longer provided by the API. This version is implemented in MWG 7.6.x and later.
IMPORTANT: For all submission processes, you must send the sample as a compressed and encrypted .zip file, using the word infected (lowercase, without quotes) as the encryption password.

McAfee Gateway Anti-Malware (GAM)
Submit the sample in a Service Request:

After you have collected and encrypted the sample using the Virus To File.pdf file, open a Service Request with Technical Support to submit the sample:
 https://support.mcafee.com/ServicePortal/faces/serviceRequests/createSR.

NOTE: Ensure that you select Product (not Malware) as the source of your problem, and select Web Gateway in the Product field.

With the sample, provide:
  • MWG version
  • GAM Engine version: You can find the version in the MWG user interface (UI) at DashboardGateway Engine.
  • Gateway DAT version: You can find the version in the MWG UI at DashboardGateway DATs.
  • Found_viruses.log: You can find this log in the MWG UI at TroubleshootingLog FilesUser-defined-logsFound_viruses.log. Ensure that Body.FullFilename is being logged, and provide the found_viruses.log that encompasses the time frame of the problem.
  • Sample URL that led to the detection.
  • The detection name of the potential false positive from your block page.
 
McAfee AV
Perform the GetSusp submission steps in KB68030 to submit suspected false positive detections for analysis.

Avira
Use the Avira submission website: https://analysis.avira.com/en/submit. After you submit a sample to Avira, you will receive an automated notification email to confirm the submission status and associated Avira tracking number. You will receive a final notification with the resolution within two days.

NOTES: 
  • If the Avira sample is larger than 50 MB, open a Service Request with MWG Technical Support to submit the sample. You can submit an SR from the ServicePortal at https://support.mcafee.com.
  • If you do not receive a timely response after you submit the samples, or if you disagree with the analysis provided by Avira, open a Service Request with MWG Technical Support. Include the Avira tracking number.  

Related Information

Alternative sample collection steps:
  1. Connect to your MWG Appliance using SSH as root.
  2. From the command line, use the wget command to download the file or URL sample. You can obtain the file or URL address on the MWG virus detection block page. If a file name is not specified on the block page, download a sample using the detected URL.

    Example wget command: 
    • File: wget www.domain.com/infected.aspx
    • URL: wget www.domain.com 
       
  3. Use the zip command to place the sample in a compressed and encrypted ZIP file, using the word infected (lowercase, without quotes) as the encryption password. 

    Example zip command:
    • File: zip -e sample.zip infected.aspx
    • URL: zip -e sample.zip index.html
       
  4. Transfer the file off the appliance using SCP or FTP.
If you want to open an SR with Technical Support to submit your sample:

To contact Technical Support, log on to the ServicePortal and go to the Create a Service Request page at https://support.mcafee.com/ServicePortal/faces/serviceRequests/createSR:
  • If you are a registered user, type your User Id and Password, and then click Log In.
  • If you are not a registered user, click Register and complete the required fields. Your password and logon instructions will be emailed to you.

Attachment

Virus To File.pdf
754K • < 1 minute @ broadband


Previous Document ID

3049

Rate this document

Affected Products

Web Gateway 7.8
Web Gateway 7.7

Beta Translate with

Select a desired language below to translate this page.

Glossary of Technical Terms


 Highlight Glossary Terms

Please take a moment to browse our Glossary of Technical Terms.