How to Submit a Virus
So, you've found a virus that your current virus scanning program does not detect? Submit it! The steps below show how to submit the virus to the various vendors out there. Be careful, though: it is recommended that you rename the viral file to a harmless extension (e.g. .txt) to avoid accidentally executing it.
Computer Associates (eTrust/InoculateIT)
Email: virus@ca.com
- Format Required: .zip
- ZIP Password: virus
Online Submission: Yes
Full Instructions: Yes
Other Instructions: Boot sector viruses
Computer Associates (eTrust EZ Antivirus)
Email: n/a
- Format Required: n/a
- ZIP Password: n/a
Online Submission: Yes
Full Instructions: Yes
Other Instructions: Boot sector viruses
Computer Associates (Vet)
Email: support@vet.com.au
- Format Required: .zip
- ZIP Password: virus
Online Submission: Yes
Full Instructions: Yes
Other Instructions: Boot sector viruses
DialogueScience (Dr. Web)
Email: n/a
- Format Required: n/a
- ZIP Password: n/a
Online Submission: Yes
Full Instructions: No
Other Instructions: n/a
Eset (NOD32)
Email: samples@nod32.com
- Format Required: n/a
- ZIP Password: n/a
Online Submission: No
Full Instructions: No
Other Instructions: n/a
F-Secure
Email: samples@f-secure.com
- Format Required: .zip
- ZIP Password: F-Secure asks users to password-protect their files, but does not specify which password to use. Include the password you used in the submission email.
Online Submission: No
Full Instructions: Yes
Other Instructions: n/a
Network Associates (McAfee)
Email: virus_research@avertlabs.com
- Format Required: .zip
- ZIP Password: infected
Online Submission: Yes
Full Instructions: Yes
Other Instructions: n/a
Norman
Email: analysis@norman.no
- Format Required: .zip
- ZIP Password: Norman asks users to password-protect their files, but does not specify which password to use. Include the password you used in the submission email.
Online Submission: No
Full Instructions: Yes
Other Instructions: n/a
Sophos
Email: support@sophos.com
- Format Required: n/a
- ZIP Password: n/a
Online Submission: No
Full Instructions: Yes
Other Instructions: n/a
Symantec (Norton)
Email: n/a
- Format Required: n/a
- ZIP Password: n/a
Online Submission: No
Full Instructions: No
Other Instructions: n/a
Note: Symantec recommends users submit viruses by entering them using "Scan and Deliver," built in to NAV.
Trend Micro
Email: n/a
- Format Required: n/a
- ZIP Password: n/a
Online Submission: Yes
Full Instructions: No
Other Instructions: n/a
Note: Trend Micro has been known to ignore submissions from users not running their products. However, in informal tests, selecting HouseCall (their online, free scanner) got a detection added, although in most cases no notification of the detection was received, and in some cases the submission was simply ignored.
Glossary
Email
This field indicates the email address that you should use to submit files. Please note that not all of these addresses have been verified as working; they are whatever address is indicated on the vendor's site for submissions.
Format Required
Many antivirus companies will only accept certain types of files during the submission process. The most common policy is to only allow .ZIP files through. .ZIP files are compressed, and they also do not trigger gateway mail servers that disallow potentially dangerous files such as .EXE files, which viruses often come as. Although recent versions of Windows include a built-in .zip reader with many abilities, it is recommended that the common program WinZip is used. You can download a 30-day trial of the program here.
ZIP Password
In order to avoid corruption during the send, most antivirus companies that require .zip files also require that they be passworded. The following instructions require WinZip:
1. Open WinZip
2. If there is a splash screen, click "use evaluation version"
3. Click NEW
4. Under "save in," go to DESKTOP
5. In "file name," type INFECTED.ZIP
6. The ADD dialog should come up; navigate to the folder containing the infected file(s) and add them
7. Go to the ACTIONS menu
8. Go to ENCRYPT
9. A message box may be displayed telling you of the disadvantages of encryption; click OK
10. Enter whatever password the company you are submitting to requires
11. Re-enter it for verification
12. Ensure MASK PASSWORD and ZIP 2.0 COMPATIBLE ENCRYPTION are selected if the options are there
13. Click OK
14. An asterisk (*) should appear at the end of the name of the viral file(s) you are submitting; if it does not, redo steps 7-13
15. Close WinZip and submit your file
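The WinZip steps above produce an archive protected with the traditional "ZIP 2.0 compatible" encryption and then check that every entry carries the asterisk. The added example below (not part of the original article) does the same with only the Python standard library; the function names and the sample file names are assumptions made for illustration.

```python
import binascii, os, struct, zipfile, zlib

def crc_step(crc, byte):
    # One raw CRC-32 table step (undoes the pre/post inversion zlib applies).
    return binascii.crc32(bytes([byte]), crc ^ 0xFFFFFFFF) ^ 0xFFFFFFFF

def zipcrypto_encrypt(password: bytes, data: bytes) -> bytes:
    """Traditional PKWARE ("ZIP 2.0 compatible") stream cipher, encrypt direction."""
    k0, k1, k2 = 0x12345678, 0x23456789, 0x34567890
    out = bytearray()
    for i, p in enumerate(password + data):
        if i >= len(password):  # password bytes only seed the keys
            t = k2 | 2
            out.append(p ^ (((t * (t ^ 1)) >> 8) & 0xFF))
        k0 = crc_step(k0, p)  # keys always advance on the plaintext byte
        k1 = ((k1 + (k0 & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        k2 = crc_step(k2, k1 >> 24)
    return bytes(out)

def write_encrypted_zip(path, files, password):
    """files: {archive_name: bytes}. Each entry is deflated, then encrypted."""
    out, central = bytearray(), bytearray()
    for name, data in files.items():
        raw, crc = name.encode("ascii"), binascii.crc32(data)
        co = zlib.compressobj(9, zlib.DEFLATED, -15)
        # 12-byte random header; its last byte lets a reader reject a wrong password
        plain = os.urandom(11) + bytes([crc >> 24]) + co.compress(data) + co.flush()
        body = zipcrypto_encrypt(password, plain)
        # version 20, flag bit 0 = encrypted, method 8 (deflate), DOS date 1980-01-01
        meta = struct.pack("<HHHHHIIIHH", 20, 1, 8, 0, 0x21, crc,
                           len(body), len(data), len(raw), 0)
        central += (b"PK\x01\x02" + struct.pack("<H", 20) + meta
                    + struct.pack("<HHHII", 0, 0, 0, 0, len(out)) + raw)
        out += b"PK\x03\x04" + meta + raw + body
    eocd = struct.pack("<4sHHHHIIH", b"PK\x05\x06", 0, 0, len(files),
                       len(files), len(central), len(out), 0)
    with open(path, "wb") as fh:
        fh.write(out + central + eocd)

def unencrypted_entries(path):
    """Names without the encrypted flag (entries WinZip would list with no asterisk)."""
    with zipfile.ZipFile(path) as zf:
        return [i.filename for i in zf.infolist() if not i.flag_bits & 0x1]
```

An empty list from `unencrypted_entries` is the scripted equivalent of seeing the asterisk on every file. Because the password is published by the vendor, the encryption here serves as a transport wrapper for the sample rather than as a confidentiality control.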
Online Submission
Some companies allow you to submit files via an online interface, while others use it as the only method of submission. This is probably the most convenient way of submitting files, although not all users may feel comfortable using these methods. Additionally, this method of submission allows for the user to remain virtually anonymous. However, response times may be somewhat slower (although typically it will be faster) and the user may have to visit a web site to get the outcome of the process if they do not enter an email address. Whether or not this is the best method depends on the situation and the user's wishes.
Full Instructions
Many antivirus vendors will post detailed instructions on how to use their individual submission venues, while others hardly provide any information whatsoever. This link indicates whether the vendor in question has such a detailed write-up available online, and allows access to it.
Other Instructions
Occasionally, antivirus vendors have some type of virus that they want to have submitted in an alternative manner. This is especially common with boot sector viruses of the MS-DOS days, which do not manifest themselves using a file.
Note
This section indicates any other miscellaneous things of note about the indicated vendor's submission process.
This document (c) 2004 Benjamin "Trafton" Johnstone-Anderson, and is sole property of Security Manifest. The text of this document is not to be edited or abridged, although portions may be quoted, unedited, from the original, as long as a link is given back to this content or the home page of Security Manifest. Modification of this document is a violation of U.S. copyright law. Reproductions of this document are to be distributed for educational purposes only, and under no circumstances will this document be sold. All copies of this document must contain this copyright in its entirety.
Posted Sun, Apr 11 2004 10:52 by trafton