Until October 2019, Symantec Security Response maintained several different portals through which customers could report suspected missed malware samples, suspected False Positives, phishing domains and so on.  In that month SymSubmit was launched, uniting all products and all needs under one convenient location.  

Most fields and selections on SymSubmit are self-explanatory.  This document aims to provide guidance and answer FAQs about the use of this portal.

To Submit Suspected Misses

Suspicious files and suspected phishing websites which are not currently detected by your Symantec product can be submitted to Security Response for examination. Click on Malware Not Detected tile and be sure to complete the form. 

• If these submissions are confirmed to be malicious, protection will be added against them.
• If a sample is already being detected and is submitted via the "Malware Not Detected" tab, the submission will automatically be closed.  

Files can be uploaded, submitted by their MD5 or SHA256 hash (if that file is publicly available from virustotal.com), or submitted by URL (if that URL leads to a directly downloadable file).

Suspected Phishing sites are webpages which imitate a legitimate site in an attempt to trick visitors into providing their credentials. Provide the URL of the suspected phishing page, including http:// or https:// or ftp://.

To Make a False Positive Submission

If a file is believed to be innocent/clean file but is being detected, make a submission by choosing the tile: "Clean Software Incorrectly Detected".

• If these submissions are confirmed to be False Positives (that is, non-malicious), protection will be removed.
• If a submission is not being detected and is submitted via the "Clean Software Incorrectly Detected" tab, the submission will be closed as non-reproducible. Undetected files will not be processed.

Files can be uploaded, submitted by their MD5 or SHA256 hash (if that file is publicly available from virustotal.com), or submitted by URL (if that URL leads to a directly downloadable file).  It is also possible to provide a password protected URL submission, if a password is necessary to download the detected file from a URL. For customers who experience a suspected False Positive in the Content and Malware Analysis / Web Security Service Malware Analysis Service, it is possible to provide blocked file's URL.

Through the Clean Software Incorrectly Detected tile, it is important to provide full and complete Product Details about which product and component were involved.  Security Response will attempt to reproduce the submission's detection, but if they are scanning (for example) am IPS packet capture (.pcap) file with AntiVirus definitions, nothing will happen.  If they are replaying that packet capture, an IPS vent will be triggered.

• When did the detection you are reporting occur?
• Which product were you using when you saw this?
• Which of the following types of detection are you reporting?
• Name of detection given by the Broadcom product
• It may be helpful to open a Technical Support case and provide logs showing the detection.

What information is needed?

In addition to the file or website submitted, there is an Additional Details input field that can accept up to 20000 characters.  If you have a case open with Technical Support, do specify the case number here.  Provide any additional information that will assist Security Response engineers in processing the submission.  Note that Security Response will not be able to respond to any questions or concerns in the Additional Details field- please contact Technical Support for assistance.    

In the other fields, provide the following information:

• Submission Type (select the method of submission: File/URL/Hash)
• Contact name
• Email address (A Tracking Number will be mailed to this address)
• Site ID number*

Where can I find my Site ID number?

Your Site ID number is written on your entitlement records/can be located through the Support portal.  

If you have difficulty locating your Site ID, please open a case with customer care for additional assistance.

What are SymSubmit's limits?

• Uploads may be a maximum size of 750 MB.
• Uploads may be a ZIP or RAR archive containing a maximum of 9 files in itself.
• Uploads must not be password protected.
• Uploads may also be a single MSG or EML file with attachment(s).
• The file associated with the hash should be available publicly and may be a maximum size of 500 MB.
• The hash provided should be in the MD5 or SHA-256 format only.
• The hash provided should be of only a single file. Containers such as ZIP or RAR are not supported.
• The file returned from the URL may be a maximum size of 500 MB for False Negative Submissions, and 1 GB for False Positive Submissions.

How many files can I submit?

You can upload multiple files at once by using WinZip or WinRar. As of September 2019, a zipped file can be password-protected.

The maximum size for one submission is 750 MB. Do not submit more than 9 files in any zip file, regardless of size.

Note: Some file types, like .jar and .cab, may be containers that include files exceeding the maximum file count.

Additional information and FAQ can be found in the Connect article Symantec Insider Tip: Successful Submissions!