Submit samples to McAfee Labs for suspected malware detection failure

Technical Articles ID: KB68030
Last Modified: 4/20/2021

Environment

McAfee DAT files
McAfee Labs
Multiple McAfee products

{CONSREDIR.EN_US}

Summary

Use the instructions in this article if:

You have a file that you think is infected, but was not detected with your McAfee antivirus software.
Or
The file detected but was not cleaned.

Submit the sample to McAfee Labs. McAfee Labs reviews samples for potential inclusion into the regular DAT file releases or Global Threat Intelligence (GTI) File Reputation.

Contents
Click to expand the section you want to view:

Issue types and submission methods

Minimum data collection requirements are needed to process a sample. The following applies when engaging with Technical Support or McAfee Labs for:

Detection failures
Clean failures
False positives for Endpoint Security and VirusScan Enterprise

For instructions, see: KB91459 - Minimum data collection requirements for detection failures, clean failures, and false positives.

Follow the sample submission method below based on the issue type:

Clean failure: If a malware detection occurred and the action is "Clean Failed", take the following action:
- Email the sample to virus_research@avertlabs.com.
- Immediately open a Malware-related Service Request using the ServicePortal at https://support.mcafee.com or by contacting Technical Support.
Virus Information Library (VIL) request (with sample): If you have a malware sample and require details about its behavior, take the following action:
- Email the sample to virus_research@avertlabs.com.
- Immediately open a Malware-related Service Request using the ServicePortal at https://support.mcafee.com or by contacting Technical Support.
Detection failure: If you have a file that is not detected, submit the sample using one of the options in this article.

Submit samples through the ServicePortal (Automated, no live support)

The preferred method for submission is the ServicePortal. Using this method does not assign a Technical Support agent to the Service Request. The Service Request number is provided only for tracking purposes and is not monitored.

Log on to the ServicePortal at https://support.mcafee.com using your Grant Number.
Click the Service Requests tab.
Click the Submit a Sample tab.
Complete the submission details. Make sure that you select the appropriate Issue Type for your submission: Detection Failure.
Upload the samples.
Click Submit. A Sample Submission Service Request is created on the ServicePortal, which you can use to track progress. This system is automated and no Technical Support agents are assigned to submissions. The Service Request number is provided only for tracking purposes and is not monitored. If immediate assistance is needed, you must open a Service Request with Technical Support.

Submit samples through email submissions

To submit a sample using email, send it to McAfee Labs Virus Research at: virus_research@avertlabs.com.

NOTE: If you submit a file for a missed detection and automation is unable to add coverage for the detection, open a Service Request to have a McAfee Labs engineer review the sample.

Prefix the email subject line with the word Detection Failure. For example:

Detection Failure: Malware not detected by VSE

Example of information to provide:

Review the submitted file as we think this detection is a missed detection.

Product: VirusScan Enterprise 8.8
DAT version: 8125
Engine: 5800
Description of issue: This application encrypts all files on the affected systems.

NOTE: Failure to supply all information requested above could result in delays with the analysis.

Submit samples through Technical Support (via ServicePortal)

Use this method only if you have:

A critical issue with malware not being detected.
Or
If automation is not able to add detection for a submitted sample.

Log on to the ServicePortal at https://support.mcafee.com using your Grant Number.
Click the Service Requests tab.
Click the Create a Service Request tab.
Select the Issue Type Malware.
Complete the submission details.
Upload the samples.
Click Submit. The sample is associated with the Service Request. You can now work with Technical Support.

Other methods to submit samples for review

Web Gateway: Collect and submit samples using the product-specific instructions in: KB62662 - How to submit Web Gateway virus and antimalware samples for analysis.
Advanced Threat Defense: Collect and submit samples using the product-specific instructions in: KB83659 - How to submit false positive or false negative virus and antimalware samples for Advanced Threat Defense.
GetSusp: GetSusp is a free tool that helps you find and log undetected malware. GetSusp has built-in submission capabilities that allow you to automatically submit samples to McAfee Labs.

See KB69385 - FAQs for GetSusp.
To download GetSusp, go to: http://www.mcafee.com/us/downloads/free-tools/getsusp.aspx.
FTP: Submissions through FTP are accepted only if:
- The samples exceed the limits for the ServicePortal.
  Or
- There is a technical issue with the ServicePortal or email submission.

In the above cases, submit the samples through FTP using: KB87703 - Guidelines for submitting malware samples to McAfee Labs through available FTP servers.

Submission requirements

It is important that this information is followed because not doing so, causes a submission or sample processing failure. Failed sample submissions that did not adhere to these requirements are discarded without further processing. You are not sent any notification to that effect.

Requirements:

The sample must be in a password-protected .zip file. RAR and other formats are not be processed.
NOTES: Support for .7z file formats are:
- Supported when submitting samples to virus_research@avertlabs.com
- Not supported when submitted via the ServicePortal
The .zip file must be a single level. Do not include .zip files within the .zip file, with or without password protection. Also, do not include folder structures that are more than one level deep. These actions can cause samples to not be processed.
The total file path length must be 125 characters or less. For example, 'sample.zip/sample.docx' would be counted as 22 characters.
The file extension of the password-protected .zip file must be .zip. Any other extensions, or lack of an extension, causes the sample to not be processed.
When creating the .zip file, do not use AES or other types of encryption available from the program; use only a password for protection.
You must use the word infected as the password for the .zip file. Any other password causes the sample to not be processed.
Do not include more than 100 files within the .zip file. More than 100 files causes the sample to not be processed. If you have more than 100 files, spread them across multiple submissions.
The .zip file can be no larger than 50 MB. Larger .zip files cause the sample to not be processed.

For more information about creating a .zip file:

Using WinZip: http://kb.winzip.com/kb/entry/78/
Using Windows file compression: http://support.microsoft.com/kb/306531

What not to submit

Do not submit more files other than the suspected file as it resides on the system. Doing so, can cause delays in processing. It might also cause the submission to fail by increasing the total number of files or size over the permitted thresholds. The following list contains some examples of what not to send:

Log files from scans, such as on-demand or on-access log files
Screenshots
.eml or .msg files (submit only the files that are attached to the emails, not the email itself)
Reports created by forensics tools
String dumps
Network traffic dumps

Submit only the suspicious files.

What to expect after submitting your sample

You receive no further notifications until the sample has been analyzed. Track progress in the Service Request that you created on the ServicePortal.

If an Extra.DAT relating to your sample is posted to the ServicePortal, you are informed of its availability in an email. To download the Extra.DAT file, view your Service Request on the ServicePortal. You do not receive any Extra.DAT files through email.

To apply an Extra.DAT file, see the following instructions:

Related Information

Affected Products

Endpoint Security Threat Prevention 10.7.x
Endpoint Security Threat Prevention 10.6.x
Threat Prevention and Removal
VirusScan Enterprise 8.8

Languages:

This article is available in the following languages:

German
English United States
Spanish Spain
French
Italian
Japanese
Portuguese Brasileiro
Chinese Simplified

Glossary of Technical Terms

Highlight Glossary Terms

Please take a moment to browse our Glossary of Technical Terms.

Knowledge Center

Submit samples to McAfee Labs for suspected malware detection failure

Environment

Summary

Related Information

Affected Products

Languages:

Glossary of Technical Terms

Title

Title

Knowledge Center

Submit samples to McAfee Labs for suspected malware detection failure

Environment

Summary

Related Information

Affected Products

Languages:

Glossary of Technical Terms

Choose your region

Title

Title