How to send malware to Microsoft for analysis
Article ID: 939288
When you suspect that a file or a program is malicious, you can send the file to the Microsoft Research and Response team for analysis. Malicious files or programs (malware) may include viruses, spyware, worms, and adware. Additionally, if you are using Microsoft Forefront Client Security, you can indicate how this program determined that the file is malicious.
This article describes the methods that you can use to send malware files to Microsoft for analysis. The article also describes how to prepare files for submission.
You can use one of the following methods to send malware files to Microsoft for analysis:
Web-based submission
To send files to Microsoft for analysis by using the Web, visit the following Microsoft website:
Malware protection center
Follow the steps in the "Submit a sample" section of the Malware protection center to prepare an archive file that contains suspected malware files that you want to send.
The response message
Microsoft will send a response message that includes a list of the files in the archive file. If Microsoft has already analyzed the files that you sent, the first response message will include the determination that was made for each file. If Microsoft has not analyzed the files, or if you indicate that the files were incorrectly determined to be malicious software, Microsoft will analyze the files.
To correctly understand the response message, you must understand the difference between a determination and the scan results.
The differences between a determination and the scan results
Note The determination may appear as "No determination" even if the Microsoft scan results show that the file is infected. This situation occurs when the detection is made by using a generic algorithm that applies to a family of malware. This situation may occur when a .gen file name extension is appended to the name of the malicious software, as in the "TrojanDownloader:Win32/Emerleox.gen" file name. In this situation, the determination does not fully represent whether Forefront Client Security determines that a file is malware.
Analysis results
After analysis is finished, another message is sent to the e-mail addresses that you provided. This message includes a final determination of the files. If the Microsoft anti-malicious software definitions were updated in response to this submission, the message also includes the following information:
Submission by Microsoft Customer Support Services
Microsoft Customer Support Services can send files on your behalf to the Microsoft Research and Response team. If you have an urgent malware situation that Forefront Client Security does not address, we recommend that you contact Customer Support Services for help. To do this, use the support information that was provided to you when you purchased Forefront Client Security. Or, visit the following Microsoft website:
Microsoft Consumer Security Support Center
Prompted submission
The Microsoft Research and Response team may indicate files from which the team can derive more information. If you join the Microsoft SpyNet community, and if Forefront Client Security detects software on the computer that has not yet been classified for risks, you might be asked to send a sample of the software to Microsoft SpyNet for analysis. When you are prompted, Forefront Client Security displays a list of files that can help analysts determine whether the software is malicious. You can decide to send some or all of the files in the list.
Forefront Client Security lets administrators control whether they are joined to the Microsoft SpyNet community by using Group Policy settings. For more information about how to do this, see the Forefront Client Security Administration guide.
How to prepare files for submission
Use care when you handle files that may be classified as malware. Add suspected malware files to a compressed archive file that uses a password. By doing this, you avoid infecting other computers when the files are in transit or when you send the files. To add the files to an archive file that uses a password, follow these steps.
Note If WinZip or a similar compression utility is installed, you can use it to create the archive. However, you must use the same file name and the same password that are included in these steps.
Beta definitions
The Microsoft Research and Response team updates malicious software definitions with new threat information. Then, the team extensively tests the new definitions. Although this testing protects you as a Forefront Client Security user, the time that is required to perform this testing may be critical during a malicious software crisis in your environment.
Therefore, Microsoft makes available a partially tested beta definition that you can download before the fully tested release version becomes available. You can quickly deploy this beta definition to infected computers. The beta definition may also help protect uninfected computers that are at immediate risk of infection. Beta definitions are not intended for wide deployment. We recommend that Forefront Client Security customers do not deploy them unless the customers are experiencing the malicious software threat for which the beta definitions were explicitly created.
For more information, see the following Microsoft Knowledge Base article:
How to download the latest beta malicious software definition update for Forefront Client Security (http://support.microsoft.com/kb/939757/)
The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.