How to provide a Malware Sample/Analysis Subject to VMware Technical Support for NSX Threat Response requests
Article ID: 337698
Products
VMware vDefend Network Detection and Response
Issue/Introduction
This article outlines best practices for submitting a potentially malicious file attachment on a Support Request.
VMware Technical Support may occasionally need to collect detection data and the artifact for investigating False Positive, False Negative, or other detection questions in the NSX product. These files will be analyzed by support engineers and threat researchers to improve the detection efficacy of the product.
After you obtain the necessary file, you must upload it to VMware.
Environment
VMware NSX Network Detection and Response
Resolution
Details: Occasionally a file sample will be needed in order to further investigate support requests on:
- False positives (FP)
- False negatives (FN)
- General questions on detection coverage
This article provides a guideline for customers to safely handle a potentially malicious file sample before uploading it to the VMware Support Request.
Steps:
1. If the file is publicly available, do not send the file on the Support Request. Search for the hash on www.virustotal.com (VT):
   - If the hash is known to VT, a sample can be downloaded by VMware Technical Support. If it is available on VT, provide the support engineer with the file hash details on the Support Request and skip steps 2-3.
2. Put the file in question in an encrypted ZIP archive with the password "infected". Any other password you prefer can also be used, but please share it with the support engineer.
3. Upload the password-protected archive to the Support Request.
4. In the Support Request, please provide additional details on your FP/FN assessment or threat issue.
Important: Do not upload any malicious files without taking the above steps.
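Steps 1 and 2 above as a shell example, added here and not part of VMware's own tooling: it prints the SHA-256 to search on VirusTotal and builds the password-protected ZIP. The function names `sample_sha256` and `pack_sample` and the script name are assumptions, and it expects `sha256sum` or `shasum` plus `zip` or `7z` on the analysis host.

```shell
#!/bin/sh
# Added example: hash a suspect file and wrap it for a Support Request.
# The file is only read as bytes; it is never executed or opened in a viewer.

# Print the SHA-256 of a file (sha256sum on Linux, shasum on macOS).
# Reading from stdin keeps unusual file names out of the tool's output.
sample_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum < "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 < "$1" | cut -d' ' -f1
    else
        echo "no SHA-256 tool found" >&2; return 1
    fi
}

# Create a password-protected ZIP (default password "infected", per the article).
# Usage: pack_sample <file> <archive.zip> [password]
pack_sample() {
    src=$1; out=$2; pw=${3:-infected}
    [ -f "$src" ] || { echo "not a regular file: $src" >&2; return 1; }
    # zip appends to an existing archive, so refuse to reuse one.
    [ ! -e "$out" ] || { echo "refusing to overwrite: $out" >&2; return 1; }
    if command -v zip >/dev/null 2>&1; then
        # -j stores the file without its directory path, -q keeps output quiet
        zip -q -j -P "$pw" "$out" "$src"
    elif command -v 7z >/dev/null 2>&1; then
        7z a -tzip -p"$pw" "$out" "$src" >/dev/null
    else
        echo "need zip or 7z to build the archive" >&2; return 1
    fi
}

# Run as: sh pack_sample.sh <suspect-file>   (script name is an assumption)
if [ "$#" -ge 1 ]; then
    # Step 1: search this hash on VirusTotal before uploading anything.
    echo "SHA-256: $(sample_sha256 "$1")"
    # Step 2: only needed when the hash is not known to VirusTotal.
    pack_sample "$1" "$1.zip" && echo "archive: $1.zip"
fi
```

If a password other than "infected" is passed as the third argument, share it with the support engineer as step 2 requires.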