FAQs for GetSusp
Technical Articles ID: KB69385
Last Modified: 3/4/2014
Rated:
Last Modified: 3/4/2014
Rated:
Environment
McAfee GetSusp
Summary
This article is a consolidated list of common questions and answers. It is mainly intended for users who are new to the GetSusp tool, but can be of use to all users.
Contents
General
GetSusp.exe is digitally signed and does an integrity check before it runs. To run GetSusp on a computer infected with a file infector, run it using the getsusp.exe --nc switch. This hidden switch disables integrity checking.
Why does GetSusp not identify my suspected malware?
The malware must be actively running on your computer or have an associated registry startup entry for GetSusp to identify it. GetSusp identifies only suspicious executable files. GetSusp does not scan documents, scripts, media, and other file formats. McAfee plans to add Rootkit scanning to GetSusp in a future release.
Back to Contents
Alternatively:
Contents
| General | For product information covering miscellaneous topics. |
| Installation | Installation requirements for GetSusp, and deployment with ePolicy Orchestrator. |
| Usage | Information about using GetSusp. |
| Functionality | Product features and functions, including offline scanning. |
| Sample submissions | Ways to submit samples. |
General
What is GetSusp?
GetSusp is a free tool that helps you find and log undetected malware, and allows you to automatically submit samples to McAfee Labs. To find suspicious files, GetSusp uses heuristics and compares samples against the McAfee Global Threat Intelligence (GTI) database of known clean files. When you analyze a suspect computer, use GetSusp first.
For the GetSusp Product Guide, see article PD23648.
How is GetSusp different from other anti-malware tools?
There are many free diagnostic tools available, but you must analyze their output, isolate a suspect sample, and work out how to submit the files to the anti-virus vendor. With GetSusp there is no need for advanced technical knowledge to isolate undetected malware.
What is the difference between GetSusp and GetClean?
GetSusp helps you find and isolate undetected malware, and is available to all McAfee customers.
GetClean is a tool that helps you minimize false positives in your environment, reducing the number of files you have to submit to McAfee and eliminating duplicate submissions. It is available only to McAfee Platinum support customers. For more details about GetClean, see KB73044.
Where can I get information about upcoming releases of GetSusp and additional release information?
See the McAfee GetSusp <current_version> post in McAfee Communities at: https://community.mcafee.com/message/216447.
Where can I send feedback regarding GetSusp?
You can provide feedback on the McAfee GetSusp Community Forum page at: https://community.mcafee.com/groups/getsusp30-beta-feedback.
Back to Contents
GetSusp is a free tool that helps you find and log undetected malware, and allows you to automatically submit samples to McAfee Labs. To find suspicious files, GetSusp uses heuristics and compares samples against the McAfee Global Threat Intelligence (GTI) database of known clean files. When you analyze a suspect computer, use GetSusp first.
For the GetSusp Product Guide, see article PD23648.
How is GetSusp different from other anti-malware tools?
There are many free diagnostic tools available, but you must analyze their output, isolate a suspect sample, and work out how to submit the files to the anti-virus vendor. With GetSusp there is no need for advanced technical knowledge to isolate undetected malware.
What is the difference between GetSusp and GetClean?
GetSusp helps you find and isolate undetected malware, and is available to all McAfee customers.
GetClean is a tool that helps you minimize false positives in your environment, reducing the number of files you have to submit to McAfee and eliminating duplicate submissions. It is available only to McAfee Platinum support customers. For more details about GetClean, see KB73044.
The article referenced above is available to registered ServicePortal users only.
To view registered articles:
To view registered articles:
- Log in to the ServicePortal at http://support.mcafee.com.
- Type the Article ID in the Search the Knowledge Center field on the Home page.
- Click Search or press ENTER.
Where can I get information about upcoming releases of GetSusp and additional release information?
See the McAfee GetSusp <current_version> post in McAfee Communities at: https://community.mcafee.com/message/216447.
Where can I send feedback regarding GetSusp?
You can provide feedback on the McAfee GetSusp Community Forum page at: https://community.mcafee.com/groups/getsusp30-beta-feedback.
Back to Contents
Installation
What are the connectivity requirements for GetSusp?
GetSusp requires an Internet connection to perform optimally. Outbound UDP port 53 and TCP port 80 must be allowed for GTI and known file database lookups to happen. The known file database is a McAfee IT supported back end server.
Where can I download the latest version of GetSusp?
The latest version is available from http://www.mcafee.com/us/downloads/free-tools/getsusp.aspx.
Can I deploy GetSusp.exe to my end nodes with ePolicy Orchestrator?
Yes. You can download the ePolicy Orchestrator deployable version from http://downloadcenter.mcafee.com/products/mcafee-avert/getsusp/getsusp-ePO.zip.
For further details on how to deploy the tool, see article KB70405.
Back to Contents
How do I use GetSusp?
For usage instructions, see http://www.mcafee.com/us/downloads/free-tools/how-to-use-getsusp.aspx.
Does GetSusp support command line switches?
Yes. For a list of all GetSusp switches, type getsusp.exe --? or getsusp.exe --Help from the command prompt, and press ENTER.
After I launch GetSusp, it creates a GetSusp.opt file. What is this file?
When you launch GetSusp, it creates a GetSusp.opt file with your GetSusp user preferences. These preferences are loaded the next time you use GetSusp, on the condition that GetSusp.opt is present in the same directory as GetSusp.exe.
