How to submit potential false positives from the product or through Global Threat Intelligence to McAfee Labs
Technical Articles ID:   KB85567
Last Modified:  5/22/2019

Environment

McAfee DAT files
McAfee Labs
Multiple McAfee products

NOTE: This article applies only to McAfee business and enterprise products. If you need information or support for McAfee consumer or small business products, visit https://service.mcafee.com.

Summary

This article describes how to submit potential false positive detections from the product or through Global Threat Intelligence (GTI). A false positive is a malware detection triggered for a legitimate file. If you think that a file has been falsely detected, follow this procedure to submit the sample to McAfee Labs.  

The preferred method for submission is the ServicePortal.
  1. Log on to the ServicePortal at https://support.mcafee.com using your Grant Number.
  2. Click the Service Requests tab.
  3. Click the Submit a Sample tab.
  4. Complete the submission details. Ensure that you select the appropriate Issue Type for your submission: Suspected False.
  5. Upload the samples.
  6. Click Submit. A Sample Submission Service Request is created on the ServicePortal, which you can use to track progress. This system is automated and no support agents are assigned to submissions. The Service Request number is provided only for tracking purposes and is not monitored.
To submit a sample using email, send it to McAfee Labs Virus Research at: virus_research@avertlabs.com
  • Prefix the email subject line with the word FALSE. For example:

    FALSE: In-house file detected by McAfee
  • Example of information to provide:

    Please review the submitted file as we think this detection is a false positive detection.

    Product: VirusScan Enterprise 8.8
    DAT version: 8125
    Engine: 5800
    Description of issue: This application has been developed as an in-house tool for cleaning our databases.

NOTE: Failure to supply all information requested above could result in delays with the analysis.

It is important to follow these requirements, because not doing so causes a submission or sample processing failure. Submissions or samples that fail because they do not adhere to these requirements are discarded without further processing, and you are not sent any notification to that effect.

When engaging Technical Support or McAfee Labs for detection failures, clean failures, and false positives for Endpoint Security and VirusScan Enterprise, additional minimum data must be collected before the sample can be processed. See KB91459 for more information.

Requirements:
  • The sample must be in a password-protected .zip or .7z file. RAR and other formats are not processed.
  • The .zip file must be a single level. Do not include .zip files within the .zip file, with or without password protection, and do not include folder structures that are more than one level deep. Not following these requirements can cause samples to not be processed.
  • The file extension of the password-protected .zip file must be .zip or .7z. Any other extensions, or lack of an extension, cause the sample to not be processed.
  • When creating the .zip file, do not use AES or other types of encryption available from the program; use only a password for protection.
  • You must use the word infected as the password for the .zip or .7z file. Any other password causes the sample to not be processed.
  • Do not include more than 100 files within the .zip or .7z file. More than 100 files causes the sample to not be processed. If you have more than 100 files, spread them across multiple submissions.
  • The .zip file can be no larger than 50 MB. Larger .zip or .7z files cause the sample to not be processed.
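
A pre-submission check for the .zip requirements listed above, as an added example that is not part of the original article or any McAfee tooling. It reads archive metadata only, so it cannot confirm that the password is infected; the function names, the reading of "one level deep" as at most one folder, and the sample archive are assumptions constructed for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

MAX_FILES = 100               # "Do not include more than 100 files"
MAX_BYTES = 50 * 1024 * 1024  # "no larger than 50 MB"
AES_METHOD = 99               # ZIP method ID written for AES-encrypted entries

def check_submission(name, data):
    """Return the list of requirements a .zip submission violates (empty = OK)."""
    problems = []
    if not name.lower().endswith(".zip"):
        problems.append("extension is not .zip")
    if len(data) > MAX_BYTES:
        problems.append("archive is larger than 50 MB")
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            files = [i for i in zf.infolist() if not i.is_dir()]
    except zipfile.BadZipFile:
        return problems + ["not a readable .zip archive"]
    if len(files) > MAX_FILES:
        problems.append("more than 100 files")
    for info in files:
        path = PurePosixPath(info.filename)
        if len(path.parts) > 2:  # assumption: one folder level is acceptable
            problems.append(f"{info.filename}: folders more than one level deep")
        if path.suffix.lower() == ".zip":
            problems.append(f"{info.filename}: .zip inside the .zip")
        if not info.flag_bits & 0x1:  # bit 0 = entry is encrypted
            problems.append(f"{info.filename}: not password protected")
        elif info.compress_type == AES_METHOD:
            problems.append(f"{info.filename}: AES used instead of a plain password")
    return problems

def constructed_sample(names, encrypted=True, method=0):
    """Constructed in-memory .zip; only central-directory metadata is patched to
    look encrypted, which is enough because check_submission() reads metadata."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, b"constructed sample bytes")
    raw = bytearray(buf.getvalue())
    pos = raw.find(b"PK\x01\x02")
    while pos != -1:
        raw[pos + 8] |= 0x01 if encrypted else 0x00  # general-purpose flag, bit 0
        raw[pos + 10] = method                        # compression method (low byte)
        pos = raw.find(b"PK\x01\x02", pos + 4)
    return bytes(raw)
```

Run `check_submission()` on the real archive's file name and bytes before uploading or emailing it; an empty list means none of the checked requirements is violated.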

For more information about creating a .zip file:

After the sample has been analyzed, one of the following happens:
  • The sample is considered clean. The detection is suppressed, and the update is included in the earliest DAT release.
  • Analysis of the file determines that the sample is properly detected. You are notified of the results.
NOTE: If the submission response shows a detection and you believe the detection to still be invalid, contact Technical Support.

To contact Technical Support, log on to the ServicePortal and go to the Create a Service Request page at https://support.mcafee.com/ServicePortal/faces/serviceRequests/createSR:
  • If you are a registered user, type your User Id and Password, and then click Log In.
  • If you are not a registered user, click Register and complete the required fields. Your password and logon instructions will be emailed to you.
As a customer, how can I prevent our files from being falsely detected in the future?
McAfee Labs accepts samples into our Quality Assurance testing process, where they are scanned with every DAT release to prevent false detections. For more information, see KB85568.

In the past, I have used the keyword NOAUTO in the subject line when submitting samples through email. Is that keyword no longer being recognized?
NOAUTO, which prevents the auto response message, is still an accepted keyword. However, to quickly identify and process possible false detections, McAfee Labs has enabled the new process using the FALSE keyword as described above.
