This article provides the minimum data collection requirements to engage Technical Support or McAfee Labs for the following types of issues.
Description: There is an active infection in the environment and McAfee does not detect the malware samples. You are requesting coverage for this threat.
What was the initial entry point – email or URL? Provide details, if available.
Where was the sample found on the system? Provide the file path, registry location, and any other relevant information.
Why is the file suspected as malware? What suspicious behaviors were seen?
Description: You are requesting coverage for sample hashes sourced via internal or external sourcing. Hash list escalations are considered informational, because they have no customer impact.
Requirements: Provide the following information:
Why are the hashes suspected as malware? What suspicious behaviors are associated with the hashes?
Provide the source of the hashes. Was the file coming from internal threat hunting, third-party intelligence sharing, or a blog? Provide relevant information, including a link to or copy of the report if available.
IMPORTANT: Do not submit multiple families of malware under the same request. Each individual variant requires a separate Service Request with its own citation to a source for the indicated hashes. The samples must be available to be sourced for McAfee to review and add coverage. If a sample is unable to be sourced, you must submit a sample. Follow the instructions in KB68030 if you need to submit a sample.
Description: The product triggers a detection, but does not remove some components of the malware.
Example 1: ENS detects and deletes the malicious file, but registry entries (such as service entries or run keys) are left behind.
Example 2: ENS triggers a !mem detection. This detection indicates that there was a detection found in a process in memory, but the file spawning the infected process is not detected.
Requirements: Provide the following information:
Submit the detected sample from the Quarantine. The default quarantine location for ENS and VSE is C:\Quarantine.
Description: An application, or components of the application, are being detected as a potentially unwanted program, or are not being detected, and this result is suspected to be incorrect.
Is the file part of an active infection in the environment?
What was the initial entry point – email, URL, or installer? Provide details if available.
Where was the sample found on the system? Provide the file path, registry location, and any other relevant information.
Was the file suspected as a potentially unwanted program? If the sample is a potentially unwanted program, provide the full installation package or download location for the program.
Why is the file suspected as a potentially unwanted program? What behaviors were seen?
Was it an internal application or third-party software? If third-party software, who is the vendor and what is the application name and version?
Provide a detailed description of the file and how it is being used.
Provide the installer, source, or a download URL if available. Typically, McAfee needs the full installation package to fully vet whether an application violates the McAfee potentially unwanted program policy.
What is the "Threat Name" found in ePO or on the product console for this detection?
Where was the sample found on the system? Provide the file path, registry location, and any other relevant information.
Submit the relevant scan logs showing the detections.
IMPORTANT: If an application violates the McAfee potentially unwanted program policy, McAfee Labs adds a detection for the application. If a potentially unwanted program detection is added and you use the application, add a potentially unwanted program exclusion to prevent detection for the application. For instructions to enable potentially unwanted program detection, and to set an exclusion, see the Product Guide. An explanation of the McAfee potentially unwanted program policy is available in the following location: https://www.mcafee.com/enterprise/en-us/assets/misc/ms-pup-policy.pdf.