How can I report false positives or Virus/Trojan/Malware samples to the Gateway AntiVirus team?
08/03/2020 1613 27174
There are times when a virus, Trojan or malware is not blocked by the SonicWall. This is usually because the sample is new and no signature for it has been added to our database yet, or because it is a variant of an existing signature. In both cases the traffic passes through the firewall without matching any signature. In other cases a block by the GAV service may be a false positive: the firewall judges that the traffic closely resembles an existing signature and blocks it as a precaution.
SonicWall is committed to providing reasonably prompt responses to your submissions, depending on the complexity of the submission. In most cases the GAV research team will endeavor to respond to your submission within one business day, where it is reasonable to do so. In more complex cases the GAV research team may need additional time, and exact response times vary on a case-by-case basis depending on a number of factors.
This article describes how to submit Virus/Trojan/Malware samples to the Gateway AntiVirus team for analysis. This also applies to false positives with IPS.
In order to investigate the issue, our engineering team requires a sample of the Virus/Trojan/Malware or a unique identifier for it, such as the MD5 checksum of the file. Here is how to provide a sample for a Virus/Trojan/Malware or a false positive:
1. Create a ticket describing the issue and other relevant details, and attach the firewall logs.
   To download the firewall logs, navigate to INVESTIGATE | Event Logs and click the export icon. Exporting in CSV format is preferred.
2. Handle the Virus/Trojan/Malware samples with care.
   CAUTION: DO NOT DOWNLOAD THE SAMPLES TO YOUR WORK COMPUTER. Use a computer on the lab/test network that is not connected to the office network to upload these samples. DO NOT attach the samples to the SFDC case.
3. Collect the Virus/Trojan/Malware sample and upload it using the form below, entering the case number / Tracking ID in the SFDC # field during the upload.
   By default the submission type is set to Gateway Antivirus; the sample is uploaded to the Virus Database and the Gateway Antivirus team is notified of your submission.
   Always include the case # / Tracking ID so that the sample can be correlated with the case.
4. Update the case with the virus sample Submission ID number that is provided after the sample is submitted.
5. Also update the case with the email address that was used to submit the sample.
6. If possible, attach the Technical Support Report (TSR) and the settings (EXP) file from the SonicWall appliance.
   To download a TSR, navigate to INVESTIGATE | System Diagnostics | Download Report.
   To download a settings file, navigate to MANAGE | Firmware & Backups | Import/Export Configuration.
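The introduction above says the team can work from a unique identifier such as the MD5 checksum of the file instead of the sample itself. The script below is an added example, not SonicWall's own tooling: it streams a file from disk in binary mode (the file is read, never executed), computes MD5 alongside SHA-1 and SHA-256 in a single pass so all three can go into the case, and renders a plain-text note to paste into the ticket. The file name `suspicious.bin`, the placeholder case ID, and the sample bytes are constructed for the demonstration; run it on the isolated lab machine the article requires.

```python
import hashlib
import io
import os
import tempfile

# Read the file in 1 MiB pieces so a large sample is never held in memory at once.
CHUNK_SIZE = 1024 * 1024
# MD5 is what the article asks for; SHA-1 and SHA-256 are included because most
# vendors and sandboxes key on them too, and they cost nothing extra in one pass.
ALGORITHMS = ("md5", "sha1", "sha256")


def hash_stream(fh):
    """Hash a binary stream with every algorithm in ALGORITHMS in one pass.

    Returns a dict with the byte count under "size" and hex digests under each
    algorithm name.
    """
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    size = 0
    for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
        size += len(chunk)
        for h in hashers.values():
            h.update(chunk)
    result = {name: h.hexdigest() for name, h in hashers.items()}
    result["size"] = size
    return result


def hash_bytes(data):
    """Convenience wrapper for in-memory data (handy for checking known test vectors)."""
    return hash_stream(io.BytesIO(data))


def hash_sample(path):
    """Open the sample read-only in binary mode and hash it; the file is never executed."""
    with open(path, "rb") as fh:
        result = hash_stream(fh)
    result["file"] = os.path.basename(path)
    return result


def format_case_note(info, case_id):
    """Render a plain-text block ready to paste into the support case."""
    lines = [
        f"Case / Tracking ID: {case_id}",
        f"File name: {info.get('file', '<in-memory data>')}",
        f"Size (bytes): {info['size']}",
    ]
    for name in ALGORITHMS:
        lines.append(f"{name.upper()}: {info[name]}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed stand-in for a quarantined sample: harmless bytes in a temp file.
    # A real sample stays on the isolated lab machine, as the article requires.
    with tempfile.TemporaryDirectory() as workdir:
        sample_path = os.path.join(workdir, "suspicious.bin")  # constructed name
        with open(sample_path, "wb") as fh:
            fh.write(b"constructed placeholder content, not malware\n")
        info = hash_sample(sample_path)
        print(format_case_note(info, "CASE-PLACEHOLDER-0000"))  # placeholder case ID
```

Paste the printed note into the case together with the Submission ID and the submitting e-mail address from steps 4 and 5; hashing in binary mode matters because a text-mode read on Windows would translate line endings and produce a checksum that does not match the file the GAV team receives.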