Last Modified: 02/20/2014
Multiple McAfee Products
This article describes how to submit virus samples, false positive detections, company software or images, and detection disputes for Potentially Unwanted Programs (PUPs).
Possible reasons for submitting files:
- Suspected malware detection failure (virus not found) or Clean failure for detected malware
- Suspected false positive detection either from the product or through Global Threat Intelligence (GTI)
- Submit your company's software or image to be considered for validation against McAfee DAT files
- Dispute for Potentially Unwanted Program detection
If you have located a file that you believe is infected, but was not detected by your McAfee software or that was detected but was not cleaned, you can submit the sample to McAfee Labs for evaluation.
There are three methods for submitting potentially infected files:
- McAfee ServicePortal/Platinum Portal (preferred option for McAfee customers)
- GetSusp (tool for analyzing a potentially infected system)
Submit Samples to McAfee Labs through McAfee Service Portal or Platinum Portal:
- Locate any infected files to submit as infected samples. For information on how to find potentially infected files, see KB53094.
- Archive the samples in a password protected .zip file. Set the password to infected (all lower case).
For instructions on how to create a .zip file and password protect it, see the following:
- Log in to the McAfee support portal at https://support.mcafee.com
- Click the Service Requests tab.
- Click the Submit a Sample tab.
- Ensure that your contact details are correct under General Information.
- In the Submission Details section, add the following information:
- Issue Type (required)
- Artemis False (false positive detection from Global Threat Intelligence)
- Clean Failure
- Detection Failure
- Suspected False
- VIL request with sample. (Request to add or update an entry in the McAfee Threat Library)
- Scan Engine
- DAT Version
- Brief Description (100 characters maximum)
- Description (full description of the issue, 2000 characters maximum)
- Issue Type (required)
- In the Samples section, click Browse and navigate to the .zip file that contains your collected samples.
IMPORTANT: The .zip file must be no be larger than 10 MB and cannot have more than 30 files. You must set the password to infected (all lower case). Do not submit anything other than potentially infected files or false positives. Any other files, such as log files and error reports will not be processed or considered.
- Click Upload.
- When the file upload completes, click Submit.
If your sample is successfully uploaded, you see a confirmation message and your new Service Request (SR) reference number. The SR number is also listed under your open SRs on the View Service Requests tab.
If your sample was not successfully uploaded, an SR will still be created, but you must email the sample to email@example.com. Remember to quote the SR reference number in your email and attach the password protected .zip file. See the Submit Samples to McAfee Labs via Email section for additional information.
What to expect after uploading your sample
- You will receive not further notifications until the sample has been analyzed.
- If an Extra.DAT relating to your sample is posted to the Portal, you will be informed of its availability via email. Check your Service Request on the relevant ServicePortal to download the Extra.DAT file You will not receive any Extra.DAT files via email or otherwise.
Submit Samples to McAfee Labs with GetSusp:
Use the GetSusp utility to submit samples. McAfee recommends that you use GetSusp as a first tool of choice when you analyze a suspect computer. To review the FAQs for GetSusp, see KB69385.
To download GetSusp, go to http://www.mcafee.com/us/downloads/free-tools/getsusp.aspx. You can use GetSusp to submit samples to McAfee even if you do not have a valid Grant Number.
IMPORTANT: The submitted file cannot be larger than 10 MB.
Submit Samples to McAfee Labs via Email:
You can submit samples directly to McAfee Labs by emailing firstname.lastname@example.org and attaching the file(s) for review. When submitting samples via email, ensure your attachments are contained in password-protected .zip files with the password infected (all lower case). If the automated system is unable to determine if there is a valid threat, your submission will be escalated for further analysis. For more information on creating a .zip file, see:
- Using WinZip (http://kb.winzip.com/kb/entry/78/)
- Using Windows file compression (http://support.microsoft.com/kb/306531)
False Positive Submissions
If you think that a file has been falsely detected or incorrectly classified, follow this procedure to submit the sample to McAfee Labs.
Submit False Positive samples through the McAfee support portal
The preferred method for submission is via the McAfee support portal (Platinum Portal/ServicePortal). See Solution 1 above for instructions to submit samples through the support portals.
When you use the support portal to submit fales positives, ensure that you select the appropriate Issue Type for your submission:
- Artemis False (false positive detection from Global Threat Intelligence)
- Suspected False (all other false positive detections)
To submit a sample via email, please send it to McAfee Labs Virus Research at: email@example.com.
- Prefix the email subject line with the word FALSE. For example:
FALSE: In-house file being detected by McAfee
- Ensure that you include the On Access / On Demand Scan log files of the McAfee product along with the DAT and Engine versions in use at the time. Also, include any other relevant information regarding why you think the file has been incorrectly detected. This information is helpful when analyzing the sample.
