Report false positive for ArcSight Threat Intelligence

I have a customer with the IP of 67.219.197.94 that ArcSight has been listing as Malicious on VirusTotal for over a week.  I've tried reaching out through the OpenText contact form, any email address I thought might reach a sympathetic person at ArcSight/OpenText, but the only response I've gotten is "not our job, contact us through VirusTotal".  I attempted to do that (it sent?) but I've still not received a response.  It appears that by posting on this Discussion board, it might get picked up and addressed, so here's my plea:

Please reclassify 67.219.197.94 as a Business-use source, and reanalyze it for any malicious activity.  The only clue as to why it might be listed now is from a malware incident that happened about a year ago, and that was over a port that's not even open on that IP normally. 

We've rescanned all the machines on the network (all clean), we've reached out to other vendors on VirusTotal and they've already done the reclassification (not sure why 7 other vendors suddenly all had the same false positives) - ArcSight is the lone holdout, and it appears to be because they are impossible to report an issue to.  Not sure why that is so difficult, but it does appear to be either an oversight, or intentional.

Hopefully this gets someone's attention.

Thank you.

  • 0

  • 0 in reply to 

    Wondering if there are any other avenues for reaching ArcSight to report this issue?  Getting pretty frustrated with the lack of contact possibilities and transparency regarding this false positive.

  • 0  

    Hello, I will contact Support about this on your behalf but, in the meantime, please email arcsight-virustotal@microfocus.com 



    Raquel Winkler
    OpenText Community Manager
    If you found this post useful, give it a “Like” or click on "Verify Answer" under the "More" button

  • 0 in reply to   

    Thank you for the email address - I was given 2 other email addresses by other sources, but that one is a new one.  I've sent my previous email to that new address as well.

    Would be really handy if there were an actual "report a false positive" link with this email address on the website somewhere.

    Thank you.

  • 0 in reply to 

    Just reporting there's been no change, and no feedback - not even an acknowledgement that the submission was received or being worked on.  Not really all that impressed that a company can make a claim that can directly impact the ability of another entity to access services on the internet effectively, and have no recourse for dealing with mistakes in a timely and approachable manner.

  • 0   in reply to 

    Apologies for this. I have contacted the team again and they just replied with the following:

    We have submitted the request to remove the IP as malicious after analysing it and it should be removed once the request has been processed. I’ll update here once it has been removed. Typically it takes 1 to 2 working days to execute these types of requests.

    So as soon as I hear back, I will let you know.



    Raquel Winkler
    OpenText Community Manager

  • 0 in reply to   

    Thanks for the update - please know I appreciate your efforts.

  • 0 in reply to   

    I just checked VirusTotal again today, and ArcSight is now reporting it as Clean.  Thank you for generously reporting this internally for me, but it's disappointing this is the length I had to go to get this done - only took 10 days from start to finish :(

  • 0 in reply to 

    One last follow-up post.

    Took 10 days and the help of someone internally to get it resolved - was not able to go through any posted or official channels to get this resolved in a timely manner.

    Using support.opentext.com did not work because I'm not a customer.  Same with phone support (I called a couple times).

    Using security@opentext.com did not work because (multiple times) they told me "not our job" and "use the VirusTotal reporting mechanism".  They wouldn't forward it to the people that COULD address the issue, and there was never a response to the VirusTotal support request.

    Using supportline@opentext.com did not work (I got that email from when I tried to go through the phone support the second time - had to call an international number to get that reference).

    Using mfi-supportline@opentext.com or arcsight-virustotal@microfocus.com did not appear to work either, as there was no response to my submission that way, nor were there any update or resolution notifications from them either.

    This forum was the only way I got any response or communication from OpenText/ArcSight, and that was only due to someone internally being willing to take action on it, and that was 5 days after I posted originally.

    Thank you Raquel Winkler for your help - without it, not sure how this would've been resolved.