How to submit false positive or false negative virus and anti-malware samples for Advanced Threat Defense
Technical Articles ID:   KB83659
Last Modified:  2/15/2019
Environment

McAfee Advanced Threat Defense (ATD)

Summary

If you are using ATD and notice false positives (a clean file or URL that ATD convicts) or false negatives (malicious content that ATD passes as clean), use the following instructions to submit samples for analysis.

IMPORTANT:
  • For instructions on how to submit samples to the McAfee Labs in general, see KB68030.
  • For instructions on submitting spam and phishing samples for other products, see KB59415.
  • For instructions on submitting false positives with Global Threat Intelligence (GTI), see KB85567.

Solution

To submit a false positive:
  1. Obtain a sample:
    For steps to obtain, compress, and encrypt the sample directly from the ATD appliance, see the Advanced Threat Defense Product Guide for your release.
     
  2. Submit the sample:
    The engine that produced the verdict determines where the sample must be sent. Open the sample's analysis result page in ATD, note the Engine Name shown in the report, and submit it to the matching team below:
    • Engine Name, Gateway Anti-Malware:
      Submit to the Gateway Anti-Malware team (formerly Secure Anti Malware).
       
      • Submit by Email:
        Send an email with the sample file attached to virus_research_gateway@avertlabs.com and add Possible False to the subject line so that the team knows the sample is being reported as a false positive. After the sample is received, it is validated for detection issues and classified as a known clean file, a possible false detection, or an unknown file. Samples classified as a possible false detection or an unknown file are reviewed for further processing.
        NOTE: After a submission status is confirmed, an email update is sent to the submitter.
         
      • Submit by Service Request:
        Perform the submission steps in KB85567 to submit suspected false positive detections for analysis.
         
    • Engine Name, Anti-Malware:
      Submit to McAfee Labs.
      Perform the submission steps in KB85567 to submit suspected false positive detections for analysis.
       
    • Engine Name, GTI File Reputation:
      • If the sample is a file:
        Submit to McAfee Labs.
        Perform the submission steps in KB85567 to submit suspected false positive detections for analysis.
         
      • If the sample is a URL (http://www.sample.com):
        Submit to the URL reputation team.
        Perform the submission steps in KB62504 to submit the URL for classification analysis.
         
    • Engine Name, Sandbox:
      Submit a sample to McAfee Labs; the case will be directed to ATD Support.
      • Open a Service Request and include the submission ID in the Problem Description field. See the Related Information section for details.

Solution

To submit a false negative:
  1. Obtain a sample:
    For steps to obtain, compress, and encrypt the sample directly from the ATD appliance, see the Advanced Threat Defense Product Guide for your release.
     
  2. Submit the sample to McAfee Labs:
    Follow the method documented in KB68030. You will receive an Analysis ID after the submission is received.
     
  3. Open a Service Request and include the Analysis ID from McAfee Labs in the Problem Description field. See the Related Information section for contact details.

    IMPORTANT: Do not send the malware to the Technical Support Engineer or upload it as part of this Service Request. Technical Support will validate the sandbox configuration and determine if further action is necessary.
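Step 1 of both procedures above (obtain, compress, and encrypt the sample) is defined by the Product Guide for your release; the following script is an added example, not McAfee's or the Product Guide's own tooling, of how an analyst can package a sample consistently before submitting it. It records the file hashes and the ATD verdict in a manifest (so the hash can be quoted in the Service Request and in the email subject), and archives sample plus manifest. The password-protected archive is produced with the 7-Zip command-line tool (7z) when it is installed; the password "infected" is an assumed convention, not a value stated on this page. Without 7z the script falls back to an unencrypted zip and reports that, so the caller can encrypt by other means before sending.

```python
"""Package a suspected false positive / false negative for submission.

Added example; assumes a POSIX or Windows host with Python 3.8+ and,
optionally, the 7z command-line tool on PATH for AES-encrypted archives.
"""
import hashlib
import json
import os
import shutil
import subprocess
import zipfile
from pathlib import Path

# Assumed password convention for malware archives; confirm against the
# Product Guide / KB68030 before submitting.
DEFAULT_PASSWORD = "infected"


def file_hashes(path):
    """Return MD5, SHA-1 and SHA-256 of a file, read in 1 MiB chunks."""
    digests = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def build_manifest(path, engine, verdict, expected):
    """Describe the sample and the ATD verdict being disputed.

    engine:   Engine Name from the ATD report (e.g. "Gateway Anti-Malware")
    verdict:  what ATD reported (e.g. "malicious")
    expected: what the submitter believes is correct (e.g. "clean")
    """
    info = {"filename": Path(path).name, "size": os.stat(path).st_size}
    info.update(file_hashes(path))
    info.update({"atd_engine": engine, "atd_verdict": verdict,
                 "expected_verdict": expected})
    return info


def subject_line(manifest):
    """Email subject for the Gateway Anti-Malware team: the page asks for the
    words 'Possible False'; the SHA-256 lets the team match the file."""
    return f"Possible False - {manifest['filename']} - {manifest['sha256']}"


def package_sample(path, out_dir, engine, verdict, expected,
                   password=DEFAULT_PASSWORD):
    """Write manifest.json and an archive named after the SHA-256.

    Returns (archive_path, manifest, encrypted). encrypted is False when 7z
    is unavailable and a plain zip was written instead.
    """
    out_dir = Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    manifest = build_manifest(path, engine, verdict, expected)
    manifest_path = out_dir / "manifest.json"
    manifest_path.write_text(json.dumps(manifest, indent=2))
    archive = out_dir / f"{manifest['sha256']}.zip"

    seven_zip = shutil.which("7z")
    if seven_zip:
        # -tzip: zip container; -p: password; -mem=AES256: AES rather than
        # legacy ZipCrypto, so the payload is not trivially recoverable.
        subprocess.run([seven_zip, "a", "-tzip", f"-p{password}", "-mem=AES256",
                        str(archive), str(path), str(manifest_path)],
                       check=True, capture_output=True)
        return archive, manifest, True

    # Fallback: stdlib zipfile cannot encrypt, so flag the archive as plain.
    with zipfile.ZipFile(archive, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.write(path, Path(path).name)
        zf.write(manifest_path, "manifest.json")
    return archive, manifest, False


if __name__ == "__main__":
    import sys
    sample, dest, eng, got, want = sys.argv[1:6]
    arc, man, enc = package_sample(sample, dest, eng, got, want)
    print("archive:", arc, "(encrypted)" if enc else "(NOT encrypted - encrypt before sending)")
    print("subject:", subject_line(man))
```

Run it as `python package_sample.py <sample> <output dir> "<Engine Name>" <ATD verdict> <expected verdict>`. The archive name and the manifest's SHA-256 are what you quote in the Service Request's Problem Description; the sample itself still goes to McAfee Labs through the channel for that engine, never to the Service Request.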
