My AV: Sending samples for verification....how-to/experiences..etc

Discussion in 'other anti-virus software' started by jasonbourne, Nov 29, 2010.

Thread Status:
Not open for further replies.
  1. jasonbourne

    jasonbourne Registered Member

    Joined:
    Aug 26, 2010
    Posts:
    247
    Hi;

    Just got this idea to make a post to ask you guys here about the way of sending samples to "your AV/Antimalware/anti-spyware program" when you have a file suspected/undetected as virus/malware. Maybe some questions like these:

    1)What AV/security app:
    2)How to send samples to your AV (can be via the AV gui or procedure/instruction..best with the URL)
    3)Confirmation/response time upon submission..(got confirmation that they received it or responded but seems like forever or did not respond at all)
    4)Additional observations/experiences with the handling of your samples/file submitted (say, the way the CS handled your request or positive/negative feedbacks from CS)

    Surely someone has had experiences sending samples/files for verification to your AV/security app before..may we know your thoughts/inputs/ideas/experiences so we may learn from them. :)

    I believe this will help the members here especially the newbies or the not-so-learned ones who encounter problems with undetected viruses/false positives..etc.

    Or any experiences about it/connected to it maybe....:)

    I'll start.

    Avira
    - Avira Premium Security Suite10(w/out firewall and Proactive module)
    - Submit via http://analysis.avira.com/samples/index.php or through Avira GUI.
    - Confirmed response through email about samples 1 day. Response resolution time 2-3 days.
    - Experienced submitted a sample that VirusTotal/Filterbit/Jotti's malware scan stated 45% as malware but still Avira claimed it is not a malware/virus.
    - All in all prompt response to sample/file submission is okay. Never had any experience that they have not confirmed or responded. Always responds to users.

    Prevx
    -Prevx ver 3.0.5.220
    - Through the Prevx Gui link to Prevx CS site. You can post there/upload files there(.txt/jpeg/bitmap/.log) or through email at report@prevxresearch.com procedure is
    https://www.wilderssecurity.com/showthread.php?t=245129
    - Just minutes after posting a message Prevx help responds promptly. Max is a day but usually just 5 hours or so.
    - Cannot submit file samples through the site but only through email.
    - Confirmation to resolution the response time was fast did not even take 24 hours. Always responds to users. The best/fastest I have experienced.

    HitmanPro
    -HitmanPro Build 117
    -File submitted through contact to HitmanPro mod(erikloman). Can email support@surfright.nl.
    -Response time 2-3days. Have no standard procedure for file submission yet. But erikloman went out of his busy schedule to assist me on the samples.

    Malwarebytes
    - Have to contact Malwarebytes forum to ask how to submit samples. I used to send samples via their website but the link is gone. Instructions from the forum are here http://forums.malwarebytes.org/index.php?showtopic=3228

    Superantispyware
    -Have to contact support from the site and make a ticket. http://www.superantispyware.com/support.html and here http://forums.superantispyware.com/index.php?/topic/2814-submitting-samples-to-superantispyware/
    -Response time usually 2-3 days.
    -Made me download a file SUPERSampleSubmit.exe that I used to submit the samples to them. After a week of follow-up had a response.
    - All in all slow response. Needs constant follow-up.

    Avast
    - File submission through GUI as undetected malware or here http://www.avast.com/contacts
    - No procedure for submitting files via email.
    - Have not tried submitting samples yet but in avast forums there are reports that "usually" samples submitted to them via the GUI gets included in the next update but no confirmations. Samples sent via the email are responded but rarely.

    Will add more next time. Hope you guys share your tips/experiences/observations on sending samples etc


    Thank you. :)
     
    Last edited: Nov 30, 2010
  2. Hawk82

    Hawk82 Registered Member

    Joined:
    Feb 11, 2007
    Posts:
    29
    That's not true. There is no web page from where you can submit files to avast. If you go to that link and click on report suspicious file you'll see that they reveal the email address to submit the file.
    So for avast: File submission through GUI or email.
     
