This is the sixth in my Security Series of Connect articles. For more information on how to keep your enterprise environment secure using often-overlooked capabilities of Symantec Endpoint Protection (and the OS upon which it functions), see Mick's Greatest Hits: Index of Helpful Connect Security Articles. This article was last updated November 2019.
This new "Symantec Insider Tip" article aims to provide advice and examples of how to get your suspicious files to the correct team, in the correct format, with all the correct information necessary for speedy processing.
Symantec's Official Article
By "submission" I mean sending questionable files to Symantec's Security Response department for analysis. Please read the following article for the official word on the submissions process.
How to Use the Web Submission Process to Submit Suspicious Files
Article URL http://www.symantec.com/docs/TECH102419
- As of November 2019, it is recommended to use the new SymSubmit site for all submissions. See Using SymSubmit for details!
- The Not Detected by Symantec tab is for suspected missed Malware and phishing sites.
- The Incorrectly Detected by Symantec tab is for suspected False Positives.
- Never simply attach the suspicious malware sample to your Technical Support case. This file will be deleted. It will not make its way to the correct team.
What to Submit
Symantec adds protection against thousands of new threats every day. Definitions are continuously updated in response to submissions received from customers, so please submit:
Malicious files that are engineered to attack Android, Linux, Mac and other non-Windows systems are also submitted through the same web portals. There's no special URL necessary for non-Windows threats.
What Not to Submit
In almost all cases, Security Response needs the undetected malicious executable file which is responsible for the infection. Submitting any of the following to them will be of little use.
- Text files, .ini files, .xml files and similar
- Files that have been corrupted or locked by a threat like Trojan.Cryptolocker. Likewise, the "DECRYPT_INSTRUCTION" left by the cryptolocker will not enable Symantec to enhance the definitions against that threat.
- Phishing mails (these are not harmful files in themselves). If a mail has a suspicious file attached, submit that .msg or .eml without opening the attachment. If the mail has a URL link to an .exe or .zip and that file has been downloaded by the end user, submit it WITHOUT OPENING OR RUNNING IT. For the sake of safety, don't intentionally download whatever payload is on the suspicious URL. Submit the suspicious URL and let Security Response download it safely.
- Suspicious mails that do not have attachments (spam, with or without links). See either Manually submitting missed spam, newsletters, marketing, suspicious urls and false positive messages to the Symantec Security Response Center or Spam email missed (False Negative) in Symantec.cloud, depending on your Symantec AntiSpam product.
- Files that have been digitally signed by Microsoft or another major vendor.
- Files that are already detected by SEP or another Symantec security product (.vbn for example)
- Spam. Seriously, the suspected malware portal is not the place for spammed .pdf phishing lures. Contact your AntiSpam vendor for instructions on those!
- Screenshots of the malicious file or the damage it has done
- Output from the SymDiag diagnostic tool (send those .sdbz or .sdbd files to Technical Support, not directly to Security Response!)
- Any materials related to a new or existing Technical Support case
- Spam (please! No more spam!)
For safety reasons, anything submitted to Security Response stays in Security Response. Those files cannot be forwarded on to other departments.
The web portal system will not be able to process:
- Single files larger than 100 MB
- Compressed (zipped) files larger than 100 MB
- Compressed (zipped) files with more than 9 files inside
- Compressed files in a format other than ZIP or RAR
How to Submit It
When filling out the form, you will need to provide your name, company name, email address and Support ID number. You can also enter comments into the Additional File Information field.
- Please be sure that the email address used for submissions is a Contact Email address associated with your company's account. Otherwise the submission may not be processed as quickly as your contract entitles.
As of December 2015, it is now possible to submit a File Submission, a URL Submission or a Hash Submission (suspicious MD5 or SHA-256). See Does Symantec Detect This: An Illustrated Guide to Public Hash Submission for details on this newest submission method!
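Before uploading, it is worth checking an archive against the portal limits listed above (single file and archive no larger than 100 MB, no more than 9 files inside, ZIP or RAR only) and recording the MD5 and SHA-256 of each sample, since either hash can be typed into the Hash Submission form and the MD5 is what Tech Support can use to locate a submission whose tracking mail never arrived. The following pre-flight script is an added example written for this article, not a Symantec tool; the limits come from the article, while the function names and the constructed sample archives are my own. Python's standard library cannot open RAR files, so a .rar only gets the size and extension checks, and a password-protected member is reported as encrypted rather than hashed.

```python
"""Pre-flight check for a suspicious-sample archive before web submission.

Added example (not the article's or Symantec's code). Limits are the ones the
article states: 100 MB per file and per archive, at most 9 files inside,
ZIP or RAR only. Helper names are this example's own choice.
"""
import hashlib
import io
import os
import sys
import zipfile

MAX_BYTES = 100 * 1024 * 1024   # 100 MB, for a single file and for an archive
MAX_MEMBERS = 9                 # no more than 9 files inside a compressed file
ALLOWED_EXT = (".zip", ".rar")  # the only archive formats the portal accepts


def digests(data):
    """MD5 and SHA-256 hex digests of a byte string (both accepted by the
    Hash Submission form; MD5 is what Tech Support can search by)."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def check_archive_bytes(data, filename):
    """Check an archive held in memory against the portal limits.

    Returns {'ok': bool, 'problems': [str], 'members': [dict]}. Members are
    listed (with hashes of the decompressed content) for ZIP archives only;
    the stdlib cannot open RAR, so a .rar gets size and extension checks."""
    problems, members = [], []
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_EXT:
        problems.append("format %s is not ZIP or RAR" % (ext or "(none)"))
    if len(data) > MAX_BYTES:
        problems.append("archive is %d bytes, over the 100 MB limit" % len(data))
    if ext == ".zip":
        if not zipfile.is_zipfile(io.BytesIO(data)):
            problems.append("file has a .zip extension but is not a valid ZIP archive")
        else:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                infos = [i for i in zf.infolist() if not i.is_dir()]
                if len(infos) > MAX_MEMBERS:
                    problems.append("%d files inside, more than the %d allowed"
                                    % (len(infos), MAX_MEMBERS))
                for info in infos:
                    entry = {"name": info.filename, "size": info.file_size}
                    if info.file_size > MAX_BYTES:
                        # Do not decompress something the portal will reject anyway.
                        problems.append("%s is %d bytes uncompressed, over the 100 MB limit"
                                        % (info.filename, info.file_size))
                        members.append(entry)
                        continue
                    try:
                        content = zf.read(info)   # reading != executing; safe to hash
                    except RuntimeError:
                        # Encrypted member: supply the password in the form field instead.
                        entry["encrypted"] = True
                        members.append(entry)
                        continue
                    entry.update(digests(content))
                    members.append(entry)
    return {"ok": not problems, "problems": problems, "members": members}


def check_archive(path):
    """Same check for an archive on disk."""
    with open(path, "rb") as fh:
        return check_archive_bytes(fh.read(), os.path.basename(path))


def make_zip_bytes(files):
    """Build a ZIP in memory from a {name: bytes} mapping. Used here only to
    construct sample input; real samples would be zipped from disk."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python precheck.py samples.zip [more.zip ...]
    for archive in sys.argv[1:]:
        result = check_archive(archive)
        print(archive, "OK" if result["ok"] else "REJECTED")
        for problem in result["problems"]:
            print("  problem:", problem)
        for member in result["members"]:
            print("  %(name)s %(size)d bytes" % member,
                  "md5=%(md5)s sha256=%(sha256)s" % member if "md5" in member
                  else "(encrypted, not hashed)")
```

Run it against each .zip you intend to upload; an empty problem list means the archive is within the portal's limits, and the printed hashes give you a record to quote to Tech Support or to use for a Hash Submission.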
Ensuring Everything is On Track
Immediately after submitting, there will be an acknowledgement screen displayed. (As of May 2018, this acknowledgement screen contains a Tracking Number.) A short time later, an email will be dispatched containing the submission's Tracking Number and some additional details.
[TRACKING]: Symantec Security Response Automation (Tracking #XXXXXXXX)
Use that reference should you need to make contact with any questions. If hours pass without receiving a Tracking Number, please check your junk mail folder or the email processing rules within your company. If there still is no sign of the mail, contact Technical Support to ensure that the submission has in fact been successfully received and is being queued up for processing. (They can identify the submission using the unique MD5 hash of one of the submitted files or the email address that was specified.)
Submissions may be processed quickly or may require several days. This all depends on the current amount of activity in the worldwide threat landscape, something beyond Symantec's control.
When analysis is complete, another email will be dispatched which contains an overview of the findings.
[CLOSED]: Symantec Security Response Automation (Tracking #XXXXXXXX)
If that suspicious file has been confirmed to be malicious, this mail will contain information on how to download new Rapid Release definitions so you can apply protection throughout your organization. See Sequence Makes Sense for details on how to translate that Rapid Release Sequence number into a human-readable date and version.
What to do while Submissions are being Processed
If you have submitted a file that you believe is malicious, don't just wait for Security Response to produce definitions against it! There are important actions that must be taken in order to prevent that infection from spreading its damage throughout your network. See Step 3. Quarantine the Infected Computers in the following article:
Best Practices for Troubleshooting Viruses on a Network
Article URL http://www.symantec.com/docs/TECH122466
If you can't just pull the network cable on the infected computer, there are many ways SEP's components can lock down the system and the network and help slow the spread of the threat.
FAQ for Y-O-U
Q. Can't I just email the malicious file to Symantec?
A. No, the only method of getting suspicious content to Security Response is via the web portal. Sales, Tech Support and other departments within Symantec cannot receive potentially malicious content.
Q. Can I submit password-protected archives? I received an unexpected .zip mail attachment from some random email address I've never heard of. The text in the mail body instructed me to open the .zip immediately and provided me with the password necessary to do so. They also promise there is candy involved. Sweet, sweet candy!
A. Yes, you can submit password-protected archives! As of September 2019, there is a new field in the submission page for providing that password. If that matches that of the password-protected .zip, it will be opened and the contents processed. (And, please, never open unexpected mail attachments from strangers. Even if they promise you candy.)
Q. I thought SEP was automatically making a lot of submissions of files in the background. Why don't I get Tracking Numbers for those?
A. When configured to do so, SEP will send anonymous data to Security Response. Symantec Response and the Global Intelligence Network use this submitted information to quickly formulate responses to new and developing security threats. The data that you submit improves Symantec's ability to respond to threats and customize protection. (So, please do always allow submissions!)
Because the information is submitted anonymously, there is no way to trace it back and send out a tracking number. The article below has details:
Enabling or disabling client submissions to Symantec Security Response
Article URL http://www.symantec.com/docs/HOWTO81000
Q. We have found a mountain of malicious files! We've put them all in one giant 500 MB .zip. I can submit that, right?
A. Sorry, no. Think of all the freight deliveries coming into a city. Rather than building a supersized railroad with tracks 100 feet apart and a car as big as a cruise ship, all the incoming goods are divided up into a long train of standard-sized freight cars. That's the way the delivery system is designed. The same goes for submissions to Security Response. Each .zip needs to have no more than 9 files within and a decompressed size of 100 MB or else it will go off the tracks.
Q. What if the file I need to submit is larger than 100 MB?
A. Malicious files are generally (but not always!) smaller than that. For large files, check with Tech Support. They can supply instructions on how to proceed.
Q. In my spare time I am building a comprehensive collection of every executable that has ever existed. Wow, there's a heaping cartload, and I'm only up to 1996! Just in case one of them may have been malicious, I'll submit these beauties all at once to Security Response to see if there has ever been a variant of virus, worm, or whatsit that your engineers have never seen.
A. Thanks, but no. Please only submit files that are suspected of being malware involved in a current outbreak on your own network. Our resources are committed to helping combat today's real-world security threats.
Q. I write code for my company, which has a BCS/PCS support contract with Symantec. Is there any way to submit my latest build to Symantec earlier than its public release to make sure there won't be False Positives on this new (and initially unknown) version?
A. If you have a Premium contract, please contact your Technical Account Manager (TAM) for details on whitelisting.
Note that this whitelisting program is open for Symantec's Premium customers only and will require up to a week to process files. Please allow ample time! If the software is already publicly available and is being detected by Symantec products, use the False Positive portal instead.
Q. Oops! I made a submission to the wrong place! I sent a suspicious file to the False Positive portal when I meant to send it through the doorway for suspected malware. You can swap that around easily enough, right?
A. It's best just to make a new submission to the correct team. That will get it in front of the right pair of eyes most quickly.
If in doubt about whether or not to submit a particular file, please do ask! Tech Support has trained experts who can examine a diagnostic and swiftly spot the suspicious materials within. They can also provide best practice and recommendations that can help keep your network, data and users safe.
Many thanks for reading! Please do leave comments and feedback below.