As of May 14, 2024, Knowledge Base (KB) articles will only be published and updated in our new Trellix Thrive Knowledge space.
Log in to the Thrive Portal using your OKTA credentials and start searching the new space. Legacy KB IDs are indexed and you will be able to find them easily just by typing the legacy KB ID.
This article provides the minimum data collection requirements to engage Technical Support or Trellix Labs for the following types of issues.
Description: There's an active infection in the environment and the product doesn't detect the malware samples. You're requesting coverage for this threat.
Requirements: Provide the following information:
What was the initial entry point — email or URL? Provide details, if available.
Where was the sample found on the system? Provide the file path, registry location, and any other relevant information.
Why is the file suspected as malware? What suspicious behaviors were seen?
How many systems is this detection failure impacting? Be as accurate as possible.
How many of the systems are production servers, and what are their purposes?
Are there any other noteworthy considerations for the impacted systems?
Description: You're requesting coverage for sample hashes obtained from internal or external sources. Hash list escalations are considered informational, because they have no customer impact. This request type is treated as a lower Severity.
Requirements: Provide the following information:
Why are the hashes suspected as malware? What suspicious behaviors are associated with the hashes?
Provide the source of the hashes. Did they come from internal threat hunting, third-party intelligence sharing, or a blog? Provide relevant information, including a link to or copy of the report if available.
IMPORTANT: Don't submit multiple families of malware under the same request. Each individual variant requires a separate Service Request with its own citation to a source for the indicated hashes. We must be able to obtain the samples to review them and add coverage. If a sample can't be obtained from the cited source, you must submit it yourself. To submit a sample, follow the instructions provided in KB68030 - Submit samples to Trellix Advanced Research Center for suspected malware detection failure.
Description: The product triggers a detection, but doesn't remove some components of the malware.
Example 1: ENS detects and deletes the malicious file, but registry entries (such as service entries or run keys) are left behind.
Example 2: ENS triggers a !memdetection, which indicates that a detection was found in a process running in memory, but the file that spawned the infected process isn't detected.
Requirements: Provide the following information:
Submit the detected sample from the Quarantine. The default quarantine location for ENS and VSE is C:\Quarantine.
Is this an internal application or third-party software? If third-party software, who's the vendor and what's the application name and version? Provide a detailed description of the file and how it's being used.
Provide the detection name and relevant logs or ePO threat event of the detection.
NOTES:
If the submitted sample can't be run or replicated because of missing dependencies or files, additional information or data is needed. This requirement allows complete and accurate analysis, including whitelisting non-malicious files related to the detection where appropriate.
Detections can change or be suppressed over time for several reasons. If the detection occurred on an older date, rerun the application with the latest DATs or content and, if the detection continues, submit the latest logs or threat event.
Log files:
ENS:
%deflogdir%\OnAccessScan_Activity.log (DAT and Global Threat Intelligence detection)
%deflogdir%\OnDemandScan_Activity.log (DAT and Global Threat Intelligence detection)
%deflogdir%\ExploitPrevention_Activity.log (Exploit Prevention detection)
%deflogdir%\AdaptiveThreatProtection_Activity.log (ATP/suspect, JTI/suspect, Real Protect detection)
Application Control / Solidcore:
Solidcore.log
S3diag.log
Log location:
Windows Vista and later: C:\ProgramData\McAfee\Solidcore\Logs
Other Windows operating systems: C:\documents and settings\all users\application data\mcafee\common framework\
Non-Windows: /var/log/mcafee/solidcore
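The following PowerShell script is an added example, not part of this KB article and not a Trellix tool. It gathers the ENS and Solidcore log files listed above (skipping and recording any that aren't present on the host, for example the ATP log on a system without Adaptive Threat Protection), writes a listing of the default quarantine folder, and zips everything for attachment to a Service Request. It assumes that %deflogdir% expands to C:\ProgramData\McAfee\Endpoint Security\Logs (override -EnsLogDir if your deployment differs), that the Solidcore log directories are the Windows ones listed above, and that the quarantine is at the default C:\Quarantine; the quarantined sample itself is still submitted separately as the article describes.

```powershell
param(
    # Assumed ENS default log directory (the article's %deflogdir%); override if yours differs.
    [string]$EnsLogDir = 'C:\ProgramData\McAfee\Endpoint Security\Logs',
    # Solidcore log directories from the article, tried in the order given.
    [string[]]$SolidcoreDirs = @(
        'C:\ProgramData\McAfee\Solidcore\Logs',
        'C:\documents and settings\all users\application data\mcafee\common framework'
    ),
    # Default ENS/VSE quarantine location from the article.
    [string]$QuarantineDir = 'C:\Quarantine',
    # Output location for the staging folder and zip (constructed default).
    [string]$OutDir = (Join-Path $env:TEMP 'trellix-sr-logs')
)

$ErrorActionPreference = 'Stop'
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$stage = Join-Path $OutDir "collect-$stamp"
New-Item -ItemType Directory -Path $stage -Force | Out-Null

# ENS activity logs named in the article, with the detection types each one carries.
$ensLogs = @(
    'OnAccessScan_Activity.log',            # DAT / GTI detections
    'OnDemandScan_Activity.log',            # DAT / GTI detections
    'ExploitPrevention_Activity.log',       # Exploit Prevention detections
    'AdaptiveThreatProtection_Activity.log' # ATP/suspect, JTI/suspect, Real Protect
)

$manifest = New-Object System.Collections.Generic.List[string]

function Copy-IfPresent([string]$Source) {
    # Copy a file into the staging folder and record the outcome in the manifest.
    if (Test-Path -LiteralPath $Source) {
        Copy-Item -LiteralPath $Source -Destination $stage
        $manifest.Add("copied  $Source")
    } else {
        # Not every module is installed on every host; a missing log is worth noting in the SR.
        $manifest.Add("missing $Source")
    }
}

foreach ($name in $ensLogs) {
    Copy-IfPresent (Join-Path $EnsLogDir $name)
}

# Use the first Solidcore directory that exists and collect Solidcore.log and S3diag.log from it.
$scDir = $SolidcoreDirs | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
if ($scDir) {
    foreach ($name in 'Solidcore.log', 'S3diag.log') {
        Copy-IfPresent (Join-Path $scDir $name)
    }
} else {
    $manifest.Add('missing Solidcore log directory (Application Control not installed?)')
}

# Record what is in quarantine (names, sizes, timestamps) so the SR can state which item
# was submitted; the quarantined item itself is submitted separately.
if (Test-Path -LiteralPath $QuarantineDir) {
    Get-ChildItem -LiteralPath $QuarantineDir -Recurse -File |
        Select-Object FullName, Length, LastWriteTime |
        Export-Csv -LiteralPath (Join-Path $stage 'quarantine-listing.csv') -NoTypeInformation
    $manifest.Add("listed  $QuarantineDir")
} else {
    $manifest.Add("missing $QuarantineDir")
}

$manifest | Set-Content -LiteralPath (Join-Path $stage 'manifest.txt')
$zip = "$stage.zip"
Compress-Archive -Path (Join-Path $stage '*') -DestinationPath $zip -Force

Write-Output "Support bundle written to $zip"
Write-Output ($manifest -join [Environment]::NewLine)
```

Run it from an elevated PowerShell session on the affected system, since the ENS and Solidcore log directories are normally readable only by administrators. Review manifest.txt before attaching the zip: it tells Support which of the requested logs were present, which saves a round trip when a module such as ATP isn't deployed on that host.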
Description: A production application, or components of it, isn't detected, but scanning it causes performance problems or issues that affect the application's functionality, and you're requesting that it be whitelisted.
Requirements: Provide the following information so Trellix Labs can analyze the file and determine if it should be whitelisted:
Is this an internal application or third-party software?
If third-party software, who's the vendor and what's the application name and version? Provide a detailed description of the file and how it's being used.
Describe why this file or application should be whitelisted.
NOTES:
If the submitted sample can't run or be replicated because of missing dependencies or files, you must provide the additional information or files.
This information is required for complete and accurate analysis for whitelisting non-malicious files.
Submitting a whitelisting request doesn't guarantee that whitelisting will occur.
Description: An application, or components of it, is being detected as a potentially unwanted program and the detection is suspected to be incorrect. Or, it isn't being detected and you suspect that it is a potentially unwanted program.
Requirements: Provide the following information:
Is the file part of an active infection in the environment?
What was the initial entry point — email, URL, or installer? Provide details if available.
Where was the sample found on the system? Provide the file path, registry location, and any other relevant information.
Is the file suspected to be a potentially unwanted program? If so, provide the full installation package or the download location for the program.
Why is the file suspected as a potentially unwanted program? What behaviors were seen?
Is it an internal application or third-party software? If third-party software, who is the vendor and what's the application name and version?
Provide a detailed description of the file and how it's being used.
Provide the installer, source, or a download URL if available. Typically, we need the full installation package to fully vet whether an application violates our potentially unwanted program policy.
What's the "Threat Name" found in ePO or on the product console for this detection?
Where was the sample found on the system? Provide the file path, registry location, and any other relevant information.
Submit the relevant scan logs showing the detections.
IMPORTANT: If an application violates the potentially unwanted program policy, Trellix Labs adds a detection for the application. If a potentially unwanted program detection is added and you use the application, add a potentially unwanted program exclusion to prevent detection for the application. For instructions to enable potentially unwanted program detection, and to set an exclusion, see the Product Guide.