How to submit samples to McAfee Labs for suspected malware detection failure (Virus not found) or Clean failure

Technical Articles ID: KB68030
Last Modified: 12/3/2019

Environment

McAfee DAT files
McAfee Labs
Multiple McAfee products

NOTE: This article applies only to McAfee business and enterprise products. If you need information or support for McAfee consumer or small business products, visit https://service.mcafee.com.

Summary

Use the instructions in this article if:

You have a file that you think is infected, but was not detected with your McAfee antivirus software.
Or
The file detected but was not cleaned.

Then, submit the sample to McAfee Labs. McAfee Labs reviews samples for potential inclusion into the daily DAT file releases or Global Threat Intelligence (GTI) File Reputation.

Contents
Click to expand the section you want to view:

Issue types and submission methods

Minimum data collection requirements are needed to process a sample. The following applies when engaging with Technical Support or McAfee Labs for:

Detection failures
Clean failures
False positives for Endpoint Security and VirusScan Enterprise.

NOTE: For more information, see KB91459.

Follow the sample submission method below based on the issue type:

Clean failure: If a malware detection occurred and the action is "Clean Failed", take the following action:
- Email the sample to virus_research@avertlabs.com
- Immediately open a Malware-related Service Request using the ServicePortal at https://support.mcafee.com or by contacting Technical Support.
Virus Information Library (VIL) request (with sample): If you have a malware sample and require details about its behavior, take the following action:
- Email the sample to virus_research@avertlabs.com
- Immediately open a Malware-related Service Request using the ServicePortal at https://support.mcafee.com or by contacting Technical Support.
Detection failure: If you have a file that is not detected, submit the sample using one of the options in this article.

Submit samples through the ServicePortal

The preferred method for submission is the ServicePortal.

Log on to the ServicePortal at https://support.mcafee.com using your Grant Number.
Click the Service Requests tab.
Click the Submit a Sample tab.
Complete the submission details. Make sure that you select the appropriate Issue Type for your submission: Malware.
Upload the samples.
Click Submit. A Sample Submission Service Request is created on the ServicePortal, which you can use to track progress. This system is automated and no support agents are assigned to submissions. The Service Request number is provided only for tracking purposes and is not monitored. If immediate assistance is needed, you must open a Service Request with Technical Support.

Submit samples through email submissions

To submit a sample using email, send it to McAfee Labs Virus Research at: virus_research@avertlabs.com.

NOTE: If you submit a file for a missed detection and automation is unable to add coverage for the detection, open a Service Request to have a McAfee Labs engineer review the sample.

Prefix the email subject line with the word Detection Failure. For example:

Detection Failure: Malware not detected by VSE

Example of information to provide:

Review the submitted file as we think this detection is a missed detection.

Product: VirusScan Enterprise 8.8
DAT version: 8125
Engine: 5800
Description of issue: This application encrypts all files on the affected systems.

NOTE: Failure to supply all information requested above could result in delays with the analysis.

Submit samples through Technical Support

Use this method only if you have:

A critical issue with malware not being detected
Or
If automation is not able to add detection for a submitted sample.

Log on to the ServicePortal at https://support.mcafee.com using your Grant Number.
Click the Service Requests tab.
Click the Create a Service Request tab.
Select the Issue Type Malware.
Complete the submission details.
Upload the samples.
Click Submit. The sample is associated with the Service Request. You can now work with Technical Support.

Other methods to submit samples for review

Web Gateway: If you are using Web Gateway, follow the product-specific instructions in KB62662 to collect and submit samples.
Advanced Threat Defense: If you are using Advanced Threat Defense, follow the product-specific instructions in KB83659 to collect and submit samples.
GetSusp: GetSusp is a free tool that helps you find and log undetected malware. GetSusp has built-in submission capabilities that allow you to automatically submit samples to McAfee Labs.

