Today, without good Internet protection we are defenceless. To protect us, Microsoft includes a free tool called Windows Defender. Here we look at what it is, how to use it, and how to deal with false positives in Windows Defender.
What is Windows Defender and what does it offer us
Windows Defender is Microsoft’s next-generation protection component for protecting our computer and its connections. In short, it is a security program whose purpose is to prevent, detect, remove and quarantine spyware and other harmful software on the Microsoft operating system. It is now also known as Microsoft Defender.
Thus, the next-generation protection services that Windows Defender offers us are:
- Behavior-based, heuristic and real-time antivirus protection.
- Cloud-delivered protection that detects and blocks new and emerging threats almost immediately.
- Updates to the antivirus definitions and to the product itself.
Without a doubt, it is a good protection tool that we should keep active in Windows 10, unless we have other antivirus software installed (Windows turns off Defender’s real-time protection automatically when a third-party antivirus registers itself).
Access Windows Defender, scan our computer and more
If we want to access Windows Defender we will follow these steps:
- We are going to Start Menu.
- Windows Settings.
Then we will get a screen like this:
Next, click on Update & Security, then look for Windows Security in the left-hand pane.
To reach the central place where the security of our computer is managed, click Open Windows Security.
Here, the section that interests us in relation to false positives in Windows Defender is Virus & threat protection. This is one of the results it may show:
In this case it indicates that Avast Antivirus is in use instead of Windows Defender antivirus. If we wanted to use Windows Defender instead, we would have to uninstall or disable the current antivirus. At RedesZone we recommend having Windows Defender or another antivirus installed. If no third-party antivirus is installed, a screen like this appears:
Here, clicking Quick scan scans our system for viruses and threats. In this case, as can be seen after running it, no problems were found. Further down, under Scan options, we can choose how thorough the analysis should be (quick, full, custom, or Microsoft Defender Offline scan). On the same screen we can also manage the antivirus settings and check for updates.
How Windows Defender notifies us of a problem
Threats and false positives in Windows Defender are signalled in a specific way. It is quite common to find a Windows Security icon in the notification area shown in one of several colors:
- An icon with a yellow exclamation mark indicates recommended actions that should be taken.
- A red icon refers to necessary actions that we must carry out to keep our computer safe.
- A green icon tells us that everything is in order.
Here is an example showing one yellow icon alongside green ones that indicate everything is correct.
What are false positives and what can we do about them?
A false positive is a file or process that was detected and identified as malicious although it is not actually a threat. The correct way to proceed with false positives in Windows Defender is the following:
- Review and classify the alerts.
- Review the corrective actions already carried out (for example, a file that was quarantined).
- Review and define exclusions.
- Submit the file to Microsoft for analysis.
- Review and adjust the Windows Defender settings.
Now we explain a simple way to proceed when we find a yellow or red icon under Virus & threat protection.
Here we click Check for updates to make sure the latest definitions are installed. Then we run a Quick scan, and if all goes well the warning icon turns green. If the problem is not solved, we should also check in the same security center whether the Windows firewall is enabled.
Notifications settings
A warning icon that persists after Windows Defender itself reports no threats is often a stale notification rather than a live detection, and comes down to how notifications are configured and cached. To clear it, follow these steps:
- Go to the Windows Start menu.
- Settings.
- Once inside, click System.
- Go to the Notifications & actions section.
- There, turn off the Windows Security entry under Show notifications from these senders.
Next, go to the Windows Defender settings and check whether we need to block files on the network or keep files in quarantine. Then open Task Manager, right-click the Windows Security notification icon process and choose End task. This should solve the problem, although most likely the computer will need a restart.
Another option is to clear the notification icon cache with the Registry Editor. To open it, type regedit in the Windows Start menu.
The path to follow is:
HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify
A screen like this will appear:
Here we delete the two values IconStreams and PastIconsStream (they are values under the TrayNotify key, not subkeys; export the key first so it can be restored). These only cache the taskbar’s notification-icon layout, so clearing them removes stale tray icons without touching Defender’s detection state or its protection history. We restart the computer and check that everything is in order.
What to do with false positive files in Windows Defender
Sometimes, after verifying with antivirus and antimalware tools that a file is a false positive, we keep getting the message that not everything is working correctly. For extra assurance before doing anything, we can use VirusTotal, a tool that requires no installation and lets us check suspected false positives in Windows Defender. It shows an analysis of the file against more than 40 antivirus engines. Bear in mind that uploading a file shares it with the participating vendors; for a private or internal file, search VirusTotal by the file’s SHA-256 hash instead of uploading it.
Once we have verified that this file is not dangerous, we follow these steps:
- Open the Windows Security center.
- Click Virus & threat protection.
- Click Manage settings.
- Under Exclusions, click Add or remove exclusions.
- With the Add an exclusion button we can add a file, a folder, a file type or a process. Exclude the specific file rather than its folder, so that the exclusion covers as little as possible.
With all these options we have learned how to deal with false positives in Windows Defender. Remember also to always have an active antivirus, be it Windows Defender or another.
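The same steps from an elevated PowerShell prompt, as an added example that is not part of the RedesZone article: first see what Defender actually detected, then obtain the hash to look up on VirusTotal, and only then exclude that one file. The path in $SuspectFile is a placeholder for the flagged file.

```powershell
# Added example (not from the original article). Requires an elevated prompt and
# the built-in Defender module. $SuspectFile is a placeholder.

$SuspectFile = 'C:\Tools\mytool.exe'   # placeholder: the file Defender flagged

function Get-DetectionsForFile {
    param([Parameter(Mandatory)][string]$Path)
    # Get-MpThreatDetection returns Defender's detection history; Resources lists
    # the flagged items as strings such as "file:_C:\Tools\mytool.exe"
    $pattern = [regex]::Escape($Path)
    Get-MpThreatDetection | Where-Object { @($_.Resources) -match $pattern } | ForEach-Object {
        $threat = Get-MpThreat -ThreatID $_.ThreatID
        [pscustomobject]@{
            Detected   = $_.InitialDetectionTime
            ThreatName = $threat.ThreatName
            Severity   = $threat.SeverityID
            Action     = $_.ActionSuccess
            Resources  = ($_.Resources -join '; ')
        }
    }
}

function Get-VirusTotalLookupHash {
    param([Parameter(Mandatory)][string]$Path)
    # If Defender already quarantined the file, Get-FileHash fails: restore it from
    # Protection history first. Searching by hash avoids uploading the file at all.
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLower()
    [pscustomobject]@{
        Path   = $Path
        SHA256 = $hash
        Lookup = "https://www.virustotal.com/gui/file/$hash"
    }
}

function Add-NarrowExclusion {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "Refusing to exclude '$Path': exclude one verified file, not a folder or a missing path"
    }
    $current = @((Get-MpPreference).ExclusionPath)
    if ($current -contains $Path) { return "Already excluded: $Path" }
    Add-MpPreference -ExclusionPath $Path          # a full file path keeps the exclusion narrow
    @((Get-MpPreference).ExclusionPath) -contains $Path   # confirm it took effect
}

Get-DetectionsForFile -Path $SuspectFile | Format-List
Get-VirusTotalLookupHash -Path $SuspectFile
# Only after the hash checks out on VirusTotal and the source is trusted:
# Add-NarrowExclusion -Path $SuspectFile
```

If the machine is managed by Intune, Configuration Manager or Group Policy, exclusions set locally with Add-MpPreference can be overwritten by policy, so the exclusion should then be added through the management tool instead.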
SmartScreen is a Windows Defender component found in Microsoft Edge and Internet Explorer as well as in all universal apps from the Windows Store. It’s used to block phishing and fraudulent websites from loading, and to block malicious apps from running.
What do you do when your program is incorrectly matched to a malicious signature in Microsoft SmartScreen? What recourse do developers have to get their programs allow-listed? What should you do as a user when something is blocked by SmartScreen?
Completely unrelated (not) to the newly released update to my free EdgeDeflector utility, I needed to find out how to report a false-positive in Microsoft SmartScreen. Users of Internet Explorer and Edge were being blocked from downloading the update because the installer for the update was falsely identified as malicious by SmartScreen (“Windows Defender”.) Users of other browsers were told the executable couldn’t be run when they tried to execute it.
So, what recourse does a developer have when their software is being blocked by Microsoft? What do you do when a verified-good download from a known and trusted source is incorrectly flagged as malware?
It was surprisingly hard to find any documentation for reporting false-positives in Windows Defender to Microsoft. I even asked the Windows digital assistant, Cortana, and it responded by telling me about the local weather. This was obviously not useful. In any case, the actual process is as follows:
- Download the program through a publicly accessible link using Microsoft Edge or Internet Explorer.
- Wait for a notification telling you that “Windows Defender SmartScreen reported [file] as unsafe.”
- Click the View Downloads button on the notification.
- Right-click on the downloaded file, and choose Report that this download is safe.
- Fill in the online form.
You’ll end up on an online form, but you can’t get to this form without using the links provided by Microsoft. The special reporting link contains the file hash, as well as other information about the file such as the name and where it was downloaded from.
You could theoretically construct this URL manually, but it’s much easier from Microsoft Edge. I haven’t found any way to get the parameters for this form if you use another browser than Microsoft Edge or Internet Explorer.
There’s no other way to say this, so I’ll be very blunt: unless you know for sure and have verified and double-checked your findings, you shouldn’t be reporting anything as a safe download unless you know that the exact file you have is safe. Assume your malware protection software is right unless you actually know better.
If Windows Defender begins recognizing a specific named threat or recognizes your program as malicious after it has been installed, you can use the Windows Defender Security Intelligence File Submission form instead. Note that this form shouldn’t be used for reporting any executable that just hasn’t yet established an application reputation (new or unpopular programs).
My program was probably not flagged as malicious, but rather it doesn’t have what Microsoft calls an “application reputation.” SmartScreen looks at the history and number of downloads of executable files.
An uncommon and unusual download is assumed to be riskier than a frequently downloaded file. When a file has been downloaded enough times, it will be added to SmartScreen as a safe download.
You can help boost your application reputation by digitally signing your executables. Code signing isn’t a very complicated process, but the signing certificates have to be renewed yearly and they cost a couple of hundred dollars every year. I’m not interested in covering that cost considering that I’m developing a small utility program that I make available for free.
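For the user side of the question above (what to do when SmartScreen blocks a download), here is an added PowerShell example, not part of the original post, that inspects the two things SmartScreen itself looks at before you decide to unblock a file: the Mark-of-the-Web stream that records where the download came from, and the Authenticode signature that feeds application reputation. The path, expected hash and expected host in the usage lines are placeholders.

```powershell
# Added example (not from the original post). Checks a downloaded file's provenance
# before unblocking it. Paths and expected values in the usage lines are placeholders.

function Get-DownloadProvenance {
    param([Parameter(Mandatory)][string]$Path)
    # Browsers write a Zone.Identifier alternate data stream on download ("Mark of the
    # Web"). ZoneId=3 means Internet; newer Windows 10 builds also record the URLs.
    $motw = @{}
    try {
        foreach ($line in (Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction Stop)) {
            if ($line -match '^(\w+)=(.*)$') { $motw[$Matches[1]] = $Matches[2] }
        }
    } catch { }   # no stream: the file was never marked, or the mark was removed

    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    [pscustomobject]@{
        Path        = $Path
        SHA256      = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLower()
        ZoneId      = $motw['ZoneId']
        HostUrl     = $motw['HostUrl']
        ReferrerUrl = $motw['ReferrerUrl']
        SigStatus   = $sig.Status        # Valid, NotSigned, HashMismatch, ...
        Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    }
}

function Test-SafeToUnblock {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedSha256,   # hash the publisher states
        [string]$ExpectedHost                            # e.g. the project's download host
    )
    $p = Get-DownloadProvenance -Path $Path
    $reasons = @()
    if ($p.SHA256 -ne $ExpectedSha256.ToLower()) { $reasons += 'hash does not match the publisher-stated hash' }
    if ($p.SigStatus -eq 'HashMismatch') { $reasons += 'signature present but the file was modified after signing' }
    if ($ExpectedHost -and $p.HostUrl -and $p.HostUrl -notlike "$ExpectedHost*") {
        $reasons += "downloaded from $($p.HostUrl), not $ExpectedHost"
    }
    [pscustomobject]@{ Provenance = $p; SafeToUnblock = ($reasons.Count -eq 0); Reasons = $reasons }
}

# Usage (placeholders). Unblock-File removes the Mark of the Web, which is what
# makes SmartScreen skip its check, so only do it when every check passes.
# $r = Test-SafeToUnblock -Path 'C:\Users\me\Downloads\installer.exe' `
#        -ExpectedSha256 '<hash from the project page>' -ExpectedHost 'https://example.org/'
# if ($r.SafeToUnblock) { Unblock-File -LiteralPath $r.Provenance.Path } else { $r.Reasons }
```

An unsigned file from a small project can pass every check here and still be blocked for lack of reputation, which is the case the post describes; the point of the check is that the hash and origin match what the publisher says, not that SmartScreen agrees.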
Disclaimer: The views expressed in my posts on this site are mine & mine alone & don’t necessarily reflect the views of Microsoft. All posts are provided “AS IS” with no warranties & confers no rights. If I post any code, scripts or demos, they are provided for the purpose of illustration & are not intended to be used in a production environment. They are provided ‘as is’ without warranty of any kind, expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose. I grant you a nonexclusive, royalty-free right to use & modify my sample code & to reproduce & distribute the object code form of the sample code, provided that you agree: (i) to not use my name, my companies name, logo, or trademarks to market your software product in which the sample code is embedded; (ii) to include a valid copyright notice on your software product in which the sample code is embedded; and (iii) to indemnify, hold harmless, and defend me, Microsoft & our suppliers from & against any claims or lawsuits, including attorneys’ fees, that arise or result from the use or distribution of the sample code.
Updated: Jan 19, 2021 // Added info on how to submit AV behavioral false positives
Published: Jul 29th, 2020
Applies to:
Microsoft Defender Advanced Threat Protection (MDATP formerly known as Windows Defender Advanced Threat Protection)
Microsoft Defender Antivirus (MDAV, formerly known as Windows Defender Antivirus (WDAV)) (AV, EPP) for these OSes:
- Windows 10, version 2009 (20H2)
- Windows 10, version 2004 (20H1)
- Windows 10, version 1909 (19H2, build 18363)
- Windows 10, version 1903 (19H1, build 18362)
- Windows Server 2019
- Windows 10, version 1809 (Redstone 5, RS5, build 17763)
- Windows 10, version 1803 (Redstone 4, RS4, build 17134)
- Windows 10, version 1709 (Redstone 3, RS3, Fall Creators update, build 16299)
- Windows 10, version 1703 (Redstone 2, RS2, Creators update, build 15063)
- Windows 10, version 1607 (Redstone 1, RS1, Anniversary update, build 14393)
- Windows Server 2016
- Windows 10, 2016 LTSB
- Windows 10, version 1511
- Windows 10, 2015 LTSB
- Windows 10, version 1507
System Center Endpoint Protection (SCEP) (AV, EPP) for these OSes:
- Windows Server 2012 R2
- Windows 8.1
- Windows Server 2012
- Windows 8
- Windows Server 2008 R2 SP1
- Windows 7 SP1
- Windows Server 2008 SP2
- Windows Vista
Audience:
- Security architect
- Security administrator
- Security analyst
- IT architect
- IT administrator
- IT help desk
- IT field support
[Update as of 2/11/2021] It’s now officially available here:
Address false positives/negatives in Microsoft Defender for Endpoint
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives#part-4-submit-a-file-for-analysis
Hi all,
Here is my opinion of how you should go about taking care of False Positives in MDATP/MDAV/SCEP…
Start here:
What to do with false positives/negatives in Microsoft Defender Antivirus
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/antivirus-false-positives-negatives
[Urgent?]
Give Microsoft Customer Service and Support (CSS) – Security team a call.
https://support.microsoft.com/en-us/hub/4343728/support-for-business
If you have a Microsoft Premier account, an alternative is to use the 800 number below:
https://mbs.microsoft.com/customersource/UK/GP/support/support-news/Accessing_Microsoft_Services_Premier_Support_Benefits
[Work-around]
Before proceeding with the work-around, make sure that you haven’t set the MDAV settings too aggressively, which can lead to more FP’s.
There are five cloud protection levels:
Cloud-delivered protection setting | Items to know
Default (Normal) | the default level
Moderate (new in Windows 10, version 2004 and newer) | verdicts only for high-confidence detections
High | greater chance of false positives
High+ | may impact client performance and increase risk of false positives
Zero tolerance | blocks all unknown executables
Source:
Specify the cloud-delivered protection level (Select cloud protection level)
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus
Also, are there Potentially Unwanted Apps (PUA’s) that your organization runs?
Do you want to run PUA protection in Audit Mode instead of blocking?
How to set PUA protection to Audit Mode:
Detect and block potentially unwanted applications
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus
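As an added example (not one of the scripts from the original post), here is a PowerShell check for the two settings just discussed, the cloud block level and PUA protection, with a -WhatIf-capable way to relax them. The numeric values and names are the ones Set-MpPreference documents for CloudBlockLevel and PUAProtection; run it from an elevated prompt.

```powershell
# Added example (not from the original post). Reports the MDAV settings most likely
# to raise the FP rate and optionally relaxes them. Run elevated.

$CloudLevelNames = @{ 0 = 'Default'; 1 = 'Moderate'; 2 = 'High'; 4 = 'HighPlus'; 6 = 'ZeroTolerance' }
$PuaModeNames    = @{ 0 = 'Disabled'; 1 = 'Enabled (block)'; 2 = 'AuditMode' }

function Get-FpRiskSettings {
    $p = Get-MpPreference
    $level = [int]$p.CloudBlockLevel
    $pua   = [int]$p.PUAProtection
    [pscustomobject]@{
        CloudBlockLevel      = "$level ($($CloudLevelNames[$level]))"
        CloudExtendedTimeout = $p.CloudExtendedTimeout   # extra seconds a file is held for a cloud verdict
        PUAProtection        = "$pua ($($PuaModeNames[$pua]))"
        # High, High+ and Zero tolerance are the levels the docs flag for extra FPs
        AggressiveCloudLevel = ($level -ge 2)
        PuaBlocking          = ($pua -eq 1)
    }
}

function Set-FpFriendlySettings {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [ValidateSet('Default', 'Moderate', 'High', 'HighPlus', 'ZeroTolerance')][string]$CloudLevel = 'Default',
        [ValidateSet('Disabled', 'Enabled', 'AuditMode')][string]$PuaMode = 'AuditMode'
    )
    $before = Get-FpRiskSettings
    if ($PSCmdlet.ShouldProcess('Microsoft Defender Antivirus', "CloudBlockLevel=$CloudLevel, PUAProtection=$PuaMode")) {
        # Set-MpPreference accepts the enumeration names directly. If the setting is
        # delivered by Intune/MEMCM/GPO, policy wins and this change will be reverted.
        Set-MpPreference -CloudBlockLevel $CloudLevel -PUAProtection $PuaMode
    }
    [pscustomobject]@{ Before = $before; After = Get-FpRiskSettings }
}

Get-FpRiskSettings
# Dry run first, then apply. Audit mode keeps logging PUA detections without blocking.
# Set-FpFriendlySettings -WhatIf
# Set-FpFriendlySettings -CloudLevel Default -PuaMode AuditMode
```

Audit mode is the safe first step for PUA: it tells you which of your line-of-business tools would be blocked before anything is blocked.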
[If the detection source is Microsoft Defender Antivirus (MDAV) or System Center Endpoint Protection (SCEP)]
Via whatever management product you have (MEMCI, MEMCM, GPO or other), add exclusions to allow the process and/or path:
Configure exclusions for files opened by processes
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus
Configure and validate exclusions based on file extension and folder location
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus
Stop hurting yourself: Adding antivirus exclusions? Are you opening too many holes in your defense? [Part 1 of 2]
Now available officially here:
Common mistakes to avoid when defining exclusions
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/common-exclusion-mistakes-microsoft-defender-antivirus
Stop hurting yourself: Adding antivirus exclusions? Are you opening too many holes in your defense? Using the correct system env variables[Part 2 of 2]
Now available officially here:
System environment variables
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus#system-environment-variables
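As an added example (not from the original post or the linked articles), the following PowerShell audits a host’s MDAV exclusions for the mistakes the two “Stop hurting yourself” articles warn about: whole drives and system or profile folders, user-context environment variables, wildcards, extension-only exclusions, and name-only process exclusions. The list of broad roots is my own heuristic rather than a Microsoft list, and the sample exclusions are constructed for illustration.

```powershell
# Added example (not from the original post). Flags risky exclusion patterns.
# $BroadRoots is a heuristic; the sample exclusions at the bottom are constructed.

$BroadRoots = @('C:\', $env:SystemRoot, "$env:SystemRoot\Temp", 'C:\Users', $env:ProgramData,
                $env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:TEMP, $env:USERPROFILE)

function Test-RiskyExclusion {
    param([Parameter(Mandatory)][string]$Exclusion)
    # Defender expands environment variables in its own service context, so a
    # user-specific variable does not point at the logged-on user's profile.
    if ($Exclusion -match '%(USERPROFILE|TEMP|TMP|APPDATA|LOCALAPPDATA)%') {
        return 'user-context variable: resolves in the Defender service context, not the user profile'
    }
    $expanded = [Environment]::ExpandEnvironmentVariables($Exclusion).TrimEnd('\')
    if ($expanded -match '^[A-Za-z]:$') { return 'whole drive excluded' }
    foreach ($root in $BroadRoots) {
        if ($root -and $expanded -ieq $root.TrimEnd('\')) { return "broad folder excluded ($root)" }
    }
    if ($Exclusion -match '[\*\?]') { return 'wildcard: check it cannot match attacker-writable paths' }
    return $null
}

function Get-ExclusionAudit {
    param([string[]]$Paths = @(), [string[]]$Extensions = @(), [string[]]$Processes = @())
    foreach ($p in $Paths) {
        [pscustomobject]@{ Type = 'Path'; Value = $p; Risk = Test-RiskyExclusion $p }
    }
    foreach ($e in $Extensions) {
        # Extension exclusions apply to every file of that type, anywhere on disk
        [pscustomobject]@{ Type = 'Extension'; Value = $e; Risk = 'applies to every file with this extension on the system' }
    }
    foreach ($pr in $Processes) {
        # Process exclusions skip files *opened by* the process, not the process binary
        # itself; a bare name matches every process with that name, wherever it runs from
        $risk = if ($pr -notmatch '\\') { 'name-only process: matches any binary with this name from any path' } else { $null }
        [pscustomobject]@{ Type = 'Process'; Value = $pr; Risk = $risk }
    }
}

# Constructed sample, so the output can be seen without touching a host:
Get-ExclusionAudit -Paths @('C:\', '%USERPROFILE%\AppData\Local\MyApp', 'C:\Windows\Temp', 'C:\App\bin\server.exe', 'D:\Data\*.log') `
                   -Extensions @('exe') -Processes @('powershell.exe', 'C:\App\bin\server.exe') |
    Format-Table -AutoSize

# Live audit of this host (elevated). In a managed estate the effective exclusions
# also come from policy, so compare with what Intune/MEMCM/GPO pushes.
# $pref = Get-MpPreference
# Get-ExclusionAudit -Paths $pref.ExclusionPath -Extensions $pref.ExclusionExtension -Processes $pref.ExclusionProcess |
#     Where-Object Risk | Format-Table -AutoSize
```

In the sample, only C:\App\bin\server.exe as a path and as a fully qualified process come back without a risk note; everything else is the kind of exclusion the linked articles tell you to avoid.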
[If the detection source is Microsoft Defender Advanced Threat Protection (MDATP, EDR)]
In the MDATP portal, Create an “Allow” indicator
Create indicators
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/manage-indicators
If you have a PUA app that your org uses:
In the MDATP portal, you could suppress the alerts:
Suppress alerts
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/manage-alerts#suppress-alerts
If you are forwarding the alerts to a SIEM, you need to suppress the alert there too.
Remember, this is a work-around for FP’s. Now, if you want to make sure that it’s fixed appropriately, please continue with the solution portion that follows next.
[Solution]
Step 1) In the MDATP portal (securitycenter.microsoft.com or aka.ms/MDATPPortal), open the alert and set the “Classification” to “False Alert”.
Manage Microsoft Defender Advanced Threat Protection alerts
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/manage-alerts
Or you could use the MDATP Alert API:
List alerts API
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/get-alerts
How are folks accomplishing this?
By using the Alert API to update the alert from their tools:
- Automation tool: Microsoft Power Automate (formerly called Microsoft Flow)
- SOAR: Demisto, Phantom or others
- Your ticketing system, such as ServiceNow, Clarify and others
- Your SIEM, such as Azure Sentinel and others
Here is an example of PowerShell (PoSh) scripts that will help you get started using the Alert API to set the “Classification” appropriately:
Ticketing system integration – Alert update API
https://techcommunity.microsoft.com/t5/microsoft-defender-atp/ticketing-system-integration-alert-update-api/ba-p/352191
Before you can use the sample above, you need to go through this prerequisite:
WDATP API “Hello World” (or using a simple PowerShell script to pull alerts via WDATP APIs)
https://techcommunity.microsoft.com/t5/microsoft-defender-atp/wdatp-api-hello-world-or-using-a-simple-powershell-script-to/ba-p/326813#M50
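Here is an added example, not one of the TechCommunity sample scripts, that does Step 1 through the Alert update API: it gets a token for an Azure AD app registration that holds the Alert.ReadWrite.All application permission, reads the alert, and patches its classification to FalsePositive. The tenant ID, app ID, secret and alert ID are placeholders, and the accepted determination values should be checked against the current Update alert documentation.

```powershell
# Added example (not from the original post). Marks an MDATP alert as a false
# positive via the Alert update API. All identifiers are placeholders.

$TenantId  = '00000000-0000-0000-0000-000000000000'   # placeholder
$AppId     = '11111111-1111-1111-1111-111111111111'   # placeholder
$AppSecret = Read-Host -AsSecureString 'App secret'   # prompt rather than hard-code it
$Resource  = 'https://api.securitycenter.microsoft.com'

function Get-MdatpToken {
    # Client-credentials flow against the v1 token endpoint used by the MDATP "Hello World" samples
    $plain = [pscredential]::new('app', $AppSecret).GetNetworkCredential().Password
    $body  = @{
        grant_type    = 'client_credentials'
        client_id     = $AppId
        client_secret = $plain
        resource      = $Resource
    }
    (Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$TenantId/oauth2/token" -Body $body).access_token
}

function Set-MdatpAlertFalsePositive {
    param(
        [Parameter(Mandatory)][string]$AlertId,
        [string]$Comment = 'Verified false positive; sample submitted to WDSI'
    )
    $headers = @{ Authorization = "Bearer $(Get-MdatpToken)"; 'Content-Type' = 'application/json' }
    # Read first so the change is recorded against the alert's current state
    $before = Invoke-RestMethod -Method Get -Uri "$Resource/api/alerts/$AlertId" -Headers $headers
    $patch = @{
        status         = 'Resolved'
        classification = 'FalsePositive'
        determination  = 'Other'      # assumption: check the Update alert docs for accepted values
        comment        = $Comment
    } | ConvertTo-Json
    $after = Invoke-RestMethod -Method Patch -Uri "$Resource/api/alerts/$AlertId" -Headers $headers -Body $patch
    [pscustomobject]@{
        AlertId = $AlertId
        Title   = $after.title
        Before  = "$($before.status)/$($before.classification)"
        After   = "$($after.status)/$($after.classification)"
    }
}

# Set-MdatpAlertFalsePositive -AlertId '<alert id from the portal URL>'
```

Because the same call works from any tool that can issue an HTTP PATCH, this is the piece a ticketing system or SOAR playbook runs once an analyst closes the ticket as a false positive; if alerts are also forwarded to a SIEM, the suppression there is a separate step, as noted above.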
Step 2a) If it’s MDAV/SCEP related FP:
First read thru:
Submit files for analysis to Windows Defender Security Intelligence (WDSI) team.
https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/submission-guide
To submit the FP information, browse to the Microsoft Security Intelligence (MSI) Portal (formerly known as Windows Defender Security Intelligence (WDSI) portal):
https://www.microsoft.com/en-us/wdsi/filesubmission
Shortcut: https://aka.ms/MDAVSampleSubmission
Note: The same link works for reporting MDATP and SCEP FP’s.
If you have multiple accounts (such as an A- account), use the account where you receive e-mail, and add your SOC’s e-mail address so that whoever is on shift also receives the response.
TIP: Submit two sets of data.
Item 1)
A copy of the binary that you believe is good and is being flagged as a FP.
Zip it and password-protect the archive with the password: infected
Jot down the submission ID.
Item 2)
If it’s a MDAV/SCEP related FP, grab the diagnostic data (aka the support cab):
MDAV:
Start, CMD (Run as admin)
“C:\program files\Windows Defender\mpcmdrun.exe” -getfiles
TIP: On Windows 10, you can use the Collect investigation package action in the MDATP portal, which collects the diagnostic data automatically.
SCEP:
Start, CMD (Run as admin)
“C:\Program Files\Microsoft Security Client\mpcmdrun.exe” -getfiles
Provide the previous submission ID so that they know this is related to it.
Jot down the 2nd submission id.
For more info:
Collect Update Compliance diagnostic data for Microsoft Defender AV Assessment
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data-update-compliance
TIP: a binary with the same name might exist in multiple versions due to updates, hotfixes, service packs, etc.
If you have MDE (formerly MDATP), you can use the search box with “File” and the name of the binary (in this example, notepad.exe) and click Search.
The result lists every version of the file seen in your environment. Submit each of them, so that they can all be verified as legitimate.
If it is a false positive for a behavioral AV detection and there is no file to submit, submit the MpSupportFiles.cab produced by mpcmdrun -getfiles and provide as much information as you can about the behavioral detection under Additional Information.
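As an added example (not from the original post), here is PowerShell that assembles Item 1 and Item 2 in one go: every distinct version of the named binary found under the given roots (one submission per version, per the TIP above), the client’s platform, engine and signature versions, and the support cab written by mpcmdrun -getfiles. The paths are the MDAV defaults; for SCEP, point $MpCmdRun at the Microsoft Security Client folder shown above.

```powershell
# Added example (not from the original post). Builds a WDSI submission bundle.
# Paths are MDAV defaults; run from an elevated prompt.

$MpCmdRun   = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
$SupportDir = Join-Path $env:ProgramData 'Microsoft\Windows Defender\Support'

function Find-BinaryVersions {
    param(
        [Parameter(Mandatory)][string]$Name,
        [string[]]$Roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot)
    )
    # Same file name, different builds: hash each copy and keep one entry per distinct build
    Get-ChildItem -Path ($Roots | Where-Object { $_ }) -Filter $Name -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Path        = $_.FullName
                FileVersion = $_.VersionInfo.FileVersion
                SHA256      = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash.ToLower()
                Size        = $_.Length
            }
        } | Sort-Object SHA256 -Unique
}

function Get-ClientVersions {
    # The submission form asks for these; Get-MpComputerStatus has them all
    $s = Get-MpComputerStatus
    [pscustomobject]@{
        Platform   = $s.AMProductVersion
        Engine     = $s.AMEngineVersion
        Signatures = $s.AntivirusSignatureVersion
        SigUpdated = $s.AntivirusSignatureLastUpdated
    }
}

function New-SupportCab {
    # mpcmdrun -GetFiles writes MpSupportFiles.cab under $SupportDir
    & $MpCmdRun -GetFiles | Out-Null
    Get-ChildItem -LiteralPath $SupportDir -Filter 'MpSupportFiles.cab' -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime -Descending | Select-Object -First 1
}

function New-SubmissionBundle {
    param(
        [Parameter(Mandatory)][string]$BinaryName,
        [string]$OutDir = (Join-Path $env:TEMP "wdsi-$(Get-Date -Format yyyyMMdd-HHmm)")
    )
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $versions = @(Find-BinaryVersions -Name $BinaryName)
    $versions | Export-Csv -NoTypeInformation -Path (Join-Path $OutDir 'versions.csv')
    Get-ClientVersions | Export-Csv -NoTypeInformation -Path (Join-Path $OutDir 'client.csv')
    foreach ($v in $versions) { Copy-Item -LiteralPath $v.Path -Destination (Join-Path $OutDir "$($v.SHA256).bin") }
    $cab = New-SupportCab
    if ($cab) { Copy-Item -LiteralPath $cab.FullName -Destination $OutDir }
    # Compress-Archive cannot set a password: add the "infected" password with an
    # external tool such as 7-Zip before uploading, as the submission guide asks.
    Compress-Archive -Path (Join-Path $OutDir '*') -DestinationPath "$OutDir.zip" -Force
    [pscustomobject]@{ Bundle = "$OutDir.zip"; Versions = $versions.Count; SupportCab = [bool]$cab }
}

# New-SubmissionBundle -BinaryName 'notepad.exe'
```

versions.csv gives you the hash and file version to paste into each submission, and the cab goes in as the second item with the first submission ID referenced, exactly as the two-item procedure above describes.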
Step 2b) If it’s MDATP related FP:
Information to include if the detection source is EDR.
To submit the FP information, browse to the Microsoft Security Intelligence (MSI) Portal (formerly known as Windows Defender Security Intelligence (WDSI) portal) webpage:
https://www.microsoft.com/en-us/wdsi/filesubmission
Shortcut: https://aka.ms/MDATPSampleSubmission
Note: The same link works for reporting MDAV and SCEP FP’s.
- Alert ID (from the browser URL):
- Alert title:
- Hash:
- Timestamp:
Note: it won’t hurt to also grab the mpcmdrun.exe -getfiles output from Step 2a, Item 2 above.
Working with your Independent Software Vendor (ISV):
Partnering with the industry to minimize false positives
https://www.microsoft.com/security/blog/2018/08/16/partnering-with-the-industry-to-minimize-false-positives/
Have internally developed apps? Sign them with your internal PKI and share the link above with your developers.
Thanks,
Yong
Twitter: @YongRheeMSFT
P.S. Some documents that might come in handy:
Windows Defender Advanced Threat Protection – Ransomware response playbook
https://www.microsoft.com/en-us/download/details.aspx?id=55090
Implement a breach response plan to reduce harm from advanced attacks
https://info.microsoft.com/Dealingwithadvancedthreats.html
P.P.S. When trying to login to the Microsoft Security Intelligence (MSI) Portal (formerly known as Windows Defender Security Intelligence (WDSI) portal) and if you get this error:
/*
Approval required
Windows Defender Security Intelligence
This app requires your admin’s approval to:
View user’s basic profile
Allows the app to see your users’ basic profile (name, picture, user name)
This is a permission requested to access your data in
Maintain access to data you have given it access to
Allows the app to see and update the data you gave it access to even when users are not currently using the app. This does not give the app any additional permissions.
This is a permission requested to access your data in.
Enter justification for requesting this app.
Sign in with another account.
*/
Cause:
Because your enterprise has hardened Azure AD: the portal’s app registration needs admin consent for the permissions listed above before users can sign in.
Solution:
Troubleshooting malware submission errors caused by administrator block
https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/portal-submission-troubleshooting