Submit false negative threats missed by email services
search cancel

Submit false negative threats missed by email services


Article ID: 162792


Updated On:


Email Email Threat Detection and Response


Learn how to submit false negatives for the following email services:

  • Symantec Email
  • Symantec Advanced Threat Protection (ATP): Email


What is a false negative?

A false negative occurs when an email containing malware that has been incorrectly identified as being clean of security threats.  (See What is malware? below for an important distinction.)

Submit false negative malware samples via Symantec outlook add-in button

You can use this submission method available in the portal under Services > Email Services > Email Submission Service Settings.

For further details regarding the outlook add-in submission button, please check Symantec Email Submission Add-in for Email 

Submit false negative malware samples via ClientNet Portal

Before submitting a false negative malware sample, perform an Email Track and Trace to verify that the logs for the email exist on the infrastructure. If you cannot locate the email using Email Track and Trace, review the headers of the email to verify that it came through before proceeding with the submission.

Follow these guidelines when submitting a false negative malware sample:

  • Provide the full sample email in .MSG or .EML format.
  • Upload only a single email sample per submission. Do not upload multiple email samples at once.
  • Do not upload only the suspected malware; a full sample is required for verification that the sample came through

For more helpful guidelines, see Symantec Insider Tip: Successful Submissions!

To submit a false negative

  1. Log in to the console.
  2. Click Support > Symantec Intelligence
  3. Select Submit Evidence from the Symantec Security Center page
  4. Submit the following information:
    • Contact name
    • Email address
    • Site ID number
    • The email message in .EML or .MSG format. Symantec recommends one email message per submission.

      Note: Do not submit compressed files that are password-protected.
  5. Click Submit. You will receive notice on-screen that the submission was successful.

What's next?

You will receive a tracking number through email within 30 minutes of submitting the sample and results typically within 12 to 18 hours. If you need to escalate this submission, contact support and provide the submission tracking number.

Symantec monitors submissions and implements detection if we determine that the message is malicious.

Once your submission has been handled by Symantec, you will receive details on whether detection was added or not. If detection was not added, this could be due either to the sample not being malicious, or the sample was improperly submitted.

I have provided a sample but have not heard back from Symantec

If you have provided a legitimate sample and have not received a response from Symantec within 24 hours, contact support with your submission tracking number.

WARNING: Do not attach suspicious files directly to your case.

Request for more information

For more information regarding blocked malware that is not available in Advanced Threat Incidents section in the portal, contact support and provide the submission tracking number.

What is malware?

Malware is software that is intended to damage or disable computers and computer systems. Symantec will add detection for malware email attachments.

If an email contains a phishing or malicious link in nature, submissions will not result in a malware detection. For example, documents that contain no code but an attempt to social engineer the recipient into visiting a phishing page are classified as threat artifacts rather than malware.

To report these, please follow our Anti-Spam False Negative process described in Submit false negative spam emails missed by