1 2 3 Previous Next 41 Replies Latest reply on Nov 9, 2015 8:45 AM by exbrit

    malware submission fails sometimes

    chipitsine

      Hello,

      Sometimes malware submission fails with:

      McAfee Labs - Beaverton
        Current Scan Engine Version:5700.7163
        Current DAT Version:7946.0000
        Thank you for your submission.

        Analysis ID: 9591037

        File Name            Findings                       Detection                    Type         Extra
        --------------------|------------------------------|--------------------------- -|------------|-----
        1eba.zip            |extraction failure            |                            |            |no

        extraction failure [1eba.zip]
      ------------------------------------------------------------------

      Can you have a deeper look at it?

      I attached both the Python script and the failing malware sample to this message.

        • 1. Re: malware submission fails sometimes
          Peacekeeper

          First, I have removed all samples; forum rules ask that possibly infected files are not posted here.

          When you zipped the file, did you password-protect it with the password "infected"?

          I would retry the submission, maybe using GetSusp, which is mentioned in the FAQ; as long as you add your email details to its preferences, it will submit the file as well.

          What To Do When McAfee Detects Software As An Infection - How to Submit To McAfee Labs & Appeal

          • 2. Re: malware submission fails sometimes
            chipitsine

            I attached the send.py script in order to describe how we send samples.

            It is not malware.

            OK, I uploaded both the Python script and the malware sample to Yandex.Disk (password "test").

            Have a look at send.py; is it ok?

            Be careful about the included zip; it is malware.

            As we send samples from Cuckoo Sandbox, we need some automated way.

            What is appropriate? However, we are not McAfee users, we are malware researchers, so we do not have access to the McAfee web interface (and it is not good for Python scripting).

            Can you provide a REST API for malware submission?

            • 3. Re: malware submission fails sometimes
              chipitsine

              Here's send.py; is it ok?

               

              #!/usr/bin/env python
              # coding=utf-8
              from __future__ import print_function

              from pyminizip import compress
              from email.header import Header
              from email.mime.application import MIMEApplication
              from email.mime.multipart import MIMEMultipart
              from email.mime.text import MIMEText
              from email.utils import formatdate
              import smtplib
              from os.path import basename
              from sys import argv, exit


              def sendMcAfee(filename, help_text, email):
                  try:
                      name = basename(filename)
                      # Zip the sample with the password "infected" at compression level 5
                      compress(filename, filename + ".zip", "infected", 5)
                      filename += ".zip"
                      name += ".zip"

                      # Set the headers as message items: keyword arguments passed to
                      # MIMEMultipart become Content-Type parameters, not mail headers,
                      # so From/To/Subject/Date would otherwise be missing from the mail.
                      msg = MIMEMultipart()
                      msg['From'] = email
                      msg['To'] = "virus_research@mcafee.com"
                      msg['Subject'] = "Potential virus"
                      msg['Date'] = formatdate(localtime=True)
                      msg.attach(MIMEText(help_text))
                      with open(filename, 'rb') as archive:
                          msg_attach = MIMEApplication(archive.read(), Name=name)
                          msg_attach.add_header('Content-Disposition', 'attachment',
                                                filename=Header(name, 'utf-8').encode())
                          msg.attach(msg_attach)

                      smtp = smtplib.SMTP("smtp")  # local relay reachable as host "smtp"
                      smtp.sendmail(email, "virus_research@mcafee.com", msg.as_string())
                      smtp.quit()
                      return 0, "Success! %s" % name
                  except Exception as e:
                      print("McAfee error: %s" % e)
                      return 1, "Something went wrong: %s" % e


              if __name__ == "__main__":
                  # Two arguments are required: the sender address and the sample path
                  if len(argv) < 3:
                      print("Usage: %s <email> <file>" % argv[0])
                      exit(1)
                  print(sendMcAfee(argv[2], "Wrong archive", argv[1]))
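A pre-flight check on the archive before it is mailed, as an added example that is not part of the thread or of send.py: it reports whether the archive has exactly one member, whether that member is password-protected and opens with "infected" (the convention Peacekeeper asked about), and whether the archive is intact, which are the conditions an "extraction failure" report would point at. It assumes the ZipCrypto form that pyminizip writes; the standard library cannot write that form, so the constructed test input is an unencrypted zip, which the check flags.

```python
import io
import zipfile

# Convention from the thread: submissions are zipped with the password "infected".
SUBMISSION_PASSWORD = b"infected"


def check_submission_archive(data, password=SUBMISSION_PASSWORD):
    """Return a list of problems found in a sample archive (empty = looks fine).

    Checks: the data is a readable zip, it holds exactly one member, the member
    is encrypted, it opens with the expected password, and its CRC verifies.
    Only the standard ZipCrypto encryption that pyminizip produces is handled.
    """
    problems = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as e:
        return ["not a readable zip archive: %s" % e]
    with zf:
        members = zf.infolist()
        if len(members) != 1:
            problems.append("expected exactly one member, found %d" % len(members))
        for info in members:
            if not info.flag_bits & 0x1:  # general-purpose bit 0 = member is encrypted
                problems.append("%s is not password-protected" % info.filename)
                continue
            try:
                zf.read(info.filename, pwd=password)  # CRC is verified on read
            except RuntimeError:  # raised by zipfile on a bad password
                problems.append("%s does not open with the expected password" % info.filename)
            except zipfile.BadZipFile as e:
                problems.append("%s is corrupt: %s" % (info.filename, e))
    return problems


def build_plain_zip(name, payload):
    """Constructed test input: an unencrypted zip (stdlib cannot write ZipCrypto)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed, harmless content standing in for a sample
    print(check_submission_archive(build_plain_zip("sample.bin", b"constructed test content")))
```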

              • 4. Re: malware submission fails sometimes
                Peacekeeper

                Sorry, I am only a volunteer helper here and cannot program. You can submit it to www.virustotal.com and link to the analysis results; I can then point a lab tech to the analysis.

                Try resubmitting the file; if it fails both zipping and using GetSusp, I have another way to do it but will have to talk via email. Best we try the other two options first.

                All that said, rereading, you say the file is infected, correct?

                • 5. Re: malware submission fails sometimes
                  chipitsine

                  For instance, we got "Analysis ID: 9591037" for the failing malware sample.

                  Can you have a look at the McAfee side? I guess you can find answers regarding "was the archive protected with password infected" there; there's a sample, right?

                  Anything else?

                  • 6. Re: malware submission fails sometimes
                    Peacekeeper

                    Well, as I said, I am a volunteer, just a user of the software, and note I have no McAfee permissions. That said, I can ask immediately and will post back when I get an answer.

                    • 7. Re: malware submission fails sometimes
                      chipitsine

                      I'm looking for an answer from McAfee; I'm not sure a volunteer can help here.

                      • 8. Re: malware submission fails sometimes
                        Peacekeeper

                        Well, I have emailed two McAfee lab techs who actually are the guys analyzing the false +ves, so I will get an answer as soon as one arrives at work.

                        • 9. Re: malware submission fails sometimes
                          dmeier

                          The issue is likely caused by our side. We've had sporadic submission issues that are being worked on. I don't think you need to adjust your submission process any. We do not have any REST API for you to submit through.

                           

                          - David
