How to provide a Malware Sample/Analysis Subject to VMware Technical Support for NSX Threat Response requests
search cancel

How to provide a Malware Sample/Analysis Subject to VMware Technical Support for NSX Threat Response requests

book

Article ID: 337698

calendar_today

Updated On:

Products

VMware vDefend Network Detection and Response

Issue/Introduction

This article outlines best practices for submitting a potentially malicious file attachment on a Support Request. 

VMware Technical Support may occasionally need to collect detection data and the artifact for investigating False Positive, False Negative, or other detection questions in the NSX product. These files will be analyzed by support engineers and threat researchers to improve the detection efficacy of the product. 

For submitting malicious URL or domains, see KB: How to provide malicious domain/URL’s to VMware Technical Support for NSX Threat Response requests

After you obtain the necessary file, you must upload it to VMware.

Environment

VMware NSX Network Detection and Response

Resolution

Details:
Occasionally a file sample will be needed in order to further investigate support requests on: 
  • False positives  (FP) 
  • False negatives (FN) 
  • General questions on detection coverage 
This article provides a guideline for customers to safely handle a potentially malicious file sample before uploading it to the VMware Support Request. 

Steps: 
  1. If the file is publicly available, do not send the file on the Support Request. Search for the hash on www.virustotal.com (VT): 
    1. If the hash is known to VT, a sample can be downloaded by VMware Technical Support. If available on VT, provide the support engineer the file hash details on the Support Request and skip steps 2-3 
  2. Put the file in question in an encrypted ZIP archive with the password "infected" - any other password you prefer can also be used, but please share it with the support engineer 
  3. Upload the password-protected archive to the Support Request  
  4. In the Support Request, please provide additional details on your FP/FN assessment or threat issue. 
Important: 
Do not upload any malicious files without taking the above steps