Information to provide: (example)
Please review the submitted file as we believe this is a false detection.
Product: VirusScan Enterprise 8.8
DAT version: 6587
Description of issue: This application has been developed as an in-house tool for cleaning our databases. Please see the attached OAS/ODS log file showing this detection by VirusScan.
NOTE: Failure to supply all of the information requested above might result in delays with the analysis.
- The sample is considered clean. Detection is suppressed and will be updated in the earliest DAT release.
- The sample is incorrectly classified. It will be reclassified and detection will be updated in the earliest DAT release.
- Analysis of the file determines that the sample is properly detected. You will be notified of the results.
As a customer, how can I prevent our files from being falsely detected in the future?
McAfee Labs gladly accepts samples into our Quality Assurance testing process where they are scanned with every DAT release to prevent false detections. See Solution 3 for information on how to submit your company software or images to McAfee Labs to be considered for validation against McAfee DAT files.
In the past, I have used the keyword NOAUTO in the subject line when submitting samples via email. Is that keyword no longer being recognized?
NOAUTO, which prevents the autoresponse message, is still an accepted keyword. However, to quickly identify and process possible false detections, McAfee has enabled the new process using the FALSE keyword as described above.
McAfee Labs (formerly McAfee Avert Labs) Core Security Updates Team utilizes a False Positive Test Rig as part of our extensive pre-release testing. This test rig is a large array of catalogued data, used by the Core Security Updates team to guard against false positives occurring in released DATs. It consists of a collection of known clean data, acquired by McAfee from commercial software vendors, including Microsoft and IBM. Additionally, the McAfee Production team also actively targets data from the Internet for download to the rig.
McAfee also offers its customers, partners, and other third-party software manufacturers the opportunity to submit their own Corporate Operating Environment (COE) images or proprietary software for inclusion in this rig. This significantly reduces the chances of a DAT causing false positives on unique customer applications or data. The False Positive Test Rig is located on an isolated network, and the data it contains is used only for false-positive identification testing.
Before every DAT release, the data on the false rig is scanned to identify false positive detections. Any identifications are passed to McAfee Labs researchers for analysis. The McAfee Labs Research team have final sign off on every release of a DAT.
Data Submission Process
IMPORTANT: If you submit data for inclusion to the False Positive Test Rig, ensure that you are legally entitled to distribute the software outside of your organization. McAfee cannot be held responsible for unauthorized software distribution.
If you want files to be included, they can be submitted using the following methods:
- Via a CD or DVD to the address listed at the end of this article
- Notify McAfee of a download location by contacting: firstname.lastname@example.org
- Upload files to the False Submission FTP site. To request an FTP account, contact: email@example.com
The supported submission formats are ISO, ZIP, or pre-extracted. Presently, McAfee is unable to process Norton Ghost or other proprietary image formats, but can accept VMware images. If you are submitting specific applications or data rather than a full COE image, submit the extracted contents of the installation package in addition to the installer.
After the data is processed and moved to the scanning rig, a confirmation email will be sent to you. The expected time between McAfee receiving the data and it being processed will vary depending upon the size of the submission and current workloads, but should not exceed two working days from receipt of the submission.
What happens to the submitted data?
Where possible, the data is extracted and hashes are created to uniquely identify each file. These hashes are compared against a database of existing data, and those we already have are discarded. Any new data not currently held on the False Rig will be included on the rig and scanned with each DAT release.
Include as much information as possible with any submission, including (but not limited to), the following:
- Company name
- Contact name
- Contact phone number (including country code)
- Contact email address
- McAfee SAM or Account Manager name
- McAfee products used (including product version and patch level)
- Any Scan or product settings used
- If posting by traditional mail, confirm the count of media enclosed, including the number of files
- Description of submission contents (for example: bespoke product, internal data, full COE image)
- Any other relevant information (such as frequency of updates)
If you are using the postal service, send all submissions to the following address:
NOTE: McAfee recommends that media is sent via recorded delivery or traceable courier delivery.
False Rig Submission
c/o McAfee Labs Core Security Updates Team
BUCKS HP19 8ED
For further information or questions, contact the Core Security Updates team at: firstname.lastname@example.org
If you think McAfee has incorrectly classified your software as a Potentially Unwanted Program (PUP) such as spyware, complete the McAfee Detection Dispute Submission Form. For further details see https://secure.mcafee.com/apps/mcafee-labs/dispute-form.aspx.
NOTE: This procedure is intended for software developers and software producers and not to be confused with procedures for submitting other detections.