To review the FAQs for GetSusp, see KB69385
To download GetSusp, go to: http://www.mcafee.com/us/downloads/free-tools/getsusp.aspx
FTP: Submissions through FTP are accepted only if:
- The samples exceed the limits for the ServicePortal
  Or
- There is a technical issue with the ServicePortal or email submission.

In the above cases, follow the instructions in KB87703 to submit the samples through FTP.

Submission requirements

It is important that this information is followed because not doing so, causes a submission or sample processing failure.
Failed sample submissions that did not adhere to these requirements, is discarded without further processing. You are not sent any notification to that effect.

Requirements:

The sample must be in a password-protected .zip file. RAR and other formats are not be processed.
NOTES: Support for .7z file formats are:
- Supported when submitting samples to virus_research@avertlabs.com
- Not supported when submitted via the McAfee ServicePortal
The .zip file must be a single level. Do not include .zip files within the .zip file, with or without password protection, and do not include folder structures that are more than one level deep. These actions can cause samples to not be processed.
The file extension of the password-protected .zip file must be .zip. Any other extensions, or lack of an extension, causes the sample to not be processed.
When creating the .zip file, do not use AES or other types of encryption available from the program; use only a password for protection.
You must use the word infected as the password for the .zip file. Any other password causes the sample to not be processed.
Do not include more than 100 files within the .zip file. More than 100 files causes the sample to not be processed. If you have more than 100 files, spread them across multiple submissions.
The .zip file can be no larger than 50 MB. Larger .zip files cause the sample to not be processed.

For more information about creating a .zip file:

Using WinZip: http://kb.winzip.com/kb/entry/78/
Using Windows file compression: http://support.microsoft.com/kb/306531

What not to submit

Do not submit more files other than the suspected file as it resides on the system. Doing so, can cause delays in processing. It might also cause the submission to fail by increasing the total number of files or size over the permitted thresholds. The following list contains some examples of what not to send:

Log files from scans, such as On-Demand or On-Access Log files
Screenshots
.eml or .msg files (submit only the files that are attached to the emails, not the email itself)
Reports created by forensics tools
String dumps
Network traffic dumps

Submit only the suspicious files.

What to expect after submitting your sample

You receive no further notifications until the sample has been analyzed. Track progress in the Service Request that you created on the ServicePortal.
If an Extra.DAT relating to your sample is posted to the ServicePortal, you are informed of its availability in an email. To download the Extra.DAT file, view your service request on the ServicePortal. You do not receive any Extra.DAT files through email.

To manually check in and deploy an Extra.DAT through ePolicy Orchestrator, see KB67602.
For instructions on how to apply an Extra.DAT locally for Endpoint Security, see the "Load an Extra.DAT file" section of the Endpoint Security Product Guide. To view all guides, see https://docs.mcafee.com/bundle?value=357
For instructions on how to apply an Extra.DAT locally for VirusScan Enterprise, see KB50642.
For instructions on how to apply an Extra.DAT to Security for Microsoft Exchange, see KB76201.
For instructions on how to combine one or more Extra.DAT files, see KB68061.

Related Information

Affected Products

Threat Prevention and Removal

Languages:

This article is available in the following languages:

German
English United States
Spanish Spain
French
Italian
Japanese
Korean
Dutch
Portuguese Brasileiro
Chinese Simplified
Chinese Traditional

Glossary of Technical Terms

Highlight Glossary Terms

Please take a moment to browse our Glossary of Technical Terms.

Knowledge Center

Environment

Summary

Related Information

Affected Products

Languages:

Glossary of Technical Terms

Title

Title

Featured Solutions

Explore Our Portfolio

Security Outcomes

Industries

Products

Featured Solutions

Explore Our Portfolio

MVISION Products

Services & Training

Threat Research

Our Researchers

Threat Landscape Dashboard

Tools

Contact Us

Resources

Downloads

Product Help

Connect with Us

Explore

Our Company

Our Efforts

Other Resources

Careers

Partnerships

Knowledge Center

Environment

Summary

Related Information

Affected Products

Languages:

Glossary of Technical Terms

Choose your region

Title

Title