chipitsine
Level 7

malware submission fails sometimes

Hello,

sometimes malware submission fails with

McAfee Labs - Beaverton                                                               
  Current Scan Engine Version:5700.7163                                                 
  Current DAT Version:7946.0000                                                         
  Thank you for your submission.                                                        
 
  Analysis ID: 9591037
 
  File Name            Findings                       Detection                    Type         Extra
  --------------------|------------------------------|----------------------------|------------|-----
  1eba.zip            |extraction failure            |                            |            |no  
 
  extraction failure [1eba.zip]                                                                           
------------------------------------------------------------------


can you have a deeper look at it ?


I attached both python script and failing malware sample to this message 

0 Kudos
41 Replies
Peacekeeper
Level 20

Re: malware submission fails sometimes

First, I have removed all samples; forum rules ask that possibly infected files are not posted here.

When you zipped the file, did you password protect it with the password infected?

I would retry the submission; maybe use GetSusp, which is mentioned in the FAQ. As long as you add your email details to its preferences, that will submit the file as well.

0 Kudos
chipitsine
Level 7

Re: malware submission fails sometimes

I attached send.py script in order to describe how we send samples.

it is not malware

OK, I uploaded both the python script and the malware sample to Yandex.Disk, Yandex.Disk (password "test")

have a look at send.py, is it ok ?

be careful about included zip, it is malware.

as we send sample from Cuckoo Sandbox, we need some automated way.

what is appropriate ? however, we are not McAfee users, we are malware researchers, so we do not have access to McAfee web interface (and it is not good for python scripting)

can you provide REST api for malware submission ?

0 Kudos
chipitsine
Level 7

Re: malware submission fails sometimes

here's send.py, is it ok ?

#!/usr/bin/env python
# coding=utf-8
from pyminizip import compress
from email.header import Header
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from email.utils import formatdate
import smtplib
from os.path import basename
from sys import argv


def sendMcAfee(filename, help_text, email):
    try:
        name = basename(filename)
        # Pack the sample into a zip protected with the password "infected".
        compress(filename, filename + ".zip", "infected", 5)
        filename += ".zip"
        name += ".zip"
        # Headers must be set as message items: keyword arguments passed to
        # MIMEMultipart() become Content-Type parameters, not mail headers.
        msg = MIMEMultipart()
        msg["From"] = email
        msg["To"] = "virus_research@mcafee.com"
        msg["Subject"] = "Potential virus"
        msg["Date"] = formatdate(localtime=True)
        msg.attach(MIMEText(help_text))
        with open(filename, 'rb') as archive:
            msg_attach = MIMEApplication(
                archive.read(),
                Name=name,
            )
            msg_attach.add_header('Content-Disposition', 'attachment',
                                  filename=(Header(name, 'utf-8').encode()))
            msg.attach(msg_attach)
        smtp = smtplib.SMTP("smtp")
        smtp.sendmail(email, "virus_research@mcafee.com", msg.as_string())
        smtp.close()
        return 0, "Success! %s" % name
    except Exception as e:
        print("McAfee error: %s" % e)
        return 1, "Something went wrong: %s" % e


if __name__ == "__main__":
    # Both <email> and <file> are required, so argv needs three entries.
    if len(argv) < 3:
        print("Usage: %s <email> <file>" % argv[0])
        exit(1)
    print(sendMcAfee(argv[2], "Wrong archive", argv[1]))

0 Kudos
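
A local pre-flight check for the question raised in this thread (is the archive really protected with the password infected, and does it extract?), added here as an example and not part of any post or of send.py. The function name `preflight` and the sample file name are assumptions, it uses only Python 3's standard `zipfile`, which decrypts the traditional ZipCrypto scheme but not AES, and it cannot say why extraction failed on the lab side.

```python
import io
import zipfile
import zlib

ENCRYPTED_FLAG = 0x1   # general-purpose bit 0: member data is encrypted
AES_METHOD = 99        # WinZip AES marker, which stdlib zipfile cannot decrypt


def preflight(zip_bytes, password=b"infected"):
    """Return a list of problems found in the archive; an empty list means it
    opens, every member is encrypted, and each one extracts with `password`."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile as exc:
        return ["not a readable zip: %s" % exc]
    problems = []
    with zf:
        members = [i for i in zf.infolist() if not i.is_dir()]
        if not members:
            problems.append("archive contains no files")
        for info in members:
            if not info.flag_bits & ENCRYPTED_FLAG:
                problems.append("%s: not password protected" % info.filename)
            elif info.compress_type == AES_METHOD:
                problems.append("%s: AES encrypted, not ZipCrypto" % info.filename)
            else:
                try:
                    zf.read(info, pwd=password)  # decrypts and checks CRC-32
                except (RuntimeError, zipfile.BadZipFile,
                        zlib.error, EOFError) as exc:
                    problems.append("%s: extraction failed: %s"
                                    % (info.filename, exc))
    return problems


if __name__ == "__main__":
    # Constructed input: a harmless archive written WITHOUT a password.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("sample.bin", b"constructed test bytes")
    for problem in preflight(buf.getvalue()):
        print(problem)
```

Run on the bytes of the zip that `compress()` wrote, before the mail is built, a non-empty result means the archive should not be sent as it is.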
Peacekeeper
Level 20

Re: malware submission fails sometimes

Sorry, I am only a volunteer helper here and cannot program. You can submit it to www.virustotal.com and link to the analysis results; I can then point a lab tech to the analysis.

Try resubmitting the file. If it fails both zipping and using getsusp, I have another way to do it but will have to talk via email. Best we try the other two options first.

All that said, rereading, you say the file is infected, correct?

0 Kudos
chipitsine
Level 7

Re: malware submission fails sometimes

for instance, we got "Analysis ID: 9591037" for the failing malware sample.

can you have a look at McAfee side ? I guess you can find answers regarding "was the archive protected with password infected" there, there's sample, right ?

anything else ?

0 Kudos
Peacekeeper
Level 20

Re: malware submission fails sometimes

Well, as I said, I am a volunteer, just a user of the software, and note I have no McAfee permissions. That said, I can ask immediately and will post back when I get an answer.

0 Kudos
chipitsine
Level 7

Re: malware submission fails sometimes

I'm looking for an answer from McAfee, I'm not sure volunteer can help here.

0 Kudos
Peacekeeper
Level 20

Re: malware submission fails sometimes

Well I have emailed two McAfee lab techs who actually are the guys analyzing the false +ves so I will get an answer as soon as 1 arrives at work.

0 Kudos
catdaddy
Level 20

Re: malware submission fails sometimes

Not certain if this thread should be moved to either 'Home User Assistance' or 'Artemis!' Discussion?

Or just leave it be?

Cliff
McAfee Volunteer
0 Kudos