How to submit Web Gateway virus and anti-malware samples (false positives or false negatives) for analysis
Technical Articles ID: KB62662
Last Modified: 11/10/2016


Environment

McAfee Web Gateway (MWG) 7.x

Summary

To better support you as a Web Gateway customer, Intel Security has improved the processing and escalation of your virus and anti-malware submissions.

Solution

Obtaining a sample
To accurately diagnose a suspected false detection, you must collect samples from within your environment. Use the instructions in the Virus To File.pdf attached to this article to obtain, compress, and encrypt the sample directly from the MWG appliance.

Submitting the sample
Use the MWG virus detection block page to determine where to submit the sample:
For GAM versions v2015 and later, engine information is no longer provided by the API. This version is implemented in MWG 7.6.X and later.
IMPORTANT: For all submission processes, you must send the sample as a compressed and encrypted ZIP file, using the word infected (lowercase, without quotes) as the encryption password.

McAfee Gateway Anti-Malware (GAM)
Submit the sample in a Service Request:

After you have collected and encrypted the sample using the instructions in Virus To File.pdf, open a Service Request (SR) with Technical Support to submit the sample. You can open a Service Request from the ServicePortal at https://support.mcafee.com. Ensure that you open the SR with the Web Gateway support team rather than the Malware team.

Along with the sample, provide:
  • MWG version
  • GAM Engine version: You can find this in the MWG user interface (UI) at Dashboard, Gateway Engine.
  • Gateway DAT version: You can find this in the MWG UI at Dashboard, Gateway DATs.
  • Found_viruses.log: You can find this log in the MWG UI at Troubleshooting, Log Files, User-defined-logs, Found_viruses.log. Ensure that Body.FullFilename is being logged, and provide the found_viruses.log that encompasses the time frame of the problem.
  • Sample URL that led to the detection.
  • The detection name of the potential false positive from your block page.
 
McAfee AV
Perform the GetSusp submission steps in KB68030 to submit suspected false positive detections for analysis.

Avira
Use the Avira submission website: http://analysis.avira.com/samples. After you submit a sample to Avira, you will receive an automated notification email to confirm the submission status and associated Avira tracking number. You will receive a final notification with the resolution within two days.

NOTES: 
  • If the Avira sample is larger than 50 MB, open a Service Request (SR) with MWG Technical Support to submit the sample. You can submit an SR from the ServicePortal at https://support.mcafee.com.
  • If you do not receive a timely response after you submit the samples, or if you disagree with the analysis provided by Avira, open an SR with MWG Technical Support to escalate the request. You must provide the Avira tracking number to escalate a request.  

Attachment

Virus To File.pdf
754K • 2 minute(s) @ 56k, < 1 minute @ broadband


Previous Document ID

3049
