Last Modified: 10/1/2015
McAfee DAT files
Multiple McAfee products
This article describes how to submit suspected malware samples to McAfee Labs.
McAfee Labs can receive suspected malware samples for review and potential inclusion into the daily DAT file releases or GTI File Reputation for future detection.
There are two primary methods to submit samples for review:
- ServicePortal: Using your Grant Number, you can log in to the ServicePortal and Submit samples to McAfee Labs.
- Email: Samples can be attached to an email and sent to email@example.com.
- Sample must be in a password protected .zip file - 7Zip, RAR, and other formats will not be processed.
- The .zip file should be a single level. In other words, no .zip files within the .zip file (with or without password protection), and no folder structures more than one level deep. This can cause samples to not be processed.
- The file extension of the password protected .zip file must be .zip. Any other extensions, or lack of an extension, will cause the sample to not be processed.
- When creating the .zip file, do not use AES or other types of encryption available from the program; just use a password for protection.
- The password must be infected. Any other password will cause the sample to not be processed.
- There can be no more than 30 files contained within the zip file. More files will cause the sample to not be processed. If you have more than 30 files, spread them across multiple submissions.
- The .zip file can be no larger than 10 MB. Larger .zip files will cause the sample to not be processed.
For more information on creating a .zip file:
- Using WinZip (http://kb.winzip.com/kb/entry/78/)
- Using Windows file compression (http://support.microsoft.com/kb/306531)
What not to submit
Submitting additional files other than the suspected file as it resides on the system can and will cause delays in processing, or even cause the submission to fail by increasing the total number of files or size over the permitted thresholds. The following list contains some examples of what not to send:
- Log files from scans, such as On-Demand or On-Access Log files.
- .eml/.msg files. Only the files attached to the emails should be submitted, not the email itself.
- Reports created by forensics tools.
- String dumps.
- Network traffic dumps.
If an Extra.DAT relating to your sample is posted to the ServicePortal, you will be informed of its availability in an email. Check your Service Request on the ServicePortal to download the Extra.DAT file. You will not receive any Extra.DAT files via email or otherwise.
- To manually check in and deploy an Extra.DAT through ePolicy Orchestrator, see KB67602.
- For instructions to apply an Extra.DAT locally for VirusScan Enterprise 8.x and later, see KB50642.
- For instructions to apply an extra.DAT to Security for Microsoft Exchange, see KB76201.
- For instructions to apply an extra.DAT to Security for SaaS Endpoint Protection, see KB51459.
- For instructions to combine one or more extra.DAT, see KB68061.
Submit samples to McAfee Labs with GetSusp
To review the FAQs for GetSusp, see KB69385.
To download GetSusp, go to http://www.mcafee.com/us/downloads/free-tools/getsusp.aspx.
KB85568 - How to submit your company's software to be considered for validation against DAT files (Whitelisting Program)
KB85569 - How to submit samples in the case of an application vendor dispute of a PUP detection
Threat Prevention and Removal
Beta Translate with
Select a desired language below to translate this page.
Glossary of Technical Terms
Please take a moment to browse our Glossary of Technical Terms.