Knowledge Center

Possible infected file submissions
If you have located a file that you believe is infected, but was not detected by your McAfee software, or that was detected but was not cleaned, you can submit the sample to McAfee Labs for evaluation.

There are three methods for submitting potentially infected files:

• McAfee ServicePortal (preferred option for McAfee customers)
• GetSusp (tool for analyzing a potentially infected system) 
• Email

1. Locate any infected files to submit as infected samples. For information on how to find potentially infected files, see KB53094.
2. Archive the samples in a password protected .zip file. Set the password to infected (all lowercase).
   
   For instructions on how to create a .zip file and password protect it, see the following:
   • Using WinZip (http://kb.winzip.com/kb/entry/78/)
   • Using Windows file compression (http://support.microsoft.com/kb/306531)
      
3. Log in to the McAfee ServicePortal at https://support.mcafee.com.
4. Click the Service Requests tab.
5. Click the Submit a Sample tab.
6. Ensure that your contact details are correct under General Information.
7. In the Submission Details section, add the following information:
    
   • Issue Type (required)
     • Artemis False (false positive detection from Global Threat Intelligence) 
     • Clean Failure
     • Detection Failure
     • Suspected False
     • VIL request with sample (Information request [Severity 5] to add or update an entry in the McAfee Threat Library)
        
   • Scan Engine
   • DAT Version
   • Brief Description (100 characters maximum)
   • Description (full description of the issue; 2000 characters maximum)
      
8. In the Samples section, click Browse and navigate to the .zip file that contains your collected samples.
   
   IMPORTANT: The .zip file must be no be larger than 10 MB and cannot have more than 30 files. You must set the password to infected (all lowercase). Do not submit anything other than potentially infected files or false positives. Any other files, such as log files and error reports, will not be processed or considered.
    
9. Click Upload.
10. When the file upload completes, click Submit.
    
    If your sample is successfully uploaded, you see a confirmation message and your new Service Request (SR) reference number. The SR number is also listed under your open SRs on the View Service Requests tab.
    
    If your sample was not successfully uploaded, an SR will still be created, but you must email the sample to virus_research@avertlabs.com. Remember to quote the SR reference number in your email and attach the password protected .zip file. See the Submit Samples to McAfee Labs via Email section for additional information.  

• You will receive no further notifications until the sample has been analyzed.
• If an Extra.DAT relating to your sample is posted to the ServicePortal, you will be informed of its availability via email. Check your Service Request on the relevant ServicePortal to download the Extra.DAT file.  You will not receive any Extra.DAT files via email or otherwise.
  • To manually check in and deploy an Extra.DAT through ePolicy Orchestrator, see KB67602.
  • For instructions to apply an Extra.DAT locally for VirusScan Enterprise 8.x and later, see KB50642.
  • For instructions to apply an extra.DAT to McAfee Security for Microsoft Exchange, see KB76201.

• The submitted file cannot be larger than 10 MB.
• The maximum number of files that can be submitted is 30.

False positive submissions
If you think that a file has been falsely detected or incorrectly classified, follow this procedure to submit the sample to McAfee Labs.  

Submit false positive samples through the McAfee ServicePortal
The preferred method for submission is via the McAfee ServicePortal. See Solution 1 for instructions to submit samples using the ServicePortal.

When you use the ServicePortal to submit false positives, ensure that you select the appropriate Issue Type for your submission:

• Artemis False (false positive detection from Global Threat Intelligence)
• Suspected False (all other false positive detections) 

Email submissions
To submit a sample via email, please send it to McAfee Labs Virus Research at: virus_research@mcafee.com.

• Prefix the email subject line with the word FALSE. For example:
  
  FALSE: In-house file being detected by McAfee

• Ensure that you include the On Access / On Demand Scan log files of the McAfee product along with the DAT and Engine versions in use at the time. Also, include any other relevant information regarding why you think the file has been incorrectly detected. This information is helpful when analyzing the sample.
  
  Information to provide: (example)
  
  Please review the submitted file as we believe this is a false detection.
  
  Product: VirusScan Enterprise 8.8
  DAT version: 6587
  Engine: 5400
  Description of issue: This application has been developed as an in-house tool for cleaning our databases. Please see the attached OAS/ODS log file showing this detection by VirusScan.
  
  NOTE: Failure to supply all of the information requested above might result in delays with the analysis.

After the sample has been analyzed, one of the following happens:

• The sample is considered clean. Detection is suppressed and will be updated in the earliest DAT release.
• The sample is incorrectly classified. It will be reclassified and detection will be updated in the earliest DAT release.
• Analysis of the file determines that the sample is properly detected. You will be notified of the results.

As a customer, how can I prevent our files from being falsely detected in the future?
McAfee Labs gladly accepts samples into our Quality Assurance testing process where they are scanned with every DAT release to prevent false detections. See Solution 3 for information on how to submit your company software or images to McAfee Labs to be considered for validation against McAfee DAT files.

In the past, I have used the keyword NOAUTO in the subject line when submitting samples via email. Is that keyword no longer being recognized?
NOAUTO, which prevents the auto response message, is still an accepted keyword. However, to quickly identify and process possible false detections, McAfee has enabled the new process using the FALSE keyword as described above.

Clean software submissions for whitelisting (false prevention)
McAfee Labs (formerly McAfee Avert Labs) Core Security Updates Team utilizes a False Positive Test Rig as part of our extensive pre-release testing. This test rig is a large array of catalogued data, used by the Core Security Updates team to guard against false positives occurring in released DATs. It consists of a collection of known clean data, acquired by McAfee from commercial software vendors, including Intel®, Microsoft and IBM. Additionally, the McAfee False Prevention team also actively targets data from the Internet for download to the rig.

McAfee also offers its customers, partners, and other third-party software manufacturers the opportunity to submit their own proprietary software for inclusion in this rig. This significantly reduces the chances of a DAT causing false positives on unique customer applications or data. The False Positive Test Rig is located on an isolated network, and the data it contains is used only for false-positive identification testing.

Before every DAT release, the data on the false rig is scanned to identify false positive detections. Any identifications are passed to McAfee Labs researchers for analysis. The McAfee Labs Research team have final sign off on every release of a DAT.

Data submission process

IMPORTANT:

• If you submit data for inclusion to the False Positive Test Rig, ensure that you are legally entitled to distribute the software outside of your organization. McAfee cannot be held responsible for unauthorized software distribution.
• Customers, partners, and other users should resolve any existing detection or interoperability issues prior to contacting the McAfee False Prevention (Data Submissions) team using the guidelines in Solution 2.

• Notify McAfee of a download location by contacting: datasubmission@mcafee.com
• Upload files to the False Submission FTP site. To request an FTP account, contact: datasubmission@mcafee.com 

• Company name
• Contact name
• Address
• Contact phone number (including country code)
• Contact email address
• McAfee SAM or Account Manager name
• McAfee products used (including product version and patch level)
• Any Scan or product settings used
• If posting by traditional mail, confirm the count of media enclosed, including the number of files
• Description of submission contents (for example: bespoke product, internal data, software functionality and purpose)
• Any other relevant information (such as frequency of updates)

PUP dispute submissions
If you think McAfee has incorrectly classified your software as a PUP (for example Adware or Spyware) complete the McAfee Detection Dispute Submission Form. For further details see https://secure.mcafee.com/apps/mcafee-labs/dispute-form.aspx.

NOTE: This procedure is intended for software developers and software producers and not to be confused with procedures for submitting other false detections or interoperability issues.