FAQs for GetSusp

Technical Articles ID: KB69385
Last Modified: 2023-05-25 11:40:51 Etc/GMT

Environment

Trellix GetSusp

Summary

This article is a consolidated list of common questions and answers. It is intended for users who are new to the GetSusp tool, but can be of use to all users.

Contents:
Click to expand the section you want to view:

General—Product information covering miscellaneous topics

What is GetSusp?
GetSusp is a free tool that helps you find and log undetected malware, and allows you to automatically submit samples to our Advanced Threat Center. To find suspicious files, GetSusp uses heuristics and compares samples against the Global Threat Intelligence (GTI) database of known clean files. When you analyze a suspect computer, use GetSusp first.

See the GetSusp 5.0.0 Product Guide.

How is GetSusp different from other antimalware tools?
There are many free diagnostic tools available. But, you must analyze their output, isolate a suspect sample, and work out how to submit the files to the antivirus vendor. With GetSusp, there is no need for advanced technical knowledge to isolate undetected malware.

What is the difference between GetSusp and GetClean?
GetSusp helps you find and isolate undetected malware, and is available to our customers.

GetClean is a tool that helps you minimize false positives in your environment. This reduction minimizes the number of files you have to submit to our Advanced Threat Center and eliminates duplicate submissions. For more details about GetClean, see KB73044 - Introduction to GetClean.

Where can I get information about upcoming releases of GetSusp and more release information?
See the GetSusp Community Forum page.

Where can I send feedback regarding GetSusp?
You can provide feedback on the GetSusp Community Forum page.

Installation—Installation requirements for GetSusp, and deployment with ePolicy Orchestrator

What are the connectivity requirements for GetSusp?
GetSusp requires an internet connection to perform optimally. Outbound UDP port 53 and TCP port 80 must be allowed for GTI and known file database lookups to happen. The known file database is an Advanced Threat Center IT supported back-end server.

Where can I download the latest version of GetSusp?
The latest version is available from our GetSusp page.

Can I deploy GetSusp.exe to my end nodes with ePolicy Orchestrator?
Yes. You can download the ePolicy Orchestrator deployable version from our GetSusp page.
For more details about how to deploy the tool, see KB70405 - How to deploy the GetSusp utility to computers using ePolicy Orchestrator.

Usage—Information about using GetSusp

How do I use GetSusp?
For instructions, see our GetSusp page.

Does GetSusp support command-line switches?
Yes. For a list of all GetSusp switches, type getsusp.exe --? or getsusp.exe --Help from the command prompt, and press Enter.

After I start GetSusp, it creates a GetSusp.opt file. What is this file?
When you start GetSusp, it creates a GetSusp.opt file with your GetSusp user preferences. These preferences load the next time you use GetSusp, on the condition that GetSusp.opt is present in the same directory as GetSusp.exe.

What do I do if GetSusp.exe gets infected when I run it on a computer infected with a file infector, such as W32/Sality or W32/Virut?
GetSusp does not run as expected, and you see the following message:

GetSusp may be infected, cannot continue

GetSusp.exe is digitally signed and does an integrity check before it runs. To run GetSusp on a computer infected with a file infector, run it using the getsusp.exe --nc switch. This hidden switch disables integrity checking.

Functionality—Product features and functions, including offline scanning

What user or system details are collected?
The following information is collected:

Email address
Computer name
IP address
Operating system and Service Pack
File location
Information about installed Trellix products
Proxy settings, if system or manual proxy is set

Some users might not want to transmit samples, system data, or share their email address with our Advanced Threat Center. Those users can choose the option in the GetSusp tool to not submit results to Advanced Threat Center. Your email address enables Advanced Threat Center to communicate with you regarding the results of the scan.

Can I prevent GetSusp from sending samples or information from my computer?
GetSusp connects to Global Threat Intelligence (GTI) to match files found on your computer. If you do not want files and logs to be submitted to Advanced Threat Center, run the scan in offline mode. The files and logs harvested will not be uploaded to Advanced Threat Center. But, because there are no online lookups to the allow list database, results are degraded.

How does GetSusp complete most system scans in three to five minutes?
System scans generally take between three and five minutes. This timing is irrespective of the size of the hard disk. The scans are fast because GetSusp scans are limited to running processes, the Windows registry, and file locations used by malware.

Why does GetSusp not identify my suspected malware?
The malware must be actively running on your computer or have an associated registry startup entry for GetSusp to identify it. GetSusp identifies only suspicious executable files. GetSusp does not scan documents, scripts, media, and other file formats. We plan to add Rootkit scanning to GetSusp in a future release.

Sample Submissions—How to submit samples

How can I send a GetSusp submission larger than 50 MB to Advanced Research Center?
Advanced Threat Center supports only .zip files up to 50 MB. For GetSusp submissions larger than 50 MB, contact Technical Support.

How can I manually submit a file using GetSusp?
You can use the UPLOAD option in GetSusp to manually point to suspect files and send the files to the Advanced Threat Center.

How do I follow up with Advanced Threat Center for support on a GetSusp submission?
For tracking purposes, you receive an email with a Reference Work Item ID from Virus_Research@avertlabs.com. Our Advanced Research Center uses the email address you provided under GetSusp Preferences. Use the Work Item ID to follow up with Technical Support.

What is the Service Level Agreement (SLA) for sample submissions using the GetSusp tool?
Currently there is no SLA for sample submissions.

Related Information

To contact Technical Support, go to the Create a Service Request page and log on to the ServicePortal.

If you are a registered user, type your User ID and Password, and then click Log In.
If you are not a registered user, click Register and complete the fields to have your password and instructions emailed to you.

Affected Products

Threat Prevention and Removal

Languages:

This article is available in the following languages:

Knowledge Center

FAQs for GetSusp

Environment

Summary

Related Information

Affected Products

Languages:

Title

Title

Knowledge Center

FAQs for GetSusp

Environment

Summary

Related Information

Affected Products

Languages:

Choose your region

Title

Title