Question About Submitting Samples


15 replies to this topic

#1 Chiron

    Member

  • Members
  • 13 posts

Posted 07 May 2012 - 10:32 PM

Hello, I am writing an article in which I am showing users where they can submit malware and false positives.

I have found an online submission form which users can use to submit these to you, but so far I have found no email address for submitting suspicious files and false positives. Do these exist and if so what are they? Thanks.

#2 Francis

    Sourcefire Administrator

  • Administrators
  • 75 posts

Posted 08 May 2012 - 08:12 PM

Hi Chiron. Potential malware or false positives can be submitted to our support team at support@immunet.com. Include the file/program in a .zip and give us a brief description of what you are submitting and why. Thanks.

#3 Chiron

    Member

  • Members
  • 13 posts

Posted 08 May 2012 - 11:35 PM

I'm actually trying to find out if there is an email address to which I can submit samples such that they will go into the database for ClamAV.

Do Immunet and ClamAV use the same database or is there somewhere else that I should be submitting the files?

Thanks.

#4 ritchie58

    Staff Member

  • Moderators
  • 1,937 posts
  • Location: Oil City, Pa. U.S.A.

Posted 09 May 2012 - 09:03 AM

Hi Chiron, click on this FAQ topic. There's some additional info there you might find informative.

* Immunet Global Forum Moderator *


#5 Chiron

    Member

  • Members
  • 13 posts

Posted 09 May 2012 - 01:58 PM

Thank you. At this point I know how to submit malware to Immunet, but what I would like to know is whether the samples I submit to Immunet will also be added to the database for ClamAV.

The article I'm working on will ask users to submit the suspicious samples (or false positives) to both Immunet and ClamAV. Thus I need to make sure that there aren't separate reporting practices for each one.

For example for submitting suspicious files to Immunet I have found this page:
https://forms.netsui...ript_redirect=T
and for ClamAV I have found this page:
http://cgi.clamav.net/sendvirus.cgi

This leads me to believe that they feed into two different databases, but I need to know that for sure.

Thanks.

#6 Chiron

    Member

  • Members
  • 13 posts

Posted 12 May 2012 - 07:07 PM

Also, another thing that I've noticed is that twice now I've submitted samples to Immunet via this email address:
submit@samples.immunet.com
and both times after a few days I get an email back saying that undelivered mail was returned to sender. This particular one says it was sent on the 7th.

Is that email address wrong or perhaps is there currently a problem with the sample submission process? What's going on?

Thanks.

#7 Millard

    Employee

  • Administrators
  • 294 posts

Posted 13 May 2012 - 05:36 PM

Chiron,
Once upon a time these were two different groups processing malware, but now it's all being processed by one. I've got some emails to the administrator asking what's going on with submit@samples.immunet.com. I'd suggest using the ClamAV link: http://www.clamav.ne...submit-malware/ as you'll get better notification of when the Clam databases are updated.
--Millard

#8 Chiron

    Member

  • Members
  • 13 posts

Posted 13 May 2012 - 07:23 PM


Thank you.

#9 Millard

    Employee

  • Administrators
  • 294 posts

Posted 15 May 2012 - 01:32 PM

Chiron,
I'm sorry for not posting this yesterday. The admin looked at the mailspool, figured out what was wrong, and restarted it. You should now be able to send through submit@samples.immunet.com.
--Millard

#10 Chiron

    Member

  • Members
  • 13 posts

Posted 15 May 2012 - 04:14 PM


Thank you. I'll let you know if I have any problems.

#11 Chiron

    Member

  • Members
  • 13 posts

Posted 07 June 2012 - 03:17 PM

Okay, one more question.

Is there an online form which can be used to submit false positives to Immunet?

#12 Millard

    Employee

  • Administrators
  • 294 posts

Posted 07 June 2012 - 03:47 PM



If you go to http://www.immunet.c...tact/index.html, the drop down allows you to "Submit a false positive" or you just email support@sourcefire.com. These all have to be handled by hand.

#13 Chiron

    Member

  • Members
  • 13 posts

Posted 07 June 2012 - 05:25 PM


Thank you very much.

However, I was under the impression that false positives could also be submitted by sending them to submit@samples.immunet.com?
Does this email address work as well or do I need to tell my readers to submit them to support@sourcefire.com?

If you could clear this up I'd really appreciate it.

Thanks.

#14 Millard

    Employee

  • Administrators
  • 294 posts

Posted 07 June 2012 - 06:19 PM


submit@samples.immunet.com is really only for files we think are malicious, but we do find FPs in there. Sending to support@sourcefire.com makes it easier for us to validate.

#15 Chiron

    Member

  • Members
  • 13 posts

Posted 07 June 2012 - 06:53 PM


Thank you.

I'll advise my readers to submit malware to submit@samples.immunet.com and false positives to support@sourcefire.com.

#16 Chiron

    Member

  • Members
  • 13 posts

Posted 12 June 2012 - 02:17 PM


Actually, I will advise my readers to submit false positives to support@immunet.com.

I contacted support@sourcefire.com and they said the email address wasn't suitable for that. I should use support@immunet.com.

Is this okay?

Thanks.



