Submit samples to Labs for suspected malware detection failure

Environment

DAT files
Labs

Summary

Follow the instructions presented in this article if you face any of the issues below:

You have a file that you think is infected, but isn't detected by your antivirus software.
The file is detected but isn't cleaned.

Contents
Click to expand the section you want to view:

Choose what type of Service Request fits your needs

Review the two options below and choose the option that fits your needs:

Malware Service Request:
You open the Service Request through the Technical Support ServicePortal and a Technical Support Engineer (TSE) is assigned. All updates and communications flow through the TSE. This type of Service Request is suited when you need timely updates and prefer human interaction.

Use this method for the following:
- Active malware infection in the customer's environment
- Clean failures, where malware is detected and deleted, but some Indicators of Compromise remain on the system following a reboot
- Remnants left behind (registry entries, files left on disk)
- Virus Information Library (VIL) requests (with a sample)
- Product countermeasures
- Behavioral analysis
- False detections
- Detection failures that automation is unable to resolve or that are impacting business
Labs or Automation Service Request:
For this type of malware submission, you can submit the sample through the Submit a sample option in the ServicePortal. This option submits the sample and creates a Service Request. This method is completely automation driven and no additional information is needed. But, automation doesn't handle false positives. If you need to check for detection failure and don't want any human interactions, or the issue isn't urgent or business impacting, you can opt for this method.

Use this method for the following:
- Large sample batches (10 or more samples that need analysis)
- Collections from automated perimeter devices
- Detection failures with no business impact or that aren't an active outbreak or urgent issue
- Unknown files (is this malicious?) with no business impact or that are not an active outbreak or urgent issue

Issue types and submission methods

Choose your issue type and follow the submission instructions:

Clean failure, detection failure, or VIL
Coverage request
Submit samples through the ServicePortal (automated, no live support), also known as a Labs Service Request
Other methods of sample submission (SFTP, email, Web Gateway, Advanced Threat Defense, GetSusp)

For specific submission requirements, see KB91459 - Minimum data collection requirements for detection failures, clean failures, and false positives.

Clean failure, detection failure, or VIL:
Open a Malware Service Request as follows.

Open a Malware Service Request through the ServicePortal. Select the Create a Service Request option and select Malware as the product.
Upload the sample on that Service Request. Use the option Submit a sample.
Attach the relevant logs or ePO Threat Events to the Service Request.
Provide the details described in KB91459 - Minimum data collection requirements for detection failures, clean failures, and false positives.

NOTE: For false positives, open a Malware Service Request instead of a Submit a sample Service Request, as automation cannot handle false positive requests.

Coverage request:
A coverage request is when the environment isn't infected, but you want coverage for compliance or safeguard. Such requests are considered to be of severity 3 or 4. Customers need to share the source of the hashes against which they seek coverage. To open an individual Service Request for each campaign, see KB91459 - Minimum data collection requirements for detection failures, clean failures, and false positives.

Depending on the number of hashes submitted, Labs might take time in providing coverage. Also, no Extra.DAT is shared, but the coverage is added internally. For more information, see KB93747 - Information and FAQs for Extra.DATs and coverage requests.

NOTE: Anyrun, Jose sandbox, and VirusTotal aren't considered as sources.

Option #1:

Open a Malware Service Request through the ServicePortal.
Provide the source of the hashes that require coverage. The source can be a threat advisory, blog, or internal research based on artifacts in the wild. But, the source should bear the hashes. For more information, see KB91459 - Minimum data collection requirements for detection failures, clean failures, and false positives.

Option #2:
Open a Labs Service Request directly through the Submit a sample option. Labs automation handles this Service Request and there's no human intervention. All updates are sent to your email address by the automation.

Instructions for submitting a sample:

Place the file in a ZIP folder. Make sure the ZIP folder has a .zip extension. Preferably use WinRAR/7z.
Make the .zip password protected with the word "infected" without quotes.
Log on to the ServicePortal.
Click Submit a sample.
Click the Service Request.
Upload the file.
Click Submit.

Submit samples through the ServicePortal (automated, no live support), also known as a Labs Service Request:
The preferred method for submission is the ServicePortal. Using this method doesn't assign a TSE to the Service Request. The Service Request number is provided only for tracking purposes and isn't monitored.

Log on to the ServicePortal.
Click the Service Requests tab.
Click the Submit a Sample tab.
Complete the submission details. Make sure that you select the appropriate Issue Type for your submission: Detection Failure.
Upload the samples.
Click Submit. A Sample Submission Service Request is created on the ServicePortal, which you can use to track progress. This system is automated and no TSE is assigned to submissions. The Service Request number is provided only for tracking purposes and isn't monitored. If immediate assistance is needed, you must open a Service Request with Technical Support.

Other methods of sample submission (SFTP, email, Web Gateway, Advanced Threat Defense, GetSusp):

SFTP submission: See KB87703 - Guidelines for submitting malware samples to Labs through available FTP servers.
Email submission (automation handled): To submit a sample using email, send it to Labs Virus Research at virus_research@avertlabs.com. Automation doesn't handle false positive detections. Inform the Service Request owner about the sample submission.
Web Gateway: Collect and submit samples by following the product-specific instructions provided in KB62662 - How to submit Web Gateway virus and antimalware samples for analysis.
Advanced Threat Defense: Collect and submit samples by following the product-specific instructions provided in KB83659 - How to submit false positive or false negative virus and antimalware samples for Advanced Threat Defense.
GetSusp: GetSusp is a free tool that helps you find and log undetected malware. GetSusp has built-in submission capabilities that allow you to automatically submit samples to Labs. See KB69385 - FAQs for GetSusp. To download GetSusp, go to the GetSusp downloads site.

What not to submit

Don't submit log files, screenshots, source URLs, PDFs (hash coverage), or reports. Attach these items to the Service Request.

Knowledge Center

Submit samples to Labs for suspected malware detection failure

Environment

Summary

Related Information

Affected Products

Languages:

Title

Title

Knowledge Center

Submit samples to Labs for suspected malware detection failure

Environment

Summary

Related Information

Affected Products

Languages:

Choose your region

Title

Title