Q&A How do you submit False Positive samples to McAfee effectively?

Anthony Qian

Level 3
Apr 17, 2021
149
757
Hi,

I’ve been using McAfee recently and I encountered some False Positive issues. Actually, I am not surprised that McAfee has a relatively high FP rate, but what surprises me most is how hard it is to get McAfee to rectify these FP problems.

I followed their False Positive submission procedure published on their website. After sending the email to virus_research@avertlabs.com, all I got was an automatic analysis report saying the submitted sample can be detected with current DAT files. (Idk the purpose of this report. An FP sample, by definition, is definitely incorrectly detected by your engine!)

After several days, I did a rescan and found the FP problem still existed. According to the procedure, I then re-sent my samples and added NOAUTO to the subject line. Again, I got an automatic analysis report, the same as the previous one.

I tried to contact their customer support, but I cannot access the chat function. I tried to get help from their official forum, but the moderator replied to me with the above FP submission procedure.

Does anyone have similar experiences or a better way to submit FP samples to McAfee?
 

Farhad24

Level 1
Mar 24, 2021
26
159
Norton and McAfee are both the same; they don't care that much about user submissions.
This is probably the main reason they got high FP in tests as well. They do not get any help from outsiders and mainly rely on their own lab.
If I've submitted 30 samples to Norton since 3 years ago (the last one was like 4-5 months ago),
I only got about 3 of them replied to or reclassified.
The same thing goes for McAfee too.

I would say this is the way American companies work? Since sending samples to TrendMicro is a cancer too. It's just so hard to find a way to submit it to them. I remember a year ago that I was on chat with their agents; even they didn't know how you should do that. One of them gave me their own upload centre to upload my samples! One of them told me to open a support case, which I did, and well, they will ask like 1000 questions from you to see where you found the sample and why you want to submit it, etc. It's just a pain in the A. But Webroot is not the same; they actually care about users' submissions.

SOPHOS, Dr.Web, F-Secure, GDATA and Avast are the good ones in this era.
 

Anthony Qian

Level 3
Apr 17, 2021
149
757
Farhad24 said:
> Norton and McAfee are both the same; they don't care that much about user submissions.
> This is probably the main reason they got high FP in tests as well. They do not get any help from outsiders and mainly rely on their own lab.
> If I've submitted 30 samples to Norton since 3 years ago (the last one was like 4-5 months ago),
> I only got about 3 of them replied to or reclassified.
> The same thing goes for McAfee too.
>
> I would say this is the way American companies work? Since sending samples to TrendMicro is a cancer too. It's just so hard to find a way to submit it to them. I remember a year ago that I was on chat with their agents; even they didn't know how you should do that. One of them gave me their own upload centre to upload my samples! One of them told me to open a support case, which I did, and well, they will ask like 1000 questions from you to see where you found the sample and why you want to submit it, etc. It's just a pain in the A. But Webroot is not the same; they actually care about users' submissions.
>
> SOPHOS, Dr.Web, F-Secure, GDATA and Avast are the good ones in this era.

My FP submission experience with Norton is good. I use the Symantec submission system to submit FP. They usually process my submission within 2 days. :)
 

plat1098

Level 25
Verified
Sep 13, 2018
1,495
13,003
Anthony Qian said:
> My FP submission experience with Norton is good. I use the Symantec submission system to submit FP.

Your submissions are "triaged" most of the time. My experience with Norton/Symantec was also very good, very professional. In general, I found that a false positive related to a Microsoft app, especially a freshly updated one, will receive priority. For example: I ran Norton Power Eraser right after the Edge browser updated. Three new exe/s were then uploaded. Within just a couple of hours, Symantec responded, and within four hours, each false positive was removed.
 

harlan4096

Moderator
Verified
Staff member
Malware Hunter
Apr 28, 2015
7,451
68,778
Farhad24 said:
> I would say this is the way American companies work? Since sending samples to TrendMicro is a cancer too. It's just so hard to find a way to submit it to them. I remember a year ago that I was on chat with their agents; even they didn't know how you should do that. One of them gave me their own upload centre to upload my samples! One of them told me to open a support case, which I did, and well, they will ask like 1000 questions from you to see where you found the sample and why you want to submit it, etc. It's just a pain in the A.

I can confirm this question with TM (currently testing it in Malware Hub), and I could not find any working/proper site to submit undetected samples 🤢🙄 so it seems they don't mind... 🤷‍♂️
 

Anthony Qian

Level 3
Apr 17, 2021
149
757
Farhad24 said:
> Norton and McAfee are both the same; they don't care that much about user submissions.
> This is probably the main reason they got high FP in tests as well. They do not get any help from outsiders and mainly rely on their own lab.
> If I've submitted 30 samples to Norton since 3 years ago (the last one was like 4-5 months ago),
> I only got about 3 of them replied to or reclassified.
> The same thing goes for McAfee too.
>
> I would say this is the way American companies work? Since sending samples to TrendMicro is a cancer too. It's just so hard to find a way to submit it to them. I remember a year ago that I was on chat with their agents; even they didn't know how you should do that. One of them gave me their own upload centre to upload my samples! One of them told me to open a support case, which I did, and well, they will ask like 1000 questions from you to see where you found the sample and why you want to submit it, etc. It's just a pain in the A. But Webroot is not the same; they actually care about users' submissions.
>
> SOPHOS, Dr.Web, F-Secure, GDATA and Avast are the good ones in this era.

I eventually got in touch with McAfee's customer support and discussed the problem with them. Much to my surprise, the representative believes the problem is resolved if McAfee does not detect the sample after I manually exclude it from scanning, without asking me to provide the sample for analysis.

After some thinking, I believe the key difference between McAfee and Kaspersky (Dr. Web) in terms of their attitudes to FP is that McAfee views the analysis of client-submitted samples as a service, while Kaspersky views it as a contribution to their technology/engine.
 