How To: Submit a suspected malware file or false-positive to support

Version 5

Purpose

This document outlines the process to submit undetected malware and false positives for Ivanti EMSS Antivirus.

Overview

1. Preparing the Sample Files

Be sure to treat potential false positive files as if they are infectious malware. The same precautions must still be taken.

a. For Undetected Malware or False Positives:

   i. Update the scanning engine to the latest definitions and scan the files to ensure they are truly undetected.

      1. Open the EMSS Web console and navigate to Tools > Subscription Updates.
      2. Click “Update Now” and make sure the “AntiVirus Engine & Definition Update” checkbox is selected. Then click “OK”.
      3. This will take some time, depending on your environment; you can watch the “Subscription Service History” box for “AntiVirus / Content” to complete.
      4. Once the AntiVirus Content update has completed, you can manually start a scan on endpoint(s) immediately by going to Manage > Endpoints and then clicking on the “AntiVirus” tab.
      5. Select one or a few endpoints and then click “Scan Now…”.

   ii. Find the undetected/false positive file.

      1. For Undetected Files: These will be located wherever you found them in the Windows directory.
      2. For False Positive Files: Depending on how your AntiVirus policy is configured, you can find the files in their detected location or on the Agent’s “Ivanti Endpoint Security Agent Control Panel” under Antivirus > Quarantine.

   iii. Zip these file(s) into a single .zip archive and password protect the archive with the password “infected”. The name of the archive should follow this standard format: company name_undetected malware for undetected malware, or company name_false positive for false positives.

      1. This naming convention identifies the files in question as well as whether they are undetected malware (as opposed to a false positive).
      2. In my example below, I am using 7zip.

It is vital to password protect the archive so the files can be handled safely without spreading infection.
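The archive step above, scripted with the 7-Zip command-line tool, as an added example that is not part of the Ivanti article. It assumes `7z` is on the PATH; the sample-type keywords `undetected` and `falsepos` and the function names are this script's own choices.

```shell
#!/usr/bin/env bash
# Added example, not from the Ivanti article: builds the archive name from the
# naming convention and packs the samples with the password "infected".
# Assumes the 7-Zip CLI ("7z") is installed and on the PATH.
set -eu

# Archive name per the article's convention:
#   "<company name>_undetected malware.zip" or "<company name>_false positive.zip"
# Fails (exit 1) on an unknown sample type so a mislabelled archive is never built.
sample_archive_name() {
    company="$1"; kind="$2"
    case "$kind" in
        undetected) printf '%s_undetected malware.zip\n' "$company" ;;
        falsepos)   printf '%s_false positive.zip\n' "$company" ;;
        *) echo "unknown sample type '$kind' (use undetected|falsepos)" >&2; return 1 ;;
    esac
}

# Pack the sample files into one password-protected .zip.
# Exit codes: 1 bad sample type, 2 missing/no sample file, 3 7z not found.
# usage: pack_samples <company> <undetected|falsepos> <sample file>...
pack_samples() {
    company="$1"; kind="$2"; shift 2
    archive="$(sample_archive_name "$company" "$kind")" || return 1
    [ $# -gt 0 ] || { echo "no sample files given" >&2; return 2; }
    for f in "$@"; do
        [ -f "$f" ] || { echo "missing sample file: $f" >&2; return 2; }
    done
    command -v 7z >/dev/null 2>&1 || { echo "7z not found on PATH" >&2; return 3; }
    # -tzip forces the .zip format; -p sets the password the article requires
    # (7-Zip's default zip encryption is used; no other options assumed)
    7z a -tzip -p'infected' "$archive" "$@" >/dev/null
    printf '%s\n' "$archive"
}

# Example run (constructed paths): pack_samples "Acme Corp" undetected ./suspect.exe
```

The script refuses to build an archive when the sample type is unknown or a listed file is missing, so the name sent to Support always matches the archive's contents.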

2. Submitting the Sample

   a. Navigate in a browser to avsubmit.ivanti.com and upload the password-protected zip archive containing your false positive or undetected malware sample.
   b. Open a case with Ivanti Support via support.ivanti.com (login required).
   c. Select Web Case as opposed to Phone.
   d. In the case description, please mention that you have uploaded sample files to avsubmit.ivanti.com and give the name of your zip archive.
   e. Support will ensure your sample is evaluated and contact you with the results.

Additional Information

Affected Products

EMSS