Microsoft KB Archive/939288

= How to submit malicious software files to Microsoft for analysis =

Article ID: 939288

Article Last Modified on 6/29/2007

-

APPLIES TO


 * Microsoft Forefront Client Security

-



SUMMARY
''When you suspect that a file or a program is malicious, you can submit the file to the Microsoft Research and Response team for analysis. Additionally, if you are using Microsoft Forefront Client Security, you can indicate how this program determined that the file is malicious.

This article describes the methods that you can use to submit the file to Microsoft for analysis. The article also describes how to prepare files for submission.''



INTRODUCTION
This article describes the methods that you can use to submit malicious software (malware) files to Microsoft for analysis.



MORE INFORMATION
You can use one of the following methods to submit malicious software files to Microsoft for analysis:
 * Web-based submission
 * E-Mail submission
 * Submission by Microsoft Customer Support Services
 * Prompted submission

You can use the first three methods if you suspect that a file or a program may be malicious. The last method lets Microsoft ask you to submit a file for analysis.

Web-based submission
To submit files to Microsoft for analysis by using the Web, visit the following Microsoft Malware Protection Center Web site:

http://go.microsoft.com/fwlink/?LinkId=86097

Follow the steps in the "Preparing files for submission" section to prepare an archive file that contains the files that you want to submit. When you submit the archive file, you will be asked to provide the following data:
 * Sample type

Is this malicious software that Forefront Client Security did not determine to be malicious, or do you believe that files were incorrectly determined to be malicious software?
 * Support case number (optional)

A support case is not required to submit files for analysis. However, if a support case is already open for this submission, you can provide this case number.
 * Your e-mail address

Microsoft needs your e-mail address so that we can send you the results of the analysis.
 * Additional e-mail addresses to notify

Sometimes, you may want to specify another e-mail recipient to notify with the findings of the analysis. The Web submission page lets you add more addresses to receive response messages. When you submit the archive file, the Web site processes the file and sends a determination of the files that is based on the current Microsoft malicious software definitions.

The response message
Microsoft will send a response message that includes a list of the files in the archive file. If Microsoft has already analyzed the files that you submitted, the first response message will include the determination that was made for each file. If Microsoft has not analyzed the files, or if you indicate that the files were incorrectly determined to be malicious software, Microsoft will analyze the files.

To correctly understand the response message, you must understand the difference between a determination and the scan results.

The differences between determination and scan results

 * Determination

A determination is associated with a particular file. It is the result of Microsoft's analysis of that file and is entered in the Research and Response team's database.
 * Scan results

Scan results are produced by scanning the individual files with the anti-malicious software definitions.

The determination and the scan result are guaranteed to agree only after a file has been submitted to Microsoft and reviewed by an analyst.

Note The determination may appear as "No determination" even if the Microsoft scan results show that the file is infected. This situation occurs when the detection is made by using a generic algorithm that applies to a family of malicious software. This situation may occur when the name of the malicious software carries a .gen suffix, as in "TrojanDownloader:Win32/Emerleox.gen". In this situation, the determination does not fully represent whether Forefront Client Security determines that a file is malicious software.

Analysis results
After analysis is finished, another message is sent to the e-mail addresses that you provided. This message includes a final determination of the files. If the Microsoft anti-malicious software definitions were updated in response to this submission, the message also includes the following information:
 * The name and the category of the malicious software
 * An Internet link to an online encyclopedia entry about this malicious software threat

Note It may take a short time after the response message is sent for an encyclopedia entry to appear on the Internet.
 * The version of the definition that includes the information about this threat
 * An Internet link to a location that includes the beta definition file

Note See the "Beta definitions" section for more information.

E-mail submission
To send files to Microsoft for analysis by using e-mail, use the following e-mail address:

[mailto:mfcs@submit.microsoft.com mfcs@submit.microsoft.com]

Follow the steps in the "Preparing files for submission" section to prepare an archive file that contains the files that you want to submit. Attach the archive file to the e-mail message. When you submit the file, you must provide the following data:
 * Sample type

If the submission includes files that you believe were incorrectly determined to be malicious software, you must add the words "False Positive" to the e-mail subject. Otherwise, the files will be assumed to be malicious software.
 * Support case number (optional)

A support case is not required to submit files for analysis. However, if a support case is already open for this submission, you can include this case number in the message subject.
 * Your e-mail address

Microsoft will use the e-mail address from which you submit the files to send response e-mail messages. When you submit the archive file, Microsoft processes the file and sends a determination of the files that is based on the current Microsoft malicious software definitions. If necessary, adjust your incoming mail filters so that you can receive this e-mail message.

The response message
Microsoft will send a response message that includes a list of the files in the archive file. If Microsoft has already analyzed the files that you submitted, the first response message will include the determination that was made for each file. If Microsoft has not analyzed the files, or if you indicated that the files were incorrectly determined to be malicious software, Microsoft will analyze the files.

Analysis results
After analysis is finished, another message is sent to the e-mail addresses that you provided. This message includes a final determination of the files. If the Microsoft anti-malicious software definitions were updated in response to this submission, the message also includes the following information:
 * The name and category of the malicious software
 * An Internet link to an online encyclopedia entry about this malicious software threat

Note It may take a short time for an encyclopedia entry to appear on the Internet after the response message is sent.
 * The version of the definition that includes the information about this threat
 * An Internet link to a location that includes the beta definition file

Note See the "Beta definitions" section for more information.

Submission by Microsoft Customer Support Services
Microsoft Customer Support Services can submit files on your behalf to the Microsoft Research and Response team. If you have an urgent malicious software situation that Forefront Client Security does not address, we recommend that you contact Customer Support Services for help. To do this, use the support information that was provided to you when you purchased Forefront Client Security. Or, visit the following Microsoft Web site:

http://support.microsoft.com/gp/assistsupport

Prompted submission
The Microsoft Research and Response team may identify files from which the team can derive more information. If you join the Microsoft SpyNet community, and if Forefront Client Security detects software on the computer that has not yet been classified for risk, you might be asked to send a sample of the software to Microsoft SpyNet for analysis. When you are prompted, Forefront Client Security displays a list of files that can help analysts determine whether the software is malicious. You can decide to send some or all of the files in the list.

Forefront Client Security lets administrators control, by using Group Policy settings, whether computers are joined to the Microsoft SpyNet community. For more information about how to do this, see the Forefront Client Security Administration guide.

How to prepare files for submission
Use care when you handle files that may be classified as malicious software. Add suspected malicious software files to a compressed archive file that uses a password. By doing this, you avoid infecting other computers when the files are in transit or when you submit the files. To add the files to an archive file that uses a password, follow these steps.

Note If WinZip or a similar compression utility is installed, you can use it to create the archive. However, you must use the same file name and the same password that are included in these steps.
 * 1) In Windows Explorer, open the folder that contains the suspected malicious software files.
 * 2) Right-click a blank area in the window, point to New, and then click Compressed (zipped) Folder.
 * 3) Type malware.zip to name the new archive file, and then press ENTER.
 * 4) Drop the suspected malicious software files into the archive file as you would drop them into a typical Windows folder.
 * 5) Double-click the archive file.
 * 6) On the File menu, click Add a Password.
 * 7) In the Password box, type infected.
 * 8) In the Confirm Password box, retype infected, and then click OK.
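The archive that these steps produce, built and checked programmatically, as an added example that is not code from the article or from Microsoft. It assumes only the Python 3 standard library; the legacy ZipCrypto scheme it implements is what the Explorer "Add a Password" dialog applies, and the file names and sample bytes used when it runs are constructed stand-ins.

```python
# Added example (not from the KB article): build the password-protected malware.zip the
# article asks for, in memory, and confirm it opens with "infected" before it is sent.
import io, os, struct, zipfile, zlib

ZIP_NAME, PASSWORD = "malware.zip", b"infected"   # name and password the article requires


def _crc_step(crc, byte):
    # Raw reflected CRC-32 table step; zlib inverts the register on entry and exit, undo both.
    return zlib.crc32(bytes([byte]), crc ^ 0xFFFFFFFF) ^ 0xFFFFFFFF


def _zipcrypto(plain, password, check_byte):
    """Traditional PKWARE (ZipCrypto) encryption of one entry; keeps the sample inert in transit, not strong crypto."""
    keys = [0x12345678, 0x23456789, 0x34567890]

    def update(b):
        keys[0] = _crc_step(keys[0], b)
        keys[1] = ((keys[1] + (keys[0] & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        keys[2] = _crc_step(keys[2], keys[1] >> 24)

    for b in password:
        update(b)
    out = bytearray()
    # 12-byte prefix: 11 random bytes + check byte (CRC high byte) so a wrong password fails fast.
    for b in os.urandom(11) + bytes([check_byte]) + plain:
        k = keys[2] | 2
        out.append(b ^ (((k * (k ^ 1)) >> 8) & 0xFF))   # keystream byte derived from keys[2]
        update(b)                                        # keys advance on the plaintext byte
    return bytes(out)


def build_submission_zip(files, password=PASSWORD):
    """Return zip bytes: every entry stored uncompressed (byte-exact) and encrypted (flag bit 0)."""
    dos_time, dos_date = 0, ((2007 - 1980) << 9) | (6 << 5) | 29   # constructed timestamp
    body, central = bytearray(), bytearray()
    for name, plain in files.items():
        crc = zlib.crc32(plain) & 0xFFFFFFFF
        enc, name_b = _zipcrypto(plain, password, crc >> 24), name.encode("ascii")
        fixed = struct.pack("<HHHHHIII", 20, 1, 0, dos_time, dos_date, crc, len(enc), len(plain))
        central += (b"PK\x01\x02" + struct.pack("<H", 20) + fixed
                    + struct.pack("<HHHHHII", len(name_b), 0, 0, 0, 0, 0, len(body)) + name_b)
        body += b"PK\x03\x04" + fixed + struct.pack("<HH", len(name_b), 0) + name_b + enc
    eocd = b"PK\x05\x06" + struct.pack("<HHHHIIH", 0, 0, len(files), len(files), len(central), len(body), 0)
    return bytes(body + central + eocd)


def verify_submission_zip(data, password=PASSWORD):
    """Open the archive as the recipient would and return {name: plaintext}; raises on an unencrypted entry or wrong password."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if any(not zi.flag_bits & 0x1 for zi in zf.infolist()):
            raise ValueError("unencrypted entry in archive")
        return {zi.filename: zf.read(zi, pwd=password) for zi in zf.infolist()}
```

Write the bytes returned by `build_submission_zip` to `ZIP_NAME` only after `verify_submission_zip` succeeds, so an archive that a mail gateway or the recipient could not open is never sent.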

Beta definitions
The Microsoft Research and Response team updates malicious software definitions with new threat information. Then, the team extensively tests the new definitions. Although this testing protects you as a Forefront Client Security user, the time that is required to perform this testing may be critical during a malicious software crisis in your environment.

Therefore, Microsoft makes available a partially tested beta definition that you can download before the fully tested release version becomes available. You can quickly deploy this beta definition to infected computers. The beta definition may also help protect uninfected computers that are at immediate risk of infection. Beta definitions are not intended for wide deployment. We recommend that Forefront Client Security customers do not deploy them unless the customers are experiencing the malicious software threat for which the beta definitions were explicitly created.

The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.

Additional query words: virus antivirus

Keywords: kbhowto KB939288

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.