Learn how to submit false negatives for the following Symantec.cloud email services:
- Symantec Email Security.cloud
- Symantec Advanced Threat Protection (ATP): Email
What is a false negative?
A false negative occurs when an email containing malware has been incorrectly identified as being clean of security threats. (See What is malware? below for an important distinction.)
Submit false negative malware samples automatically
You can now use the following submission method, available in the Symantec.cloud portal under Services > Email Services > Email Submission Settings.
Submit false negative malware samples manually
Before submitting a false negative malware sample, perform an Email Track and Trace to verify that the logs for the email exist on the Symantec.cloud infrastructure. If you cannot locate the email using Email Track and Trace, review the headers of the email to verify that it came through Symantec.cloud before proceeding with the submission.
Follow these guidelines when submitting a false negative malware sample:
- Provide the full sample email in .MSG or .EML format.
- Upload only a single email sample per submission. Do not upload multiple email samples at once.
- Do not upload only the suspected malware; a full sample is required for verification that the sample came through Symantec.cloud.
For more helpful guidelines, see Symantec Insider Tip: Successful Submissions!
To submit a false negative
- Log in to the Symantec.cloud console.
- Click Support > Antivirus False Negative Submission.
- Submit the following information:
- First name
- Last name
- Support ID (as shown in the portal)
- The email message in .EML or .MSG format. Symantec recommends one email message per submission.
Note: Do not submit compressed files that are password-protected.
- Click Submit. You will receive notice on-screen that the submission was successful.
You will receive a tracking number through email within 30 minutes of submitting the sample and results typically within 12 to 18 hours. If you need to escalate this submission, contact support and provide the submission tracking number.
Symantec monitors submissions and implements detection if we determine that the message is malicious.
Once your submission has been handled by Symantec, you will receive details on whether detection was added or not. If detection was not added, this could be due either to the sample not being malicious, or the sample was improperly submitted.
I have provided a sample but have not heard back from Symantec
If you have provided a legitimate sample and have not received a response from Symantec within 24 hours, contact support with your submission tracking number.
WARNING: Do not attach suspicious files directly to your case.
Request for more information
For more information regarding blocked malware that is not available in Advanced Threat Incidents section in the Symantec.cloud portal, contact support and provide the submission tracking number.
Malware is software that is intended to damage or disable computers and computer systems. Symantec will add detection for malware email attachments.
If an email contains a phishing or malicious link in nature, submissions will not result in a malware detection. For example, documents that contain no code but an attempt to social engineer the recipient into visiting a phishing page are classified as threat artifacts rather than malware.
To report these, please follow our Anti-Spam False Negative process described in Submit false negative spam emails missed by Symantec.cloud.