  3. ALookingInView

    ALookingInView Registered Member

    Joined:
    Sep 14, 2009
    Posts:
    365
    Interesting idea for a thread. Will contribute to it later if I'm able to.
     
  4. jasonbourne

    jasonbourne Registered Member

    Joined:
    Aug 26, 2010
    Posts:
    247
    @Hawk82,

    Thanks for the reply.:)

    I am sorry you must have misunderstood my post for Avast. Yes, the link posted contains the email address where you can send the samples. The reason I posted the URL(because it contains it). But there is no procedure for sending such samples as like Prevx's or Avira for that matter. Just an email address no how-to or what.

    e.g: (Prevx)

    * If you think that Prevx is wrongly detecting a file (false positive), please do a system scan by clicking "Scan Now" on the front screen of Prevx 3.0 and then save the scan log by clicking on Tools - Save Scan Results. Then, please send the scan log by e-mail at report@prevxresearch.com explaining the problem

    * If you think that Prevx is not detecting a new malicious software, please pack the undetected file in a password protected RAR or 7z archive and use this password: 'infected' (without quotes)
    Note: ZIP archives will be rejected by the mail server
    ---

    Have you sent samples to avast? By email or GUI? What happened? May we know your observations on their response? Maybe you can share it here. It will be a nice to know/learn from Avast users themselves so other users and future users will know.
     
    Last edited: Nov 30, 2010
  5. jasonbourne

    jasonbourne Registered Member

    Joined:
    Aug 26, 2010
    Posts:
    247
    @ALookingInView,

    Please do so contribute at your leisure for learning purposes and as guide for users(newbies most especially). If there is no procedure and you don't know how then through here someone maybe can have an idea how-to do it. This is also for us to know how the AV/security app companies that we love interface with user needs such as this. I have a couple of experiences (not AV/security apps) who are so bad at helping the user I ended up not using the software at all. Good software sticks to your mind as well as bad service.

    Cheers!
     
    Last edited: Nov 30, 2010
  6. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    7,270
    Location:
    England
    jasonbourne, any chance you could use the default font and size for your posts?

    The letters seem very small and difficult to read (especially when you are getting on!!)
     
  7. m0unds

    m0unds Guest

  8. JoeBlack40

    JoeBlack40 Registered Member

    Joined:
    Apr 1, 2009
    Posts:
    1,572
    Location:
    Romania
    Agree,i'm still young and i don't want to put my glasses on.
     
  9. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    Agreed, I am "young" also, even though I wear glasses all the time:rolleyes:
    But it's still hard reading those tiny letters.
     
  10. jasonbourne

    jasonbourne Registered Member

    Joined:
    Aug 26, 2010
    Posts:
    247
    Hi guys:) ,

    Gosh...pardon for the size and font. I will. Just a sec. Better!:)

    @mounds;

    How about experiences as to response time..anything that you observed there..?

    I contacted them2x before when I won a license for 6mo I think that was last May or something. Response was prompt through email but it was on installation inquiries. It went on for about a week and then I had to follow it up for a week with no response...:-( Was instructed to post at facebook for other posts...But this is another matter altogether. :)

    ----

    Sure would like to see some inputs/ideas/observations from Panda, AVG, BitDefender, Kaspersky,GData, Emsisoft, Eset, Dr.WEb, TrendMicro, McAfee(heard Intel bought it....) Norton..etc.

    Thanks! :D
     
  11. Rampastein

    Rampastein Registered Member

    Joined:
    Oct 16, 2009
    Posts:
    290
    Interesting thread.

    - Kaspersky
    - Two ways of sending samples; either by using the webform here: http://support.kaspersky.com/virlab/helpdesk.html or by sending email to them. There's an option to send a file to them in the GUI, which launches the user's default mail application.
    - After sending the sample it usually takes from a few minutes to a few hours before their automated systems send a confirmation email that they've received the sample and are analyzing it. The results of the analysis come later.
    - The analysis results have always come fast, at best I've been waiting only 3 minutes, at worst about 24 hours.
     
