IBM Support

How do I submit for analysis files that I suspect are infected with malware or spyware using the Core Protection Module Anti-Virus product?

Technote (troubleshooting)


Problem(Abstract)

See the following for steps on managing infected systems and collecting data for additional analysis of undetected or false-positive malware and spyware.

Resolving the problem

In order to identify undetected malware or spyware, please provide the following information along with a full description of the behavior; this will help us isolate and identify the infection.

Before submission, please ensure that the machine has the latest pattern definition and has been scanned manually with that definition.

  1. To manually update an endpoint's pattern definition, see Core Protection Module > Updates > Update/Rollback Patterns. In the Pattern Update and Rollback Wizard, select the most recent pattern definition (the top-most pattern by date/time stamp) and click 'Deploy'. Select 'Deploy a one time action' and target the affected system. The 'virus pattern' version number can be verified against the Trend Micro pattern release information (see 'consumer pattern').

  2. To manually deploy a Scan, see Core Protection Module > Common Tasks. Select and run Core Protection Module - Start Scan Now on the affected system.


Data Collection Steps
  1. Please fully describe the behavior or issue you are experiencing with a malware or spyware infection.
  2. Submit files you believe are infected with malware or spyware individually, each in its own password-protected .zip archive. Protect each archive with the password 'virus'.


  3. NOTE: ARCHIVE DATA MUST USE A PASSWORD OF 'virus' FOR ALL MALWARE SUBMISSIONS FOR AUTOMATED PROCESSING. FILES SUBMITTED WITH ANY OTHER PASSWORD OR ANY OTHER DATA WILL DELAY THIS PROCESS.

  4. Please download and run the Trend Micro Anti-Threat Toolkit (ATTK), available from Trend at https://spnsupport.trendmicro.com/, to collect logs and other critical information. The tool can also submit suspicious files directly to Trend; however, we suggest you also send this data with your case update for tracking purposes. Please also include any ID numbers associated with your submission to Trend via the ATTK tool.


  5. NOTE: You may also run the ATTK via Fixlet; however, this data MUST then be collected manually from the TEM Server. This process will not send any data to Trend automatically.

    Please see the following for information on how to send information to Support.

    Please see your appropriate region at the following locations for information on opening a PMR.

    For after hours support including weekends please use the following guide to call via phone: World Phone Directory

    PLEASE upload files to our ECUREP WorldWide Repository site at:

    ftp.emea.ibm.com

    Please first zip or compress all files (ATTK output and malware .zip samples) into a single .zip archive whose file name uses this format: ppppp.bbb.ccc (PMR number . branch office . country code). Example: #####.###.###.zip

    1. ftp ftp.ecurep.ibm.com
    2. User: anonymous
    3. Password:
    4. cd toibm/tivoli
    5. bin
    6. put #####.###.###.zip
    7. quit


    See the following for details on Data Submission:
    http://www-05.ibm.com/de/support/ecurep/index.html
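    As an added pre-flight check (example code written for this technote, not an IBM or Trend Micro tool), the script below validates a prepared upload bundle before it is sent: the bundle name must match ppppp.bbb.ccc.zip, and each suspect-sample archive inside it must be a zip holding one password-protected file. It assumes the caller names which bundle members are the sample archives (ATTK output is not inspected) and that the sample archives were created with a tool that supports zip encryption; Python's standard library can check the password but cannot create encrypted zips.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Bundle name format from the technote: ppppp.bbb.ccc.zip
# (PMR number . branch office . country code, digits only)
BUNDLE_NAME_RE = re.compile(r"^\d{5}\.\d{3}\.\d{3}\.zip$")

def valid_bundle_name(name):
    """True if the upload file name matches ppppp.bbb.ccc.zip."""
    return BUNDLE_NAME_RE.match(name) is not None

def sample_archive_issues(path):
    """Problems with one per-sample archive: a zip holding exactly one file,
    encrypted with the technote's required password 'virus'."""
    path = Path(path)
    if not zipfile.is_zipfile(path):
        return [f"{path.name}: not a zip archive"]
    issues = []
    with zipfile.ZipFile(path) as zf:
        infos = zf.infolist()
        if len(infos) != 1:
            issues.append(f"{path.name}: expected one suspect file, found {len(infos)}")
        for info in infos:
            # General purpose bit flag 0 is set when the entry is encrypted
            if not info.flag_bits & 0x1:
                issues.append(f"{path.name}: '{info.filename}' is not password-protected")
                continue
            try:
                # zipfile checks the password against the entry header on open;
                # the sample's contents are never read
                zf.open(info, pwd=b"virus").close()
            except RuntimeError:
                issues.append(f"{path.name}: '{info.filename}' is not encrypted with password 'virus'")
    return issues

def bundle_issues(bundle_path, sample_members):
    """Pre-flight check of the single upload archive. sample_members lists the
    member names inside the bundle that are suspect-sample archives."""
    bundle_path = Path(bundle_path)
    issues = []
    if not valid_bundle_name(bundle_path.name):
        issues.append(f"{bundle_path.name}: name must be ppppp.bbb.ccc.zip")
    if not zipfile.is_zipfile(bundle_path):
        return issues + [f"{bundle_path.name}: not a zip archive"]
    with zipfile.ZipFile(bundle_path) as zf, tempfile.TemporaryDirectory() as tmp:
        present = set(zf.namelist())
        for member in sample_members:
            if member not in present:
                issues.append(f"{bundle_path.name}: sample archive '{member}' missing")
                continue
            issues.extend(sample_archive_issues(zf.extract(member, tmp)))
    return issues
```

An empty list from bundle_issues() means the bundle is ready for the ftp steps above; any entry names the file to fix.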

Historical Number

831

Document information

More support for: IBM BigFix family

Software version: All Versions

Operating system(s): Platform Independent

Reference #: 1506161

Modified date: 04 February 2013
