Submit samples to Trellix Advanced Research Center for suspected malware detection failure
Technical Articles ID:
KB68030
Last Modified: 2023-05-16 11:31:53 Etc/GMT
Environment
DAT files
Trellix Advanced Research Center
Summary
Follow the instructions presented in this article if you face any of the issues below:
You have a file that you think is infected, but isn't detected by your antivirus software.
The file is detected but isn't cleaned.
Contents
Review the two options below and choose the option that fits your needs:
Malware Service Request:
You open the Service Request through the Technical Support ServicePortal and a Technical Support Engineer (TSE) is assigned. All updates and communications flow through the TSE. This type of Service Request is suited when you need timely updates and prefer human interaction.
Use this method for the following:
Active malware infection in the customer's environment
Clean failures, where malware is detected and deleted, but some Indicators of Compromise remain on the system following a reboot
Remnants left behind (registry entries, files left on disk)
Virus Information Library (VIL) requests (with a sample)
Product countermeasures
Behavioral analysis
False detections
Detection failures that automation is unable to resolve or that are impacting business
Trellix Advanced Research Center or Automation Service Request:
For this type of malware submission, you submit the sample through the Submit a sample option in the ServicePortal. This option uploads the sample and creates a Service Request. The method is completely automation driven and no additional information is needed; however, automation doesn't handle false positives. If you only need to check for a detection failure and don't want any human interaction, or the issue isn't urgent or business impacting, use this method.
Use this method for the following:
Large sample batches (10 or more samples that need analysis)
Collections from automated perimeter devices
Detection failures with no business impact or that aren't an active outbreak or urgent issue
Unknown files (is this malicious?) with no business impact or that are not an active outbreak or urgent issue
Choose your issue type and follow the submission instructions:
NOTE: For false positives, open a Malware Service Request instead of a Submit a sample Service Request, as automation can't handle false-positive requests.
Coverage request:
A coverage request is when the environment isn't infected, but you want coverage for compliance or as a safeguard. Such requests are considered to be of severity 3 or 4. Customers need to share the source of the hashes for which they seek coverage. Open an individual Service Request for each campaign; see KB91459 - Minimum data collection requirements for detection failures, clean failures, and false positives.
Depending on the number of hashes submitted, the Trellix Advanced Research Center might take time in providing coverage. Also, no Extra.DAT is shared, but the coverage is added internally. For more information, see KB93747 - Information and FAQs for Extra.DATs and coverage requests.
NOTE: Anyrun, Joe Sandbox, and VirusTotal aren't accepted as sources.
Option #1:
Open a Malware Service Request through the ServicePortal.
Option #2:
Open a Trellix Advanced Research Center Service Request directly through the Submit a sample option. Trellix Advanced Research Center automation handles this Service Request and there's no human intervention. All updates are sent to your email address by the automation.
Instructions for submitting a sample:
Place the file in a ZIP archive. Make sure the archive has a .zip extension. Preferably use WinRAR/7z to create it.
Password-protect the .zip with the password infected (without quotes).
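One way to produce the archive these two steps describe, as an added example that is not Trellix's own tooling: a standard-library Python packager that stores the sample in a .zip under the password "infected" using traditional ZipCrypto (the scheme WinRAR/7z use for .zip by default and that Python's zipfile reads back), plus a pre-flight check that every entry is flagged encrypted and opens with that password. The entry name, the constructed sample bytes and the "stored" (uncompressed) method are assumptions.

```python
# Added example (not Trellix code): build and pre-check a password-protected .zip for
# sample submission with the standard library only. Assumes stored entries + ZipCrypto.
import io, os, struct, zipfile, zlib

PASSWORD = b"infected"  # the password the KB article asks for
_CRC_TABLE = [zlib.crc32(bytes([i ^ 0xFF])) ^ 0xFF000000 for i in range(256)]

def _zipcrypto(password):
    """Return encrypt(bytes) implementing traditional PKWARE (ZipCrypto) encryption."""
    k0, k1, k2 = 0x12345678, 0x23456789, 0x34567890
    def update(b):
        nonlocal k0, k1, k2
        k0 = (k0 >> 8) ^ _CRC_TABLE[(k0 ^ b) & 0xFF]
        k1 = ((k1 + (k0 & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        k2 = (k2 >> 8) ^ _CRC_TABLE[(k2 ^ (k1 >> 24)) & 0xFF]
    def encrypt(data):
        out = bytearray()
        for p in data:
            t = (k2 | 2) & 0xFFFF
            out.append(p ^ (((t * (t ^ 1)) >> 8) & 0xFF))
            update(p)  # the key stream is driven by the plaintext
        return bytes(out)
    for b in password:
        update(b)
    return encrypt

def build_sample_zip(name, data, password=PASSWORD):
    """Return .zip bytes holding `data` as entry `name`, stored and encrypted."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    # 12-byte encryption header; its last byte is the CRC's top byte (early password check)
    header = os.urandom(11) + bytes([(crc >> 24) & 0xFF])
    body = _zipcrypto(password)(header + data)
    fname = name.encode("utf-8")
    # version 2.0, flag bit 0 = encrypted, method 0 = stored, date 1980-01-01
    common = struct.pack("<HHHHHLLLHH", 20, 1, 0, 0, 0x21,
                         crc, len(body), len(data), len(fname), 0)
    local = struct.pack("<L", 0x04034B50) + common + fname + body
    central = (struct.pack("<LH", 0x02014B50, 20) + common
               + struct.pack("<HHHLL", 0, 0, 0, 0, 0) + fname)
    eocd = struct.pack("<LHHHHLLH", 0x06054B50, 0, 0, 1, 1, len(central), len(local), 0)
    return local + central + eocd

def check_submission(blob, password=PASSWORD):
    """Pre-flight check: every entry is flagged encrypted and opens with the password."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if not info.flag_bits & 0x1:
                raise ValueError(f"{info.filename} is not password protected")
            zf.read(info.filename, pwd=password)  # raises on a wrong password
        return zf.namelist()
```

Write the bytes returned by build_sample_zip to a file ending in .zip and run check_submission on them before uploading; a wrong password or an unencrypted entry raises instead of reaching the portal.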
Submit samples through the ServicePortal (automated, no live support), also known as a Trellix Advanced Research Center Service Request:
The preferred method for submission is the ServicePortal. Using this method doesn't assign a TSE to the Service Request. The Service Request number is provided only for tracking purposes and isn't monitored.
Complete the submission details. Make sure that you select the appropriate Issue Type for your submission: Detection Failure.
Upload the samples.
Click Submit. A Sample Submission Service Request is created on the ServicePortal, which you can use to track progress. This system is automated and no TSE is assigned to submissions. The Service Request number is provided only for tracking purposes and isn't monitored. If immediate assistance is needed, you must open a Service Request with Technical Support.
Other methods of sample submission (SFTP, Secure Web Gateway, Intelligent Sandbox, GetSusp):
GetSusp: GetSusp is a free tool that helps you find and log undetected malware. GetSusp has built-in submission capabilities that allow you to automatically submit samples to Trellix Advanced Research Center. See KB69385 - FAQs for GetSusp. To download GetSusp, go to the GetSusp downloads site.
Don't submit log files, screenshots, source URLs, PDFs (hash coverage), or reports. Attach these items to the Service Request.