How to send malware to Microsoft for analysis

When you suspect that a file or a program is malicious, you can send the file to the Microsoft Research and Response team for analysis. Malicious files or programs (malware) may include viruses, spyware, worms, and adware. Additionally, if you are using Microsoft Forefront Client Security, you can indicate how this program determined that the file is malicious.

This article describes the methods that you can use to send malware files to Microsoft for analysis. The article also describes how to prepare files for submission. 

This article describes the methods that you can use to send malware files to Microsoft for analysis.

You can use one of the following methods to send malware files to Microsoft for analysis:  

• Web-based submission
• Submission by Microsoft Customer Support Services
• Prompted Submission

You can use these methods if you suspect that a file or a program may be malicious (for example, you suspect that the file or program is a virus, a worm, spyware, or adware). For more information on how to send malware files to Microsoft for analysis, see the "Web-based submission" section, the "Submission by Microsoft Customer Support Services" section, or the "Prompted submission" section.

Web-based submission

To send files to Microsoft for analysis by using the Web, visit the following Microsoft website:Follow the steps in the "Submit a sample" section of the Malware protection center to prepare an archive file that contains suspected malware files that you want to send. 

The response message

Microsoft will send a response message that includes a list of the files in the archive file. If Microsoft has already analyzed the files that you sent, the first response message will include the determination that was made for each file. If Microsoft has not analyzed the files, or if you indicate that the files were incorrectly determined to be malicious software, Microsoft will analyze the files.

To correctly understand the response message, you must understand the difference between a determination and the scan results.

The differences between a determination and the scan results

• Determination
  A determination is associated with a particular file. Microsoft analyzed the determination and entered it into the Research and Response team's database.
• Scan results
  Scan results are the results of the scans that are run on the individual files by the anti-malicious software definitions.

The determination and the scan result are only the same after a file is sent to Microsoft and is reviewed by an analyst.

Note The determination may appear as "No determination" even if the Microsoft scan results show that the file is infected. This situation occurs when the detection is made by using a generic algorithm that applies to a family of malware. This situation may occur when a .gen file name extension is appended to the name of the malicious software, as in the "TrojanDownloader:Win32/Emerleox.gen" file name. In this situation, the determination does not fully represent whether Forefront Client Security determines that a file is malware. 

Analysis results

After analysis is finished, another message is sent to the e-mail addresses that you provided. This message includes a final determination of the files. If the Microsoft anti-malicious software definitions were updated in response to this submission, the message also includes the following information:

• The name and the category of the malware.
• An Internet link to an online encyclopedia entry about this malware threat.
  
  Note It may take a short time after the response message is sent for an encyclopedia entry to appear on the Internet.
• The version of the definition that includes the information about this threat.
• An Internet link to a location that includes the beta definition file.
  
  Note See the "Beta definitions" section for more information.

Submission by Microsoft Customer Support Services

Microsoft Customer Support Services can send files on your behalf to the Microsoft Research and Response team. If you have an urgent malware situation that Forefront Client Security does not address, we recommend that you contact Customer Support Services for help. To do this, use the support information that was provided to you when you purchased Forefront Client Security. Or, visit the following Microsoft website:

Prompted submission

The Microsoft Research and Response team may indicate files from which the team can derive more information. If you join the Microsoft SpyNet community, and if Forefront Client Security detects software on the computer that has not yet been classified for risks, you might be asked to send a sample of the software to Microsoft SpyNet for analysis. When you are prompted, Forefront Client Security displays a list of files that can help analysts determine whether the software is malicious. You can decide to send some or all the files in the list.

Forefront Client Security lets administrators control whether they are joined to the Microsoft SpyNet community by using Group Policy settings. For more information about how to do this, see the Forefront Client Security Administration guide.

How to prepare files for submission

Use care when you handle files that may be classified as malware. Add suspected malware files to a compressed archive file that uses a password. By doing this, you avoid infecting other computers when the files are in transit or when you send the files. To add the files to an archive file that uses a password, follow these steps.

Note If WinZip or a similar compression utility is installed, you can use it to create the archive. However, you must use the same file name and the same password that are included in these steps.

1. In Windows Explorer, open the folder that contains the suspected malware files.
2. Right-click a blank area in the window, point to New, and then click Compressed (zipped) Folder.
3. Type malware.zip to name the new archive file, and then press ENTER.
4. Drop the suspected malicious software files into the archive file as you would drop them into a typical Windows folder.
5. Double-click the archive file.
6. On the File menu, click Add a Password.
7. In the Password box, type infected.
8. In the Confirm Password box, retype infected, and then click OK.

Beta definitions

The Microsoft Research and Response team updates malicious software definitions with new threat information. Then, the team extensively tests the new definitions. Although this testing protects you as a Forefront Client Security user, the time that is required to perform this testing may be critical during a malicious software crisis in your environment.

Therefore, Microsoft makes available a partially tested beta definition that you can download before the fully tested release version becomes available. You can quickly deploy this beta definition to infected computers. The beta definition may also help protect uninfected computers that are at immediate risk of infection. Beta definitions are not intended for wide deployment. We recommend that Forefront Client Security customers do not deploy them unless the customers are experiencing the malicious software threat for which the beta definitions were explicitly created.

For more information please refer to this Microsoft Knowledge base article:


The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.