Frequently asked questions about Symantec's Email Security.cloud Outlook Add-in button submission service.

1. What is the Email Submission service?
   The Email submission service lets your organization's end users submit suspected false-negative email messages to Symantec for analysis. The service is powered by a customized Microsoft Outlook add-in button that the end users can click on to send email messages that are suspected to be spam, phishing or malicious code for further analysis.
    
2. What are the Outlook add-in system requirements?
   See Email Submission add-in, support matrix for more information.
    
3. I have an Exchange environment running on version 2010 or below. Can I use the Outlook add-in?
   No, if your environment is using an Exchange server below and wish to submit spam false negative emails, please refer to the Email Submission Services page.
    
4. Where can the Email Submission service be configured?
   Administrators can configure the service under Services > Email Services > Email Submission Settings in the Symantec.Cloud Management portal.
    
5. Are there any steps to follow before deploying the Outlook Submission add-in to email clients?
   Yes, refer to how to Install Outlook Email Submission Add-in, Before you install section.
    
6. Can the Outlook submission add-in be installed for a selected group of users?
   No, administrators can only install the Outlook add-in for all or individual users as per the Microsoft platform.
    
7. Can Symantec report on the users that have submitted false negative messages?
   Not at this time, The reporting feature is on the roadmap for a future release. In the meantime, administrators can configure the service to copy email submissions messages to a malware administrator in the portal. This configuration allows for the specified administrator to receive a copy of the emails submitted to Symantec for analysis.
    
8. What are the user roles that an administrator needs to configure the Email Submission service in the Symantec Cloud Management Portal?

• Standard User Role with full access
• Custom Roles: View\Edit Configuration

8.  How does the email submission service determine whether an email is a false-negative spam or malicious?
   The email submission platform inspects the email's MIME type headers to determine how the Security Response Center handles the sample for further analysis.
    
9. What happens to the email after being submitted successfully?
   If configured correctly, a copy of the message is submitted to Symantec for analysis and the original message is moved to the user's Deleted Items folder.
    
10. What happens to missed spam submissions after being received by Symantec?
    The Security Response Center processes the received message using a sophisticated algorithm which groups the emails with other emails received from customers or through the extensive probe network. When a group of emails that are similar enough reaches a threshold, it becomes an attack.  At this point, an automated process or a Security Response technician will create a filter to respond to the attack as accurately as possible without creating a potential False Positive.  Adding the detection filter to the appropriate ruleset completes the process in our Security Response Center.  Your Inbox becomes protected from that attack after the ruleset replicates on the Brightmail filtering mail server.

11. Do administrators receive feedback on messages submitted as spam?
    Users or administrators would not receive any feedback on messages submitted as spam, due to the volume of submissions received.  The Security Response cannot offer any guarantee that the service will create new filters for every single spam submission. However, administrators should receive feedback on emails processed as malicious.

12. What happens to missed malware submissions after being received by Symantec??
    The Security Response Center processes the received message using the automation system to check if Symantec is aware of the malicious file. If it is a new threat, a member of the Security Response team will analyze the sample and will provide feedback on emails processed as malicious.

13. Do administrator receive feedback on messages submitted as malicious?
    Yes, administrators will receive a tracking number through email within 30 minutes of submitting the sample and results typically within 12 to 18 hours. If you need to escalate this submission, contact support and provide the submission tracking number.

    Symantec monitors submissions and implements detection if we determine that the message is malicious.

    Once Symantec has handled your submission, you will receive details on whether detection was added or not. If it has not been added, this can be due to the sample not being malicious, or the sample was improperly submitted.

14. One of my users submitted a possible malware email for analysis, but the administrator did not receive the email confirmation?
    Confirmation emails with the respective tracking number are only sent once in every 48 hours to the malware administrator per attachment's hash.  As an example, if two or more users submitted the same sample each, the administrator will receive one notification email since the hash for all the submission would be the same.
     
15. Is there an email size limit when submitting false negative emails using the Outlook submission add-in?
    Yes, the size limit applies to Exchange 2013, 2016 on-prem solutions, if the Exchange Web Service response is greater than 1 Megabyte. There is no limit when running a hybrid environment with Office 365, standalone Office 365 or Exchange Online.