
How to submit virus samples, false positives, clean files for false prevention, and detection disputes
Technical Articles ID:  KB71637
Last Modified:  3/16/2015


Environment

McAfee DAT files
McAfee Labs
Multiple McAfee products

Summary

This article describes how to submit virus samples, false positive detections, company software or images, and detection disputes for Potentially Unwanted Programs (PUPs).

Possible reasons for submitting files, and the solution in this article that covers each:

  Solution 1  Suspected malware detection failure (virus not found) or clean failure for detected malware
  Solution 2  Suspected false positive detection, either from the product or through Global Threat Intelligence (GTI)
  Solution 3  Whitelisting program: submit your company's software to be considered for validation against DAT files
  Solution 4  Dispute of a PUP detection

Solution 1

Possible infected file submissions
If you have located a file that you believe is infected but was not detected by your anti-virus software, or that was detected but not cleaned, you can submit the sample to McAfee Labs for evaluation.

There are three methods for submitting potentially infected files:
  • ServicePortal (preferred option)
  • GetSusp (tool for analyzing a potentially infected system) 
  • Email
Submit samples to McAfee Labs through the ServicePortal:
  1. Locate any infected files to submit as infected samples. For information on how to find potentially infected files, see KB53094.
  2. Archive the samples in a password protected .zip file. Set the password to infected (all lowercase).

    For instructions on how to create a .zip file and password protect it, see the following:
  3. Log on to the ServicePortal at https://support.mcafee.com.
  4. Click the Service Requests tab.
  5. Click the Submit a Sample tab.
  6. Ensure that your contact details are correct under General Information.
  7. In the Submission Details section, add the following information:
     
    • Issue Type (required)
      • Artemis False (false positive detection from Global Threat Intelligence) 
      • Clean Failure
      • Detection Failure
      • Suspected False
      • VIL request with sample (Information request [Severity 5] to add or update an entry in the McAfee Labs Threat Library)
         
    • Scan Engine
    • DAT Version
    • Brief Description (100 characters maximum)
    • Description (full description of the issue; 2000 characters maximum)
       
  8. In the Samples section, click Browse and navigate to the .zip file that contains your collected samples.

    IMPORTANT: The .zip file must not be larger than 10 MB and cannot contain more than 30 files. You must set the password to infected (all lowercase). Do not submit anything other than potentially infected files or false positives. Any other files, such as log files and error reports, will not be processed or considered.
     
  9. Click Upload.
  10. When the file upload completes, click Submit.

    If your sample is successfully uploaded, you see a confirmation message and your new Service Request (SR) reference number. The SR number is also listed under your open SRs on the View Service Requests tab.

    If your sample was not successfully uploaded, an SR is still created, but you must email the sample to virus_research@avertlabs.com. Quote the SR reference number in your email and attach the password-protected .zip file. See the "Submit samples to McAfee Labs via email" section below for additional information.
What to expect after uploading your sample
  • You will receive no further notifications until the sample has been analyzed.
  • If an Extra.DAT relating to your sample is posted to the ServicePortal, you will be informed of its availability by email. Check your Service Request on the relevant ServicePortal to download the Extra.DAT file. Extra.DAT files are never sent by email or by any other channel.
    • To manually check in and deploy an Extra.DAT through ePolicy Orchestrator, see KB67602.
    • For instructions to apply an Extra.DAT locally for VirusScan Enterprise 8.x and later, see KB50642.
    • For instructions to apply an extra.DAT to Security for Microsoft Exchange, see KB76201.
Submit samples to McAfee Labs with GetSusp:
Use the GetSusp utility to submit samples. Intel Security recommends GetSusp as the first tool of choice when analyzing a suspect computer. To review the FAQs for GetSusp, see KB69385.
To download GetSusp, go to http://www.mcafee.com/us/downloads/free-tools/getsusp.aspx. You can use GetSusp to submit samples to McAfee Labs even if you do not have a valid Grant Number.

IMPORTANT:
  • The submitted file cannot be larger than 10 MB.
  • The maximum number of files that can be submitted is 30.
Submit samples to McAfee Labs via email:
You can submit samples directly to McAfee Labs by emailing virus_research@avertlabs.com and attaching the file(s) for review. When submitting samples via email, ensure that your attachments are contained in password-protected .zip files with the password infected (all lowercase). If the automated system cannot determine whether the submission contains a valid threat, it is escalated for further analysis. For more information on creating a .zip file, see:
IMPORTANT: The .zip file must not be larger than 10 MB and cannot contain more than 30 files.
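All three submission methods above impose the same rules on the archive: password infected, no more than 30 files, no larger than 10 MB. The following pre-flight checker is an added example and is not part of this article or of any McAfee tool. It reads a candidate .zip, confirms that every member is encrypted and opens with the password infected, enforces the count and size limits, and records the SHA-256 of each member so the hashes can be quoted in the Service Request description. Python's standard zipfile module can read password-protected archives but cannot write them, so the real submission archive is still created with a tool such as the zip command line (zip -P infected samples.zip file1 file2) or 7-Zip; the build_demo_archive helper only produces an unencrypted archive for demonstration. The 10 MB limit is interpreted here as 10 MiB, an assumption the article does not spell out.

```python
"""Pre-flight checks for a McAfee Labs sample archive (added example, not KB code).

Rules checked, as stated in Solution 1 of the article:
  - every member is password protected with the password 'infected'
  - at most 30 files
  - archive no larger than 10 MB (assumed here to mean 10 MiB)
"""
import hashlib
import io
import zipfile

MAX_ARCHIVE_BYTES = 10 * 1024 * 1024   # "no larger than 10 MB" (assumed 10 MiB)
MAX_MEMBERS = 30                       # "cannot contain more than 30 files"
REQUIRED_PASSWORD = b"infected"        # all lowercase, per the article


def check_submission_zip(zip_bytes):
    """Return (problems, member_hashes).

    problems      -- list of rule violations; empty means the archive is ready to upload
    member_hashes -- {member name: SHA-256 hex digest} for every member that was
                     decrypted successfully with the required password
    """
    problems = []
    hashes = {}

    if len(zip_bytes) > MAX_ARCHIVE_BYTES:
        problems.append(f"archive is {len(zip_bytes)} bytes, limit is {MAX_ARCHIVE_BYTES}")

    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile as exc:
        problems.append(f"not a valid .zip file: {exc}")
        return problems, hashes

    with zf:
        members = [info for info in zf.infolist() if not info.is_dir()]
        if not members:
            problems.append("archive contains no files")
        if len(members) > MAX_MEMBERS:
            problems.append(f"archive has {len(members)} files, limit is {MAX_MEMBERS}")

        for info in members:
            # Bit 0 of the general-purpose flag marks an encrypted member.
            if not info.flag_bits & 0x1:
                problems.append(f"{info.filename}: not password protected")
                continue
            try:
                with zf.open(info, pwd=REQUIRED_PASSWORD) as fh:
                    data = fh.read()
            except RuntimeError as exc:
                # zipfile raises RuntimeError when the password does not match.
                problems.append(f"{info.filename}: password is not 'infected' ({exc})")
                continue
            hashes[info.filename] = hashlib.sha256(data).hexdigest()

    return problems, hashes


def build_demo_archive(files):
    """Constructed, UNENCRYPTED demo archive (zipfile cannot write encrypted zips).

    files -- {member name: bytes}. Used here only to exercise the checker; a real
    submission must be built with `zip -P infected` or 7-Zip and then checked.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample content, not a real malware file.
    demo = build_demo_archive({"suspect.exe": b"MZ" + b"\x90" * 64})
    problems, hashes = check_submission_zip(demo)
    for problem in problems:
        print("PROBLEM:", problem)
    for name, digest in hashes.items():
        print(f"{name}: sha256 {digest}")
```

Run the checker against the archive you intend to upload; an empty problems list means it satisfies the password, count and size rules, and the returned hashes can be pasted into the Description field of the Service Request.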



Solution 2

False positive submissions
If you think that a file has been falsely detected or incorrectly classified, follow this procedure to submit the sample to McAfee Labs.  

Submit false positive samples through the ServicePortal
The preferred method for submission is via the ServicePortal. See Solution 1 for instructions to submit samples using the ServicePortal.

When you use the ServicePortal to submit false positives, ensure that you select the appropriate Issue Type for your submission:
  • Artemis False (false positive detection from Global Threat Intelligence)
  • Suspected False (all other false positive detections) 

Email submissions
To submit a sample via email, please send it to McAfee Labs Virus Research at: virus_research@mcafee.com.

  • Prefix the email subject line with the word FALSE. For example:

    FALSE: In-house file being detected by McAfee
  • Include the On-Access/On-Demand Scan log files of the anti-virus product, together with the DAT and Engine versions in use at the time of the detection, and any other relevant information about why you believe the file is incorrectly detected. This information is essential when analyzing the sample.

    Information to provide: (example)

    Please review the submitted file as we believe this is a false detection.

    Product: VirusScan Enterprise 8.8
    DAT version: 6587
    Engine: 5400
    Description of issue: This application has been developed as an in-house tool for cleaning our databases. Please see the attached OAS/ODS log file showing this detection by VirusScan.

    NOTE: Failure to supply all of the information requested above might result in delays with the analysis.

After the sample has been analyzed, one of the following happens:

  • The sample is considered clean. Detection is suppressed and the change is included in the earliest DAT release.
  • The sample is incorrectly classified. It is reclassified and the detection is updated in the earliest DAT release.
  • Analysis of the file determines that the sample is correctly detected. You are notified of the results.
Frequently asked questions
As a customer, how can I prevent our files from being falsely detected in the future?
McAfee Labs gladly accepts samples into our Quality Assurance testing process where they are scanned with every DAT release to prevent false detections. See Solution 3 for information on how to submit your company software or images to McAfee Labs to be considered for validation against McAfee DAT files.

In the past, I have used the keyword NOAUTO in the subject line when submitting samples via email. Is that keyword no longer being recognized?
NOAUTO, which prevents the auto response message, is still an accepted keyword. However, to quickly identify and process possible false detections, McAfee Labs has enabled the new process using the FALSE keyword as described above.

Solution 3

Clean software submissions for whitelisting (false prevention)
The McAfee Labs (formerly McAfee Avert Labs) Core Security Updates team uses a False Positive Test Rig as part of its extensive pre-release testing. This test rig is a large array of catalogued data that the Core Security Updates team uses to guard against false positives in released DATs. It consists of a collection of known-clean data acquired from commercial software vendors, including Intel®, Microsoft, and IBM. Additionally, the McAfee False Prevention team actively targets data from the Internet for download to the rig.

McAfee Labs also offers customers, partners, and other third-party software manufacturers the opportunity to submit their own proprietary software for inclusion in this rig. This significantly reduces the chances of a DAT causing false positives on unique customer applications or data. The False Positive Test Rig is located on an isolated network, and the data it contains is used only for false-positive identification testing.

Before every DAT release, the data on the rig is scanned to identify false positive detections. Any detections are passed to McAfee Labs researchers for analysis. The McAfee Labs Research team has final sign-off on every DAT release.

Data submission process

IMPORTANT:
  • If you submit data for inclusion to the False Positive Test Rig, ensure that you are legally entitled to distribute the software outside of your organization. Intel Security cannot be held responsible for unauthorized software distribution.
  • Customers, partners, and other users should resolve any existing detection or interoperability issues, using the guidelines in Solution 2, before contacting the McAfee False Prevention (Data Submissions) team.
If you want files to be included, they can be submitted using the following methods:
 
The supported submission formats are ZIP, RAR, or pre-extracted. Presently, McAfee Labs is unable to process Norton Ghost, ISO, VMware, or other proprietary image formats. If you are submitting specific applications or data, please submit the extracted contents of the installation package in addition to the installer to ensure all components are whitelisted.

After the data is processed and moved to the scanning rig, a confirmation email is sent to you. The time between McAfee Labs receiving the data and processing it varies with the size of the submission and current workloads, but should not exceed two working days from receipt of the submission.


What happens to the submitted data?
Where possible, the data is extracted and a hash is created to uniquely identify each file. These hashes are compared against a database of existing data, and files already held are discarded. Any new data not currently held on the False Positive Test Rig is added to the rig and scanned with each DAT release.


Submission details
Include as much information as possible with any submission, including (but not limited to), the following:
  • Company name
  • Contact name
  • Address
  • Contact phone number (including country code)
  • Contact email address
  • SAM or Account Manager name
  • Products used (including product version and patch level)
  • Any Scan or product settings used
  • If posting by traditional mail, confirm the count of media enclosed, including the number of files
  • Description of submission contents (for example: bespoke product, internal data, software functionality and purpose)
  • Any other relevant information (such as frequency of updates)
For further information or questions, contact the False Prevention team at: datasubmission@mcafee.com

Solution 4

PUP dispute submissions
If you think your product has been incorrectly classified as a PUP (for example Adware or Spyware) complete the Detection Dispute Submission Form. For further details see https://secure.mcafee.com/apps/mcafee-labs/dispute-form.aspx.

NOTE: This procedure is intended for software developers and software producers, and should not be confused with the procedures for submitting other false detections or interoperability issues.
