This article contains a list of every respectable Windows anti-malware vendor, with a signature based product, that I am aware of. Thus this list, in addition to showing you how to easily submit malware or false positives to all of them, also serves as a reference for anti-malware products which are confirmed to be legitimate. That said, I make no statement as to whether any particular anti-malware vendor is good at detecting malware. Some of the vendors in this list are very good and others are nearly worthless. This is not the place to discuss this. By submitting malware to all of them you can help protect nearly all internet users, regardless of which product they choose to use for protection.
Also, it would really help if you could rate this article. In addition, for those of you who are knowledgeable about anti-malware vendors, if you do find something wrong, whether it be a missing vendor, incorrect information, missing information, etc..., please read the section about How You Can Help. I really need everyone's help in order to improve and maintain this article.
Recent Changelog:
11/22/2014-Added XVirus to the list
11/24/2014-Removed online submission link for submitting false positives to Digital Defender as it was no longer working
11/30/2015-Added English submission links for Qihoo
Index
1. How To Easily Prepare To Submit The Samples
A) Make Sure Email Client Is Set Up Properly
B) Put Samples In Compressed Files
2. Easily Submit Malware To All Vendors
1. How To Easily Prepare To Submit The Samples
A) Make Sure Email Client Is Set Up Properly
To follow the advice in this article you will need to have an email client, such as Thunderbird or Hotmail/Live/Outlook, set up and configured. If you have not already set this up, please do so now. For instructions on how to set up Outlook please see this page and for instructions on how to set up Thunderbird please see this page.
You will also have to be using an email service that has been confirmed to work for this process. The only one which I am currently aware of is AOL.
By the way, I have confirmed that Gmail, Yahoo, Hotmail, GMX, FastMail, and Shortmail do not work.
In terms of the ones which do work, please note that sometimes they will force you to answer a puzzle, to prove that you're human, or even to change your password. This is because it seems like what you're doing constitutes unusual account activity. This is not really a problem. I'm just letting you know ahead of time so you're not surprised.

B) Put Samples In Compressed Files
If you're planning on submitting a suspicious file, or multiple files, for analysis, the easiest way to do this is to install a program called 7-Zip. It can be downloaded from this page. Once it's installed, right click on the sample you would like to submit and select "7-Zip". If you are submitting multiple samples then highlight them all and then right click on them. Then choose "7-Zip". Submitting multiple samples at once can save you a lot of time if you have a lot of samples to submit. However, I would suggest that you do not submit more than 5 at a time as some vendors will begin to reject these.
After selecting "7-Zip", in the list that appears, select the option to "Add to archive...". A window will open. In the options for "Archive format", make sure it is set to zip. Then enter 'infected' as the password. Do not include the quotes. Then select OK.
After this is done, in order to submit it to many of the remaining vendors, once again follow exactly the same steps only this time change the "Archive format" to 7z. Then put in the same password and select OK. Now you should have the samples by themselves, a password protected zip file, and a password protected 7z file.
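The same preparation can be scripted with the 7-Zip command line. This is an added example, not part of the original article: it splits a folder of samples into batches of at most 5, builds the password protected zip and 7z archive for each batch, tests each archive, and (as an addition to the article's steps) writes a SHA-256 manifest so vendor replies can be matched to files. The folder paths are hypothetical placeholders and the 7z.exe path assumes a default 7-Zip installation.

```powershell
# Added example (not from the original article): command-line equivalent of the
# 7-Zip GUI steps above. Paths are placeholders; adjust them before use.
param(
    [string]$SampleDir = 'C:\Samples\ToSubmit',           # hypothetical folder holding the samples
    [string]$OutDir    = 'C:\Samples\Archives',           # hypothetical output folder
    [string]$SevenZip  = 'C:\Program Files\7-Zip\7z.exe', # assumed default install path
    [int]$BatchSize    = 5                                # the article advises no more than 5 per archive
)

$ErrorActionPreference = 'Stop'
$Password = 'infected'   # the password the article tells you to use

if (-not (Test-Path -LiteralPath $SevenZip)) { throw "7z.exe not found at $SevenZip" }
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

function New-SampleArchive {
    param([string]$Type, [string]$ArchivePath, [string[]]$Files)

    # "7z a" updates an existing archive, so remove any stale one first.
    if (Test-Path -LiteralPath $ArchivePath) { Remove-Item -LiteralPath $ArchivePath }

    # a = add to archive, -t = archive format (zip or 7z), -p = password
    & $SevenZip a "-t$Type" "-p$Password" $ArchivePath $Files | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "7z failed creating $ArchivePath (exit code $LASTEXITCODE)" }

    # t = test: confirms the archive opens and decrypts with the same password
    & $SevenZip t "-p$Password" $ArchivePath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "7z test failed for $ArchivePath (exit code $LASTEXITCODE)" }
}

$samples = @(Get-ChildItem -LiteralPath $SampleDir -File | Sort-Object Name)
if ($samples.Count -eq 0) { throw "No files found in $SampleDir" }

$manifest = @()
for ($i = 0; $i -lt $samples.Count; $i += $BatchSize) {
    $last  = [Math]::Min($i + $BatchSize, $samples.Count) - 1
    $batch = @($samples[$i..$last])
    $name  = 'samples_{0:D2}' -f ([int]($i / $BatchSize) + 1)
    $files = @($batch | ForEach-Object { $_.FullName })

    # One zip and one 7z per batch, matching the two archive formats the article asks for.
    New-SampleArchive -Type 'zip' -ArchivePath (Join-Path $OutDir "$name.zip") -Files $files
    New-SampleArchive -Type '7z'  -ArchivePath (Join-Path $OutDir "$name.7z")  -Files $files

    # Record which file went into which batch, with its hash.
    foreach ($f in $batch) {
        $manifest += [pscustomobject]@{
            Batch  = $name
            File   = $f.Name
            SHA256 = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
        }
    }
}

$manifest | Export-Csv -LiteralPath (Join-Path $OutDir 'manifest.csv') -NoTypeInformation
$manifest | Format-Table -AutoSize
```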
2. Easily Submit Malware To All Vendors
One of the main purposes of this article is to make it as easy as possible for anyone who comes across malware to submit it to all security vendors in as few steps as possible. Also, don't worry about duplicate submissions. This has been taken care of for this list.
You can submit the password protected zip file by clicking on this link (attach the zip file after your email client opens and then click send). Webmail users should right click on the link and choose to save the email addresses, then paste them in the contact line of the email.
You can submit the password protected 7z file by clicking on this link (attach the 7z file after your email client opens and then click send). Webmail users should right click on the link and choose to save the email addresses, then paste them in the contact line of the email.
If the email is not delivered correctly please see my comments in section A1 to make sure that you are not using one of the email services which do not work with this list.
At this point you've submitted the sample to all vendors below marked with a . This does include most of them. Also, if a message failed to be delivered to one or more of the vendors, which does happen sometimes, you can manually submit it to them below if you like. Also, if you wish, you can submit the sample to the rest of the vendors who have submission information. Each of these vendors is marked with a . However, this will be much more time consuming as you will have to manually submit the sample to each vendor individually. Note that for online forms, unless instructed otherwise, you should upload the file directly and not in a compressed file.
3. Criteria Used For The List
My only criteria for adding vendors to this list are that they have to have their own website, which must provide contact information. Also, the vendor must have a signature based anti-malware product, not have a bad reputation, and their main site cannot be rated orange or red by Web Of Trust - which is a criterion imposed by techsupportalert and is non-negotiable.
If, in the list, I say that I have confirmed something, that means that I have either been provided that information directly from the vendor or from some other official source with connections to the vendor. I've already run across some occasions where, for example, the website indicates there is not a particular submission option, but their support tells me that there is. Thus, you can rest assured that if I say that something is confirmed to not exist, that information is trustworthy. The only way it can be incorrect is if the vendor now provides a particular submission option which they previously did not.
4. List Of All Vendors
Unless otherwise noted, when submitting a sample via an online form you should upload the file directly and not in a compressed file. Also, unless otherwise noted, submissions by email should be put in a password protected zip file. Just click on the link for the vendor you wish to submit it to and it will automatically fill the necessary details into your default email client. Then all you need to do is attach the zip file and click send. For any cases where the vendors require different steps they are clearly noted.
The symbol denotes vendors who are included in the mailing lists in the previous section. You've already submitted the samples to them.
The symbol denotes vendors who do not have an email address for submission but do have some alternate options for submitting samples.
The symbol denotes vendors who use the signatures of other vendors. Thus you don't need to submit samples to them directly.
If a vendor is unmarked this indicates that I currently have no information about how to submit malware to them.
An "*" means that there is incomplete information. If you have any information your assistance would be greatly appreciated.
The vendors are arranged alphabetically.
Please note that some products are known by multiple names. Thus, if you are having trouble finding a particular vendor, or product, it will likely be very helpful to search for them using ctrl-f.
Vendor | Submit Malware | Submit False Positives | |
|
or |
I have confirmed that there is no online false positive submission form |
|
unofficial Forum |
or |
Online False Positive Submission I have confirmed that there is no email address for submitting false positives |
|
|
Registered users can report malware via the options on this page or anyone can Report Malware via Email |
Registered users can report false positives via the options on this page or anyone can Report False Positive via Email |
|
|
The online malware submission form linked to on their site does not currently work. Report Malware via Email (attach password protected 7z file) |
I have found no online false positive submission form |
|
HomePage (Polish) |
Report Malware via Email (attach password protected 7z file) |
I have confirmed that there is no online false positive submission form Report False Positive via Email (attach password protected 7z file) |
|
|
Submit malware to Emsisoft and Bitdefender as Ashampoo uses the same signatures |
Submit false positives to Emsisoft and Bitdefender as Ashampoo uses the same signatures |
|
|
Submit malware to BitDefender as Auslogics uses the same signatures |
Submit false positives to BitDefender as Auslogics uses the same signatures |
|
*Avanquest |
I have found no online malware submission form I have found no working email address for submitting malware |
I have found no online false positive submission form I have found no working email address for submitting false positives |
|
|
or |
Online False Positive Submission or |
|
Website Down On 9/15/14 |
Submit malware to Agnitum as Avertive uses the same signatures |
Submit false positives to Agnitum as Avertive uses the same signatures |
|
|
I have found no working email address for submitting malware |
||
HomePage (Russian) |
Submit malware to Kaspersky as AVZ uses the same signatures |
Submit false positives to Kaspersky as AVZ uses the same signatures |
|
|
or |
Online False Positive Submission I have confirmed that there is no email address for submitting false positives |
|
|
or |
Online False Positive Submission or |
|
|
Online Malware Submission (Select "False Negative" and check the box for file) or anyone can Report Malware via Email |
Online False Positive Submission (Select "False Positive" and check the box for file) or anyone can Report False Positive via Email |
|
Forum (Vietnamese) |
Online malware submission is available to registered users through this page (translate page from Vietnamese) or anyone can Report Malware via Email |
You can join their forum and post false positive here (forum is in Vietnamese) or Report False Positive via Email (attach password protected 7z file) |
|
|
I have confirmed that there is no online malware submission form |
I have found no online false positive submission form |
|
|
Submit malware to BitDefender as BullGuard uses the same signatures |
Submit false positives to BitDefender as BullGuard uses the same signatures |
|
|
Online Malware Submission (Select 'Freemium Products' and then select "Celframe Free AntiVirus" and submit malware on next page) I have confirmed that there is no email address for submitting malware |
Online False Positive Submission (Select 'Freemium Products' and then select "Celframe Free AntiVirus" and submit false positive on next page) I have confirmed that there is no email address for submitting false positives |
|
|
I have confirmed that there is no online malware submission form Report Malware via Email (attach password protected 7z file) |
I have confirmed that there is no online false positive submission form Report False Positive via Email (attach password protected 7z file) |
|
|
Submit malware to Immunet Protect as ClamAV uses the same signatures |
Submit false positives to Immunet Protect as ClamAV uses the same signatures | |
HomePage (Vietnamese) Forum (Vietnamese) |
Report Malware via Email (attach password protected 7z file) |
Report False Positive via Email (attach password protected 7z file) |
|
|
or |
Online False Positive Submission or |
|
|
Submit malware to Symantec as Constant Guard uses the same signatures | Submit false positives to Symantec as Constant Guard uses the same signatures | |
Crystal Security |
I have confirmed that there is no online malware submission form I have confirmed that there is no email address for submitting malware |
I have confirmed that there is no online false positive submission form I have confirmed that there is no email address for submitting false positives |
|
|
Submit malware to Avira as Cyberoam uses the same signatures |
Submit false positives to Avira as Cyberoam uses the same signatures | |
|
I have confirmed that there is no online malware submission form I have found no working email address for submitting malware |
I have found no online false positive submission form I have found no working email address for submitting false positives |
|
|
or Report Malware via Email (attach password protected 7z file) |
I have found no online false positive submission form Report False Positive via Email (attach password protected 7z file) |
|
|
or |
Online False Positive Submission or |
|
|
I have confirmed that there is no online malware submission form |
I have confirmed that there is no online false positive submission form |
|
|
or |
You can join their forum and post false positives here or |
|
|
Registered users can log in through this site, request support, and attach the suspicious file I have found no working email address for submitting malware |
Registered users can log in through this site, request support, and attach the false positive or anyone can Report False Positive via Email |
|
|
Online Malware Submission (Select "Submit a Ticket" and then Samples) or |
Online False Positive Submission (Select "Submit a Ticket" and then "False Positive") or |
|
|
Submit malware to Vipre as Faronics uses the same signatures |
I have confirmed that there is no online false positive submission form Report False Positive via Email (attach password protected 7z file) |
|
|
Online Malware Submission (can only upload up to 1 MB) or |
I have confirmed that there is no online false positive submission form |
|
|
Online Malware Submission (near the bottom) or |
Online Malware Submission (near the bottom and make sure to put false positive in the comments) or |
|
|
or |
Online False Positive Submission or |
|
Forum site down on 9/15/14 |
I have confirmed that there is no online malware submission form |
I have confirmed that there is no online false positive submission form |
|
|
or |
Online False Positive Submission or |
|
I have confirmed that there is no email address for submitting false positives |
Online False Positive Submission I have confirmed that there is no email address for submitting false positives |
||
|
I have confirmed that there is no online malware submission form Report Malware via Email (attach password protected 7z file) |
I have confirmed that there is no online false positive submission form Report False Positive via Email (attach password protected 7z file) |
|
Submit malware to BitDefender, Kaspersky, and Emsisoft as Hitman Pro uses the same signatures | Submit false positives to BitDefender, Kaspersky, and Emsisoft as Hitman Pro uses the same signatures | ||
|
I have confirmed that there is no online malware submission form |
I have confirmed that there is no online false positive submission form |
|
|
Online Malware Submission (Select "Submit a virus" from the drop-down menu) or |
Online False Positive Submission (Select "Submit a false positive" from the drop-down menu) or |
|
*Iolo |
I have found no online malware submission form I have found no working email address for submitting malware |
I have found no online false positive submission form I have found no working email address for submitting false positives |
|
|
I have confirmed that there is no online malware submission form I have found no working email address for submitting malware as that stated in website does not work |
I have confirmed that there is no online false positive submission form |
|
|
Online Malware Submission (requires free account) or |
Online False Positive Submission (requires free account) or |
|
|
You can join their forum and post malware sample here or |
You can join their forum and post false positives here |
|
HomePage (Chinese) |
I have found no online malware submission form |
I have found no online false positive submission form |
|
|
or |
Online False Positive Submission or |
|
|
Submit malware to Norman as Lumension uses the same signatures |
Submit false positives to Norman as Lumension uses the same signatures |
|
|
You have to join their forum and post malware samples here I have confirmed that there is no email address for submitting malware |
You have to join their forum and post false positives here I have confirmed that there is no email address for submitting false positives |
|
|
Online malware submission is available to registered users through this page or anyone can Report Malware via Email |
Online false positive submission is available to registered users through this page or anyone can send an email to this email address, or if it is marked as "McAfee-GW-Edition" submit it to this email address |
|
|
I have found no online malware submission form |
I have found no online false positive submission form I have found no working email address for submitting false positives |
|
|
or |
Online False Positive Submission or |
|
HomePage (Polish) |
Online Malware Submission (Polish) or |
I have found no online false positive submission form I have found no working email address for submitting false positives |
|
|
Submit malware to Immunet Protect as Moon Secure uses the same signatures | Submit false positives to Immunet Protect as Moon Secure uses the same signatures | |
|
Submit malware to Ikarus as MSecure uses the same signatures |
Submit false positives to Ikarus as MSecure uses the same signatures |
|
|
Submit malware to Avira, Emsisoft, Kaspersky, Sophos, and Trend Micro as Multi-AV uses the same signatures | Submit false positives to Avira, Emsisoft, Kaspersky, Sophos, and Trend Micro as Multi-AV uses the same signatures | |
|
or |
Online False Positive Submission or |
|
*Naver Antivirus HomePage (Korean) |
I have found no online malware submission form I have found no working email address for submitting malware |
I have found no online false positive submission form I have found no working email address for submitting false positives |
|
|
Report false positives through the program itself or |
||
|
or |
Online False Positive Submission or |
|
|
or |
Online False Positive Submission or |
|
|
I have confirmed that there is no online malware submission form |
I have confirmed that there is no online false positive submission form |
|
|
or |
Online False Positive Submission or |
|
|
I have found no online malware submission form Report Malware via Email (attach password protected 7z file) |
I have found no online false positive submission form Report False Positive via Email (attach password protected 7z file) |
|
|
The online malware submission provided on their site doesn't work correctly. The email address provided on their site doesn't work correctly. |
I have found no online false positive submission form I have found no working email address for submitting false positives |
|
HomePage (Portuguese) |
I have confirmed that there is no online malware submission form |
I have confirmed that there is no online false positive submission form |
|
HomePage (Chinese) Forum (Chinese) |
Online Malware Submission (Make sure option for Suspicious Files is selected) or |
Online False Positive Submission (Make sure option for False Positives is selected) or |
|
|
Online Malware Submission (Fill in necessary information and select "Sample File Submission") or |
Online False Positive Submission (Fill in necessary information and select "Submit False Positive") I have confirmed that there is no email address for submitting false positives |
|
*RemoveIt/incodesolutions |
I have found no online malware submission form I have found no working email address for submitting malware |
I have found no online false positive submission form I have found no working email address for submitting false positives |
|
|
I have confirmed that there is no online malware submission form Report Malware via Email (attach password protected 7z file) |
I have confirmed that there is no online false positive submission form Report False Positive via Email (attach password protected 7z file) |
|
*Rising HomePage (Chinese) |
There is no suitable online form for submitting malware as theirs is rated red by WOT I have confirmed that there is no email address for submitting malware |
There is no suitable online form for submitting false positives as theirs is rated red by WOT I have confirmed that there is no email address for submitting false positives |
|
|
Report malware through tool downloaded from this page I have found no working email address for submitting malware |
I have found no online false positive submission form I have found no working email address for submitting false positives |
|
|
I have confirmed that there is no online malware submission form |
I have confirmed that there is no online false positive submission form |
|
|
Submit malware to McAfee as Shaw Secure uses the same signatures | Submit false positives to McAfee as Shaw Secure uses the same signatures | |
|
I have confirmed that there is no online malware submission form |
I have found no online false positive submission form |
|
|
or |
Online False Positive Submission or |
|
|
or |
Online False Positive Submission (Make sure to let them know it's a false positive) or |
|
*SpyCop |
I have found no online malware submission form I have found no working email address for submitting malware |
I have found no online false positive submission form I have found no working email address for submitting false positives |
|
|
I have found no online malware submission form |
I have found no online false positive submission form |
|
|
Report malware through tool on this page I have confirmed that there is no email address for submitting malware |
Report false positives through SuperAntiSpyware program interface I have confirmed that there is no email address for submitting false positives |
|
|
or |
Online False Positive Submission I have confirmed that there is no email address for submitting false positives |
|
HomePage (Spanish) |
I have confirmed that there is no online malware submission form |
I have confirmed that there is no online false positive submission form |
|
|
I have confirmed that there is no online malware submission form |
I have confirmed that there is no online false positive submission form |
|
|
I have found no online malware submission form |
I have found no online false positive submission form |
|
|
Report Malware via Email (Note that the password must be virus) |
Online False Positive Submission (Attach the password protected zip file and tell them the password in the comments section) I have confirmed that there is no official email address suitable for submitting false positives |
|
|
I have confirmed that there is no online malware submission form |
I have found no online false positive submission form |
|
|
I have confirmed that there is no online malware submission form |
I have confirmed that there is no online false positive submission form |
|
|
Submit malware to AVG, BitDefender, Dr. Web, Vipre, and VirusBlokAda as TrustPort uses the same signatures |
I have confirmed that there is no online false positive submission form |
|
|
I have confirmed that there is no online malware submission form |
I have confirmed that there is no online false positive submission form |
|
Submit malware to Immunet Protect as Untangle uses the same signatures | Submit false positives to Immunet Protect as Untangle uses the same signatures | ||
|
Submit malware to Vipre as UnThreat uses the same signatures |
Submit false positives to Vipre as UnThreat uses the same signatures |
|
Submit malware to McAfee as Verizon Internet Security uses the same signatures | Submit false positives to McAfee as Verizon Internet Security uses the same signatures | ||
or |
Online False Positive Submission or |
||
|
I have confirmed that there is no email address for submitting malware |
Online False Positive Submission (Select "Analysis Required" and write "Possible False Positive" in the Description box) I have confirmed that there is no email address for submitting false positives |
|
|
or |
Online False Positive Submission or |
|
|
Online Malware Submission (Translate page from Russian) or |
I have confirmed that there is no online false positive submission form |
|
HomePage (Thai) |
Submit malware to Dr. Web as Virus Chaser uses the same signatures |
Submit false positives to Dr. Web as Virus Chaser uses the same signatures |
|
|
Submit malware to Sophos as VIRUSfighter uses the same signatures |
Submit false positives to Sophos as VIRUSfighter uses the same signatures |
|
*VirusKeeper |
I have found no online malware submission form I have found no working email address for submitting malware |
I have found no online false positive submission form I have found no working email address for submitting false positives |
|
|
I have confirmed that there is no email address for submitting malware
|
False positive submission is available through this page or |
|
|
You can post malware samples here or |
You can post false positives here
|
|
*Xyvos |
I have found no online malware submission form I have found no working email address for submitting malware |
I have found no online false positive submission form I have found no working email address for submitting false positives |
|
|
Submit malware to Emsisoft, G Data, Ikarus, and Dr. Web as Zemana uses the same signatures |
Submit false positives to Emsisoft, G Data, Ikarus, or Dr. Web as Zemana uses the same signatures |
|
HomePage (Ukrainian) |
I have found no online malware submission form |
I have found no online false positive submission form |
|
|
Submit malware to Kaspersky as ZoneAlarm uses the same signatures |
Submit false positives to Kaspersky as ZoneAlarm uses the same signatures | |
Zoner |
I have confirmed that there is no email address for submitting malware |
I have confirmed that there is no online false positive submission form I have confirmed that there is no email address for submitting false positives |
5. How You Can Help
If you find that there is a vendor which I have left out of the list please leave a comment about this so I can investigate. Also, if you find that any of the information I provide is incorrect please let me know immediately so that I can fix this. This includes circumstances in which I say I have confirmed that an option does not exist (when it now does), information that does not work as promised, vendors that no longer support their product, etc... I will personally look into all information provided before adding it to the article. Starred products are those that I currently realize are in need of information. I could really use your help with those vendors as well.
That said, because of the strict requirements I have imposed for stating that I have confirmed that something does not exist, I will not be able to say that I have confirmed that submission options do not exist just because someone states it in the comments. I hope you understand that I am not insulting anyone but just being very cautious before adding information to the article. However, things like submission links or email addresses I can investigate myself and add. I only need an official response for confirming that something does not currently exist.
I really do need your help to maintain this article as this is way too much information for me to investigate on my own. Keeping this list up to date would require an astronomical amount of work, and I'm already very busy with many other projects. I thank you for whatever time you can contribute to make this the best malware submission article on the internet.
Please help by rating this article. Also, if you believe this article deserves anything less than 5 stars, please leave a comment below explaining how you think it can be improved or where you find fault. This article is written by me but fueled by the community. Thus your opinions and advice are not only much appreciated, but actually necessary in order for this article to grow and improve.
If you found this article useful then perhaps you'd like to check out some of my others.
How to Clean An Infected Computer
How to Fix a Malware Infected Computer
How to Harden Your Browser Against Malware and Privacy Concerns
How to Install Comodo Firewall
How to Know If Your Computer Is Infected
How to Protect Your Online Privacy
How to Report Dangerous Websites
How to Tell if a File is Malicious
How to Tell If A Website Is Dangerous
Comments
Mails to Emco were failing yesterday. Not sure if this is a temporary thing.
Undelivered Mail Returned to Sender
This is the mail system at host zim-mta-01.simnet.is.
I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.
For further assistance, please send mail to postmaster.
If you do so, please include this problem report. You can
delete your own text from the attached returned message.
The mail system : host zim-mbox-05.simnet.is[194.105.232.108] said:
552 5.2.2 Over quota (in reply to end of DATA command)
I do not believe Webroot is accepting submissions for virus samples via email. I received this email from them:
Hello,
Thank you for contacting Webroot Support.
All files being scanned by Webroot SecureAnywhere are broken down into hash signatures and behavioral data. These data points are sent to the Webroot Intelligence Network to determine if the original file is good, bad, or undetermined. The file itself is not sent to Webroot, so no personal data is leaving your computer.
If you wish to submit a file to our Threat Research team for analysis, please visit Webroot File Submission (http://snup.webrootcloudav.com/SkyStoreFileUploader/upload.aspx) and follow the instructions. Please note this is currently limited to 10mb per file.
If you are concerned about the safety of a specific file on your computer, you can right-click on a file to Scan with Webroot. This scan should typically complete within seconds.
However, if the scan results are inconclusive, you can submit a file to our Threat Research team for further analysis. The Submit a File option only supports files or .zip folders up to 10MB. Please follow the steps below.
1. Open SecureAnywhere on your computer.
2. Click the gear icon next to Utilities.
3. Click the Reports tab, and then select Submit a File.
4. In the window that opens, click Browse to find the file you wish to submit.
5. Once the file is selected, click Open.
6. Select a reason for submission from the list provided.
7. Insert the CAPTCHA and click Submit a File.
Our Threat Research team will investigate the file submitted and update our determinations if necessary.
Regards,
The Webroot Support Team
any updates?
analysis@norman.no
The email address you specified couldn't be found or is invalid. It may be due to a bad entry in your Outlook or Outlook Web App recipient AutoComplete cache. Use the steps below to clear the entry from the cache:
: host zim-mbox-05.simnet.is[194.105.232.108] said:
552 5.2.2 Over quota (in reply to end of DATA command)
:
Remote host said: 550 signature_incorrect [BODY]
When I tried it the last time (22nd of July) I still had these 3 problems.
It can not be caused by me.
email address couldn't be found or is invalid: email address does not exist on the server of the receiver, this is an Exchange error. I do not use any Outlook, I use a completely different email client and I send all mails with SMTP. No Exchange server between me and any receiver if the receiver does not use one.
Over quota: postbox of receiver is full (errorcode 522 5.2.2 http://www.inmotionhosting.com/support/email/bounceback-errors/email-err... / 552 5.2.2 Over quota (in reply to end of DATA command) )
550 error: http://dkim.org/specs/draft-allman-dkim-base-01.html problem with PGP key (my email was not signed at all, so this was very weird)
My email headers just have at least an x-enigmail-version field with the Enigmail version, but are not signed. This just tells the receiver which Enigmail version I use, if the email is signed or encrypted but it was not.
All other email providers and receivers ignored the field and did not misinterpret that the email is not signed (even if it is) and accepted the email without any problems. So their MTA has a bug or does/did something wrong.
And if it were signed, it would work because my key is valid.
Which failures exactly did you get?
Received the error yesterday for Norman:
Delivery has failed to these recipients or groups:
analysis@norman.no
The email address you specified couldn't be found or is invalid. It may be due to a bad entry in your Outlook or Outlook Web App recipient AutoComplete cache. Use the steps below to delete the entry from the cache:
Click New mail.
In the To field start typing the recipient's name or email address until the recipient appears in the drop-down list.
Use the DOWN ARROW and UP ARROW keys to select the recipient, and then press the DELETE key.
Then resend your message – delete and retype the recipient’s name or e-mail address before sending it.
For more tips on how to resolve this issue see DSN code 5.1.1 in Exchange Online.
Diagnostic information for administrators:
Generating server: DB4PR03MB507.eurprd03.prod.outlook.com
analysis@norman.no
Remote Server returned '550 5.1.1 RESOLVER.ADR.RecipNotFound; not found'
not so nice: : host mail.bluepointsecurity.com[50.78.105.217]
said: 550 5.7.1 Message rejected as spam by Content Filtering. (in reply to
end of DATA command)
just used your link and sent the zipped and password protected sample
Do you have any ideas on dealing with vendors who don't reply or who don't want to remove false positives?
I've got a false positive on a 9 year old WinRAR SFX archive, containing a DLL and some other bits.
I've succeeded in getting most of the major vendors to remove, but I'm having issues with these:
* Most of the Chinese/Vietnamese vendors haven't replied full-stop. BKAV claimed to have passed to support, but squit since.
* McAfee- Tracking number but nothing else.....
* Panda- Autoreply
The major issue however is ThreatTrack- They've replied saying it's malicious, which it isn't (Perfectly happy to supply full source to the DLL if they want it)
I've linked them to all the public removals I've got, and the older/ newer VirusTotal scans, and am waiting to see what they come back with.
Nice list of instructions for reporting false positives found by Metascan-Online.com was posted by Taeil Goh on March 21, 2014, in the Metascan Online blog (provided by OPSWAT). List includes ~40 vendors.
https://www.metascan-online.com/en/blog/what-do-i-do-if-an-engine-detect...
I see several vendors on the Metascan Online list that are not present in table above but I know that you skip over some vendors that use signatures from another vendor.
Thanks for the new changelog feature, Chiron. I noticed the recent update date; wondered what changed; knew the answer almost immediately.
I wish all authors/editors would follow suit and use a changelog.
These two email addresses are down: submit(at)trojanhunter.com and virus(at)esafe.com
submit(at)trojanhunter.com:
qmail-local crashed.
I'm not going to try again; this message has been in the queue too long.
This is an automatically generated Delivery Status Notification.
Unable to deliver message to the following recipients, due to being unable to connect successfully to the destination mail server.
virus(at)esafe.com
-- "Updated 1. February 2014 - 22:04 by Chiron"
Ummm, GREAT!? (And definitely "Thanks for maintaining the article.")
The update notice is useful but please consider adding CHANGE HISTORY to your excellent series of articles. Each entry should be very brief and the list truncated periodically. The list could be chronological, reverse chronological, or subdivided to separate out vendor contact changes or other updates. (Whatever would be easy for you.) As is, we have no idea what changed, especially with such a long and involved topic.
Perhaps:
(date) - Added Change History
(date) - Updated contact info for X and Y.
(date) - Clarified vendor list legend.
(date) - Added vendor Z.
(date) - Added detailed instructions for using 7-Zip.
-----
Minor grammar, spelling, wording, layout, or typo changes
(recent date), (date-date), (date)
More generally, all articles should include change history.
I'm glad that you are keeping the article current but I think you are missing the (or rather "a") _user_ perspective and are also making an unwarranted assumption about how the article and embedded links are used. Four related points are followed by a few asides.
First, if you change something in the article, I have no way of knowing whether I need to reread the article (e.g., directions changed) or should just continue doing what I'm doing (e.g., address added) -- even ASSUMING I can use the procedure as you apparently expect! Without a (very brief) change log, I'm clueless. The change log does not matter to a first time reader but is useful to those who revisit the page as well as those who might be interested when the article appears in the site update list.
Second, I can't directly use your directions anyway. Clicking on your otherwise very helpful email links does not directly open my new webmail account. Aside: I opened an AOL account (thanks for mentioning that it works) just for this purpose so all related email is segregated. Rather than copying and pasting the list each time, I chose to create three mailing lists (malware-submit-zip, malware-submit-7z, and malware-FP-submit). As I'm not a malware researcher, I don't really care if a few addresses are not current (changed, new, no longer applicable) but I will have to periodically update my mailing lists. The first two lists will be easy to update thanks to your well maintained email links.
Third, I'm not sure I would want to revisit this article every time I want to submit a file. I'm probably satisfied to submit malware to a meta-scanner or two and leave it at that as long as a couple of major vendors correctly identify it unless I encounter the malware in or via email addressed to/from friends and family (thus motivating me to do more). Two such accounts were hacked recently so I'm getting a lot more nasty and targeted spam than usual (still more motivation). You've also said elsewhere that just submitting malware to a metascanner is insufficient in general (and always if a major vendor does not identify it). Your point about the current list being maintained here by you is quite good, however.
Fourth, a large portion of my submissions relate to false positives, anyway, as I enjoy exploring lesser known freeware, etc. I value such software, recommend it to others, and would like to see it more widely used, so I am motivated to be more active even when my installed security software is not directly affected. This article does provide useful detail but (as you note in another comment) FPs are not your primary focus. Again, though, this is yet another, albeit small, reason to have a change history.
Three asides peripheral to the change history comment:
Although I'm slightly uncomfortable submitting malware to vendors that already detect it I assume (hope) most vendors automate receipt sufficiently that already detected submissions are never seen by a human. I'm guessing you make the same assumption given the comprehensive and monolithic nature of your email lists.
I'm not sure who your target audience is for this article but I would think that I am vaguely near the site median technically as a once upon a time professional programmer/analyst who still has some "core" around somewhere (though I did miss the charged plates and vacuum tubes). This site is certainly moderately technical but is not focused on even hobbyist security much less professional malware research.
Finally, I would note in passing that the 7-zip malware list only contains eight(?) names. I've decided for myself that using the extensive zip email list suffices for me as I'm not personally aware of anyone who uses a vendor on the lesser list (but then most of the time I also am satisfied with just using two of the extensive metascanners).
Whatever you decide, I hope you will interpret my comments as both my small attempt to improve a very useful article and appreciation of your efforts in developing and maintaining it. Even when I'm critical or just disagree!
Wow, you are replying faster than I can finish the next comment! If only some vendors were as responsive!
Thanks for the additional detail. I didn't quite follow the GMail comment. Do you mean that the vendor uses GMail as their email system and also that GMail recognizes executables inside password=infected .zip but not .7z files? I did already know that GMail and Hotmail/Live/Outlook and some other webmail vendors had some restrictions on including executables even when compressed but I am not aware of the details beyond that.
For change history I think a very brief comment along the lines you mentioned would suffice. THANKS.
"As for the email links not opening up with your webmail account, can you suggest an alternative which would work well for you? Is there a more convenient way for you to get the list of emails?"
What I'm doing recently works: one copy link and one paste into appropriate email mailing list using AOL. What you have built would have worked well until about four years ago when I switched from Outlook (app) to webmail.
I have wondered if someone would chime in with a simple solution to have email links open in webmail as the default mail handler. That would be handy for other purposes but I wouldn't want my new malware specific AOL account (or any AOL account) to be the default. Hotmail/Outlook or GMail would be handy, though.
Thanks for your consideration of my sometimes off-base comments.
Regarding webmail users: I think a comment is a good idea and will encourage some additional reporting. It is actually quite easy to zip a file and send it provided the installed AV doesn't interfere. I'm glad you included the 7-zip list but it only adds a few vendors.
You might also reassure hesitant users that duplicative reporting is handled automatically for the most part.
Four small suggestions:
1. Expand problematic webmail list: "Hotmail/Live/Outlook".
2. Refer webmail users back to earlier discussion of which services work and why (just as a parenthetical remark like "(see A.1. for restrictions)"). I know it is only a couple of paragraphs above but many of us skip to just what we think we are looking for.
3. Offer a GMail (and Outlook.com(?) and others(?)) webmail only expanded 7-zip list since such users can't submit a .zip executable. I would completely understand if you did not want this additional maintenance task, nor is opening a single purpose AOL account difficult. I'm not sure how many people would avail themselves of this but it would make reporting easier for that group assuming _many_ companies on the zip list would also process a 7-zip file even if it is not officially listed. (I may have talked even myself out of this idea.)
4. Explain star/asterisk in the legend section (above table) even though it is also appropriately explained in the text below the table. Even when I remembered that I'd seen an explanation I couldn't find it because I searched on "asterisk" and "*" but forgot "star". Something quite simple would do:
* Incomplete information; assistance needed (see discussion following table)
Big thanks for both the original article and all the on-going tweaking.