Submit potential false positives from the product or through GTI to McAfee Labs

Technical Articles ID: KB85567
Last Modified: 4/27/2021

Environment

McAfee DAT files
McAfee Labs
Multiple McAfee products

NOTE: This article applies only to McAfee business and enterprise products. If you need information or support for McAfee consumer or small business products, visit https://service.mcafee.com.

Summary

Contents
This article describes how to submit potential false positive detections from the product or through Global Threat Intelligence (GTI). A false positive is a malware detection triggered for a legitimate file. If you think that a file has been falsely detected, follow this procedure to submit the sample to McAfee Labs.

Click to expand the section you want to view:

Submit potential false positive samples through Technical Support (via ServicePortal)

Submit process:

Log on to the ServicePortal at https://support.mcafee.com using your Grant Number.
Click the Service Requests tab.
Click the Create a Service Request tab.
Select the Issue Type Malware.
Complete the submission details.
Upload the samples.
Click Submit. The sample is associated with the Service Request. You can now work with Technical Support.

Submit potential false positive samples through email submissions

To submit a sample using email, send it to McAfee Labs Virus Research at: virus_research@avertlabs.com.

NOTE: If you submit a .bup file for a false positive detection, you must open a Service Request with Technical Support after submitting the sample. The sample automation is unable to handle .bup files and Technical Support needs to make sure that the sample gets successfully processed.

Prefix the email subject line with the word FALSE. For example:

FALSE: In-house file detected by McAfee

Example of information to provide:

Review the submitted file as we think this detection is a false positive detection.

Product: VirusScan Enterprise 8.8
DAT version: 8125
Engine: 5800
Description of issue: This application has been developed as an in-house tool for cleaning our databases.

NOTE: Failure to supply all information requested above could result in delays with the analysis.

Submission requirements

It is important to follow this information because not doing so causes a submission or sample processing failure. Failed sample submissions that did not adhere to these requirements are discarded without further processing. You are not sent any notification to that effect.

Minimum data collection requirements are needed to process a sample. The following applies when engaging with Technical Support or McAfee Labs for:

Detection failures
Clean failures
False positives for Endpoint Security and VirusScan Enterprise
NOTE: For more information, see: KB91459 - Minimum data collection requirements for detection failures, clean failures, and false positives.

Requirements:

The sample must be in a password-protected .zip file. See the exceptions below for .7z. RAR and other formats are not be processed.
NOTES: Support for .7z file format:
- Supported when submitting samples to virus_research@avertlabs.com
- Not supported when submitted via the ServicePortal
Do not take the following actions. The .zip file must be a single level.
- Do not include .zip files within the .zip file, with or without password protection.
- Do not include folder structures that are more than one level deep.
Taking any of the above actions can cause samples to not be processed.
The file extension of the password-protected .zip file must be .zip. Any other extensions, or lack of an extension, cause the sample to not be processed.
The total file path length must be 125 characters or less. For example, sample.zip/sample.docx would be counted as 22 characters.
When creating the .zip file, do not use AES or other types of encryption available from the program; use only a password for protection.
You must use the word infected as the password for the .zip file. Any other password causes the sample to not be processed.
Do not include more than 100 files within the .zip. More than 100 files causes the sample to not be processed. If you have more than 100 files, spread them across multiple submissions.
The .zip file can be no larger than 50 MB. Larger .zip files cause the sample to not be processed.

For more information about creating a .zip file:

Using WinZip: http://kb.winzip.com/kb/entry/78/
Using Windows file compression: http://support.microsoft.com/kb/306531

What to expect after submitting your sample

After the sample has been analyzed, one of the following happens:

The sample is considered clean. Detection is suppressed, and is updated in the earliest DAT release.
Analysis of the file determines that the sample is properly detected. You are notified of the results.

NOTE: If the submission response shows a detection and you believe the detection to still be invalid, contact Technical Support.

To contact Technical Support, go to the Create a Service Request page and log on to the ServicePortal.

If you are a registered user, type your User ID and Password, and then click Log In.
If you are not a registered user, click Register and complete the fields to have your password and instructions emailed to you.

Frequently asked questions

As a customer, how can I prevent our files from being falsely detected in the future?
McAfee Labs accepts samples into our Quality Assurance testing process, where they are scanned with every DAT release to prevent false detections. For more information, see: KB85568 - How to submit your company's software to be considered for validation against DAT files.

In the past, I have used the keyword NOAUTO in the subject line when submitting samples through email. Is that keyword no longer being recognized?
NOAUTO, which prevents the auto response message, is still an accepted keyword. But, to quickly identify and process possible false detections, McAfee Labs has enabled the new process using the FALSE keyword as described above.

Related Information

Affected Products

Endpoint Security Adaptive Threat Protection
Endpoint Security Threat Prevention 10.7.x
Endpoint Security Threat Prevention 10.6.x
Threat Prevention and Removal
VirusScan Enterprise 8.8

Languages:

This article is available in the following languages:

German
English United States
Spanish Spain
French
Italian
Japanese
Korean
Dutch
Portuguese Brasileiro
Chinese Simplified
Chinese Traditional

Glossary of Technical Terms

Highlight Glossary Terms

Please take a moment to browse our Glossary of Technical Terms.

Knowledge Center

Submit potential false positives from the product or through GTI to McAfee Labs

Environment

Summary

Related Information

Affected Products

Languages:

Glossary of Technical Terms

Title

Title

Knowledge Center

Submit potential false positives from the product or through GTI to McAfee Labs

Environment

Summary

Related Information

Affected Products

Languages:

Glossary of Technical Terms

Choose your region

Title

Title