If Microsoft Defender or Gridinsoft flags a file you believe is clean, do not simply allow it and move on. A safe false-positive report starts with evidence: source, file path, digital signature, hash, exact detection name, and whether the file was downloaded from the official vendor.
How do you report a false positive?
- Keep the file quarantined first unless you are in a test lab.
- Collect the detection name, file path, hash, publisher, and source URL.
- Submit the file to the vendor through its official sample submission portal.
- Do not report cracks, keygens, or repacks as false positives.
| Item | Details |
| --- | --- |
| Needed evidence | Detection name, SHA-256, path, source URL, digital signature |
| Likely false positive | Trusted signed app from official source |
| Likely real detection | Crack, activator, fake update, unknown ZIP, unsigned installer |
| Safe action | Submit, wait for verdict, update signatures, rescan |
Check before submitting
- Verify the file came from the official vendor.
- Check the digital signature and publisher.
- Calculate the SHA-256 hash.
- Make sure the file is not a cracked or modified build.
- Submit through the official vendor portal.
- Update signatures and rescan after the vendor responds.
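The evidence in this checklist can be gathered in one pass on Windows. The PowerShell script below is an added example, not code from the original page or from Microsoft or Gridinsoft. The `$Path` parameter is a hypothetical input, and the script assumes the Microsoft Defender PowerShell module is available; if the file is already quarantined and no longer on disk, it reports only the Defender detection history.

```powershell
# Added example: collect false-positive evidence for one flagged file.
param(
    [Parameter(Mandatory)] [string] $Path   # hypothetical input: full path of the flagged file
)

$evidence = [ordered]@{
    Path   = $Path
    OnDisk = Test-Path -LiteralPath $Path -PathType Leaf   # False once the file is quarantined
}

if ($evidence.OnDisk) {
    # SHA-256 of the exact bytes being reported
    $evidence.SHA256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    # Authenticode result: 'Valid' means the signature and certificate chain verified
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    $evidence.SignatureStatus = $sig.Status.ToString()
    $evidence.Publisher       = $sig.SignerCertificate.Subject      # empty for unsigned files
    $evidence.CertThumbprint  = $sig.SignerCertificate.Thumbprint

    # Mark-of-the-Web: browsers store the download URL in the Zone.Identifier stream
    $motw = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    $evidence.SourceUrl = ($motw | Where-Object { $_ -like 'HostUrl=*' }) -replace '^HostUrl=', ''
}

# Exact detection name from Defender history, matched on the file path.
# Escape the path so characters such as [ ] are not treated as wildcards.
$pattern = '*' + [WildcardPattern]::Escape($Path) + '*'
$hits = Get-MpThreatDetection | Where-Object { $_.Resources -like $pattern }

$evidence.Detections = foreach ($hit in $hits) {
    $threat = Get-MpThreat -ThreatID $hit.ThreatID -ErrorAction SilentlyContinue
    '{0} (first detected {1:u})' -f $threat.ThreatName, $hit.InitialDetectionTime
}

# One record to paste into the vendor's sample submission form
[pscustomobject]$evidence | Format-List
```

A `SignatureStatus` other than `Valid`, or a `SourceUrl` that is not the official vendor's site, is a reason to keep the file quarantined rather than treat the detection as a false positive.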
FAQ
Can a false positive happen?
Yes, especially with new or uncommon software, but source and signature matter.
Can I restore the file while waiting?
Only if you fully trust the source and can accept the risk. Otherwise keep it quarantined.
Should I submit a cracked file?
No. Cracks and keygens are unsafe by design and often bundled with malware.
Sources: Microsoft Security Intelligence file submission guidance and antivirus vendor false positive workflows.
Related: If a file shows only one or two VirusTotal detections but a sandbox assigns a high threat score, use our VirusTotal vs Hybrid Analysis conflict checklist before restoring or running it.


