How to submit potential false positives from the product or through Global Threat Intelligence to McAfee Labs
Technical Articles ID:   KB85567
Last Modified:  3/20/2019

Environment

McAfee DAT files
McAfee Labs
Multiple McAfee products

Summary

This article describes how to submit potential false positive detections from the product or through Global Threat Intelligence (GTI).

NOTE: This article applies only to McAfee business and enterprise products. If you need information or support for McAfee consumer or small business products, visit https://service.mcafee.com.
 
A false positive is a malware detection triggered for a legitimate file. If you think that a file has been falsely detected, follow this procedure to submit the sample to McAfee Labs.  

Submit potential false positive samples through the ServicePortal
The preferred method for submission is the ServicePortal.
  1. Log on to the ServicePortal at https://support.mcafee.com using your Grant Number.
  2. Click the Service Requests tab.
  3. Click the Submit a Sample tab.
  4. Complete the submission details. Ensure that you select the appropriate Issue Type for your submission: Suspected False.
  5. Upload the samples.
  6. Click Submit. A Sample Submission Service Request is created on the ServicePortal, which you can use to track progress. This system is automated and no support agents are assigned to submissions. The Service Request number is provided only for tracking purposes and is not monitored.
Submit potential false positive samples through email submissions
To submit a sample using email, send it to McAfee Labs Virus Research at virus_research@avertlabs.com.
  • Prefix the email subject line with the word FALSE. For example:

    FALSE: In-house file detected by McAfee
  • Example of information to provide: 
Please review the submitted file as we think this detection is a false positive detection.

Product: VirusScan Enterprise 8.8
DAT version: 8125
Engine: 5800
Description of issue: This application has been developed as an in-house tool for cleaning our databases.

NOTE: Failure to supply all information requested above could result in delays with the analysis.

Submission requirements
It is important that these requirements are followed, because not doing so causes a submission or sample processing failure. Submissions or samples that fail as a result of not adhering to these requirements are discarded without further processing, and you are not sent any notification to that effect.
  • The sample must be in a password-protected .zip or .7z file. RAR and other formats are not processed.
  • The .zip file must be a single level. Do not include .zip files within the .zip file, with or without password protection, and do not include folder structures that are more than one level deep. Archives that break these rules are not processed.
  • The file extension of the password-protected .zip file must be .zip or .7z. Any other extensions, or lack of an extension, cause the sample to not be processed.
  • When creating the .zip file, do not use AES or other types of encryption available from the program; use only a password for protection.
  • You must use the word infected as the password for the .zip or .7z file. Any other password causes the sample to not be processed.
  • Do not include more than 100 files within the .zip or .7z file. More than 100 files causes the sample to not be processed. If you have more than 100 files, spread them across multiple submissions.
  • The .zip file can be no larger than 50 MB. Larger .zip or .7z files cause the sample to not be processed.
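A pre-flight check of a .zip archive against the rules above, added here as an example (not McAfee tooling). It uses only the standard library, so it inspects .zip files only (.7z would need a third-party package) and the constructed demo archive is unencrypted, which is itself reported as a violation.

```python
import os
import tempfile
import zipfile

MAX_FILES = 100
MAX_BYTES = 50 * 1024 * 1024
WINZIP_AES_METHOD = 99  # compression-method id that marks WinZip AES entries
ENCRYPTED_FLAG = 0x1    # general-purpose bit 0: entry is password protected

def check_submission_zip(path):
    """Return a list of rule violations; an empty list means the archive passes."""
    problems = []
    if os.path.splitext(path)[1].lower() != ".zip":
        problems.append("extension is not .zip (only .zip is inspected here)")
        return problems
    if os.path.getsize(path) > MAX_BYTES:
        problems.append("archive is larger than 50 MB")
    with zipfile.ZipFile(path) as zf:
        entries = [i for i in zf.infolist() if not i.is_dir()]
        if len(entries) > MAX_FILES:
            problems.append(f"{len(entries)} files exceeds the 100-file limit")
        for info in entries:
            name = info.filename
            if name.lower().endswith((".zip", ".7z")):
                problems.append(f"{name}: nested archive")
            if name.count("/") > 1:
                problems.append(f"{name}: folder structure deeper than one level")
            if not (info.flag_bits & ENCRYPTED_FLAG):
                problems.append(f"{name}: not password protected")
            elif info.compress_type == WINZIP_AES_METHOD:
                problems.append(f"{name}: uses AES encryption")
            else:
                try:  # ZipCrypto entries: a wrong password is rejected on open
                    with zf.open(info, pwd=b"infected") as fh:
                        fh.read(1)
                except RuntimeError:
                    problems.append(f"{name}: password is not 'infected'")
    return problems

def demo_violations():
    """Check a constructed archive that breaks several rules (unencrypted, as
    the standard library cannot write password protection)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.zip")
        with zipfile.ZipFile(path, "w") as zf:
            zf.writestr("cleaner.exe", b"constructed demo content")
            zf.writestr("deep/inner/helper.dll", b"constructed demo content")
            zf.writestr("bundle.zip", b"constructed demo content")
        return check_submission_zip(path)
```

Run `check_submission_zip("your_sample.zip")` on the archive you intend to upload; any non-empty result means McAfee Labs would discard it silently.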

For more information about creating a .zip file:

Additional requirements
Provide the following information:
  • Is the sample from a third-party vendor application or a customer built application?  
  • If the sample is from a third-party vendor application, who is the vendor, and what is the application name and version?  
  • What is the purpose of the application?  
  • Submit logs showing the detection. Log locations are as follows:

    NOTE: The specific logs required depend on which component detected the software. There are Adaptive Threat Protection logs, on-access scan logs, and on-demand scan logs. Collect a Minimum Escalation Requirements (MER) file to ensure that all required logs are collected.
     
    • Endpoint Security:

      C:\ProgramData\McAfee\Endpoint Security\Logs\OnDemandScan_Activity.log
      C:\ProgramData\McAfee\Endpoint Security\Logs\OnAccessScan_Activity.log
      C:\ProgramData\McAfee\Endpoint Security\Logs\AdaptiveThreatProtection_Activity.log

    • VirusScan Enterprise:

      C:\ProgramData\McAfee\DesktopProtection\OnDemandScanLog.txt
      C:\ProgramData\McAfee\DesktopProtection\OnAccessScanLog.txt

Potentially Unwanted Program (PUP) requirements:
Submit the full installation package for the PUP. This package is needed for McAfee Labs to determine PUP coverage. Programs that violate the McAfee PUP policy are classified as a PUP: https://www.mcafee.com/enterprise/en-us/assets/misc/ms-pup-policy.pdf.

If the sample violates the McAfee PUP policy, McAfee Labs will not remove coverage. If needed, configure an exclusion by detection name in Endpoint Security or VirusScan Enterprise.

What to expect after submitting your sample
After the sample has been analyzed, one of the following happens:
  • The sample is considered clean. Detection is suppressed, and the change is included in the earliest available DAT release.
  • Analysis of the file determines that the sample is properly detected. You are notified of the results.

Frequently asked questions
As a customer, how can I prevent our files from being falsely detected in the future?
McAfee Labs accepts samples into our Quality Assurance testing process, where they are scanned with every DAT release to prevent false detections. For more information, see KB85568.

In the past, I have used the keyword NOAUTO in the subject line when submitting samples through email. Is that keyword no longer being recognized?
NOAUTO, which prevents the auto response message, is still an accepted keyword. But, to quickly identify and process possible false detections, McAfee Labs has enabled the new process using the FALSE keyword as described above.
