IMPORTANT: The procedure outlined in this article must be followed only when it is not possible to submit malware samples through the ServicePortal malware submission process. For instructions on how to submit samples through the ServicePortal, see KB68030.
This article explains acceptable use-case scenarios for when you can submit samples using the following FTP servers:
| FTP server location | Comments |
|---|---|
| support-ftp.mcafee.com | Standard FTP |
| support-sftp.mcafee.com | Secure FTP |
Why submit with FTP?
McAfee Labs accepts malware submissions through FTP sites for the following two use-case scenarios:
- The customer samples are either too large or too many and cannot easily be split for submission using the standard web or email submission methods. The limits for ServicePortal and email submissions are 50 MB in size and no more than 100 files per archive file.
- There is a technical issue with the ServicePortal site and email submission, and you are not able to submit samples using these methods.
McAfee Labs requires that you use the standard method of submission through the ServicePortal as a first step because this service provides a better experience than the FTP site.
Standard submission methods vs. FTP
The following list outlines the advantages of standard submission methods over FTP:
- Monitoring: FTP sites are not monitored. Submitted files are not accessed until you contact Technical Support for analysis, even if the sample is known and an Extra.DAT is already available. You will not receive a response until we manually check the sample. This FTP method can add significant delays to the process and increase the response time.
- Submission acknowledgement: When you submit through standard methods, you receive an email response to confirm that your submission was received. The system informs you of the current classification of the samples, for example, clean, malicious, Potentially Unwanted Program (PUP), inconclusive, or detected with Extra.DAT. When you submit samples through FTP, you receive no email and all responses come manually from Technical Support rather than automated systems.
- Deletion Policy: The FTP server policy deletes all samples after two weeks. If the sample is not stored elsewhere, it could be purged from the server before the case is closed.
- Delays: There are numerous delays and manual effort when you submit samples through the FTP sites instead of through the standard submission methods, where automation is used. Use the FTP sites only when it is not possible to submit files through the standard methods.
- Priority: Malware collections and bulk submissions account for hundreds of thousands of samples received at McAfee Labs each day. They are treated with a lower priority than customer samples that are processed through our automated systems, because customer samples are the highest priority and are processed first. When you submit a sample using the ServicePortal or email, the sample is processed ahead of collections and receives a priority analysis. If you submit a sample using FTP and it has been seen only in bulk submissions, it is processed at a slower rate than if it had been submitted through the standard methods.
- Automated driver authoring: If automation can generate a driver for a sample, it will. But, if a sample is generated because of a lower priority collection, it gets set to merge or release at a lower priority. Submissions received from customers always receive the highest priority, which is reflected in the merge or release as well. Any drivers written by automation for customer samples go into the DATs before any from bulk collections.
- Driver release: Drivers from automation, especially drivers generated because of customer submissions, are built using proven and tested templates. Drivers from automation can actually be released into the DATs faster than drivers generated by a human.
- Sample reprocessing: McAfee Labs tries to maintain as much current data as possible for samples, but there are billions of files in our collections. So, we can only reprocess so many samples per day and ensure the data is accurate. But, any customer-submitted sample that does not have a current detection, or is not known to be clean, is reprocessed daily to ensure that the data can be updated in the sample database. In this way, if there is any new data for the sample, there are multiple opportunities for an automated driver to be created.
- Automatic addition to operational tasks: McAfee Labs has systems that automatically monitor SampleDB or Automation for samples from customers with specific characteristics. These samples are highlighted and raised to our generic signature authoring team to work on new generic detections, and use those samples for release testing.
- Samples for machine learning: Machine Learning systems process all customer-submitted samples to improve those systems, and the classification or detection rates of products such as Real Protect.
- Advanced Threat Defense (ATD) submissions: The back-end automation system has ATD systems that are used as part of the processing of customer samples, which provides McAfee Labs with more intelligence on the file. It also provides the ATD research team samples to improve the capabilities of ATD.
- Generic.tra: Workflow creates the Extra.DATs, not the automation systems.
NOTES:
- Any generic.tra that is created is an SED. SED stands for Signed Extra.DAT, and allows for additional verbs to be used in the driver.
- The repair or cleaning routine used for a generic.tra is the same generic cleaning routine used in most of the drivers and SEDs in the DATs. They have the same repair capability.
- In addition to this functionality, when a generic.tra is delivered, the samples that were moved to a queue for human review also receive a generic.tra response.