Skyhigh Security

Support - Workflow for Malware Sample Submission

Support (Internal Workflow)

Threat Intelligence in SSE (SWG) is provided by several different vendors. The detection name shown on the product's block page identifies the vendor, and therefore the correct escalation path, as follows.

Trellix AV block

Typical Trellix AV detection names are "RDN/Generic", "Downloader-FOB" and similar.

Process KB available here

FAQ on the migration from McAfee to Trellix for the submission process and backend environment.


Please do not put several samples into one big archive, for example because they all come from the same resource. The submission will fail because the system cannot inspect a password-protected archive that contains further nested, protected archives.
Each sample needs its own submission!


There is also a subset of blocks shown with the detection name "Artemis". These are caused by Trellix File Reputation (GTI), not by the AV engine signatures.

In this case the sample can be sent to the Trellix Labs team (see the KB), or the case can be escalated to the Trustedsource team by raising a Jira against URLSR.


GAM block:

GAM detection names usually start with "BehavesLike." (for example "BehavesLike.xxx").

  • Submit the sample or URL for whitelisting using the portal below. Login information was shared with the Support group via a different channel (work with your respective manager if the information needs to be shared again).

https://gam.corp.entsec.com/webservice/index.php?id=whitelisting

  • Raise a Jira if the whitelist approach was not successful and the block is still seen.


Avira: