How to submit false positive or false negative virus and antimalware samples for Advanced Threat Defense or Intelligent Sandbox

Environment

Advanced Threat Defense (ATD)
Trellix Intelligent Sandbox (TIS)

Summary

If you use ATD/TIS and notice false positives or false negatives, use the following instructions to submit samples for analysis.

IMPORTANT:

For instructions on how to submit samples to the Trellix Advanced Research Center in general, see KB68030 - Submit samples for suspected malware detection failure.
For instructions on how to submit spam and phishing samples for other products, see KB59415 - How to use the Enterprise Spam Submission tool.
For instructions on how to submit false positives with Global Threat Intelligence (GTI), see KB85567 - Submit potential false positives from the product or through GTI to Trellix Advanced Research Center.

Contents
Click to expand the section you want to view:

Submit a false positive

Obtain a sample. For steps to obtain, compress, and encrypt the sample directly from the ATD/TIS appliance, see the product guide for your version.
Submit the sample. To determine where to submit the sample, view the analysis result page and check its report on the sample:
- Engine Name, Gateway Antimalware:
  Submit to the Gateway Antimalware team.
  - Submit by Email:
    Send an email with the sample file attached to virus_research_gateway@avertlabs.com. Notify the team that the sample is a False Positive. Add Possible False to the subject line of the email. After the sample has been received, it will be validated for detection issues and whether it's a known clean file, a possible false detection, or an unknown file. A sample that's a possible false detection or unknown file is reviewed for further processing.
    
    NOTE: After a submission status is confirmed, an email update is sent to the submitter.
  - Submit by Service Request:
    To submit suspected false-positive detections for analysis, perform the submission steps in KB85567 - Submit potential false positives from the product or through GTI to Trellix Advanced Research Center.
- Engine Name, Antimalware:
  Submit to Trellix Advanced Research Center:
  To submit suspected false-positive detections for analysis, perform the submission steps in KB85567 - Submit potential false positives from the product or through GTI to Trellix Advanced Research Center.
- Engine Name, GTI File Reputation:
  - If the sample is a file:
    Submit to Trellix Advanced Research Center. To submit suspected false-positive detections for analysis, perform the submission steps in KB85567 - Submit potential false positives from the product or through GTI to Trellix Advanced Research Center.
  - If the sample is a URL (http://www.sample.com):
    Submit to the URL reputation team. To submit the URL for classification analysis, perform the submission steps in KB62504 - How to address a website, URL, or IP address that is miscategorized or uncategorized.
- Engine Name, Sandbox:
  Submit a sample to Trellix Advanced Research Center; the case is directed to ATD Support. Open a Service Request and include the submission ID in the "Problem Description" field. See the "Related Information" section for details.

Submit a false negative

Obtain a sample. For steps to obtain, compress, and encrypt the sample directly from the ATD/IS appliance, see the product guide for your version.
Submit the sample to Trellix Advanced Research Center. Follow the steps in KB68030 - Submit samples to Trellix Advanced Research Center for suspected malware detection failure. You'll receive an Analysis ID after the submission is received.
Open a Service Request and include the Analysis ID from Trellix Advanced Research Center in the "Problem Description" field. See the "Related Information" section for contact details.

IMPORTANT: Don't send the malware to the Technical Support Engineer or upload it as part of this Service Request. Technical Support validates the Sandbox configuration and determines if further action is needed.

Related Information

To contact Technical Support, go to the Create a Service Request page and log on to the ServicePortal.

If you are a registered user, type your User ID and Password, and then click Log In.
If you are not a registered user, click Register and complete the fields to have your password and instructions emailed to you.

For product documents, go to the Product Documentation portal.

Knowledge Center

How to submit false positive or false negative virus and antimalware samples for Advanced Threat Defense or Intelligent Sandbox

Environment

Summary

Related Information

Affected Products

Languages:

Title

Title

Knowledge Center

How to submit false positive or false negative virus and antimalware samples for Advanced Threat Defense or Intelligent Sandbox

Environment

Summary

Related Information

Affected Products

Languages:

Choose your region

Title

Title