There are several reasons why a sample should be submitted to Sophos. Use the instructions on this page in the following situations:
- You have experienced strange behavior on a computer and found a suspicious file that may be malware
- Another anti-virus product reports that a file is infected and you want to double-check the result, or to report to Sophos that it was missed
- A Sophos product has warned that a suspicious file was found on the computer but does not say for sure whether it is safe
- Sophos has asked you to submit a file, either during a malware investigation or on a security description page
- You believe the detection of a certain file or website is incorrect and needs to be reassessed.
Submit samples directly to the Sophos website
The quickest and most efficient way to submit samples for analysis is the online submission form on the Submit a sample page.
- Click Submit a Sample, then Sample File (to report a website, choose Web Address (URL) instead)
- Choose either of the Endpoint protection options for product/service
- Provide the required details and the sample files or website URL
- Click the Submit button.
This form enables you to give Sophos all relevant information on your sample. This will help us to analyze it with maximum speed and efficiency.
Note for URL submissions: URL categorization requests are reviewed and re-classified as quickly as possible, but once a site has been re-classified it may take up to five business days for the change to reach your Sophos product.
- Explain why you are sending the file and who is sending it. Tell us about any odd behavior that prompted the submission, describing it as best you can in everyday language; we don't expect you to know the technical terms our specialists use.
- Files submitted directly to the website are limited to 25 MB. If the file is too big, include a message asking for additional upload options and/or a download link from the official vendor's website.
Submit samples via email
If possible, construct the email as outlined below, in English.
- There are many layers of malware protection between your system and ours, and the files you send must pass through them without being blocked as malware. Before sending us a suspicious file, put it in a password-protected zip file. We can process email messages and submitted files in other formats, but this will probably take longer.
- If you can, include a summary of the problem in English. Email messages written entirely in other languages will be dealt with as rapidly as possible, but translation may delay the process.
| Field | Content |
|---|---|
| Subject | Sample submitted for analysis |
| Attachments | A password-protected zip file containing your suspicious file(s). If the affected computer does not run Windows (for example Macintosh, Linux or UNIX), use the standard compression format for that platform, such as StuffIt or gzip. |
| Why have you sent this sample? | What made the file suspicious? Give full details of any symptoms. For example: |
| Operating system | Which operating system (for example, which version of Windows) is the affected computer running? |
| Your details | Please provide the following details: |
| Password | The password to decrypt the attached password-protected zip file. |
Understanding the context of a detection
It is important to treat every detection as malicious and not authorize anything in your environment unless you are confident it is safe to do so.
Potentially Unwanted Application (PUA) detections are not malicious, but the application may not be something you want running on a corporate network. PUA detections have names such as:
- Generic ML PUA
- Generic Reputation PUA
- Generic PUA*
For malicious detections that you may wish to investigate further, some example detection names are:
Further understanding detections
The table below lists malicious and clean indicators. Use them purely as indicators, not as confirmation that a file is malicious or clean. Even a file that exhibits all of the clean indicators could still be malicious, and a clean file may show many suspicious indicators.
| Malicious indicator | Clean indicator |
|---|---|
| Detection of an unknown file, possibly with a random name, for example: | Detection of known files that belong to a legitimate application*. |
| An executable file in a | Executable files that have a name relevant to the location or application they have been detected in. For example: |
| Detection of a file that was created at the time of the detection or shortly before. | Detection of a file that has been on the device for a longer period of time, i.e. weeks or months. |
| Other recent detections on the same device. | The detection occurred during the installation of new software in your environment (including new antivirus software). |
| The file is detected by other antivirus vendors (instructions on how to check this are below). | No other antivirus vendors are detecting it (instructions on how to check this are below). |
* Note: legitimate applications are routinely abused by attackers, who for example use exploits or inject code into them in order to make them take malicious actions.
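As an added example (not Sophos code), the following Python script gathers the details the submission form and email ask for (hashes, size against the 25 MB web limit, operating system, where the file lives and how old it is) and evaluates the file-age, random-name and location indicators from the table above on a real file. The suspicious-directory list, the random-name heuristic, the executable extension list and the 24-hour "shortly before" window are assumptions of this example, not Sophos thresholds.

```python
"""Gather submission details and context indicators for a suspicious file.

Added example, not Sophos code. The 25 MB limit and the OS, file-age,
random-name and location indicators come from the article; the directory
list, the random-name heuristic and the 24-hour window are assumptions.
"""
import hashlib
import os
import platform
import re
import time

WEB_LIMIT_BYTES = 25 * 1024 * 1024  # limit on the online submission form
RECENT_WINDOW_S = 24 * 3600         # assumption: "shortly before" = within a day
# Assumption: a fresh executable in one of these locations is more suspicious.
SUSPICIOUS_DIRS = ("temp", "tmp", "downloads", "appdata", "programdata", "public")
EXEC_EXT = {".exe", ".dll", ".scr", ".msi", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".hta"}


def file_hashes(path):
    """MD5/SHA-1/SHA-256 in one pass; SophosLabs and VirusTotal key on these."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            md5.update(chunk)
            sha1.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(), "sha256": sha256.hexdigest()}


def looks_random(filename):
    """Assumption: hex blobs or long letter/digit mixes (x8f3k2q9w.exe) count as
    'random'; ordinary names (setup.exe, install64.exe) do not."""
    stem = os.path.splitext(os.path.basename(filename))[0]
    if len(stem) < 8 or not stem.isalnum():
        return False
    if re.fullmatch(r"[0-9a-fA-F]+", stem):
        return True
    digits = sum(c.isdigit() for c in stem)
    return digits / len(stem) >= 0.3


def assess(path, detection_time=None):
    """Return submission details plus the indicators from the table above."""
    detection_time = detection_time or time.time()
    st = os.stat(path)
    # Windows reports creation time in st_ctime; macOS/BSD expose st_birthtime;
    # on Linux st_ctime is the inode change time, so mtime is the fallback.
    created = getattr(st, "st_birthtime", None) or (st.st_ctime if os.name == "nt" else st.st_mtime)
    age_s = detection_time - created
    lowered = os.path.abspath(path).lower()
    ext = os.path.splitext(path)[1].lower()
    return {
        "path": os.path.abspath(path),
        "size": st.st_size,
        "hashes": file_hashes(path),
        "os": platform.platform(),
        "age_days": round(age_s / 86400, 2),
        # Over the web limit: ask for another upload option or send a vendor link.
        "route": "website" if st.st_size <= WEB_LIMIT_BYTES else "email-or-download-link",
        "indicators": {
            "created_shortly_before_detection": 0 <= age_s <= RECENT_WINDOW_S,
            "random_name": looks_random(path),
            "executable_in_suspicious_dir": ext in EXEC_EXT and any(d in lowered for d in SUSPICIOUS_DIRS),
        },
    }


def summary(report):
    """Plain-text block to paste into the 'Why have you sent this sample?' field."""
    lines = [f"File: {report['path']} ({report['size']} bytes, route: {report['route']})"]
    lines += [f"{k.upper()}: {v}" for k, v in report["hashes"].items()]
    lines.append(f"OS: {report['os']}; file age at detection: {report['age_days']} days")
    hits = [k for k, v in report["indicators"].items() if v]
    lines.append("Suspicious indicators: " + (", ".join(hits) if hits else "none"))
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    print(summary(assess(sys.argv[1])))
```

Run it as `python triage_context.py <path-to-sample>` and paste the output into the submission; the hashes also let SophosLabs match the file even if the attachment is stripped in transit.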
How to check if other antivirus vendors detect a file
Sometimes it helps to get an idea of whether a file is malicious by comparing the Sophos detection with those of other antivirus vendors.
Websites like VirusTotal.com are a very useful resource for this.
VirusTotal is a free-to-use service owned by Google.
VirusTotal inspects items with over 70 antivirus scanners and URL/domain blacklisting services, in addition to a myriad of tools to extract signals from the studied content. Any user can select a file from their computer using their browser and send it to VirusTotal.
VirusTotal is a powerful and easy-to-use resource, but it is only an indicator of what other antivirus vendors think about a file or URL and should not be used as confirmation that a file is malicious or clean. Even if every other vendor detects the same file, they could all be wrong. Likewise, if nobody detects it, that may be because it is a new attack that nobody yet has detection for, not because the file is clean.
Using and understanding VirusTotal results
The easiest way to use VirusTotal for file analysis is to upload the file directly on VirusTotal.com (drag and drop also works). Before uploading, consider searching for the file's hash (for example its SHA-256) instead: files uploaded to VirusTotal are shared with its partners, so do not upload documents that may contain confidential data.
After submitting a file to VirusTotal you will most likely see one of four scenarios.
A large number (30 or more) of antivirus vendors detect the file
This is a very strong indicator that the file is malicious and should be removed from your environment. A false positive is possible but unlikely, and it would not be advisable to authorize this file without first confirming with SophosLabs via the Submit a sample page.
A small number (5 or fewer) of antivirus vendors detect the file
In this situation it is difficult to make a decision: the vendors detecting the file might have just released protection and the rest will follow shortly, or it can mean that the majority of vendors have looked at the file and decided not to detect it. It may also mean that the file is clean and a few vendors have incorrectly detected it as malicious.
In this scenario, look for vendor names you recognize and believe to be reputable; detections from companies that run their own research labs, for example Sophos, Kaspersky, Microsoft or Symantec, are a better indicator. If you are still unsure, submit a sample to SophosLabs for further investigation or advice.
No antivirus vendors are detecting the file
This is a strong indicator that the file is clean (not malicious). If you have no reason to think the file is suspicious, it is most likely safe to keep it in your environment. If you do believe the file is suspicious, submit a sample to SophosLabs for further investigation or advice.
What if VirusTotal does not have the file you are searching for?
This is a potential indicator that the file is malicious, as many malware families change and update regularly to avoid detection, or may be unique to every victim. However, it could also mean you have looked up a clean but unique file, for example an application you have developed or a Word document you have written. It helps to understand the context of the file.
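As an added example that is not part of the Sophos article, this Python script applies the four scenarios above to a VirusTotal hash lookup rather than an upload, so the file itself never leaves your environment. It assumes the VirusTotal v3 REST API (the files endpoint with an x-apikey header, returning data.attributes.last_analysis_stats and last_analysis_results keyed by engine name) and that the engine names match the vendor names above; the constructed response, the handling of 6 to 29 detections and the "SomeVendor" engine are this example's own.

```python
"""Look up a file hash on VirusTotal and map the result to the scenarios above.

Added example, not Sophos code. Assumes the VirusTotal v3 API
(GET https://www.virustotal.com/api/v3/files/<sha256>, header x-apikey).
The 30+/1-5/0/not-found bands come from the article; 6-29 is an assumption.
"""
import hashlib
import json
import os
import sys
import urllib.error
import urllib.request

VT_FILES = "https://www.virustotal.com/api/v3/files/"
# Vendors the article names as running their own research labs (VT engine names).
LAB_VENDORS = {"Sophos", "Kaspersky", "Microsoft", "Symantec"}


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def vt_lookup(sha256, api_key):
    """Hash lookup only: the file is never uploaded, so nothing is shared."""
    req = urllib.request.Request(VT_FILES + sha256, headers={"x-apikey": api_key})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as e:
        body = e.read()
        return e.code, json.loads(body) if body else {}


def triage(status, body):
    """Return the scenario, detection count, lab-vendor hits and the article's advice."""
    if status == 404:  # VirusTotal has never seen this hash
        return {"scenario": "not-found", "detections": 0, "lab_hits": [],
                "advice": "Unseen file: possibly polymorphic or per-victim malware, or a "
                          "clean file unique to you. Judge by context; submit to SophosLabs "
                          "if suspicious."}
    if status != 200:
        raise RuntimeError(f"VirusTotal returned HTTP {status}: {body}")
    attrs = body["data"]["attributes"]
    detections = attrs["last_analysis_stats"].get("malicious", 0)
    lab_hits = sorted(name for name, r in attrs.get("last_analysis_results", {}).items()
                      if name in LAB_VENDORS and r.get("category") == "malicious")
    if detections >= 30:
        scenario, advice = "many", ("Very strong indicator of malware: remove it; do not "
                                    "authorize without SophosLabs confirmation.")
    elif detections == 0:
        scenario, advice = "none", ("Strong indicator the file is clean; submit to SophosLabs "
                                    "if you still think it is suspicious.")
    elif detections <= 5:
        scenario = "few"
        advice = ("Inconclusive, but detected by lab vendors " + ", ".join(lab_hits) + "; lean malicious."
                  if lab_hits else "Inconclusive and no lab-vendor detections; submit to SophosLabs.")
    else:  # 6-29: not covered by the article; treat as suspicious (assumption)
        scenario, advice = "some", "Treat as suspicious and submit to SophosLabs before authorizing."
    return {"scenario": scenario, "detections": detections, "lab_hits": lab_hits, "advice": advice}


def fake_response(engines):
    """Constructed VT-shaped response for offline use: engine name -> category."""
    malicious = sum(1 for c in engines.values() if c == "malicious")
    return 200, {"data": {"attributes": {
        "last_analysis_stats": {"malicious": malicious, "undetected": len(engines) - malicious},
        "last_analysis_results": {n: {"category": c} for n, c in engines.items()},
    }}}


if __name__ == "__main__":
    key = os.environ.get("VT_API_KEY")
    if key and len(sys.argv) > 1:
        print(triage(*vt_lookup(sha256_of(sys.argv[1]), key)))
    else:  # no key: show the constructed "few detections" case
        print(triage(*fake_response({"Sophos": "malicious", "Kaspersky": "malicious",
                                     "Microsoft": "undetected", "SomeVendor": "malicious"})))
```

With `VT_API_KEY` set, `python vt_triage.py <path-to-sample>` hashes the file locally and looks the hash up; without a key it runs the constructed case. Whatever the band, the output is an indicator only, as the article stresses, and the "few" and "some" cases still end in a SophosLabs submission.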
Additional threat resources
Scroll to the bottom of the page to find threat categories to choose from, or search for any specific threat.
- Setting scan exceptions
- Excluding a file or application from Machine Learning detection
- Removing an application from the Privacy Guard exceptions
- Adding local exclusions/Allowing Installations and/or applications to run