Loading...

Knowledge Center

How to submit samples to McAfee Labs for suspected malware detection failure (Virus not found) or Clean failure for detected malware
Technical Articles ID:   KB68030
Last Modified:  5/8/2019
Rated:

Environment

McAfee DAT files
McAfee Labs
Multiple McAfee products

NOTE: This article applies only to McAfee business and enterprise products. If you need information or support for McAfee consumer or small business products, visit https://service.mcafee.com.

Summary

If you have a file that you think is infected but was not detected by your McAfee anti-virus software, or that was detected but was not cleaned, use the instructions in this article. Then submit the sample to McAfee Labs for evaluation. McAfee Labs can receive samples for review and potential inclusion into the daily DAT file releases or GTI File Reputation for future detection.

Contents
Click to expand the section you want to view:

When engaging Technical Support or McAfee Labs for detection failures, clean failures, and false positives for Endpoint Security and VirusScan Enterprise, there are additional minimum data collection requirements that are required to process the sample. See KB91459 for more information.

Follow the sample submission method below based on the issue type:
  • Clean failure: If a malware detection occurred and the action is "Clean Failed," email the sample to virus_research@avertlabs.com and immediately open a Malware-related Service Request using the ServicePortal at https://support.mcafee.com or by contacting Technical Support.
  • Virus Information Library (VIL) request (with sample): If you have a malware sample and require details about its behavior, email the sample to virus_research@avertlabs.com and immediately open a Malware-related Service Request using the ServicePortal at https://support.mcafee.com or by contacting Technical Support.
  • Detection failure: If you have a file that is not detected by McAfee, submit the sample to McAfee Labs using the ServicePortal.
  • Suspected false positive: If you have a file that you suspect is falsely detected by McAfee, submit the sample to McAfee Labs using the instructions in KB85567.
The preferred method for submission is the ServicePortal.
  1. Log on to the ServicePortal at https://support.mcafee.com using your Grant Number.
  2. Click the Service Requests tab.
  3. Click the Submit a Sample tab.
  4. Click Continue.
  5. Complete the submission details.
  6. Upload the samples.
  7. Click Submit. A Sample Submission Service Request is created on the ServicePortal, which you can use to track progress. This system is automated and no support agents are assigned to submissions. The Service Request number is provided only for tracking purposes and is not monitored.

Below are other methods to submit samples for review:
  • Web Gateway: If you are using Web Gateway, follow the product-specific instructions in KB62662 to collect and submit samples.
  • Advanced Threat Defense: If you are using Advanced Threat Defense, follow the product-specific instructions in KB83659 to collect and submit samples.
  • GetSusp: GetSusp is a free tool that helps you find and log undetected malware. GetSusp has built-in submission capabilities that allow you to automatically submit samples to McAfee Labs.

    To review the FAQs for GetSusp, see KB69385
    To download GetSusp, go to: http://www.mcafee.com/us/downloads/free-tools/getsusp.aspx
     
  • FTP: Submissions through FTP are accepted only if the samples exceed the limits for the ServicePortal, or if there is a technical issue with the ServicePortal or email submission. In this case, follow the instructions in KB87703 to submit the samples through FTP.
It is important that this information is followed because not doing so will cause a submission or sample processing failure. Submissions or samples that have failed as a result of not adhering to these requirements is discarded without further processing, and you are not sent any notification to that effect.

Requirements:
  • The sample must be in a password-protected .zip or .7z file. RAR and other formats will not be processed.
  • The .zip file must be a single level. Do not include .zip files within the .zip file, with or without password protection, and do not include folder structures that are more than one level deep. These actions can cause samples to not be processed.
  • The file extension of the password-protected .zip file must be .zip or .7z. Any other extensions, or lack of an extension, causes the sample to not be processed.
  • When creating the .zip file, do not use AES or other types of encryption available from the program; use only a password for protection.
  • You must use the word infected as the password for the .zip or .7z file. Any other password causes the sample to not be processed.
  • Do not include more than 100 files within the .zip or .7z file. More than 100 files causes the sample to not be processed. If you have more than 100 files, spread them across multiple submissions.
  • The .zip file can be no larger than 50 MB. Larger .zip or .7z files cause the sample to not be processed.
For more information about creating a .zip file:
Do not submit additional files other than the suspected file as it resides on the system. If you do, it will cause delays in processing, and might cause the submission to fail by increasing the total number of files or size over the permitted thresholds. The following list contains some examples of what not to send:
  • Log files from scans, such as On-Demand or On-Access Log files
  • Screenshots
  • .eml or .msg files (submit only the files that are attached to the emails, not the email itself)
  • Reports created by forensics tools
  • String dumps
  • Network traffic dumps
Submit only the suspicious files.
You will receive no further notifications until the sample has been analyzed. Track progress in the Service Request that you created on the ServicePortal. If an Extra.DAT relating to your sample is posted to the ServicePortal, you will be informed of its availability in an email. Check your Service Request on the ServicePortal to download the Extra.DAT file. You will not receive any Extra.DAT files through email or otherwise:
  • To manually check in and deploy an Extra.DAT through ePolicy Orchestrator, see KB67602.
  • For instructions on how to apply an Extra.DAT locally for Endpoint Security, see the "Load an Extra.DAT file" section of the Endpoint Security Product Guide.
  • For instructions on how to apply an Extra.DAT locally for VirusScan Enterprise, see KB50642.
  • For instructions on how to apply an Extra.DAT to Security for Microsoft Exchange, see KB76201.
  • For instructions on how to apply an Extra.DAT to Security for SaaS Endpoint Protection, see KB51459.
  • For instructions on how to combine one or more Extra.DAT files, see KB68061.

Related Information

See also:
  • For information about how to submit potential false positives from the product or through Global Threat Intelligence (GTI) to McAfee Labs, see KB85567.
  • For information about how to submit your company's software to be considered for validation against DAT files (Whitelisting Program), see KB85568.
  • For information about how to submit samples for an application vendor dispute of a PUP detection, see KB85569.

Rate this document

Beta Translate with

Select a desired language below to translate this page.

Glossary of Technical Terms


 Highlight Glossary Terms

Please take a moment to browse our Glossary of Technical Terms.