How to submit Web Gateway virus and anti-malware samples for analysis
Technical Articles ID: KB62662
Last Modified: 5/11/2018


Environment

McAfee Web Gateway (MWG) 7.x

Summary

To better support you as a Web Gateway customer, McAfee has improved the processing of your virus and anti-malware submissions.
 
Obtaining a sample
To accurately diagnose a suspected false detection, you must collect samples from within your environment. Use the instructions in the Virus To File.pdf, which is attached to this article, to obtain, compress, and encrypt the sample directly from the MWG appliance.

Submitting the sample
Use the MWG virus detection block page to determine where to submit the sample:
  • VirusName: McAfeeGW, or VirusName is empty: follow the McAfee Gateway Anti-Malware (GAM) submission steps below.
  • VirusName: McAfee: follow the McAfee AV submission steps below.
  • VirusName: Avira: follow the Avira submission steps below.
For GAM versions v2015 and later, engine information is no longer provided by the API. This version is implemented in MWG 7.6.x and later.
IMPORTANT: For all submission processes, you must send the sample as a compressed and encrypted .zip file, using the word infected (lowercase, without quotes) as the encryption password.
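
A pre-submission check for the requirement above, as an added example that is not part of the original article or of any McAfee tooling: it confirms that every file in the archive is encrypted and opens with the password infected. The function name check_submission_zip and the message wording are assumptions for illustration; Python's zipfile module can verify legacy ZIP encryption only, so AES-encrypted archives are reported as not verifiable.

```python
import io
import zipfile
import zlib

# Password this article requires for every submission archive.
SUBMISSION_PASSWORD = b"infected"


def check_submission_zip(data, password=SUBMISSION_PASSWORD):
    """Return a list of problems (empty list = ready to submit).

    `data` is the raw bytes of the .zip; decrypted content stays in memory.
    """
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a valid .zip archive"]
    problems = []
    with archive:
        entries = [i for i in archive.infolist() if not i.is_dir()]
        if not entries:
            problems.append("archive contains no files")
        for info in entries:
            # Bit 0 of the general-purpose flags marks an encrypted entry.
            if not info.flag_bits & 0x1:
                problems.append(f"{info.filename}: stored unencrypted")
                continue
            try:
                # Reading to the end also runs the CRC-32 check, which catches
                # a wrong password that slips past the one-byte header check.
                with archive.open(info, pwd=password) as member:
                    while member.read(1 << 16):
                        pass
            except NotImplementedError:
                # Raised for methods zipfile cannot decrypt (for example AES).
                problems.append(
                    f"{info.filename}: encryption method not verifiable")
            except (RuntimeError, zipfile.BadZipFile, zlib.error):
                problems.append(
                    f"{info.filename}: does not open with the expected password")
    return problems


if __name__ == "__main__":
    # Constructed sample: an archive zipped WITHOUT encryption is rejected.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("sample.bin", b"constructed placeholder bytes")
    print(check_submission_zip(buf.getvalue()))
```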

McAfee Gateway Anti-Malware (GAM)
Submit the sample in a Service Request:

After you have collected and encrypted the sample using the Virus To File.pdf file, open a Service Request with Technical Support to submit the sample: https://support.mcafee.com/ServicePortal/faces/serviceRequests/createSR.

NOTE: Ensure that you select Product (not Malware) as the source of your problem, and select Web Gateway in the Product field.

Along with the sample, provide:
  • MWG version
  • GAM Engine version: You can find this in the MWG user interface (UI) at Dashboard > Gateway Engine.
  • Gateway DAT version: You can find this in the MWG UI at Dashboard > Gateway DATs.
  • Found_viruses.log: You can find this log in the MWG UI at Troubleshooting > Log Files > User-defined-logs > Found_viruses.log. Ensure that Body.FullFilename is being logged, and provide the found_viruses.log that encompasses the time frame of the problem.
  • Sample URL that led to the detection.
  • The detection name of the potential false positive from your block page.
 
McAfee AV
Perform the GetSusp submission steps in KB68030 to submit suspected false positive detections for analysis.

Avira
Use the Avira submission website: http://analysis.avira.com/samples. After you submit a sample to Avira, you will receive an automated notification email to confirm the submission status and associated Avira tracking number. You will receive a final notification with the resolution within two days.

NOTES: 
  • If the Avira sample is larger than 50 MB, open a Service Request with MWG Technical Support to submit the sample. You can submit an SR from the ServicePortal at https://support.mcafee.com.
  • If you do not receive a timely response after you submit the samples, or if you disagree with the analysis provided by Avira, open a Service Request with MWG Technical Support, and include the Avira tracking number.

Attachment

Virus To File.pdf


Previous Document ID

3049
