How to submit samples to McAfee Labs for suspected malware detection failure (Virus not found) or Clean failure for detected malware
Technical Articles ID:   KB68030
Last Modified:  5/3/2018


Environment

McAfee DAT files
McAfee Labs
Multiple McAfee products

Summary

If you have a file that you think is infected, but was not detected by your McAfee anti-virus software, or that was detected but was not cleaned, you can submit the sample to McAfee Labs for evaluation using the instructions in this article.

McAfee Labs can receive samples for review and potential inclusion into the daily DAT file releases or GTI File Reputation for future detection.

There are two primary methods to submit samples for review:
  • ServicePortal: Using your Grant Number, you can log on to the ServicePortal and submit samples to McAfee Labs.
  • Email: You can attach samples to an email sent to McAfee Labs.
Below are other methods to submit samples for review:
  • Web Gateway: If you are using Web Gateway, follow the product-specific instructions in KB62662 to collect and submit samples.
  • Advanced Threat Defense: If you are using Advanced Threat Defense, follow the product-specific instructions in KB83659 to collect and submit samples.
  • GetSusp: GetSusp is a free tool that helps you find and log undetected malware. GetSusp has built-in submission capabilities that allow you to automatically submit samples to McAfee Labs.

    To review the FAQs for GetSusp, see KB69385.
    To download GetSusp, go to http://www.mcafee.com/us/downloads/free-tools/getsusp.aspx.
     
  • FTP: Submissions through FTP are accepted only if the samples exceed the limits for the ServicePortal, or if there is a technical issue with the ServicePortal or email submission. In this case, follow the instructions in KB87703 to submit the samples through FTP.
Submission requirements
Follow these requirements exactly; failing to do so will cause a submission or sample processing failure. Submissions or samples that fail because they do not meet these requirements are discarded without further processing, and you will not receive any notification to that effect.
  • The sample must be in a password-protected .zip or .7z file. RAR and other formats will not be processed.
  • The .zip file must be a single level. Do not include .zip files within the .zip file, with or without password protection, and do not include folder structures that are more than one level deep. This can cause samples to not be processed.
  • The file extension of the password-protected .zip file must be .zip or .7z. Any other extensions, or lack of an extension, will cause the sample to not be processed.
  • When creating the .zip file, do not use AES or other types of encryption available from the program; use only a password for protection.
  • You must use the word infected as the password for the .zip or .7z file. Any other password will cause the sample to not be processed.
  • Do not include more than 100 files within the .zip or .7z file. More than 100 files will cause the sample to not be processed. If you have more than 100 files, spread them across multiple submissions.
  • The .zip file can be no larger than 50 MB. Larger .zip or .7z files will cause the sample to not be processed.
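A pre-submission check for the requirements above, as an added example (not McAfee code): it reads a .zip's directory and reports each entry that would break one of the listed rules. Assumptions: "50 MB" is read as 50 × 1024 × 1024 bytes, .7z contents are not inspected, and the password itself is not verified, only that every entry is flagged as password-protected without AES.

```python
import os
import sys
import zipfile

MAX_FILES = 100               # limit stated in the article
MAX_BYTES = 50 * 1024 * 1024  # assumption: "50 MB" read as 50 * 1024 * 1024 bytes
AES_METHOD = 99               # compression method id used by WinZip AES entries
ENCRYPTED_FLAG = 0x1          # general-purpose flag bit 0: entry is encrypted


def check_submission(path):
    """Return a list of requirement violations for a sample archive."""
    problems = []
    ext = os.path.splitext(path)[1].lower()
    if ext not in (".zip", ".7z"):
        problems.append(f"extension {ext or '(none)'} is not .zip or .7z")
    if os.path.getsize(path) > MAX_BYTES:
        problems.append("archive is larger than 50 MB")
    if ext == ".7z":
        return problems  # .7z contents are not inspected by this example
    if not zipfile.is_zipfile(path):
        problems.append("not a readable .zip archive")
        return problems
    with zipfile.ZipFile(path) as zf:
        # Directory entries do not count toward the file limit
        files = [i for i in zf.infolist() if not i.is_dir()]
    if len(files) > MAX_FILES:
        problems.append(f"{len(files)} files; limit is {MAX_FILES}")
    for info in files:
        name = info.filename
        if name.count("/") > 1:
            problems.append(f"{name}: folders nested more than one level deep")
        if name.lower().endswith(".zip"):
            problems.append(f"{name}: .zip file inside the .zip file")
        if info.compress_type == AES_METHOD:
            problems.append(f"{name}: AES encryption used")
        elif not info.flag_bits & ENCRYPTED_FLAG:
            problems.append(f"{name}: not password-protected")
    return problems


if __name__ == "__main__":
    for archive in sys.argv[1:]:
        issues = check_submission(archive)
        print(archive, "meets the checked requirements" if not issues else "FAILED")
        for issue in issues:
            print("   ", issue)
```

Run it with one or more archive paths as arguments; an empty result means none of the checked rules is violated, not that the password is correct.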
For more information on creating a .zip file:

What not to submit
Submitting additional files other than the suspected file as it resides on the system will cause delays in processing, and might cause the submission to fail by increasing the total number of files or size over the permitted thresholds. The following list contains some examples of what not to send:
  • Log files from scans, such as On-Demand or On-Access Log files
  • Screenshots
  • .eml or .msg files (submit only the files that are attached to the emails, not the email itself)
  • Reports created by forensics tools
  • String dumps
  • Network traffic dumps
Submit only the suspicious files.

What to expect after uploading your sample
You will receive no further notifications until the sample has been analyzed. A Sample Submission Service Request is created on the ServicePortal, which you can use to track progress. This is an automated system and no support agents are assigned to submissions. The Service Request number is provided only for tracking purposes and is not monitored.

If an Extra.DAT relating to your sample is posted to the ServicePortal, you will be informed of its availability in an email. Check your Service Request on the ServicePortal to download the Extra.DAT file. You will not receive any Extra.DAT files via email or otherwise.
  • To manually check in and deploy an Extra.DAT through ePolicy Orchestrator, see KB67602.
  • For instructions to apply an Extra.DAT locally for Endpoint Security, see the “Load an Extra.DAT file” section of the Endpoint Security Product Guide.
  • For instructions to apply an Extra.DAT locally for VirusScan Enterprise, see KB50642.
  • For instructions to apply an Extra.DAT to Security for Microsoft Exchange, see KB76201.
  • For instructions to apply an Extra.DAT to Security for SaaS Endpoint Protection, see KB51459.
  • For instructions to combine one or more Extra.DAT, see KB68061.
To submit samples to McAfee Labs using email:
Attach the samples to an email and send the email to virus_research@avertlabs.com.

To submit samples to McAfee Labs using the ServicePortal:
  1. Log on to the ServicePortal at https://support.mcafee.com using your Grant Number.
  2. Click the Service Requests tab.
  3. Click the Submit a Sample tab.
  4. Click Continue.
  5. Complete the submission details.
  6. Upload the samples.
  7. Click Submit.

Disclaimer

The content of this article originated in English. If there are differences between the English content and its translation, the English content is always the most accurate. Some of this content has been provided using Machine Translation translated by Microsoft.
