ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Submit false negative threats missed by Symantec.cloud email services

book

Article ID: 162792

calendar_today

Updated On:

Products

Email Security.cloud Email Threat Detection and Response

Issue/Introduction

Learn how to submit false negatives for the following Symantec.cloud email services:

  • Symantec Email Security.cloud
  • Symantec Advanced Threat Protection (ATP): Email

Resolution

What is a false negative?

A false negative occurs when an email containing malware has been incorrectly identified as being clean of security threats.  (See What is malware? below for an important distinction.)

Submit false negative malware samples automatically

You can now use the following submission method, available in the Symantec.cloud portal under Services > Email Services > Email Submission Settings.

Submit false negative malware samples manually

Before submitting a false negative malware sample, perform an Email Track and Trace to verify that the logs for the email exist on the Symantec.cloud infrastructure. If you cannot locate the email using Email Track and Trace, review the headers of the email to verify that it came through Symantec.cloud before proceeding with the submission.

Follow these guidelines when submitting a false negative malware sample:

  • Provide the full sample email in .MSG or .EML format.
  • Upload only a single email sample per submission. Do not upload multiple email samples at once.
  • Do not upload only the suspected malware; a full sample is required for verification that the sample came through Symantec.cloud.

For more helpful guidelines, see Symantec Insider Tip: Successful Submissions!

To submit a false negative

  1. Log in to the Symantec.cloud console.
  2. Click Support > Antivirus False Negative Submission.
  3. Submit the following information:
    • First name
    • Last name
    • Company
    • Email
    • Support ID (as shown in the portal)
    • The email message in .EML or .MSG format. Symantec recommends one email message per submission.

      Note: Do not submit compressed files that are password-protected.
       
  4. Click Submit. You will receive notice on-screen that the submission was successful.

What's next?

You will receive a tracking number through email within 30 minutes of submitting the sample and results typically within 12 to 18 hours. If you need to escalate this submission, contact support and provide the submission tracking number.

Symantec monitors submissions and implements detection if we determine that the message is malicious.

Once your submission has been handled by Symantec, you will receive details on whether detection was added or not. If detection was not added, this could be due either to the sample not being malicious, or the sample was improperly submitted.

I have provided a sample but have not heard back from Symantec

If you have provided a legitimate sample and have not received a response from Symantec within 24 hours, contact support with your submission tracking number.


WARNING: Do not attach suspicious files directly to your case.


Request for more information

For more information regarding blocked malware that is not available in Advanced Threat Incidents section in the Symantec.cloud portal, contact support and provide the submission tracking number.

What is malware?

Malware is software that is intended to damage or disable computers and computer systems. Symantec will add detection for malware email attachments.

If an email contains a phishing or malicious link in nature, submissions will not result in a malware detection. For example, documents that contain no code but an attempt to social engineer the recipient into visiting a phishing page are classified as threat artifacts rather than malware.

To report these, please follow our Anti-Spam False Negative process described in Submit false negative spam emails missed by Symantec.cloud.