Files in quarantine, wondering how to submit for analysis.

Hello,

I have some files in NOD32 "Quarantine" that say "probably a variant of" and then the virus name.

Just wondering, do I locate where the virus is located and attach that file or what exactly do I need to do to submit it right through NOD32 for analysis?

Also, what would I need to put for the comment? This is my first time noticing this, so I just want to know what I need to do .

Thanks,

Gracie

 

You can just submit the file that is in Quarantine.

 

Is it actually a false positive? If not, there's NO NEED to submit them. With file submission enabled, they are submitted automatically unless you untick the "Submit for analysis" checkbox in an alert window.

 

Hi Marcos,

Well, I am not sure if it is a false positive. It says 3 of the files is in the cache of some Netscape folder on my computer. Another file is located in system restore. For the ThreatSense feature of NOD32, for suspicious files I have it set to Submit without asking and enabled for anonymous statistical information. So I would or would not need to submit the files in quarantine?

 

Marcos knows better but I think not necessary .

Because of the fact NOD32 writes "probably a variant of" it doesn't mean that it is a false positive . It is just that NOD32 relies on heuristics and it found a variant of a threat already known . Most of the detections I have seen are with similar names such as
probably a variant of ...
a variant of ...
just the name of the application ... (e.g. is W32 Adware When U Save Now)

You should submit files that are not detected at all , files that you do believe are false positives and files that are detected as "New Heur PE virus"

samples@eset.com

 

Hi, oh ok I see. So when I come across files that are not detected at all or files that are detected as "New Heur PE virus", do I need to put the file in a winRAR archive or winZIP and then submit it? I just want to be sure to do it right if need to be in the future .

Gracie

 

This is not necessary even if you run into a file flagged as NewHeur_PE. This is quite common and we receive tons of such samples via ThreatSense on a daily basis. It's simply beyond any human capabilities to analyse all of them and frankly, only very few of them are false positives (from my observation I'd say less than 0,1% are fp).

If you suspect a file to be a false positive, encrypt it with WinZIP/WinRAR, protect the archive with the password "infected" and send it to samples @ eset.com with "False positive" in the subject while enclosing further information as to what program it belongs to, where it can be downloaded from, etc. in the email body.

 

Oh ok I understand now, thank you very much for the help Marcos and everyone .

Gracie