
World Vision Technical Architecture

Personal Productivity Domain


Malware Submission Process

Version 1
October 2010

Global ICT
Enterprise Architecture
800 West Chestnut Avenue
Monrovia, California 91016

Revision and Signoff Sheet

Change Record

Date          Author         Version   Change Reference
27 Sept 2010  Bo Bradshaw    .1        Initial Document
26 Oct 2010   Bo Bradshaw    .2        Various format & grammar changes. Added additional content.
27 Oct 2010   Bo Bradshaw    .3        Made changes according to second review; added final form fields.
03 Nov 2010   Bo Bradshaw    Final     Added Appendix A & B; slightly modified formatting; added URL.

Reviewers

Date          Reviewer         Organization   Version Reviewed
6 Oct 2010    Neil Cannon      GICT           .1
26 Oct 2010   Chris Prescott   GICT           .2

Table of Contents

Revision and Signoff Sheet
  Change Record
  Reviewers
Table of Contents
About This Guide
  Intended Audience
  Document Feedback
  Assumptions
  Requirements
Submission Process
  Using the Malware Submission Form
    Users Information
      Username
      Users Name
      Users Email Address
    Location
      Current Country Location
      Current Office Type Location
    Operating System & Service Pack
      Operating System
      Edition
      Architecture
      Service Pack
    Malware Information
      Did a McAfee product detect the malware?
      Did another Anti-Malware product detect the malware?
      How was this potential malware discovered?
      What makes this potential malware suspicious?
      What behavior has this potential malware produced?
      How many systems has this potential malware been discovered on?
      Has the potential malware actually been executed?
      Do you have any other pertinent information to include?
      Click browse to upload the potential malware.
  Submitting
Appendix A [Malware Submission Screenshot]
Appendix B [Malware Submission Flowchart]

About This Guide

This guide describes the standard process for engaging McAfee in regard to undetected or unremediated malware.

Intended Audience
This guide is intended for World Vision IT staff who have discovered malware which McAfee does not
detect or is not able to remediate.

Document Feedback
EA welcomes your suggestions for improving documentation. If you have comments, send your
feedback to EA@wvi.org or post on the EA Community of Interest site on wvcentral.

Assumptions

- The system with the potential malware has the current version of McAfee's VirusScan Enterprise
  (VSE) installed, the current version of McAfee's AntiSpyware Enterprise (ASE) installed, and the
  current version of McAfee's DAT.
- A full McAfee on-demand scan has been run on the system with the potential malware and one of
  the following scenarios is true:
  o The suspected malware was not detected by McAfee.
  o Malware undetected by McAfee was detected by another anti-malware application.
  o Malware was detected by McAfee but was unable to be cleaned or deleted.

Requirements

- An internet connection.
- A wvcentral account.

Submission Process
Once all the requirements and assumptions of this document have been met, a submission can be made
to McAfee. In order to update their definitions, McAfee needs a copy of the suspected malware which
McAfee VSE/ASE was either unable to detect or unable to remediate. The primary method for
submitting this malware to McAfee for review is via the Malware Submission form hosted on wvcentral.
To view a screenshot of the form, see Appendix A.
https://www.wvcentral.org/cop/ICT/EA/AdminLib/MalwareSubmission.aspx

Using the Malware Submission Form

When the Malware Submission form is used, it must be filled out sequentially [from top to bottom] and
in its entirety. Failing to fill out the form in the correct order may result in data loss prior to submitting.
The form is broken into four sections:

- Users Information
- Location
- Operating System & Service Pack
- Malware Information

Each of the four subjects is specifically addressed below.

Users Information
This section contains three fields which are used to gather information about the user who is submitting
the file:

- Username
- Users Name
- Users Email Address

Username
This field will contain the username that was used to log in to wvcentral. It should be auto-populated. If
the form fails to auto-populate, then it will have to be manually entered.

Users Name
This field will contain the submitting user's full name. It should be auto-populated. If the form fails to
auto-populate, then it will have to be manually entered.

Users Email Address

This field will contain the submitting user's email address. It should be auto-populated. If the form fails
to auto-populate, then it will have to be manually entered.

Location
This section contains two fields which are used to gather information about the office in which the
suspected malware was discovered:

- Current Country Location
- Current Office Type Location

Current Country Location

This field is used to select the country in which the suspected malware was discovered. If the correct
country is not listed, please select "Not Listed" and enter the country in the pertinent information
textbox below.

Current Office Type Location

This field is used to select the office type in which the suspected malware was discovered. If the correct
office type is not listed, please select "Not Listed" and enter the office type in the pertinent information
textbox below. The currently available choices are:

- Regional Office
- Support Office
- National Office
- Not Listed

Operating System & Service Pack

This section contains four fields which are used to gather information about the operating system that is
believed to have been infected:

- Operating System
- Edition
- Architecture
- Service Pack

Operating System
This field is used to select the operating system on which the suspected malware was discovered. If the
correct operating system is not listed, please select "Not Listed" and enter the operating system in the
pertinent information textbox below.

Edition
This field is used to select the edition of the operating system on which the suspected malware was
discovered. If the correct edition is not listed, please select "Not Listed" and enter the edition in the
pertinent information textbox below.

Architecture
This field is used to select the architecture of the operating system on which the suspected malware was
discovered. If the correct architecture is not listed, please select "Not Listed" and enter the architecture
in the pertinent information textbox below.

Service Pack
This field is used to select the service pack of the operating system on which the suspected malware was
discovered. If the correct service pack is not listed, an "Other" option is available. If "Other" is selected, a
text box will be available to manually enter the correct service pack.

Malware Information
This section contains nine fields which are used to gather information about the suspected malware. All
the information relating to the suspected malware will be provided, and the suspected malware itself will
be attached. The nine fields are:

- Did a McAfee product detect the malware?
- Did another Anti-Malware product detect the malware?
- How was this potential malware discovered?
- What makes this potential malware suspicious?
- What behavior has this potential malware produced?
- How many systems has this potential malware been found on?
- Has the potential malware actually been executed?
- Do you have any other pertinent information to include?
- Click browse to upload the potential malware.

Did a McAfee product detect the malware?

This field presents two options: "yes, but it was unable to clean or delete it" and "no". If the "yes"
option is selected, a textbox will be presented where the name of the malware can be entered.

Did another Anti-Malware product detect the malware?

This field presents two options: "yes" and "no". If the "yes" option is selected, two textboxes will be
presented: one for the name the product assigned to the malware, and one for that product's name,
version/engine, and definition number.

How was this potential malware discovered?

This field presents a textbox where a short description can be entered in regard to what led to the
discovery of the potential malware.

What makes this potential malware suspicious?

This field presents a textbox where a short description can be entered in regard to what makes this
potential malware suspicious.

What behavior has this potential malware produced?

This field presents a textbox where a short description can be entered in regard to what behavior(s)
this potential malware has produced.

How many systems has this potential malware been discovered on?
This field presents a textbox where a short description can be entered in regard to the number of
systems in which the potential malware has been discovered.

Has the potential malware actually been executed?

This field presents two options: "yes" and "no". If the "yes" option is selected, a textbox will be
presented where the post-execution symptoms can be explained.

Do you have any other pertinent information to include?

This field presents a textbox where any additional information can be entered. This may include
anything from the country the system is in [if the correct choice isn't available in the country
dropdown box] to the office type, operating system, or anything else the submitting user deems
necessary.

Click browse to upload the potential malware.

This field contains one button that, when pressed, lets the user navigate their system to locate the
potential malware to upload and submit.

Submitting
Once the form has been completely filled out and the potential malware attached, it can be submitted.
Press the submit button at the bottom. If everything was filled out and submitted properly, the page will
refresh and a message will appear at the top stating, "Malware information entered is saved and emailed. A
copy has been emailed to you." At that point the machine with the potential malware should have the
Malware Remediation process run against it and be quarantined until McAfee responds and a further
course of action can be determined.
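The form's field rules (every field required, "Not Listed" and "Other" deferring the real value to a free-text box, "yes" answers revealing further required textboxes) are what decide whether a submission is complete enough for McAfee to act on. The following is an added example, not part of this guide or of the wvcentral form, that models those rules as a validator over a submission record; the field names, the "Other" option label and the sample values are assumptions, since the guide does not give the form's internal identifiers.

```python
# Added example: validator for a malware-submission record modelled on the
# field rules described in this guide. Field names, the "Other" label and all
# sample values are assumptions; the form's real identifiers are not given.
from dataclasses import dataclass, replace

NOT_LISTED = "Not Listed"   # dropdown choice that moves the real value to the pertinent-information box
SP_OTHER = "Other"          # assumed label of the service-pack option that reveals a manual text box
OFFICE_TYPES = {"Regional Office", "Support Office", "National Office", NOT_LISTED}


@dataclass
class MalwareSubmission:
    # Users Information
    username: str
    user_name: str
    user_email: str
    # Location
    country: str
    office_type: str
    # Operating System & Service Pack
    operating_system: str
    edition: str
    architecture: str
    service_pack: str
    service_pack_other: str = ""
    # Malware Information
    mcafee_detected: bool = False        # True = "yes, but it was unable to clean or delete it"
    mcafee_malware_name: str = ""
    other_av_detected: bool = False
    other_av_malware_name: str = ""
    other_av_product: str = ""           # product name, version/engine, definition number
    how_discovered: str = ""
    why_suspicious: str = ""
    behavior: str = ""
    systems_affected: str = ""
    executed: bool = False
    post_execution_symptoms: str = ""
    pertinent_info: str = ""
    attachment_filename: str = ""


def validate(sub: MalwareSubmission) -> list[str]:
    """Return the list of problems; an empty list means the record is complete."""
    errors: list[str] = []

    def require(value: str, label: str) -> None:
        if not value.strip():
            errors.append(f"{label} is required")

    # Every unconditional field must be filled in ("in its entirety").
    for value, label in (
        (sub.username, "Username"), (sub.user_name, "User's name"),
        (sub.user_email, "User's email address"), (sub.country, "Country"),
        (sub.office_type, "Office type"), (sub.operating_system, "Operating system"),
        (sub.edition, "Edition"), (sub.architecture, "Architecture"),
        (sub.service_pack, "Service pack"), (sub.how_discovered, "How discovered"),
        (sub.why_suspicious, "What makes it suspicious"), (sub.behavior, "Behavior produced"),
        (sub.systems_affected, "Number of systems"), (sub.attachment_filename, "Attached sample"),
    ):
        require(value, label)

    if sub.office_type and sub.office_type not in OFFICE_TYPES:
        errors.append(f"Office type {sub.office_type!r} is not one of the form's choices")

    # "Not Listed" defers the real answer to the free-text box, so that box cannot be empty.
    deferred = [label for value, label in (
        (sub.country, "country"), (sub.office_type, "office type"),
        (sub.operating_system, "operating system"), (sub.edition, "edition"),
        (sub.architecture, "architecture"),
    ) if value == NOT_LISTED]
    if deferred and not sub.pertinent_info.strip():
        errors.append("Pertinent information must state the " + ", ".join(deferred)
                      + " because 'Not Listed' was selected")

    # Conditional textboxes revealed by "Other" / "yes" answers.
    if sub.service_pack == SP_OTHER:
        require(sub.service_pack_other, "Service pack (other)")
    if sub.mcafee_detected:
        require(sub.mcafee_malware_name, "McAfee detection name")
    if sub.other_av_detected:
        require(sub.other_av_malware_name, "Other product's detection name")
        require(sub.other_av_product, "Other product's name, version/engine and definition number")
    if sub.executed:
        require(sub.post_execution_symptoms, "Post-execution symptoms")
    return errors


def sample_submission() -> MalwareSubmission:
    """A constructed, complete record; every value here is made up for the example."""
    return MalwareSubmission(
        username="jdoe", user_name="Jane Doe", user_email="jdoe@example.org",
        country="Kenya", office_type="National Office",
        operating_system="Windows XP", edition="Professional", architecture="32-bit",
        service_pack="SP3",
        other_av_detected=True, other_av_malware_name="Trojan.Generic",
        other_av_product="ExampleAV 4.2 / engine 1.0 / definitions 12345",
        how_discovered="User reported pop-ups after opening an e-mail attachment",
        why_suspicious="Unknown executable in %TEMP% set to run at logon",
        behavior="Outbound connections to an unknown host every 5 minutes",
        systems_affected="1", executed=True, post_execution_symptoms="Pop-ups, high CPU",
        attachment_filename="sample.zip",
    )


def incomplete_submission() -> MalwareSubmission:
    """Same record with 'Not Listed' chosen and two conditional textboxes left blank."""
    return replace(sample_submission(), country=NOT_LISTED, pertinent_info="",
                   mcafee_detected=True, mcafee_malware_name="")
```

Running `validate(incomplete_submission())` reports exactly the two gaps a reviewer at McAfee would otherwise have to chase: the country hidden behind "Not Listed" and the missing McAfee detection name. Keeping these checks in one place also makes it easy to add any further conditional field the form gains later.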

Appendix A [Malware Submission Screenshot]

Appendix B [Malware Submission Flowchart]