Submit potential false positives from the product or through GTI to McAfee Labs

Contents
This article describes how to submit potential false positive detections from the product or through Global Threat Intelligence (GTI). A false positive is a malware detection triggered for a legitimate file. If you think that a file has been falsely detected, follow this procedure to submit the sample to McAfee Labs.

Click to expand the section you want to view:

Submit potential false positive samples through Technical Support (via ServicePortal)

Submit process:

Log on to the Service Portal using your Grant Number.
Click the Service Requests tab.
Click the Create a Service Request tab.
Select the Issue Type Malware.
Complete the submission details.
Upload the samples.
Click Submit. The sample is associated with the Service Request. You can now work with Technical Support.

Submit potential false positive samples through email submissions

To submit a sample using email, send it to McAfee Labs Virus Research at: virus_research@avertlabs.com.

Prefix the email subject line with the word FALSE. For example:

FALSE: In-house file detected by McAfee

Example of information to provide:

Review the submitted file as we think this detection is a false positive detection.

Product: VirusScan Enterprise 8.8
DAT version: 8125
Engine: 5800
Description of issue: This application has been developed as an in-house tool for cleaning our databases.

NOTE: Failure to supply all information requested above could result in delays with the analysis.

Submission requirements

It’s important to follow this information because not doing so causes a submission or sample processing failure. Failed sample submissions that don’t adhere to these requirements are discarded without further processing. You aren’t sent any notification to that effect.

Minimum data collection requirements are needed to process a sample. The following applies when engaging with Technical Support or McAfee Labs for:

Detection failures
Clean failures
False positives for Endpoint Security and VirusScan Enterprise
NOTE: For more information, see: KB91459 - Minimum data collection requirements for detection failures, clean failures, and false positives.

Requirements:

The sample must be in a password-protected .zip file. See the exceptions below for .7z. RAR and other formats aren’t be processed.
NOTES: Support for .7z file format:
- Supported when submitting samples to virus_research@avertlabs.com
- Not supported when submitted via the ServicePortal
Don’t take the following actions. The .zip file must be a single level.
- Don’t include .zip files within the .zip file, with or without password protection.
- Don’t include folder structures that are more than one level deep.
Taking any of the above actions can cause samples to not be processed.
The file extension of the password-protected .zip file must be .zip. Any other extensions, or lack of an extension, cause the sample to not be processed.
The total file path length must be 125 characters or less. For example, sample.zip/sample.docx would be counted as 22 characters.
When creating the .zip file, don’t use AES or other types of encryption available from the program; use only a password for protection.
You must use the word infected as the password for the .zip file. Any other password causes the sample to not be processed.
Don’t include more than 100 files within the .zip. More than 100 files causes the sample to not be processed. If you’ve more than 100 files, spread them across multiple submissions.
The .zip file can be no larger than 50 MB. Larger .zip files cause the sample to not be processed.

For more information about creating a .zip file:

What to expect after submitting your sample

After the sample has been analyzed, one of the following happens:

The sample is considered clean. Detection is suppressed, and is updated in the earliest DAT release.
Analysis of the file determines that the sample is properly detected. You’re notified of the results.

NOTE: If the submission response shows a detection and you believe the detection to still be invalid, contact Technical Support.

To contact Technical Support, go to the Create a Service Request page and log on to the ServicePortal.

If you are a registered user, type your User ID and Password, and then click Log In.
If you are not a registered user, click Register and complete the fields to have your password and instructions emailed to you.

Frequently asked questions

As a customer, how can I prevent our files from being falsely detected in the future?
McAfee Labs accepts samples into our Quality Assurance testing process, where they’re scanned with every DAT release to prevent false detections. For more information, see: KB85568 - How to submit your company's software to be considered for validation against DAT files (Whitelisting Program).

In the past, I’ve used the keyword NOAUTO in the subject line when submitting samples through email. Is that keyword no longer being recognized?
NOAUTO, which prevents the auto response message, is still an accepted keyword. But, to quickly identify and process possible false detections, McAfee Labs has enabled the new process using the FALSE keyword as described above.

Knowledge Center

Submit potential false positives from the product or through GTI to McAfee Labs

Environment

Summary

Related Information

Affected Products

Languages:

Glossary of Technical Terms

Title

Title

Knowledge Center

Submit potential false positives from the product or through GTI to McAfee Labs

Environment

Summary

Related Information

Affected Products

Languages:

Glossary of Technical Terms

Choose your region

Title

Title