If Microsoft Defender or Gridinsoft flags a file you believe is clean, do not simply allow it and move on. A safe false-positive report starts with evidence: source, file path, digital signature, hash, exact detection name, and whether the file was downloaded from the official vendor.
If you already clicked Allow in Microsoft Defender, reverse that decision first with our allowed-threat rollback checklist, then collect evidence for a false-positive report.
How do you report a false positive?
- Keep the file quarantined first unless you are in a test lab.
- Collect the detection name, file path, hash, publisher, and source URL.
- Submit the file to the vendor through its official sample submission portal.
- Do not report cracks, keygens, or repacks as false positives.
| | |
|---|---|
| Needed evidence | Detection name, SHA-256, path, source URL, digital signature |
| Likely false positive | Trusted signed app from official source |
| Likely real detection | Crack, activator, fake update, unknown ZIP, unsigned installer |
| Safe action | Submit, wait for verdict, update signatures, rescan |
Check before submitting
- Verify the file came from the official vendor.
- Check the digital signature and publisher.
- Calculate the SHA-256 hash.
- Make sure the file is not a cracked or modified build.
- Submit through the official vendor portal.
- Update signatures and rescan after the vendor responds.
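The checklist above can be gathered into one evidence record with built-in Windows cmdlets. This is an added example, not vendor code: it assumes a readable copy of the flagged file (for example in a test lab) and the Microsoft Defender PowerShell module, and `Get-FalsePositiveEvidence` is a hypothetical helper name.

```powershell
# Added example; Get-FalsePositiveEvidence is a hypothetical helper name.
function Get-FalsePositiveEvidence {
    param(
        [Parameter(Mandatory)] [string] $Path,  # readable copy of the flagged file
        [string] $SourceUrl                      # download URL, if you know it
    )
    $file = Get-Item -LiteralPath $Path -ErrorAction Stop
    $hash = Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256
    $sig  = Get-AuthenticodeSignature -LiteralPath $file.FullName

    # Mark-of-the-Web: browsers store the download URL in the Zone.Identifier stream.
    $motw = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
    $hostUrl = $motw | Where-Object { $_ -like 'HostUrl=*' } | ForEach-Object { $_.Substring(8) }
    if (-not $SourceUrl) { $SourceUrl = $hostUrl | Select-Object -First 1 }

    # Exact detection names from Defender history, matched on the file path.
    $names = @()
    if (Get-Command Get-MpThreatDetection -ErrorAction SilentlyContinue) {
        $ids = @(Get-MpThreatDetection -ErrorAction SilentlyContinue |
            Where-Object { ($_.Resources -join '|').IndexOf($file.FullName, [System.StringComparison]::OrdinalIgnoreCase) -ge 0 } |
            ForEach-Object { $_.ThreatID })
        if ($ids.Count -gt 0) {
            $names = @(Get-MpThreat -ErrorAction SilentlyContinue |
                Where-Object { $ids -contains $_.ThreatID } |
                ForEach-Object { $_.ThreatName } | Select-Object -Unique)
        }
    }

    $evidence = [ordered]@{
        Path            = $file.FullName
        SHA256          = $hash.Hash
        SignatureStatus = [string]$sig.Status     # Valid, NotSigned, HashMismatch, ...
        Publisher       = $sig.SignerCertificate.Subject
        SourceUrl       = $SourceUrl
        DetectionNames  = $names -join '; '
    }
    # List fields that are still empty so the report is not submitted half-filled.
    $evidence.Missing = @($evidence.Keys | Where-Object { -not $evidence[$_] }) -join ', '
    [pscustomobject]$evidence
}

# Constructed lab path, for illustration only.
# Get-FalsePositiveEvidence -Path 'C:\Lab\setup.exe' | Format-List
```

A `SignatureStatus` other than `Valid`, or an empty `SourceUrl`, means the file does not yet meet the "trusted signed app from official source" criterion and should stay quarantined.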
If your report is about Trojan.Malware.300983.susgen on VirusTotal, first follow this exact-label SUSGEN triage guide so you know whether the evidence looks like a false positive or a risky download.
FAQ
Can a false positive happen?
Yes, especially with new or uncommon software, but source and signature matter.
Can I restore the file while waiting?
Only if you fully trust the source and can accept the risk. Otherwise keep it quarantined.
Should I submit a cracked file?
No. Cracks and keygens are unsafe by design and often bundled with malware.
Sources: Microsoft Security Intelligence file submission guidance and antivirus vendor false positive workflows.
Related: If a file shows only one or two VirusTotal detections but a sandbox assigns a high threat score, use our VirusTotal vs Hybrid Analysis conflict checklist before restoring or running it.


