Submit suspicious files to Symantec Security Response

Article ID: 151293

Products

  • Protection Engine for Cloud Services
  • Scan Engine
  • Protection for SharePoint Servers
  • Mail Security for Microsoft Exchange
  • Protection Engine for NAS
  • Endpoint Protection

Issue/Introduction

Learn how to submit suspicious files found in your environment to Symantec Security Response for further review.

Resolution

How do I submit suspicious files to Symantec?

As of November 2019, all customers (home users and Enterprise) can submit suspected missed malware files and phishing websites to SymSubmit. Please use the Not Detected by Symantec tab.

Note:  Do not send any malicious/detected/suspected files via email or upload to cases.  The submission portal is the only acceptable option for submitting files to Security Response.

What information is needed to submit through the web submission site?

You need to provide the following information:

  • Customer type
  • Contact name
  • Email address
  • Support ID number (also known as Site ID; this applies only to Enterprise customers)

Note: In the past, you may have used your Contact ID number to submit files to Security Response. The use of the Contact ID number for submissions has been discontinued in favor of the Support ID number in order to simplify submissions. Please use your Support ID number going forward.

Where can I find my Support ID number?

Your Support ID number is written on your Symantec support certificate or was provided by your Designated Support Engineer (DSE)/Customer Success Manager (CSM).

Note: The submission site will ignore the hyphens.  

If you have difficulty locating your Support ID, please open a case for additional assistance.

How many files can I submit?

You can upload multiple files at once by using WinZip or WinRAR. As of September 2019, a zipped file can be password-protected.

The maximum total size for one submission is 100 MB. Do not submit more than 9 files in any zip file, regardless of size.

Note: Some file types, like .jar and .cab, may be containers that include files exceeding the maximum file count.
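A pre-submission check of these limits, as an added example that is not Symantec tooling: it counts the files in a zip and lists the contents of any .jar inside it, since a .jar is itself a zip. The names `check_submission` and `make_zip` are hypothetical, and reading the 100 MB limit as 100 × 1024 × 1024 bytes of archive size is an assumption.

```python
import io
import zipfile

MAX_FILES = 9                      # page: no more than 9 files in any zip
MAX_BYTES = 100 * 1024 * 1024      # page: 100 MB; assumed to mean archive size in MiB
CONTAINERS = (".jar", ".cab")      # container types the page names


def make_zip(entries):
    """Build an in-memory zip from {name: bytes}; used for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def check_submission(archive):
    """Return findings for a zip given as bytes; an empty list means it fits the limits."""
    findings = []
    if len(archive) > MAX_BYTES:
        findings.append("FAIL: archive exceeds 100 MB")
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        files = [i for i in zf.infolist() if not i.is_dir()]
        if len(files) > MAX_FILES:
            findings.append(f"FAIL: {len(files)} files in zip, limit is {MAX_FILES}")
        for info in files:
            if not info.filename.lower().endswith(CONTAINERS):
                continue
            # Only a .jar (zip format) can be listed here; skip if encrypted or oversized.
            listable = (info.filename.lower().endswith(".jar")
                        and not info.flag_bits & 0x1
                        and info.file_size <= MAX_BYTES)
            try:
                if not listable:
                    raise zipfile.BadZipFile
                with zipfile.ZipFile(io.BytesIO(zf.read(info))) as inner:
                    n = sum(1 for i in inner.infolist() if not i.is_dir())
                if n > MAX_FILES:
                    findings.append(f"FAIL: {info.filename} holds {n} files")
            except zipfile.BadZipFile:
                findings.append(f"CHECK: {info.filename} is a container; count its files by hand")
    return findings


if __name__ == "__main__":
    # Constructed sample: one text file plus a .jar wrapping 12 entries.
    jar = make_zip({f"c{i}.class": b"\xca\xfe" for i in range(12)})
    for line in check_submission(make_zip({"note.txt": b"hi", "tool.jar": jar})):
        print(line)
```

Entries in a password-protected zip are reported as CHECK rather than opened, because the script never asks for the password.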

Can I provide information or ask questions at this site?

The web submission form includes a field to detail symptoms you believe are associated with this file. Symantec Security Response does not provide answers to questions posed in this form. If you need further information, please contact Technical Support.

How do I proceed when an email prompts to download a file from a suspicious URL?

WARNING: Do not download the file under any circumstances!

SymSubmit can also accept malicious URLs which serve a malware file. Symantec Security Response will attempt to download the file from the link and process it like a standard submission.

For emails which prompt for credentials rather than download a file, submit to your AntiSpam vendor.  The suspected missed malware portal is not for phishing mails, phishing attachments or missed spam, though it is possible to paste in the URL of undetected phishing websites.

What happens next?

  1. You will receive an automated email reply that contains the tracking number for this submission. Please retain this number. The sender's address will be [email protected]
  2. Your submission will be immediately scanned by our automated system using current certified and current rapid release definitions. If this file has been previously submitted, you will receive an automated closing email. The email will include the known determination and, if malicious or a security risk, instructions on how to retrieve definitions that will detect the file.
  3. The Symantec Security Response engineer who reviews the file will make a determination on the status of the file. If clean, they will close the submission process and an automated email message will be sent identifying the file as clean.
  4. If Symantec Security Response determines that the file is malicious or is a security risk, the engineer will create a signature that will trigger a detection on this file. They will then pass the submission on to a Quality Assurance (QA) engineer.
  5. Once the QA engineer has verified that the signature correctly identifies the file, that engineer will close the submission process and an automated email message will be sent. This message will indicate the determination on the file and include instructions on how to download definitions that contain the detection.

What if I want to submit a file that I believe is being falsely detected?

Submit files you believe are being falsely detected using SymSubmit's Incorrectly Detected by Symantec tab. A reference number will be sent via email upon submission.  Symantec engineers will maintain contact through email as the reported false positive is investigated. To learn more, see Submit false positives detected by Endpoint Protection.

Suspected IPS false positives are also reported through that same SymSubmit website. To learn more, see Responding to suspected IPS false positives in Endpoint Protection.

Is this a secure submission site?

Yes, the website uses HTTPS. It also takes advantage of Secure Sockets Layer (SSL) and 128-bit encryption, providing a secure method of transporting the files to Symantec.


For additional recommendations on using the web submission forms, see Symantec Insider Tip: Successful Submissions.