From time to time all anti-virus companies run into the situation where a user tells them that their product is not detecting some virus. Typically the user also wants to know why it isn’t detected when another product catches it. These inquiries rarely provide enough information to result in a meaningful answer. There can be a number of reasons why a product doesn’t detect something, but as a user you must provide more information. It is very helpful if you can send copy of the file in question. Many users know to zip up the file before they send it, but there are also a number of users who a password protect the file (good thing), but fail to provide the password. In general it is a best practice to use the password “infected” when password protecting a sample to be sent to an antivirus company Ã¢â‚¬â€œ we all know to try the password “infected”. The password, infected, should not have quote marks (“) and should be lower case. If an analyst can’t unzip the file by trying the passwords “infected” or “virus” (another common password), processing of the sample will probably be stopped until more information is gathered.
There are a few other pieces of information that are always good to include:
1) Where did the sample come from? Include any background information, such as why you think it is a virus or a false positive.
2) If you know where the file came, the name of the company, website, etc. please include that information too.
3) Did you scan it with a different product, or with a service like VirusTotal? If so then send in the log with the sample. It can help speed up the investigation.
4) The subject line of your message should be descriptive. Do you think this is brand new? Is it a false positive? Do you know the name another product detects it by? Something like “Suspect False Positive on myfile.exe from the Good Times Crew”, or “Undetected Virus Win32/Goofball (Norton)” are meaningful subject lines.
If you think you know what the malware does, do include that information in the email. If you have good reason to believe that this is something that is going to very rapidly affect lots of people go ahead and put the word “Urgent” in the subject line, but remember, if everything is urgent then nothing is. Use “Urgent” sparingly.
Sometimes you may have a sample that we don’t detect, and sometimes you may have found a false positive in a competitor’s product. It is almost impossible to tell without a sample to test. Providing all of the details will allow us to respond to everyone more quickly by eliminating a lot of back-and-forth emails.
Author ESET Research, We Live Security