Currently we are using GetSusp submissions for tracking prevalence. Only prevalent files get whitelisted or blacklisted.
Excepting rootkits - GetSusp has a high success rate in isolating malicious files. On a corporate network - once we whitelist most of the common files - the reports make it fairly easy to spot the odd files out.
For now - please escalate the workitem id via the portal or email for a speedy response and extra.dat. The tool is still in beta - we don't have dedicated personnel looking at every incoming submission.
The backend automation systems auto tag incoming submissions as platinum or gold by looking up the entitlement status of the email domain. All you would have to do is specify your corporate email address in GetSusp preferences.
Another month has passed. Is there any update on backend processing?
When will GetSusp not be Beta and start production processing of reported files?
Also if I escalate the Work Item ID number via the portal, I assume I do not need to also submit the archive file. Is that correct? If I just escalate the Work Item ID number, how will extra.dat files be handled? Normally sample files submitted via the portal provide a download link when an extra.dat file is available for the sample.
In next month's sprint cycle - the backend automation for GetSusp is being enhanced to respond with extra.dats. Whenever a sample is submitted via GetSusp:
- if it's already detected in Daily DATs, an email requesting to update to the latest DATs is sent.
- if it's already detected in Beta DATs, an extra.dat will be sent.
- if detection is added by a researcher or automation post submission - the system will automatically respond with an extra.dat.
For now - you would have to manually post the archive or pick only the suspicious files and submit them to the Portal to receive an extra.dat.