Introduction
This is the sixth in an informal series on how to keep your enterprise environment secure using often-overlooked capabilities of Symantec Endpoint Protection (and the OS upon which it functions).
- The first article, Using SEPM Alerts and Reports to Combat a Malware Outbreak, demonstrated how to use the reporting features of SEP 12.1's SONAR component to identify suspicious files for which no AntiVirus signatures had yet been created.
- The second, Recovering Ransomlocked Files Using Built-In Windows Tools, deals with a few possible ways to prevent, and recover from, one of today's most destructive threats, should it infect your network and hold your data hostage.
- Third came Two Reasons why IPS is a "Must Have" for your Network, which illustrated how SEP's optional Intrusion Prevention System (IPS) component can help security admins keep their organization secure and track down infected computers on the network.
- The Day After: Necessary Steps after a Virus Outbreak is for use after the attacks have ended. This fourth article is intended to help admins prevent further attacks and make recovery from any future infection as painless as possible.
- Killing Conficker: How to Eradicate W32.Downadup for Good gives admins the techniques they need to eliminate one of their network's most persistent pests: W32.Downadup, also known as the Conficker worm.
This new "Symantec Insider Tip" article aims to provide advice and examples of how to get your suspicious files to the correct team, in the correct format, with all the correct information necessary for speedy processing.
Symantec's Official Article
By "submission" I mean sending questionable files to Symantec's Security Response department for analysis. Please read the following article for the official word on the submissions process.
How to Use the Web Submission Process to Submit Suspicious Files
Article URL http://www.symantec.com/docs/TECH102419
Tip!
- For files that are suspected of being malicious, your Technical Support Engineer can provide the correct submission URL based on your current contract.
- For files that you believe to be safe but which are being detected, use Symantec's False Positive Submission Site regardless of your contract.
What to Submit
Symantec adds protection against thousands of new threats every day. Definitions are continuously updated in response to submissions received from customers, so please submit:
- Files that are given bad reputations by the SymHelp Threat Analysis Scan with a recommendation to "submit" or "remove"
- Files that are recommended for submission by Symantec Tech Support, after your SymHelp diagnostics or other logs are examined
- Files which other vendors detect but are not found by Symantec Endpoint Protection or another Symantec security product
- Files which a SEPM's SONAR or IPS reports indicate are responsible for suspicious activity
Malicious files that are engineered to attack Android, Linux, Mac and other non-Windows systems are also submitted through the same web portals. There's no special URL necessary for non-Windows threats.
What Not to Submit
In almost all cases, Security Response needs the undetected malicious executable file which is responsible for the infection. Submitting any of the following to them will be of little use:
- Text files, .ini files, .xml files and similar
- Files that have been corrupted or locked by a threat like Trojan.Cryptolocker
- Phishing mails (these are not harmful in themselves). If a mail has a suspicious attachment, submit that attachment. If the mail has a link to an .exe, download the .exe and submit that.
- Files that have been digitally signed by Microsoft or another major vendor.
- Files that are already detected by SEP or another Symantec security product (.vbn for example)
- Screenshots of the malicious file or the damage it has done
- Output from the SymHelp diagnostic tool (send those .sdbz or .sdbd files to Technical Support, not directly to Security Response!)
- Any materials related to a new or existing Technical Support case
For safety reasons, anything submitted to Security Response stays in Security Response. Those files cannot be forwarded on to other departments.
The web portal system will not be able to process:
- Files larger than 20 MB
- Compressed (zipped) files with more than 9 files inside
- Compressed (zipped) files which contain more than 20 MB of content
- Compressed (zipped) files with a password
- Compressed files in a format other than ZIP or RAR
Also:
- If you believe that a detection is a False Positive, please only submit it to https://submit.symantec.com/false_positive/. That's the way to make sure they get to the correct team.
How to Submit It
When filling out the form, you will need to provide your name, company name, email address and Support ID number. You can also enter comments into the Additional File Information field.
Tip!
- Please be sure that the email address used for submissions is a Contact Email address associated with your company's account. Otherwise the submission may not be processed as quickly as your contract entitles.
Ensuring Everything is On Track
Immediately after submitting, there will be an acknowledgement screen displayed. A short time later, an email will be dispatched containing the submission's Tracking Number.
[TRACKING]: Symantec Security Response Automation (Tracking #XXXXXXXX)
Use that reference should you need to make contact with any questions. If hours pass without a Tracking Number arriving, please check your junk mail folder and the email processing rules within your company. If there is still no sign of the mail, contact Technical Support to ensure that the submission has in fact been successfully received and is queued for processing. (They can identify the submission using the MD5 hash of one of the submitted files or the email address that was specified.)
Submissions may be processed quickly, or they may require several days. This depends on the current level of activity in the worldwide threat landscape, something beyond Symantec's control.
When analysis is complete, another email will be dispatched which contains an overview of the findings.
[CLOSED]: Symantec Security Response Automation (Tracking #XXXXXXXX)
If that suspicious file has been confirmed to be malicious, this mail will contain information on how to download new Rapid Release definitions so you can apply protection throughout your organization.
The final mail sent will supply details, when available, on the file changes, network activity and other nastiness this particular malicious file carries out.
Symantec Security Response Scribe Automation (Tracking #XXXXXXXX) [BETA]
What to do while Submissions are being Processed
If you have submitted a file that you believe is malicious, don't just wait for Security Response to produce definitions against it! There are important actions that must be taken to prevent that infection from spreading its damage throughout your network. See "Step 3. Quarantine the Infected Computers" in the following article:
Best Practices for Troubleshooting Viruses on a Network
Article URL http://www.symantec.com/docs/TECH122466
If you can't just pull the network cable on the infected computer, there are many ways SEP's components can lock down the system and the network and help slow the spread of the threat.
It's also a good idea to submit the file to threatexpert.com for a quick, automated analysis. That may alert you to (for example) Internet IP addresses or domains that you should be blocking at the corporate firewall, severing communications to the threat's remote Command & Control servers.
How to submit files to ThreatExpert
Article URL http://www.symantec.com/docs/TECH96745
FAQ for Y-O-U
Q. Can't I just email the malicious file to Symantec?
A. No, the only method of getting suspicious content to Security Response is via the web portal. Sales, Tech Support and other departments within Symantec cannot receive potentially malicious content.
Q. I thought SEP was automatically making a lot of submissions of files in the background- why don't I get Tracking Numbers for those?
A. When configured to do so, SEP will send anonymous data to Security Response. Symantec Security Response and the Global Intelligence Network use this submitted information to quickly formulate responses to new and developing security threats. The data that you submit improves Symantec's ability to respond to threats and customize protection. (So, please do always allow submissions!)
Because that information is submitted anonymously, there is no way to trace it back and send out a tracking number. The article below has details:
Enabling or disabling client submissions to Symantec Security Response
Article URL http://www.symantec.com/docs/HOWTO81000
Q. We have found a mountain of malicious files! We've put them all in one giant 500 MB .zip. I can submit that, right?
A. Sorry, no. Think of all the freight deliveries coming into a city. Rather than building a supersized railroad with tracks 100 feet apart and a car as big as a cruise ship, all the incoming goods are divided up into a long train of standard-sized freight cars. That's the way the delivery system is designed. The same goes for submissions to Security Response. Each .zip needs to have no more than 9 files within and a decompressed size of no more than 20 MB, or else it will go off the tracks.
Q. What if the file I need to submit is larger than 20 MB?
A. Malicious files are generally (but not always!) smaller than that. For large files, check with Tech Support. They can supply instructions on how to proceed.
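The following Python helper is an added example, not a Symantec tool and not part of the original article. It applies the portal limits listed under "What Not to Submit" and answers the two questions above in code: it skips the file types Security Response cannot use (.txt, .ini, .xml, .vbn, and SymHelp .sdbz/.sdbd output), sets aside any single file above 20 MB for a conversation with Tech Support, splits the rest into ZIP archives of at most 9 files and 20 MB of content, records each packed file's MD5 so the submission can later be identified (see "Ensuring Everything is On Track"), and re-checks every finished archive against the portal rules (archive size, file count, content size, password-protected entries, ZIP format). The archive naming, the manifest layout and the sample files built in demo() are assumptions made for illustration.

```python
# Added example, not a Symantec tool: pack suspicious files into ZIPs that the
# web portal accepts. Limits and skip-list come from the article; names and
# the inputs built in demo() are constructed for illustration.
import hashlib
import os
import tempfile
import zipfile

MAX_FILES_PER_ZIP = 9                   # portal: at most 9 files per archive
MAX_BYTES_PER_ZIP = 20 * 1024 * 1024    # portal: at most 20 MB of content
# File types the article lists as of little use to Security Response.
SKIP_EXTENSIONS = {".txt", ".ini", ".xml", ".vbn", ".sdbz", ".sdbd"}


def md5_of(path, chunk=1 << 20):
    """Hex MD5 of a file; Tech Support can locate a submission by this hash."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def plan_batches(entries):
    """Split (name, size) pairs into (batches, oversized, skipped).

    batches: lists of names, each <= 9 files and <= 20 MB; oversized: single
    files above 20 MB (ask Tech Support); skipped: unusable file types.
    """
    batches, oversized, skipped = [], [], []
    current, current_bytes = [], 0
    for name, size in entries:
        if os.path.splitext(name)[1].lower() in SKIP_EXTENSIONS:
            skipped.append(name)
            continue
        if size > MAX_BYTES_PER_ZIP:
            oversized.append(name)
            continue
        if current and (len(current) == MAX_FILES_PER_ZIP
                        or current_bytes + size > MAX_BYTES_PER_ZIP):
            batches.append(current)     # close the batch before it overflows
            current, current_bytes = [], 0
        current.append(name)
        current_bytes += size
    if current:
        batches.append(current)
    return batches, oversized, skipped


def check_archive(path):
    """Return the portal rules a finished archive breaks (empty list = OK)."""
    problems = []
    if os.path.getsize(path) > MAX_BYTES_PER_ZIP:
        problems.append("archive larger than 20 MB")
    if not zipfile.is_zipfile(path):    # portal also takes RAR; we only build ZIP
        return problems + ["not a ZIP archive"]
    with zipfile.ZipFile(path) as zf:
        infos = [i for i in zf.infolist() if not i.is_dir()]
        if len(infos) > MAX_FILES_PER_ZIP:
            problems.append("more than 9 files inside")
        if sum(i.file_size for i in infos) > MAX_BYTES_PER_ZIP:
            problems.append("more than 20 MB of content")
        if any(i.flag_bits & 0x1 for i in infos):   # GP bit 0 = entry encrypted
            problems.append("password-protected entries")
    return problems


def package(paths, outdir):
    """Write submission_NN.zip files; return (zips, {name: (zip, md5)}, oversized, skipped)."""
    by_name = {os.path.basename(p): p for p in paths}
    batches, oversized, skipped = plan_batches(
        [(n, os.path.getsize(p)) for n, p in by_name.items()])
    zips, manifest = [], {}
    for n, batch in enumerate(batches, start=1):
        zpath = os.path.join(outdir, "submission_%02d.zip" % n)
        with zipfile.ZipFile(zpath, "w", zipfile.ZIP_DEFLATED) as zf:
            for name in batch:
                zf.write(by_name[name], arcname=name)
                manifest[name] = (zpath, md5_of(by_name[name]))
        zips.append(zpath)
    return zips, manifest, oversized, skipped


def demo():
    """Package a constructed sample set and return what was produced."""
    work = tempfile.mkdtemp(prefix="sub_")
    # Constructed inputs: 12 dummy executables, a SEP quarantine file, a text
    # file and one sparse file just over the 20 MB limit.
    samples = {"sample_%02d.exe" % i: b"MZ" + bytes([i]) * 1024 for i in range(12)}
    samples.update({"quarantined.vbn": b"vbn", "notes.txt": b"not useful"})
    paths = [os.path.join(work, name) for name in samples]
    for path, data in zip(paths, samples.values()):
        with open(path, "wb") as f:
            f.write(data)
    paths.append(os.path.join(work, "huge_dump.bin"))
    with open(paths[-1], "wb") as f:
        f.truncate(MAX_BYTES_PER_ZIP + 1)   # size is what matters, not content
    zips, manifest, oversized, skipped = package(paths, work)
    return {"zips": zips, "checks": {z: check_archive(z) for z in zips},
            "manifest": manifest, "oversized": oversized, "skipped": skipped}
```

Running demo() packs the twelve dummy executables into two archives (nine files, then three), reports huge_dump.bin as oversized and the .vbn and .txt files as skipped, and returns an empty problem list for both archives. Keep the manifest with the Tracking Number you receive: if the acknowledgement mail never arrives, the MD5 of any packed file is exactly what Tech Support asks for to locate the submission.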
Q. In my spare time I am building a comprehensive collection of every executable that has ever existed. Wow, there's a heaping cartload, and I'm only up to 1996! Just in case one of them may have been malicious, I'll submit these beauties all at once to Security Response to see if there has ever been a variant of virus, worm, or whatsit that your engineers have never seen.
A. Thanks, but no. Please only submit files that are suspected of being malware involved in a current outbreak on your own network. Our resources are committed to helping combat today's real-world security threats.
Q. I write code for a software company. Is there any way to submit my latest build to Symantec, ahead of its public release, to make sure my customers won't experience False Positives on this new (and initially unknown) version?
A. Yes! This article has all the details:
Software developer would like to add his/her software to the Symantec White-List.
Article URL http://www.symantec.com/docs/TECH132220
Conclusion
If in doubt about whether or not to submit a particular file, please do ask! Tech Support has trained experts who can examine a diagnostic and swiftly spot the suspicious materials within. They can also provide best practice and recommendations that can help keep your network, data and users safe.
Many thanks for reading! Please do leave comments and feedback below.