  12. Ibrad

    Ibrad Registered Member

    Joined:
    Dec 8, 2009
    Posts:
    1,949
    -Panda Security
    -sent via email
    -I have always got an automated response, and I have always gotten a confirm after submitting samples.
    -Samples added very quickly

    -Dr Web
    -Sent via email and web submission forum
    -It seems totally random, sometimes I get a response sometimes not. It took 3 requests sent in to get the YIM FP fixed.

    -Kaspersky
    -Send in via Email
    -I always get an automated response, I have never however got the response about confirming a malware sample. I did however get one response before on an FP report.
    -Speed depends on type of malware.

    -Avast
    -Sent in via email
    -No automated response, I did however talk to the labs once about what I thought was an FP which was actually a hacked site.
    -Samples are added very quickly

    -Norman
    -Sent in via email
    -Never ever heard a response but sample adding is normally added in the next update so very quick.

    -Avira
    -Submitted via webform.
    -Normally get a response in 2 days
    -Very quick sample submission.

    -Sunbelt
    -Sent in via webform
    -Normally always get a response
    -Very quick on adding samples

    -FortiGuard
    -Sent via email
    -One of my favorite to submit samples to, always get a response in 24 hours. I have never once not got a response from them at all.
    -Depends on sample type of adding speed.

    -Quickheal
    -Sent via webform
    -Only submitted one sample before but had very quick analysis
    -Don't know really I sent one sample which was a Script malware that was being added by others as trojan startpage and they told me it was not malicious so it would not be added.
     
  13. jasonbourne

    jasonbourne Registered Member

    Joined:
    Aug 26, 2010
    Posts:
    247
    @Rampastein / Ibrad,

    Thanks for responses / experience and observations here. Some links perhaps for newbies sake:)

    Data shared here is/will go a long way for users.

    ----

    Please feel free to add anything you seem to find relevant/connected.

    Thanks again:)
     
  14. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    I think all AV's that have an engine over at VT/Jottis are able to harvest any samples submitted?

    Not really sure on that though o_O
     
  15. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    To submit false positives and/or false negatives for Returnil:

    Default: RVS 2010/RSS 2011 include automated collection of suspicious program behaviors and files for deeper analysis with our server side AI/Machine learning technology. You can check what is there to be sent to us by looking in the upload queue.

    False pos/neg: Place the file or files within a password protected archive (RAR, ZIP, 7z, etc) and send to our technical support address with as much information about the contents as possible (where, what, how, etc): support (dash) tech (at) returnil (dot) com

    Regards
    Mike
     
  16. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    Yes, the participating AV vendors all get copies of the samples uploaded to the specific service. If you do not have an engine that is used by the applicable service, they offer subscriptions to qualified, but non-participating AV/AM vendors as well...for a fee.

    HTH
    Mike
     
  17. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Thanks for verification Mike.

    So in effect if you upload to VT/Jottis you are virtually sending samples to all AV vendors that have their engines at those sites.
     
  18. jasonbourne

    jasonbourne Registered Member

    Joined:
    Aug 26, 2010
    Posts:
    247
    @Franklin/Coldmoon,

    Hmmm..very interesting there...nice piece of information there thanks!

    I think I have experienced a sample before that I uploaded to VirusTotal/Jotti's that had no detection but was detected by my AV...don't have the file now ( can't even remember when...I'll try to check from old discs...)but I was with Avira Personal back then. I hope Prevx will be included in VirusTotal/Jotti's.

    Thanks!
     
  19. 3GUSER

    3GUSER Registered Member

    Joined:
    Jan 10, 2010
    Posts:
    812
  20. jasonbourne

    jasonbourne Registered Member

    Joined:
    Aug 26, 2010
    Posts:
    247


    @3GUSER,

    I did not know of a similar thread that is existing. Had looked at it and most of it are email addresses.
    There are differences though as stated in the first post..

    re:

    1)What AV/security app:
    2)How to send samples to your AV (can be via the AV gui or procedure/instruction..best with the URL) --- not based on email only ---
    3)Confirmation/response time upon submission..(got confirmation that they received it or responded but seems like forever or did not respond at all)
    4)Additional observations/experiences with the handling of your samples/file submitted (say, the way the CS handled your request or positive/negative feedbacks from CS)

    Though the email address is essential I believe #3 and #4 makes it all the more "on the point of the user" say, on issues they encountered/experienced.

    It's on the one who will post if he prefers to share "...additional observations/experiences" . User point of view on "his" AV or AV's he has used.

    But it's a comprehensive list. Did not see such a wide/lengthy list of email address. First time for me. The list is a keeper. Together with this post it will make a very good reference.

    Cheers!
     
    Last edited: Dec 1, 2010
  21. SUPERAntiSpy

    SUPERAntiSpy Developer

    Joined:
    Mar 21, 2006
    Posts:
    1,088
    You don't have to create support ticket to submit samples to SUPERAntiSpyware.

    We provide a simple dedicated tool (SUPERSampleSubmit) to allow users to submit samples with ease - you can submit .ZIP, .RAR and uncompressed files.

    We don't do "custom analysis" of files - if we did, we would never have time to develop the product nor produce definitions - we receive well over 25,000+ samples PER DAY that need analyzed - if we responded to each submission nothing would get done.

    If files submitted are threats we add them to our definitions, or else they stay in our sample database "forever" and can be cross referenced should the need arise.

    As for false positives, we have a BUILT-IN reporting system in the product, it couldn't get much simpler than that - I guess we could come and pick up your computer for you :) LOL
     
  22. Ibrad

    Ibrad Registered Member

    Joined:
    Dec 8, 2009
    Posts:
    1,949
    I must say I wish we had a tool like SuperSampleSubmit that would send files to all vendors along with our email for those that do responses. I just used the tool for the first time today and I figure it did its job right, file submitted quickly so I figured it uploaded correctly.
     
  23. Chris _MS_

    Chris _MS_ Registered Member

    Joined:
    Sep 22, 2010
    Posts:
    9
  24. m0unds

    m0unds Guest

    Sunbelt: always fast regardless of what I need (support, sample submission, etc) - sample submissions generally result in an automated response, sometimes a hand-typed response and sigs deployed via update shortly after.

    F-Secure: submission via their online sample system- if their automated analysis engine detects a threat, the threat is then immediately detected via their Deepguard system (which includes their cloud engine)- the few times where something wasn't detected automatically, I received a hand-typed response from one of their analysts within a couple hours.
     
  25. jasonbourne

    jasonbourne Registered Member

    Joined:
    Aug 26, 2010
    Posts:
    247
    Thanks for the replies guys. Lot of info here.

    @SUPERAntiSpy,

    I did submit samples to SASpy I think 2007 or 2008 when I was still using SASPy free and had problems with the Core/Trace definitions not downloading correctly. I was with avastFree ver4 also then. That is what I did created a support ticket first. I did not know what to do (was busy also that time...was also the time I got hit badly by a virus...from the office) thus created one.

    Now I have not an issue with SASPy nearly a year now(with Pro version now).

    So this is a great thing as this info is straight from Superantispyware developers! Thanks. This information will go a long way for newbies and enthusiasts alike.


    @Ibrad,

    Yeah, I too like that. I wish MBAM will also have that.

    @mounds,

    Thanks for the reply and the share about your experience with their support.

    --

    Well, the response is a big thing for people who send sample files for verification. They are unsure so they ask questions and help/assistance. Of course there are a certain number of people who will just let it be and decide for themselves( some with the help of online scanner such as VT/Jotti's etc) what to do. But the thing here is that good service/support sticks and is definitely a "factor" in selecting a product.

    Thanks for the share guys!
     