
How to submit samples to McAfee Labs for suspected malware detection failure (Virus not found) or Clean failure for detected malware
Technical Articles ID:  KB68030
Last Modified:  10/1/2015


McAfee DAT files
McAfee Labs
Multiple McAfee products


This article describes how to submit suspected malware samples to McAfee Labs.

McAfee Labs can receive suspected malware samples for review and potential inclusion into the daily DAT file releases or GTI File Reputation for future detection.

There are two primary methods to submit samples for review:

  • ServicePortal: Using your Grant Number, you can log in to the ServicePortal and submit samples to McAfee Labs.
  • Email: Samples can be attached to an email and sent to virus_research@avertlabs.com.



If you have located a file that you believe is infected, but was not detected by your anti-virus software, or that was detected but was not cleaned, you can submit the sample to McAfee Labs for evaluation.

Submission requirements
Follow these requirements exactly; failing to do so will cause a submission or sample processing failure. Submissions or samples that have failed as a result of not following the requirements will be closed without further processing.
  • Sample must be in a password-protected .zip file. 7-Zip, RAR, and other formats will not be processed.
  • The .zip file should be a single level. In other words, no .zip files within the .zip file (with or without password protection), and no folder structures more than one level deep. This can cause samples to not be processed.
  • The file extension of the password-protected .zip file must be .zip. Any other extension, or the lack of an extension, will cause the sample to not be processed.
  • When creating the .zip file, do not use AES or other types of encryption available from the program; just use a password for protection.
  • The password must be "infected". Any other password will cause the sample to not be processed.
  • There can be no more than 30 files contained within the zip file. More files will cause the sample to not be processed. If you have more than 30 files, spread them across multiple submissions.
  • The .zip file can be no larger than 10 MB. Larger .zip files will cause the sample to not be processed.
Samples that fail to adhere to these requirements will be discarded and you will not receive any notification to that effect.
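
Because non-conforming submissions are discarded without notification, it is worth checking an archive locally before sending it. The following pre-submission check is an added example, not a McAfee tool; the function name check_submission, the reading of "one level deep" as at most one folder in an entry's path, and the detection of nested archives by file name are assumptions made for illustration.

```python
import os
import zipfile
import zlib

MAX_BYTES = 10 * 1024 * 1024   # the .zip can be no larger than 10 MB
MAX_FILES = 30                 # no more than 30 files per archive
PASSWORD = b"infected"         # the only password that is accepted
AES_METHOD = 99                # ZIP method id that marks a WinZip AES entry


def check_submission(path):
    """Return a list of requirement violations for the archive (empty list = OK)."""
    problems = []
    if not path.lower().endswith(".zip"):
        problems.append("extension is not .zip")
    if os.path.getsize(path) > MAX_BYTES:
        problems.append("archive is larger than 10 MB")
    if not zipfile.is_zipfile(path):
        return problems + ["not a ZIP archive (7-Zip, RAR, etc. are not processed)"]
    with zipfile.ZipFile(path) as zf:
        files = [i for i in zf.infolist() if not i.is_dir()]
        if len(files) > MAX_FILES:
            problems.append(f"{len(files)} files in archive, limit is {MAX_FILES}")
        for info in files:
            name = info.filename
            if name.lower().endswith(".zip"):
                problems.append(f"nested .zip: {name}")
            # Assumption: "folder/file" is acceptable, "a/b/file" is too deep.
            if name.strip("/").count("/") > 1:
                problems.append(f"folder structure deeper than one level: {name}")
            if info.compress_type == AES_METHOD:
                problems.append(f"AES-encrypted entry: {name}")
            elif not info.flag_bits & 0x1:
                problems.append(f"entry is not password protected: {name}")
            else:
                try:  # decrypt with plain ZIP password protection and verify the CRC
                    with zf.open(info, pwd=PASSWORD) as fh:
                        while fh.read(1 << 20):
                            pass
                except (RuntimeError, zipfile.BadZipFile, zlib.error):
                    problems.append(f"cannot be opened with password 'infected': {name}")
    return problems
```

Run it on the archive in an isolated analysis environment; the check reads entries into memory only and never writes the sample to disk.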

For more information on creating a .zip file:

NOTE: When submitting samples and opening a case, customers are advised to attach a VSE MER from the infected system, so that Access Protection (AP), On-Access (OA), and On-Demand (OD) settings and logs can be checked. For how to use the MER tool with supported McAfee products, see KB59385.

What not to submit
Submitting additional files other than the suspected file as it resides on the system can and will cause delays in processing, or even cause the submission to fail by increasing the total number of files or size over the permitted thresholds. The following list contains some examples of what not to send:
  • Log files from scans, such as On-Demand or On-Access Log files.
  • Screenshots.
  • .eml/.msg files. Only the files attached to the emails should be submitted, not the email itself.
  • Reports created by forensics tools.
  • String dumps.
  • Network traffic dumps.
Only the suspicious files should be submitted.

What to expect after uploading your sample
You will receive no further notifications until the sample has been analyzed.

If an Extra.DAT relating to your sample is posted to the ServicePortal, you will be informed of its availability in an email. Check your Service Request on the ServicePortal to download the Extra.DAT file. You will not receive any Extra.DAT files via email or otherwise.
  • To manually check in and deploy an Extra.DAT through ePolicy Orchestrator, see KB67602.
  • For instructions to apply an Extra.DAT locally for VirusScan Enterprise 8.x and later, see KB50642.
  • For instructions to apply an extra.DAT to Security for Microsoft Exchange, see KB76201.
  • For instructions to apply an extra.DAT to Security for SaaS Endpoint Protection, see KB51459.
  • For instructions to combine one or more extra.DAT, see KB68061.

Submit samples to McAfee Labs with GetSusp
GetSusp is a free tool that can assist in finding suspicious samples on a system. GetSusp has its own built-in submission capabilities that should be utilized to submit packages created by GetSusp.

To review the FAQs for GetSusp, see KB69385.

To download GetSusp, go to http://www.mcafee.com/us/downloads/free-tools/getsusp.aspx.
