How to submit potential false positives from the product or through Global Threat Intelligence to McAfee Labs
Technical Articles ID: KB85567
Last Modified: 9/1/2020
Environment
McAfee DAT files
McAfee Labs
Multiple McAfee products
NOTE: This article applies only to McAfee business and enterprise products. If you need information or support for McAfee consumer or small business products, visit https://service.mcafee.com.
Summary
Contents
This article describes how to submit potential false positive detections from the product or through Global Threat Intelligence (GTI). A false positive is a malware detection triggered for a legitimate file. If you think that a file has been falsely detected, follow this procedure to submit the sample to McAfee Labs.
Click Submit. The sample is associated with the Service Request. You can now work with Technical Support.
The preferred method for submission is the ServicePortal.
NOTE: If you submit a .bup file for a false positive detection, you must open a Service Request with Technical Support after submitting the sample. The sample automation is unable to handle .bup files, and Technical Support needs to make sure that the sample gets successfully processed.
Complete the submission details. Make sure that you select the appropriate Issue Type for your submission: Suspected False.
Upload the samples.
Click Submit. A Sample Submission Service Request is created on the ServicePortal, which you can use to track progress. This system is automated and no support agents are assigned to submissions. The Service Request number is provided only for tracking purposes and is not monitored.
NOTE: If you submit a .bup file for a false positive detection, you must open a Service Request with Technical Support after submitting the sample. The sample automation is unable to handle .bup files, and Technical Support needs to make sure that the sample gets successfully processed.
Prefix the email subject line with the word FALSE. For example:
FALSE: In-house file detected by McAfee
Example of information to provide:
Review the submitted file as we think this detection is a false positive detection.
Product: VirusScan Enterprise 8.8
DAT version: 8125
Engine: 5800
Description of issue: This application has been developed as an in-house tool for cleaning our databases.
NOTE: Failure to supply all information requested above could result in delays with the analysis.
It is important to follow this information because not doing so causes a submission or sample processing failure. Failed sample submissions that did not adhere to these requirements are discarded without further processing. You are not sent any notification to that effect.
Minimum data collection requirements are needed to process a sample. The following applies when engaging with Technical Support or McAfee Labs for:
Detection failures
Clean failures
False positives for Endpoint Security and VirusScan Enterprise.
The sample must be in a password-protected .zip file. See the exceptions below for .7z. RAR and other formats are not processed.
NOTES: Support for .7z file format:
Not supported when submitted via the ServicePortal
Do not take the following actions:
The .zip file must be a single level.
Do not include .zip files within the .zip file, with or without password protection
Do not include folder structures that are more than one level deep.
Taking any of the above actions can cause samples to not be processed.
The file extension of the password-protected .zip file must be .zip. Any other extensions, or lack of an extension, cause the sample to not be processed.
When creating the .zip file, do not use AES or other types of encryption available from the program; use only a password for protection.
You must use the word infected as the password for the .zip file. Any other password causes the sample to not be processed.
Do not include more than 100 files within the .zip. Including more than 100 files causes the sample to not be processed. If you have more than 100 files, spread them across multiple submissions.
The .zip file can be no larger than 50 MB. Larger .zip files cause the sample to not be processed.
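Because failed submissions are discarded without notification, it helps to check an archive against the packaging rules above before uploading it. The following is an added Python example, not McAfee tooling; the function name check_sample_zip and the reading of 50 MB as 50 × 1024 × 1024 bytes are assumptions.

```python
import os
import zipfile

MAX_FILES = 100
MAX_BYTES = 50 * 1024 * 1024   # assumption: the article's "50 MB" read as 50 MiB
AES_METHOD = 99                # WinZip-style AES entries use compression method 99

def check_sample_zip(path):
    """Return a list of rule violations; an empty list means the archive passes."""
    problems = []
    if not path.lower().endswith(".zip"):
        problems.append("archive extension must be .zip")
    if os.path.getsize(path) > MAX_BYTES:
        problems.append("archive is larger than 50 MB")
    with zipfile.ZipFile(path) as zf:
        files = [i for i in zf.infolist() if not i.is_dir()]
        if len(files) > MAX_FILES:
            problems.append("more than 100 files")
        for info in files:
            name = info.filename
            if name.lower().endswith(".zip"):
                problems.append(f"{name}: nested .zip")
            # "dir/file" is one level deep; "dir/sub/file" is too deep.
            if name.strip("/").count("/") > 1:
                problems.append(f"{name}: folders more than one level deep")
            if info.compress_type == AES_METHOD or info.flag_bits & 0x40:
                problems.append(f"{name}: AES/strong encryption")
            elif not info.flag_bits & 0x1:
                problems.append(f"{name}: not password-protected")
            else:
                # Traditional zip password protection: verify the password.
                try:
                    zf.open(info, pwd=b"infected").close()
                except RuntimeError:
                    problems.append(f"{name}: password is not 'infected'")
    return problems

if __name__ == "__main__":
    import sys
    for archive in sys.argv[1:]:
        issues = check_sample_zip(archive)
        print(archive, "OK" if not issues else issues)
```

The password check relies on the one-byte verifier of traditional zip encryption, so a wrong password can occasionally go unreported.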
If you are a registered user, type your User Id and Password, and then click Log In.
If you are not a registered user, click Register and complete the required fields. Your password and logon instructions will be emailed to you.
As a customer, how can I prevent our files from being falsely detected in the future?
McAfee Labs accepts samples into our Quality Assurance testing process, where they are scanned with every DAT release to prevent false detections. For more information, see KB85568.
In the past, I have used the keyword NOAUTO in the subject line when submitting samples through email. Is that keyword no longer being recognized?
NOAUTO, which prevents the auto response message, is still an accepted keyword. But, to quickly identify and process possible false detections, McAfee Labs has enabled the new process using the FALSE keyword as described above.
Related Information
For information about
How to submit samples to McAfee Labs for suspected malware detection failure (Virus not found), see KB68030.
How to submit your company's software to be considered for validation against DAT files (Whitelisting Program), see KB85568.
How to submit samples when an application vendor disputes a PUP detection, see KB85569.