IMPORTANT: The procedure outlined in this article must be followed only when it isn't possible to submit malware samples through the ServicePortal malware submission process. For instructions on how to submit samples through the ServicePortal, see KB68030 - Submit samples to Trellix Advanced Research Center for suspected malware detection failure.
Why submit via the Trellix Support Secure website?
The Advanced Research Center accepts malware submissions via the Trellix Support Secure website for the following two use-case scenarios:
- The customer samples are either too large or too many and can't easily be split for submission using the standard web submission method. The limit for ServicePortal submissions is 50 MB in size and no more than 100 files per archive file.
- There's a technical issue with the ServicePortal site and you aren't able to submit samples using the standard web submission method.
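Before falling back to the Trellix Support Secure website, it is worth checking whether a large sample set can simply be split into ServicePortal-sized archives. The helper below is an added example, not Trellix tooling: it takes the two limits stated above (50 MB and 100 files per archive) and groups samples into batches that satisfy both, refusing any single file that cannot fit; the function names and sample listing are constructed here.

```python
"""Batch samples into archives that fit the ServicePortal limits (added example)."""
import os
import zipfile
from typing import Iterable, List, Tuple

MAX_ARCHIVE_BYTES = 50 * 1024 * 1024   # 50 MB per archive, from the article
MAX_FILES_PER_ARCHIVE = 100            # 100 files per archive, from the article


def plan_archives(samples: Iterable[Tuple[str, int]],
                  max_bytes: int = MAX_ARCHIVE_BYTES,
                  max_files: int = MAX_FILES_PER_ARCHIVE) -> List[List[str]]:
    """Group (name, size) pairs into batches that honour both limits.

    Sizes are uncompressed, so each batch bounds the archive payload from
    above. A file larger than the limit is rejected rather than silently
    dropped: per the article, such samples go to the Trellix Support Secure
    website instead.
    """
    batches: List[List[str]] = []
    current: List[str] = []
    current_bytes = 0
    # Largest first keeps the archive count low without a full bin-pack.
    for name, size in sorted(samples, key=lambda s: s[1], reverse=True):
        if size > max_bytes:
            raise ValueError(f"{name}: {size} bytes exceeds the per-archive limit")
        if current and (current_bytes + size > max_bytes
                        or len(current) >= max_files):
            batches.append(current)
            current, current_bytes = [], 0
        current.append(name)
        current_bytes += size
    if current:
        batches.append(current)
    return batches


def write_archives(paths: List[str], out_dir: str, prefix: str = "samples") -> List[str]:
    """Write one zip per batch and return the archive paths created.

    Zip headers and the central directory add a little overhead beyond the
    payload, so planning uses 2% headroom under the 50 MB limit.
    """
    sizes = [(p, os.path.getsize(p)) for p in paths]
    headroom = int(MAX_ARCHIVE_BYTES * 0.98)
    written = []
    for idx, batch in enumerate(plan_archives(sizes, max_bytes=headroom), start=1):
        out = os.path.join(out_dir, f"{prefix}-{idx:03d}.zip")
        with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
            for p in batch:
                zf.write(p, arcname=os.path.basename(p))
        written.append(out)
    return written
```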
The Advanced Research Center requires that you use the standard method of submission through the ServicePortal as a first step because this service provides a better experience than the Trellix Support Secure website.
Standard submission methods vs. Trellix Support Secure website
The following list outlines the advantages of the standard submission methods over submission via the Trellix Support Secure website:
- Monitoring: The Trellix Support Secure website isn't monitored. Submitted files aren't accessed until you contact Technical Support for analysis, even if the sample is known and an Extra.DAT is already available. You don't receive a response until we manually research the sample. The Trellix Support Secure website method can add significant delays to the process and increase the response time.
- Submission acknowledgment: When you submit through standard methods, you receive an email response to confirm that your submission has been received. The system informs you of the current classification of the samples, for example, clean, malicious, potentially unwanted program, inconclusive, or detected with Extra.DAT. When you submit samples via the Trellix Support Secure website, you receive no email and all responses come manually from Technical Support rather than automated systems.
- Deletion Policy: The Trellix Support Secure website policy deletes all samples after two weeks. If the sample isn't stored elsewhere, it can be purged from the server before the case is closed.
- Delays: Submitting samples through the Trellix Support Secure website involves numerous delays and manual effort compared with the standard submission methods, where automation is used. Use the Trellix Support Secure website only when it isn't possible to submit files through the standard methods.
- Priority: Malware collections and bulk submissions account for hundreds of thousands of samples received at the Advanced Research Center each day. They're given a lower priority than customer samples, which are processed through our automated systems first and receive the highest priority. When you submit a sample using the ServicePortal, the sample goes ahead of collection processing and gets a priority analysis. If you submit a sample via the Trellix Support Secure website and it has been seen only in bulk submissions, it's processed at a slower rate than if it were submitted through the standard methods.
- Automated driver authoring: If automation can generate a driver for a sample, it will. But if the driver is generated for a sample from a lower-priority collection, it's set to merge or release at a lower priority. Submissions received from customers always receive the highest priority, which is reflected in the merge or release as well. Any drivers written through automation for customer samples go into the DATs before those from bulk collections.
- Driver release: Drivers from automation, especially drivers generated because of customer submissions, are built using proven and tested templates. Drivers from automation can actually be released into the DATs faster than drivers generated by a human.
- Sample reprocessing: The Advanced Research Center tries to keep the data for samples as current as possible, but there are billions of files in our collections, so we can reprocess only a limited number of samples per day while making sure that the data is accurate. However, any customer-submitted sample that doesn't have a current detection, or isn't known to be clean, is reprocessed daily so that the data in the sample database can be updated. In this way, if there's any new data for the sample, there are multiple opportunities for an automated driver to be created.
- Automatic addition to operational tasks: The Advanced Research Center has systems that automatically monitor SampleDB or Automation for customer samples with specific characteristics. These samples are highlighted and raised to our generic signature authoring team, which works on new generic detections and uses those samples for release testing.
- Samples for machine learning: Machine learning systems process all customer-submitted samples to improve those systems, as well as the classification or detection rates of products such as ML Protect.
- Intelligent Sandbox (formerly Advanced Threat Defense) submissions: The back-end automation system has Intelligent Sandbox systems that are used as part of the processing of customer samples, which provides the Advanced Research Center with more intelligence on the file. It also provides the Intelligent Sandbox research team samples to improve the capabilities of Intelligent Sandbox.