Sometimes we come across suspicious files that might be malicious. Often a user reports such an incident and you want to investigate it in a safe and proper way: you don't want the malware to spread over the network, but you do want to analyse it. In general, if you have Microsoft Defender ATP, you can configure it to investigate such incidents more easily. However, if you don't have MD ATP, or for some reason cannot investigate the incident with it, follow these steps:
Handle the file correctly: make sure you do not open or execute the malicious object (e.g. a file, a registry entry, …). Instead, right-click the file and all of its dependencies and compress them into a zip archive.
Investigate the source: ask the user how they encountered the malware and which behaviour made them believe the file is malicious, take a note of how it got onto the PC (email, external device, …), and close the source (e.g. blacklist the sender address, the device ID, etc.).
Report to Microsoft: once you are confident there is a malicious object that Windows Defender does not detect, submit a sample of it to the Microsoft anti-malware team and add as many details as possible in the comment field. If the incident occurs on a system you do not have access to, ask the user to submit the sample and take a note of the submission URL so you can track the status of the analysis.
Update signatures and enable cloud protection: if the sample is confirmed as malware, the analysis page shows which definition (signature) version is able to remove it. Deploy the latest update to the clients and, in the meantime, make sure cloud protection is on, so the malware is detected while the definition update is still being rolled out.
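As an added example (not part of the original post), the following PowerShell carries out the scriptable parts of steps 1, 4 and 5 on a Windows client running Microsoft Defender Antivirus: it hashes and zips the sample together with its dependencies without running it, records the signature and cloud-protection state you would quote in the submission comment, and turns cloud-delivered protection on. The file paths and the case folder are placeholders.

```powershell
# Added example, not from the original post. All paths below are placeholders.
$Suspicious   = 'C:\Users\alice\Downloads\invoice.exe'       # file reported by the user
$Dependencies = @('C:\Users\alice\Downloads\helper.dll')     # related files the sample needs
$Evidence     = 'C:\IR\case-0001'                            # case folder for the archive and hashes
New-Item -ItemType Directory -Path $Evidence -Force | Out-Null

# Step 1: hash first, so the sample is identifiable in the submission and in later reports.
# Note: real-time protection may already have quarantined the file; check Get-MpThreatDetection then.
$files = @($Suspicious) + $Dependencies
$hashes = foreach ($f in $files) { Get-FileHash -Algorithm SHA256 -LiteralPath $f }
$hashes | Select-Object Hash, Path |
    Export-Csv -Path (Join-Path $Evidence 'hashes.csv') -NoTypeInformation

# Zip the file and its dependencies; Compress-Archive only reads the bytes, it never executes them.
Compress-Archive -LiteralPath $files -DestinationPath (Join-Path $Evidence 'sample.zip') -Force

# Steps 4 and 5: capture the Defender state that belongs in the submission comment.
$status = Get-MpComputerStatus
$pref   = Get-MpPreference
[pscustomobject]@{
    SignatureVersion   = $status.AntivirusSignatureVersion
    SignatureUpdated   = $status.AntivirusSignatureLastUpdated
    RealTimeProtection = $status.RealTimeProtectionEnabled
    CloudProtection    = $pref.MAPSReporting         # 0 = disabled, 1 = basic, 2 = advanced
    SampleSubmission   = $pref.SubmitSamplesConsent  # 1 = safe samples, 3 = all samples
} | Format-List

# Enable cloud-delivered protection and sample submission if they are off, then pull the
# latest definitions so the signature that covers the sample reaches this client.
if ($pref.MAPSReporting -ne 2)               { Set-MpPreference -MAPSReporting Advanced }
if ($pref.SubmitSamplesConsent -notin 1, 3)  { Set-MpPreference -SubmitSamplesConsent SendSafeSamples }
Update-MpSignature
```

Run it from an elevated PowerShell session, since Set-MpPreference and Update-MpSignature require administrator rights.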