

Minimum data collection requirements to engage Technical Support or McAfee Labs for detection failures, clean failures, and false positives with Endpoint Security and VirusScan Enterprise
Technical Articles ID:   KB91459
Last Modified:  7/30/2019


Environment

McAfee Endpoint Security (ENS) Threat Prevention 10.x
McAfee VirusScan Enterprise (VSE) 8.x

Summary

This article lists the minimum information and files you must collect before engaging Technical Support or McAfee Labs for a detection failure, a clean failure, a false positive, or a Potentially Unwanted Program (PUP) question with ENS or VSE. Cases that arrive without these items are sent back for the missing data, so gather everything before opening the case.

Contents

  • Detection failure
  • Clean failure
  • False positive
  • PUP detection failure or false positive

Detection failure

Description: A threat is present that McAfee does not currently detect, and the customer is requesting coverage for it.

Requirements: Provide the following required information.
  • Submit a sample as described in KB68030.
  • Is the file part of an active infection in the environment?
  • What was the initial entry point – email or URL? Provide details if available.
  • Where was the sample found on the system? Provide the file path, registry location, and any other relevant information.
  • Why is the file suspected as malware? What suspicious behaviors were seen?
  • If submitting a list of hashes without an active infection, provide the source of these hashes. Was the file coming from internal threat hunting, third-party intelligence sharing, or a blog? Provide relevant information, including a link to or copy of the report if available.
IMPORTANT: If you submit a list of hashes without an active infection, the samples must be available to be sourced for McAfee to review and add coverage. If a sample is unable to be sourced, then a sample must be submitted.
 
Clean failure

Description: The product triggers a detection but does not remove all components of the malware.
  • Example 1: ENS detects and deletes the malicious file, but registry entries (such as service entries or run keys) are left behind.
  • Example 2: ENS triggers a !mem detection, which indicates that there was a detection in running process memory, but the file spawning the infected process is not detected.
Requirements: Provide the following required information.
  • Submit the detected sample from the Quarantine. The default quarantine location for ENS and VSE is C:\Quarantine.
  • Submit the remnants as a sample as described in KB68030.
  • Is the file part of an active infection in the environment?
  • What was the initial entry point – email or URL? Provide details if available.
  • Where was the sample found on the system? Provide the file path, registry location, and any other relevant information.
  • Why is the file suspected as malware? What suspicious behaviors were seen?
  • Submit the relevant scan logs showing the clean failure. %deflogdir% is the product's default log directory; unless it has been changed in policy, it is %ProgramData%\McAfee\Endpoint Security\Logs for ENS and %ProgramData%\McAfee\DesktopProtection for VSE.
    • ENS:
      %deflogdir%\OnAccessScan_Activity.log
      %deflogdir%\OnDemandScan_Activity.log
      %deflogdir%\ExploitPrevention_Activity.log
      %deflogdir%\AdaptiveThreatProtection_Activity.log
    • VSE:
      %deflogdir%\OnAccessScanLog.txt
      %deflogdir%\OnDemandScanLog.txt
False positive

Description: A production application, or a component of it, is being detected, and the detection is suspected to be incorrect.

Requirements: For McAfee Labs to properly analyze a file and determine whether it is a false positive, all the following required information must be provided.
  • Submit a sample as described in KB85567.
  • Was it an internal application or third-party software? If third-party software, who is the vendor and what is the application name and version?
  • Provide a detailed description of the file and how it is being used.
  • Provide the installer, source, or a download URL if available.
  • Where was the sample found on the system? Provide the file path, registry location, and any other relevant information.
  • Submit the relevant scan logs showing the detections.
    • ENS:
      %deflogdir%\OnAccessScan_Activity.log
      %deflogdir%\OnDemandScan_Activity.log
      %deflogdir%\ExploitPrevention_Activity.log
      %deflogdir%\AdaptiveThreatProtection_Activity.log
    • VSE:
      %deflogdir%\OnAccessScanLog.txt
      %deflogdir%\OnDemandScanLog.txt
PUP detection failure or false positive

Description: An application, or a component of it, is either detected as a PUP when it should not be, or is not detected as a PUP when it should be.

Requirements: Provide the following required information.
  • Detection Failure:
    • Submit a sample as described in KB68030.
    • Is the file part of an active infection in the environment?
    • What was the initial entry point – email, URL, or installer? Provide details if available.
    • Where was the sample found on the system? Provide the file path, registry location, and any other relevant information.
    • Is the file suspected to be a PUP rather than malware? If so, provide the full installation package or the download location for the program.
    • Why is the file suspected to be a PUP? What behaviors were seen?
  • False Positive:
    • Submit a sample as described in KB85567.
    • Was it an internal application or third-party software? If third-party software, who is the vendor and what is the application name and version?
    • Provide a detailed description of the file and how it is being used.
    • Provide the installer, source, or a download URL if available. Typically, McAfee needs the full installation package to fully vet whether an application violates the McAfee PUP policy.
    • Where was the sample found on the system? Provide the file path, registry location, and any other relevant information.
    • Submit the relevant scan logs showing the detections.
      • ENS:
        %deflogdir%\OnAccessScan_Activity.log
        %deflogdir%\OnDemandScan_Activity.log
        %deflogdir%\ExploitPrevention_Activity.log
        %deflogdir%\AdaptiveThreatProtection_Activity.log
      • VSE:
        %deflogdir%\OnAccessScanLog.txt
        %deflogdir%\OnDemandScanLog.txt


IMPORTANT: If an application violates the McAfee PUP policy, McAfee Labs will add a detection for the application. If a PUP detection is added and you still need to use the application, add a PUP exclusion to prevent the detection. The following article describes how to enable PUP detection and how to set an exclusion: https://www.mcafee.com/enterprise/en-gb/threat-center/pups-configuration.html. An explanation of the McAfee PUP policy is available at: https://www.mcafee.com/enterprise/en-us/assets/misc/ms-pup-policy.pdf.
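The four sections above ask for the same core items on every case: the scan logs, the quarantined item, hashes of the sample or remnants, and answers to a fixed set of questions. The following PowerShell script is an added example for gathering all of that into one package on the affected host; it is not a McAfee tool and is not part of this article. It assumes the default log directories that %deflogdir% resolves to (%ProgramData%\McAfee\Endpoint Security\Logs for ENS, %ProgramData%\McAfee\DesktopProtection for VSE), the default C:\Quarantine location, and an elevated PowerShell prompt; the case ID, detection name and sample paths are placeholders you supply.

```powershell
<#
  Collect the evidence this article asks for into one archive.
  Added example, not McAfee's own tooling. Assumptions: default %deflogdir%
  and C:\Quarantine paths (override with parameters); run elevated on the host.
#>
param(
    [string]$CaseId        = 'CASE-0000',              # support case reference (placeholder)
    [string]$DetectionName = '',                         # detection name as shown in the scan log; filters log excerpts
    [string[]]$SamplePaths = @(),                        # suspect file, remnants, or installer to hash and include
    [string]$QuarantineDir = 'C:\Quarantine',            # default for ENS and VSE
    [string]$OutDir        = "$env:TEMP\KB91459-$CaseId"
)

$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Log files named in the article, keyed by product. %deflogdir% resolves to these by default.
$logSets = @{
    ENS = @{
        Dir   = "$env:ProgramData\McAfee\Endpoint Security\Logs"
        Files = 'OnAccessScan_Activity.log', 'OnDemandScan_Activity.log',
                'ExploitPrevention_Activity.log', 'AdaptiveThreatProtection_Activity.log'
    }
    VSE = @{
        Dir   = "$env:ProgramData\McAfee\DesktopProtection"
        Files = 'OnAccessScanLog.txt', 'OnDemandScanLog.txt'
    }
}

$manifest = [ordered]@{
    CaseId     = $CaseId
    Collected  = (Get-Date).ToString('o')
    Host       = $env:COMPUTERNAME
    Logs       = @()
    Quarantine = @()
    Samples    = @()
}

# Detection names such as "Generic.abc!mem" are safe in file names; strip anything that is not.
$safeName = $DetectionName -replace '[\\/:*?"<>|]', '_'

foreach ($product in $logSets.Keys) {
    $set = $logSets[$product]
    if (-not (Test-Path $set.Dir)) { continue }          # product not installed on this host
    $dest = Join-Path $OutDir "logs\$product"
    New-Item -ItemType Directory -Path $dest -Force | Out-Null
    foreach ($name in $set.Files) {
        $src = Join-Path $set.Dir $name
        if (-not (Test-Path $src)) { continue }
        Copy-Item $src $dest
        $manifest.Logs += $src
        # Excerpt the lines that mention the detection so Support can locate the event quickly.
        if ($DetectionName) {
            Select-String -Path $src -SimpleMatch -Pattern $DetectionName |
                ForEach-Object { $_.Line } |
                Set-Content (Join-Path $dest "$name.$safeName.excerpt.txt")
        }
    }
}

# Quarantined items: copy as-is and record their hashes.
if (Test-Path $QuarantineDir) {
    Copy-Item $QuarantineDir (Join-Path $OutDir 'quarantine') -Recurse -Force
    $manifest.Quarantine = @(Get-ChildItem $QuarantineDir -File -Recurse | ForEach-Object {
        @{ Path = $_.FullName; SHA256 = (Get-FileHash $_.FullName -Algorithm SHA256).Hash }
    })
}

# Samples and remnants: path, size and hashes, so the submission and the manifest line up.
foreach ($p in $SamplePaths) {
    if (-not (Test-Path $p)) { Write-Warning "sample not found: $p"; continue }
    $manifest.Samples += @{
        Path   = $p
        Size   = (Get-Item $p).Length
        SHA256 = (Get-FileHash $p -Algorithm SHA256).Hash
        MD5    = (Get-FileHash $p -Algorithm MD5).Hash
    }
}

# The questions every section of the article asks; fill these in before sending.
$manifest.Answers = [ordered]@{
    ActiveInfection  = ''   # yes / no
    EntryPoint       = ''   # email, URL or installer, with details
    LocationOnSystem = ''   # file path, registry location, other relevant locations
    WhySuspected     = ''   # behaviors observed; or vendor, application and version for a false positive
    HashSource       = ''   # threat hunting, intel sharing or blog (with link) when there is no active infection
}
$manifest | ConvertTo-Json -Depth 5 | Set-Content (Join-Path $OutDir 'manifest.json')

Compress-Archive -Path "$OutDir\*" -DestinationPath "$OutDir.zip" -Force
Write-Host "Evidence package: $OutDir.zip"
```

Run it as, for example, `.\Collect-KB91459.ps1 -CaseId 12345678 -DetectionName 'Generic.abc!mem' -SamplePaths 'C:\Users\Public\dropper.exe'`. The resulting zip is a working package for the case notes; the samples and remnants themselves must still be packaged and submitted the way KB68030 (malware) or KB85567 (false positives) describes, since Compress-Archive cannot produce the protected archive those procedures call for.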
