Using SymSubmit for Symantec and Carbon Black Products

Article ID: 176256

Products

Endpoint Protection, Carbon Black Cloud Container, Carbon Black Cloud Endpoint Standard, Carbon Black Cloud Enterprise EDR, Carbon Black Cloud Workload, Carbon Black EDR, Protection Engine for NAS, Protection Engine for Cloud Services, Protection for SharePoint Servers, Mail Security for Microsoft Exchange, CASB Security Advanced, CASB Securlet SAAS

Issue/Introduction

 

You use SymSubmit to submit suspected missed malware files and phishing websites to Broadcom.

Until October 2019, Symantec Security Response maintained several different portals through which customers could report suspected missed malware samples, suspected false positives, phishing domains, and so on. In that month SymSubmit was launched, uniting all products and all needs under one convenient location.  

Most fields and selections on SymSubmit are self-explanatory.  This document aims to provide guidance and answer FAQs about the use of this portal.

 

Resolution

To submit a suspicious file or website

Suspicious files and suspected phishing websites that are not currently detected by your Symantec and Carbon Black products can be submitted to Security Response for examination.

  • If these submissions are confirmed to be malicious, protection will be added against them.
  • If a sample has already been detected and you submit it through the Malware not detected option, the submission will automatically be closed.

WARNING: Do not send any malicious, detected, or suspected files via email or upload them to cases. The submission portal is the only acceptable option for submitting files to Security Response.

  1. Go to SymSubmit.
  2. On the Submit a file to Symantec Security Response for review page, click Malware not detected.

  3. Complete the form.
    • For file submissions, you can upload files, add an MD5 or SHA256 hash (if that file is publicly available from virustotal.com), or provide the URL for a directly downloadable file.
    • Suspected phishing websites imitate a legitimate site in an attempt to trick visitors into providing their credentials. To submit a suspicious website, click Provide Suspected Malicious / Phishing Website and provide the URL of the suspicious phishing page, including http://, https://, or ftp://. 

      For additional information about completing the form, see What information do I need to provide?.

  4. Click either Symantec or Carbon Black.

  5. Click Submit.

To submit a false positive

If you believe that a file, URL, or website is innocent or clean but Broadcom detects it as suspicious, make a submission. If these submissions are not being detected and are confirmed to be false positives (that is, non-malicious), Security Response removes the protection. Undetected files are not processed. A reference number will be sent by email upon submission. Broadcom engineers will maintain contact through email as the reported false positive is investigated.

You should provide full and complete details about which product and components were involved. Security Response will attempt to reproduce the submission's detection, but if, for example, they are scanning an IPS packet capture (PCAP) file with antivirus definitions, nothing will happen. If they are replaying that packet capture, an IPS event will be triggered.

  • When did the detection you are reporting occur?
  • Which of the following types of detection are you reporting?
  • What is the name of detection given by the Broadcom product?
  • Did you open a Technical Support case and provide logs showing the detection?
  • Which product were you using when you saw this?

  1. Go to SymSubmit.
  2. On the Submit a file to Symantec Security Response for review page, click Clean software incorrectly detected.
  3. Complete the form. 
    • In the Submission Type field, you can submit files, URLs, or websites. 
      • For File Submissions, you can upload files, add an MD5 or SHA256 hash (if that file is publicly available from virustotal.com), or provide the URL for a directly downloadable file or a password-protected file.
      • For Symantec customers who experience a suspected false positive in the Content and Malware Analysis/Cloud SWG Malware Analysis Service, use the Provide blocked file URL option. 
      • Any File Submission option that you select displays the Product Details section below it. In the Which product were you using when you saw this? drop-down list, if your product is not listed, select Don’t know, am unsure, or the options provided do not apply.

         

    For additional information about completing the form, see What information do I need to provide?.

  4. Click Submit.

For more information on Symantec submissions, see: How to Submit False Positives on Content Analysis to Symantec.

Suspected IPS false positives are also reported through that same SymSubmit website. To learn more, see Responding to suspected IPS false positives in Endpoint Protection.

What information do I need to provide?    

In the other fields, provide the following information.

  • Submission Type (File/URL/Website).
    In the Additional Details field, provide any more information that will assist Security Response engineers in processing the submission. If you have a case open with Technical Support, specify the case number here. Security Response will not be able to respond to any questions or concerns in the Additional Details field. Instead, contact Technical Support for assistance. This text field accepts up to 20,000 characters.
  • Contact name.
  • Email address. Symantec Response sends a tracking number to this address.
  • Site ID number. See Where can I find my Site ID number?

Note: You no longer need to use your Contact ID number to submit files to Security Response.

Where can I find my Site ID number?

Your Site ID number is written on your entitlement records and can be located through the Support portal. If you cannot locate your Site ID, see Find your Broadcom Support Site ID or open a case with Broadcom Customer Care.

The submission site ignores the hyphens.

Note: For some Symantec Enterprise customers, the Site ID is also called the Support ID. Your Site ID number is written on your Symantec support certificate or was provided by your Designated Support Engineer (DSE)/Customer Success Manager (CSM).

What are SymSubmit's limits?

  • Uploads may be a maximum size of 750 MB.
  • Uploads may be a ZIP or RAR archive containing a maximum of 9 files, regardless of their size.
  • Uploads must not be password-protected.
  • Uploads may also be a single MSG or EML file with attachment(s).
  • The file associated with the hash should be available publicly and may be a maximum size of 500 MB.
  • The hash provided should be in the MD5 or SHA-256 format only.
  • The hash provided should be of only a single file. Containers such as ZIP or RAR are not supported.
  • The file returned from the URL may be a maximum size of 500 MB for false negative submissions, and 1 GB for false positive submissions.
  • Some file types, like JAR and CAB, may be containers that include files exceeding the maximum file count.
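
A local pre-check against the limits listed above can catch a submission that would be rejected before you upload it. The following is an added example, not Broadcom code: the function names are hypothetical, 1 MB is assumed to be 1024*1024 bytes, and RAR archives are only recognised by signature (their contents are not inspected).

```python
import hashlib
import os
import re
import zipfile

# Limits from the list above; 1 MB = 1024*1024 bytes is an assumption.
MB = 1024 * 1024
MAX_UPLOAD, MAX_HASH_FILE, MAX_MEMBERS = 750 * MB, 500 * MB, 9
HASH_RE = re.compile(r"[0-9a-fA-F]{32}|[0-9a-fA-F]{64}")

def hash_kind(value):
    """Return 'MD5' or 'SHA-256' for a well-formed hash string, else None."""
    value = value.strip()
    if not HASH_RE.fullmatch(value):
        return None
    return "MD5" if len(value) == 32 else "SHA-256"

def sha256_of(path):
    """Hash the file in chunks; the sample is only read, never executed."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def check_sample(path):
    """Return (upload_problems, hash_problems) for a file on disk."""
    size = os.path.getsize(path)
    with open(path, "rb") as fh:
        is_rar = fh.read(6) == b"Rar!\x1a\x07"  # RAR 4 and RAR 5 signature
    is_zip = zipfile.is_zipfile(path)  # also true for ZIP-based types like JAR
    upload, by_hash = [], []
    if size > MAX_UPLOAD:
        upload.append("larger than 750 MB")
    if is_zip:
        with zipfile.ZipFile(path) as zf:
            members = [m for m in zf.infolist() if not m.is_dir()]
        if len(members) > MAX_MEMBERS:
            upload.append(f"{len(members)} files in archive (limit 9)")
        # Bit 0 of a member's general-purpose flags means it is encrypted.
        if any(m.flag_bits & 0x1 for m in members):
            upload.append("archive is password-protected")
    if is_zip or is_rar:
        by_hash.append("hash must be of a single file, not a ZIP/RAR")
    if size > MAX_HASH_FILE:
        by_hash.append("larger than 500 MB")
    return upload, by_hash
```

An empty first list means the file fits the upload limits; an empty second list means the value from `sha256_of` is suitable for the hash option, provided the file is also publicly available.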

For more information and FAQs, see Symantec Insider Tip: Successful Submissions!

Can I provide information or ask questions at this site?

The web submission form includes the Additional Details field to add symptoms you believe are associated with this file. Symantec Security Response does not provide answers to questions posed in this form. If you need more information, contact Technical Support.

How do I proceed when an email prompts to download a file from a suspicious URL?

WARNING: Do not download the file under any circumstances!

SymSubmit can also accept malicious URLs that serve a malware file. Security Response attempts to download the file from the link and process it like a standard submission.

Note: For emails that prompt for credentials rather than for a file download, see Spam email not detected by Symantec Email Security.Cloud. The suspected missed malware portal is not for phishing mails, phishing attachments, or missed spam, though it is possible to paste in the URL of undetected phishing websites.

What happens next?

  1. You will receive an automated email reply that contains the tracking number for this submission. Retain this number. The sender's address will be [email protected].
  2. Your submission will be immediately scanned by our automated system using current certified and current rapid release definitions. If this file has been previously submitted, you will receive an automated closing email. The email will include the known determination and, if the submission is malicious or a security risk, instructions on how to retrieve definitions that will detect the file.
  3. The Security Response engineer who reviews the file will make a determination on the status of the file. If the file is clean, they will close the submission process and an automated email message will be sent identifying the file as clean.
  4. If Security Response determines that the file is malicious or is a security risk, the engineer will create a signature that will trigger a detection on this file. They will then pass the submission on to a Quality Assurance (QA) engineer.
  5. Once the QA engineer has verified that the signature correctly identifies the file, that engineer will close the submission process and an automated email message will be sent. This message will indicate the determination on the file and include instructions on how to download definitions that contain the detection.
  6. If you need more information about a submission after you receive the automated emails, open a Broadcom support case.

Is this a secure submission site?

Yes, the website uses HTTPS. It also takes advantage of Secure Sockets Layer (SSL) and 128-bit encryption, providing a secure method of transporting the files to the Security Response team.