What do I do if GetSusp.exe gets infected when I run it on a computer infected with a file infector such as W32/Sality or W32/Virut?
GetSusp does not run as expected, and you see the following message:
For usage instructions, see http://www.mcafee.com/us/downloads/free-tools/how-to-use-getsusp.aspx.
Does GetSusp support command line switches?
Yes. For a list of all GetSusp switches, type getsusp.exe --? or getsusp.exe --Help from the command prompt, and press ENTER.
After I launch GetSusp, it creates a GetSusp.opt file. What is this file?
When you launch GetSusp, it creates a GetSusp.opt file with your GetSusp user preferences. These preferences are loaded the next time you use GetSusp, on the condition that GetSusp.opt is present in the same directory as GetSusp.exe.
What do I do if GetSusp.exe gets infected when I run it on a computer infected with a file infector such as W32/Sality or W32/Virut?
GetSusp does not run as expected, and you see the following message:
GetSusp may be infected, cannot continue
GetSusp.exe is digitally signed and does an integrity check before it runs. To run GetSusp on a computer infected with a file infector, run it using the getsusp.exe --nc switch. This hidden switch disables integrity checking.
What user or system details are collected?
Email address, computer name, IP address, operating system and service pack, file location, and information about installed McAfee products are collected. Users who do not want to transmit samples, system data, or share their email address with McAfee, can choose the option within the GetSusp tool to not submit results to McAfee. Your email address will enable McAfee to communicate with you regarding the results of the scan.
Can I prevent GetSusp from sending samples or information from my computer to McAfee?
GetSusp connects to McAfee Global Threat Intelligence (GTI) to match files found on your computer. If you do not want files and logs to be submitted to McAfee, run the scan in offline mode. The files and logs harvested will not be uploaded to McAfee. However, because there are no online lookups to the whitelist database, results will be degraded.
Email address, computer name, IP address, operating system and service pack, file location, and information about installed McAfee products are collected. Users who do not want to transmit samples, system data, or share their email address with McAfee, can choose the option within the GetSusp tool to not submit results to McAfee. Your email address will enable McAfee to communicate with you regarding the results of the scan.
Can I prevent GetSusp from sending samples or information from my computer to McAfee?
GetSusp connects to McAfee Global Threat Intelligence (GTI) to match files found on your computer. If you do not want files and logs to be submitted to McAfee, run the scan in offline mode. The files and logs harvested will not be uploaded to McAfee. However, because there are no online lookups to the whitelist database, results will be degraded.
How does GetSusp complete most system scans in three to five minutes?
System scans generally take between three and five minutes, irrespective of the size of the hard disk. This is because GetSusp scans are limited to running processes, the Windows registry, and file locations utilized by malware.
System scans generally take between three and five minutes, irrespective of the size of the hard disk. This is because GetSusp scans are limited to running processes, the Windows registry, and file locations utilized by malware.
Why does GetSusp not identify my suspected malware?
The malware must be actively running on your computer or have an associated registry startup entry for GetSusp to identify it. GetSusp identifies only suspicious executable files. GetSusp does not scan documents, scripts, media, and other file formats. McAfee plans to add Rootkit scanning to GetSusp in a future release.
Back to Contents
How can I send a GetSusp submission larger than 10 MB to McAfee Labs?
McAfee Labs only supports ZIP files up to 10 MB. You can submit larger samples to an FTP location provided by McAfee Technical Support. In this scenario, select the MD5 only option to submit metadata. After the file is whitelisted, or hashed, the ZIP file size is reduced.
How can I manually submit a file using GetSusp?
You can use the UPLOAD option in GetSusp to manually point to suspect files and send these to McAfee.
How do I follow up with McAfee for support on a GetSusp submission?
For tracking purposes, you will receive an email with a Reference Work Item ID from Virus_Research@avertlabs.com. McAfee uses the email address you provided under GetSusp Preferences. Use the Work Item ID to follow up with McAfee Technical Support.
McAfee Labs only supports ZIP files up to 10 MB. You can submit larger samples to an FTP location provided by McAfee Technical Support. In this scenario, select the MD5 only option to submit metadata. After the file is whitelisted, or hashed, the ZIP file size is reduced.
How can I manually submit a file using GetSusp?
You can use the UPLOAD option in GetSusp to manually point to suspect files and send these to McAfee.
How do I follow up with McAfee for support on a GetSusp submission?
For tracking purposes, you will receive an email with a Reference Work Item ID from Virus_Research@avertlabs.com. McAfee uses the email address you provided under GetSusp Preferences. Use the Work Item ID to follow up with McAfee Technical Support.
For contact details:
Go to http://www.mcafee.com/us/about/contact-us.aspx#ht=tab-techsupport and select your country from the drop-down list. Alternatively:
Log in to the ServicePortal at https://support.mcafee.com:
- If you are a registered user, type your User Id and Password, and click Log In.
- If you are not a registered user, click Register and complete the required fields. Your password and login instructions will be emailed to you.
Affected Products
Threat Prevention and Removal
Languages:
This article is available in the following languages:
GermanEnglish United States
Spanish Spain
French
Italian
Japanese
Korean
Dutch
Portuguese Brasileiro
Chinese Simplified
Chinese Traditional
Beta
Translate
with
Select a desired language below to translate this page.
