Using SymSubmit

Article ID: 176256

Products

Endpoint Protection

Issue/Introduction

Until October 2019, Symantec Security Response maintained several different portals through which customers could report suspected missed malware samples, suspected False Positives, phishing domains and so on.  In that month SymSubmit was launched, uniting all products and all needs under one convenient location.  

This SymSubmit site is currently in Beta. The look, feel and functionality of the finished site may be different.

Most fields and selections on SymSubmit are self-explanatory.  This document aims to provide guidance and answer FAQs about the use of this portal.

Resolution

To Submit Suspected Misses

Suspicious files and suspected phishing websites which are not currently detected by your Symantec product can be submitted to Security Response for examination.  Please be sure to complete the form on the Not Detected by Symantec tab.  If these submissions are confirmed to be malicious, protection will be added against them.

If a submission is already being detected and is submitted via the "Not Detected by Symantec" tab, the submission will automatically be closed.  

Files can be uploaded, submitted by their MD5 or SHA256 hash (if that file is publicly available from virustotal.com), or submitted by URL (if that URL leads to a directly downloadable file).

Suspected Phishing sites are webpages which imitate a legitimate site in an attempt to trick visitors into providing their credentials. Provide the URL of the suspected phishing page, including http:// or https:// or ftp://.

 

To Make a False Positive Submission

If a file is believed to be innocent but is being detected, make a submission using the tab Incorrectly Detected by Symantec. If these submissions are confirmed to be False Positives (that is, non-malicious), protection will be removed.

If a submission is not being detected and is submitted via the "Incorrectly Detected by Symantec" tab, the submission will be closed as non-reproducible. Undetected files will not be processed.

Files can be uploaded, submitted by their MD5 or SHA256 hash (if that file is publicly available from virustotal.com), or submitted by URL (if that URL leads to a directly downloadable file).  It is also possible to provide a password-protected URL submission, if a password is necessary to download the detected file from a URL. Customers who experience a suspected False Positive in the Content and Malware Analysis / Web Security Service Malware Analysis Service can provide the blocked file's URL.

On the Incorrectly Detected by Symantec tab, it is important to provide full and complete Product Details about which product and component were involved.  Security Response will attempt to reproduce the submission's detection, but if they are scanning (for example) an IPS packet capture (.pcap) file with AntiVirus definitions, nothing will happen.  If they are replaying that packet capture, an IPS event will be triggered.

  • When did the detection you are reporting occur?
  • Which product were you using when you saw this?
  • Which of the following types of detection are you reporting?
  • Name of detection given by Symantec product

It may be helpful to open a Technical Support case and provide logs showing the detection.

 

What information is needed?

In addition to the file or website submitted, there is an Additional Details input field which can accept up to 20000 characters.  If you have a case open with Technical Support, do specify the case number here.  Please provide any additional information that will assist Security Response engineers in processing the submission.  Note that Security Response will not be able to respond to any questions or concerns in the Additional Details field; please contact Technical Support for assistance.

In the other fields, provide the following information:

  • Customer Type (select Symantec Enterprise Customer if you have a current Enterprise contract.  Otherwise choose Norton Home Customer.)
  • Contact name
  • Email address (A Tracking Number will be mailed to this address)
  • Support ID number (for Premium Enterprise Customers only)

Check "I'm not a robot" on the CAPTCHA

Where can I find my Support ID number?

Your Support ID number is written on your Symantec support certificate. It is a twelve-digit number in the following format: XXXX-XXXX-XXXX.

Note: The submission site will ignore the hyphens.  

If you have difficulty locating your Support ID, please open a case for additional assistance.

What are SymSubmit's limits?

  • Uploads may be a maximum size of 100MB
  • Uploads may be a ZIP or RAR archive containing a maximum of 9 files
  • Uploads must not be password protected
  • Uploads may also be a single MSG or EML file with attachment(s)

  • The file associated with the hash should be publicly available and may be a maximum size of 100MB
  • The hash provided should be in the MD5 or SHA-256 format only
  • The hash provided should be of a single file only. Containers such as ZIP or RAR are not supported

  • The file returned from the URL may be a maximum size of 50MB

How many files can I submit?

You can upload multiple files at once by using WinZip or WinRar. As of September 2019, a zipped file can be password-protected.

The maximum size for one submission is 100 MB. Do not submit more than 9 files in any zip file, regardless of size.

Note: Some file types, like .jar and .cab, may be containers that include files exceeding the maximum file count.
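
An added example (not Symantec's code and not part of the original article): a local pre-flight check that computes the MD5 and SHA-256 hashes SymSubmit accepts and tests an upload candidate against the limits listed above. It inspects ZIP-structured files only (which includes .jar); RAR and .cab need a third-party parser, and reading "100MB" as 100 × 1024 × 1024 bytes is an assumption.

```python
import hashlib
import io
import zipfile

MAX_UPLOAD_BYTES = 100 * 1024 * 1024  # "100MB"; binary megabytes is an assumption
MAX_ARCHIVE_FILES = 9                 # limit stated for ZIP or RAR uploads


def preflight(data: bytes) -> dict:
    """Hash one upload candidate and list the stated limits it would break."""
    report = {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": len(data),
        "problems": [],
    }
    if len(data) > MAX_UPLOAD_BYTES:
        report["problems"].append("larger than 100MB")
    buf = io.BytesIO(data)
    # .jar and similar formats are ZIP containers too, so they are counted here.
    if zipfile.is_zipfile(buf):
        with zipfile.ZipFile(buf) as zf:
            files = [i for i in zf.infolist() if not i.is_dir()]
        if len(files) > MAX_ARCHIVE_FILES:
            report["problems"].append(f"{len(files)} files in archive (limit 9)")
        # Bit 0 of the general-purpose flags marks an encrypted entry.
        if any(i.flag_bits & 0x1 for i in files):
            report["problems"].append("archive is password protected")
    return report


def make_sample_zip(count: int) -> bytes:
    """Constructed sample input: an in-memory ZIP holding `count` small files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in range(count):
            zf.writestr(f"sample_{n}.txt", f"constructed test data {n}")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("3 files", make_sample_zip(3)), ("10 files", make_sample_zip(10))):
        result = preflight(blob)
        print(label, result["sha256"], result["problems"] or "within limits")
```

The hashes are taken over the archive itself, so for a hash-based submission run the check on the single extracted file instead, since container hashes are not supported.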

 

 

 

Additional information and an FAQ can be found in the Connect article Symantec Insider Tip: Successful Submissions!