Files in quarantine, wondering how to submit for analysis.

Discussion in 'NOD32 version 2 Forum' started by gracie123, Jan 4, 2007.

Thread Status:
Not open for further replies.
  1. gracie123

    gracie123 Registered Member


    I have some files in NOD32 "Quarantine" that say "probably a variant of" and then the virus name.

    Just wondering, do I locate where the virus is located and attach that file or what exactly do I need to do to submit it right through NOD32 for analysis?

    Also, what would I need to put for the comment? This is my first time noticing this, so I just want to know what I need to do :).


  2. Carver

    Carver Registered Member

    You can just submit the file that is in Quarantine.
  3. Marcos

    Marcos Eset Staff Account

    Is it actually a false positive? If not, there's NO NEED to submit them. With file submission enabled, they are submitted automatically unless you untick the "Submit for analysis" checkbox in an alert window.
  4. gracie123

    gracie123 Registered Member

    Hi Marcos,

    Well, I am not sure if it is a false positive. It says 3 of the files is in the cache of some Netscape folder on my computer. Another file is located in system restore. For the ThreatSense feature of NOD32, for suspicious files I have it set to Submit without asking and enabled for anonymous statistical information. So I would or would not need to submit the files in quarantine?
  5. ASpace

    ASpace Guest

    Marcos knows better but I think not necessary .

    Because of the fact NOD32 writes "probably a variant of" it doesn't mean that it is a false positive . It is just that NOD32 relies on heuristics and it found a variant of a threat already known . Most of the detections I have seen are with similar names such as
    probably a variant of ...
    a variant of ...
    just the name of the application ... (e.g. is W32 Adware When U Save Now)

    You should submit files that are not detected at all , files that you do believe are false positives and files that are detected as "New Heur PE virus" :thumb:
  6. gracie123

    gracie123 Registered Member

    Hi, oh ok I see. So when I come across files that are not detected at all or files that are detected as "New Heur PE virus", do I need to put the file in a winRAR archive or winZIP and then submit it? I just want to be sure to do it right if need to be in the future :).

  7. Marcos

    Marcos Eset Staff Account

    This is not necessary even if you run into a file flagged as NewHeur_PE. This is quite common and we receive tons of such samples via ThreatSense on a daily basis. It's simply beyond any human capabilities to analyse all of them and frankly, only very few of them are false positives (from my observation I'd say less than 0,1% are fp).

    If you suspect a file to be a false positive, encrypt it with WinZIP/WinRAR, protect the archive with the password "infected" and send it to samples @ with "False positive" in the subject while enclosing further information as to what program it belongs to, where it can be downloaded from, etc. in the email body.
  8. gracie123

    gracie123 Registered Member

    Oh ok I understand now, thank you very much for the help Marcos and everyone :).

Thread Status:
Not open for further replies.