
Skyhigh Security

Support - Workflow for Malware Sample Submission

Support (Internal Workflow)


Threat Intelligence in SSE (SWG) is provided by several different vendors. The detection name shown in the product's block page can be used to determine the right escalation path, as follows.

Trellix AV block

Trellix AV detection names look like "RDN/Generic", "Downloader-FOB" and similar.

Process KB available here

FAQ on the migration from McAfee to Trellix for the submission process and backend environment.


Please do not put several samples into one big archive, for example when all of them come from the same resource. This will fail because the system cannot inspect a protected archive that contains further nested, protected archives.
Each sample needs its own submission!


There is also a subset of blocks shown with the name "Artemis"; these are caused by Trellix File Reputation (GTI).

In this case the sample can be sent to the Trellix Labs team (see KB), or escalate to the TrustedSource team and raise a Jira against URLSR.


GAM block:

GAM detection names usually all start with "BehavesLike.xxx".

Please create a TSWS Jira, select GAM as the component and add the label "GAM-FP" to separate these clearly from any other GAM-related issues or questions.

When you submit a false positive, the key information required is:

  • the full URL that is blocked
  • the found-virus log line for the detection
  • confirmation whether the resource is publicly available or not


Optional data:

  • sample
  • feedback file


The sample is optional: if the resource/destination is public, the GAM team will review it and pull their own sample for deeper analysis.

A feedback file to get the policy can be helpful but is not required.


We created a dashboard to give transparency (provided you all follow the process accordingly) on the number of requests and their status.

https://jira.trellix.com/secure/Dashboard.jspa?selectPageId=15571


Avira:
