I have a new piece of malware that isn't detected by current anti-virus vendors. How do I report it to them?
I want to do a good turn and help protect as many people as possible. What is the best and easiest way to get it to as many anti-virus vendors as possible, to help them detect it? Is there a list of sites where I should upload the sample, or email addresses where I should send it to?
I know about Virustotal. I could submit the sample to Virustotal. Will that be sufficient? Currently few or no antivirus engines detect this malware. Will submitting the sample be enough for antivirus engines to know that it is malicious and should have been detected, and trigger them to analyze it and develop a signature/detector for it?
(It's not obvious to me how anti-virus vendors would know that my sample is malicious, just because it was uploaded to Virustotal. I didn't see any user interface in Virustotal where I indicate "yes, this really is malicious, even though no one detected it", so I wonder if it will get lost in amongst all the other benign samples. I've heard of plenty cases of malware that had been uploaded to Virustotal for months or years before any antivirus engine started detecting it. So it makes me wonder whether uploading it to Virustotal is enough.)
I've looked, but I haven't found an answer on this site. Here's what I found:
Where to report malicious URLs, phishing, and malicious web sites? provides a list of where to report phishing web sites and other malicious web sites, but it doesn't say where to submit malware samples.
Unknown malware, how to report it and whom to report it to? asks a related question in a more specific situation. One answer mentions Virustotal, but it doesn't answer my question of whether submitting to Virustotal actually works, in terms of notifying A/V vendors to trigger analysis. Another answer gives links to forms where you can upload malware samples to two anti-virus vendors, but that's just two of the dozens of vendors out there -- if I need to submit directly to A/V vendors, I am hoping for a more comprehensive list that is easy to refer to.