
Skyhigh Security

How to submit false positive/negative samples for review

Summary 

This article explains how to forward a sample for review when a request is blocked as a potential false positive, or when a request is not blocked although it should be (a false negative).

Process: Gateway Anti-Malware

Submit the sample via a Support Service Request and provide the following details:

Select Web Gateway in the Product field, do not use Malware.

  • SWG version
  • GAM Engine version (navigate in the User Interface to Dashboard - Gateway Engine)
  • Gateway DAT version (navigate in the User Interface to Dashboard - Gateway DATs)
  • Found_viruses.log (navigate in the User Interface to Troubleshooting - Log Files - User-defined-logs - Found_viruses.log). Make sure that Body.FullFilename is being logged, and provide the found_viruses.log that covers the time frame of the problem.
  • Sample URL that led to the detection
  • The detection name of the potential false-positive from your block page
  • Sample file

Process: Avira

Submit the sample via the Avira submission website.

After you submit a sample to Avira, you'll receive an automated notification email to confirm the submission status and associated Avira tracking number. You'll receive a final notification with the resolution within two days.

How to obtain a Sample

Connect to your SWG appliance using SSH as root.

  1. From the command line, use the wget command to download the file or URL sample. You can obtain the file or URL address on the SWG virus detection block page. If a file name isn't specified on the block page, download a sample using the detected URL.

    Example wget command:
    • File: wget www.domain.com/infected.aspx
    • URL: wget www.domain.com

  2. Use the zip command to place the sample in a compressed and encrypted ZIP file, using the word infected (lowercase, without quotes) as the encryption password.

    Example zip command:
    • File: zip -e sample.zip infected.aspx
    • URL: zip -e sample.zip index.html

  3. Transfer the file off the appliance using SCP or FTP.

Always provide samples as a password-protected archive; never submit or attach the unprotected original file.
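As an added example (not code from this article or from the Skyhigh product), the Python below builds the same kind of password-protected archive that `zip -e` produces, using the traditional PKWARE (ZipCrypto) scheme that `zip -e` and Python's zipfile module both understand, with the password infected, and then runs the check a submitter would want before attaching it to a ticket: the entry is flagged as encrypted, the password opens it, and the CRC matches; it also records the sample's SHA-256 for reference in the request. The entry name and sample bytes are constructed placeholders, not a real detection.

```python
import hashlib, io, os, struct, zipfile, zlib

SUBMISSION_PASSWORD = b"infected"  # the password the article asks for

def _zipcrypto(password: bytes):
    """Encryptor for traditional PKWARE (ZipCrypto) encryption, as used by `zip -e`."""
    keys = [0x12345678, 0x23456789, 0x34567890]

    def crc_step(crc, ch):  # table-free form of the ZipCrypto CRC-32 key update
        return zlib.crc32(bytes([ch]), crc ^ 0xFFFFFFFF) ^ 0xFFFFFFFF

    def update(ch):
        keys[0] = crc_step(keys[0], ch)
        keys[1] = (keys[1] + (keys[0] & 0xFF)) & 0xFFFFFFFF
        keys[1] = (keys[1] * 134775813 + 1) & 0xFFFFFFFF
        keys[2] = crc_step(keys[2], keys[1] >> 24)

    for p in password:
        update(p)

    def encrypt(data: bytes) -> bytes:
        out = bytearray()
        for c in data:
            k = keys[2] | 2
            out.append(c ^ (((k * (k ^ 1)) >> 8) & 0xFF))
            update(c)  # the key schedule advances on the plaintext byte
        return bytes(out)
    return encrypt

def build_sample_archive(name: str, sample: bytes, password: bytes = SUBMISSION_PASSWORD) -> bytes:
    """Single-entry ZIP (method stored, ZipCrypto-encrypted) holding `sample`, like `zip -e`."""
    crc = zlib.crc32(sample) & 0xFFFFFFFF
    # 12-byte encryption header: 11 random bytes, then the CRC high byte used as the password check
    body = _zipcrypto(password)(os.urandom(11) + bytes([crc >> 24]) + sample)
    fname, flags, method, dos_date = name.encode("ascii"), 0x0001, zipfile.ZIP_STORED, 0x21
    local = struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", 20, flags, method, 0, dos_date,
                        crc, len(body), len(sample), len(fname), 0) + fname
    central = struct.pack("<4sHHHHHHIIIHHHHHII", b"PK\x01\x02", 20, 20, flags, method, 0,
                          dos_date, crc, len(body), len(sample), len(fname), 0, 0, 0, 0, 0, 0) + fname
    eocd = struct.pack("<4sHHHHIIH", b"PK\x05\x06", 0, 0, 1, 1, len(central), len(local) + len(body), 0)
    return local + body + central + eocd

def verify_archive(archive: bytes, password: bytes = SUBMISSION_PASSWORD) -> dict:
    """Pre-submission check: the entry is flagged encrypted, the password opens it, the CRC matches."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        info = zf.infolist()[0]
        if not info.flag_bits & 0x1:
            raise ValueError("sample is not password protected; do not submit it")
        data = zf.read(info.filename, pwd=password)  # raises on a wrong password or CRC mismatch
    return {"name": info.filename, "sha256": hashlib.sha256(data).hexdigest(), "size": len(data)}
```

The archive returned by build_sample_archive can be written to sample.zip and opened with any unzip tool using the password infected; verify_archive rejects an entry that is not flagged encrypted, so an accidentally unprotected archive never reaches the ticket.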
