Learn how to submit false negatives for the following Symantec.cloud email services:

• Symantec Email Security.cloud
• Symantec Advanced Threat Protection (ATP): Email

What is a false negative?

A false negative occurs when an email containing malware that has been incorrectly identified as being clean of security threats.  (See What is malware? below for an important distinction.)

Submit false negative malware samples via Symantec outlook add-in button

You can use this submission method available in the Symantec.cloud portal under Services > Email Services > Email Submission Service Settings.

For further details regarding the outlook add-in submission button, please check Symantec Email Submission Add-in for Email Security.cloud 

Submit false negative malware samples via ClientNet Portal

Before submitting a false negative malware sample, perform an Email Track and Trace to verify that the logs for the email exist on the Symantec.cloud infrastructure. If you cannot locate the email using Email Track and Trace, review the headers of the email to verify that it came through Symantec.cloud before proceeding with the submission.

Follow these guidelines when submitting a false negative malware sample:

• Provide the full sample email in .MSG or .EML format.
• Upload only a single email sample per submission. Do not upload multiple email samples at once.
• Do not upload only the suspected malware; a full sample is required for verification that the sample came through Symantec.cloud.

To submit a false negative

1. Log in to the Symantec.cloud console.
2. Click Support > Symantec Intelligence
3. Select Submit Evidence from the Symantec Security Center page
4. Submit the following information:
   • Contact name
   • Email address
   • Site ID number
   • The email message in .EML or .MSG format. Symantec recommends one email message per submission.
     
     Note: Do not submit compressed files that are password-protected.
      
5. Click Submit. You will receive notice on-screen that the submission was successful.

What's next?

You will receive a tracking number through email within 30 minutes of submitting the sample and results typically within 12 to 18 hours. If you need to escalate this submission, contact support and provide the submission tracking number.

Symantec monitors submissions and implements detection if we determine that the message is malicious.

Once your submission has been handled by Symantec, you will receive details on whether detection was added or not. If detection was not added, this could be due either to the sample not being malicious, or the sample was improperly submitted.

I have provided a sample but have not heard back from Symantec

If you have provided a legitimate sample and have not received a response from Symantec within 24 hours, contact support with your submission tracking number.

WARNING: Do not attach suspicious files directly to your case.

Request for more information

For more information regarding blocked malware that is not available in Advanced Threat Incidents section in the Symantec.cloud portal, contact support and provide the submission tracking number.

What is malware?

Malware is software that is intended to damage or disable computers and computer systems. Symantec will add detection for malware email attachments.

If an email contains a phishing or malicious link in nature, submissions will not result in a malware detection. For example, documents that contain no code but an attempt to social engineer the recipient into visiting a phishing page are classified as threat artifacts rather than malware.

To report these, please follow our Anti-Spam False Negative process described in Submit false negative spam emails missed by Symantec.cloud.