Windows defender false positive

Submit a file for malware analysis

Microsoft security researchers analyze suspicious files to determine if they are threats, unwanted applications, or normal files. Submit files you think are malware or files that you believe have been incorrectly classified as malware. For more information, read the submission guidelines.


Submit file as a:

  • Customer using Microsoft security products at home or in a small organization
  • Corporate account holder with licenses to run Microsoft security solutions in their business
  • Software provider wanting to validate detection of their products

Microsoft Defender Response Portal

This portal is for internal use by Microsoft employees to report detection concerns to Microsoft Defender Research

Submit a file internally

Submit files so our analysts can check them for malicious characteristics. Provide the specific files that need to be analyzed and as much background information as possible.

Escalate to WD Response

WD Response serves as the primary contact point to our malware analysts. Submit your files through regular channels before contacting WD Response for special requests or submission follow-ups.

Attack Surface Reduction

Report issues with undetected suspicious activities or activities that have been incorrectly detected (false positives).

Network Protection

Report issues with the detection and blocking of URLs and IP addresses.

View your submissions

Track the results of your submissions. You can view detailed detection information of all the files you have submitted as well as the determination provided by our analysts.

Search file hash

Enter a file hash in SHA-1, SHA-256 or MD5 format to view the file details, including scan results.

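As an added example (not part of the portal text), the following PowerShell computes the three hash formats the portal's hash search accepts and checks that a pasted hash string is well-formed before it is looked up. The sample path is a placeholder.

```powershell
# Added example, not Microsoft's code: produce MD5/SHA-1/SHA-256 for a file
# and validate a hash string against the formats the portal search accepts.

function Get-SubmissionHashes {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [ValidateScript({ Test-Path -LiteralPath $_ -PathType Leaf })]
        [string]$Path
    )
    # Get-FileHash is built in (PowerShell 4.0+) and streams the file, so a
    # large sample does not have to fit in memory.
    [pscustomobject]@{
        Path   = (Resolve-Path -LiteralPath $Path).Path
        Bytes  = (Get-Item -LiteralPath $Path).Length
        MD5    = (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash
        SHA1   = (Get-FileHash -LiteralPath $Path -Algorithm SHA1).Hash
        SHA256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    }
}

function Test-SubmissionHash {
    # Returns the algorithm name for a syntactically valid hash, or $null.
    # Length is the only reliable distinguisher: 32, 40 or 64 hex characters.
    param([Parameter(Mandatory)][string]$Hash)
    switch -Regex ($Hash.Trim()) {
        '^[0-9a-fA-F]{32}$' { return 'MD5' }
        '^[0-9a-fA-F]{40}$' { return 'SHA1' }
        '^[0-9a-fA-F]{64}$' { return 'SHA256' }
        default             { return $null }
    }
}

# Usage: hash a suspected false positive, then confirm the string is
# well-formed before pasting it into the portal's hash search box.
$h = Get-SubmissionHashes -Path 'C:\Samples\suspect.exe'   # placeholder path
$h | Format-List
Test-SubmissionHash -Hash $h.SHA256
```

A hash that fails Test-SubmissionHash is usually a copy-and-paste problem (whitespace, a truncated string, or a non-hex character) rather than a file that the portal does not know about.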

Submit a file for malware analysis

Specify the file and provide information that will help us to efficiently handle your case.
Required fields are marked with an asterisk (*).


Specify a valid Software Assurance ID

Specify a valid admin email address for SAID

SAID validated. Make high priority submissions only when dealing with active malware or incorrect detections that require immediate attention

Invalid SAID. The specified SAID could not be validated. All submissions are given regular priority

Problems validating SAID. Could not connect to the validation service. Please try again later

Use this option only during emergencies to address active malware


Submission details will be retained for up to 30 days. For privacy information, read the Microsoft Privacy Statement.

Sign in to track your submissions

Use your Microsoft account to track the results of your submissions. You will also be able to link submissions to existing support cases, view past submissions, and rescan files.


By clicking “Accept” below, you consent to the following terms:

Any data provided by or on behalf of you to the Microsoft Security Intelligence submission portal ("MSI") will be treated as set forth in the OST (as defined below) and this consent. Your data will be transferred from other Microsoft services into MSI and from MSI back to applicable Microsoft services. Any data submitted to MSI will constitute Support Data (as defined in the Online Service Terms ("OST")). You acknowledge that such MSI commitments may differ from the services from which that data is transferred. Further, Microsoft will store your data in MSI within the United States only.

Windows defender false positive

Question

I am a website owner, and I have clients reporting that they are unable to access my site because Windows Defender is flagging it as a security issue. There is no reason for this to be the case, and the website is not flagged by any other threat intelligence provider. I need the site to be unblocked, and for this to flow through to all devices/networks which are using Windows Defender.

I can’t find a way to report a false positive other than on the error message itself — I have tried this several times but the website is still being blocked. I have contacted all threat intelligence providers that work with Microsoft, to no avail. I have also contacted Microsoft Support directly, but played a bit of hot potato as nobody could point me towards the right person to be speaking to.

There must be a centralised/coordinated method through which Windows Defender is flagging the threat, which is then appearing on devices with Defender installed. Each of the other threat intelligence providers has a system by which they maintain and update their white/blacklist, and reporting to ensure that false positives are resolved.

How do I go through this process with Microsoft?

Troubleshoot attack surface reduction rules

Applies to:

When you use attack surface reduction rules you may run into issues, such as:

A rule blocks a file or process, or performs some other action, that it shouldn’t (false positive)

A rule doesn’t work as described, or doesn’t block a file or process that it should (false negative)

There are four steps to troubleshooting these problems:

  1. Confirm prerequisites.
  2. Use audit mode to test the rule.
  3. Add exclusions for a false positive.
  4. Collect diagnostic data and report the false positive or false negative.

Confirm prerequisites

Attack surface reduction rules only work on devices that meet the following conditions:

  • Endpoints are running Windows 10 Enterprise, version 1709 (also known as the Fall Creators Update).
  • Endpoints are using Microsoft Defender Antivirus as the sole antivirus protection app. Using any other antivirus app causes Microsoft Defender AV to disable itself.
  • Audit mode isn’t enabled. Use Group Policy to set the rule to Disabled (value: 0) as described in Enable attack surface reduction rules.

If these prerequisites have all been met, proceed to the next step to test the rule in audit mode.

Use audit mode to test the rule

You can visit the Windows Defender Test ground website at demo.wd.microsoft.com to confirm attack surface reduction rules are generally working for pre-configured scenarios and processes on a device, or you can use audit mode, which enables rules for reporting only.

  1. Follow the instructions in Use the demo tool to see how attack surface reduction rules work to test the specific rule you’re encountering problems with.
  2. Enable audit mode for the specific rule you want to test. Use Group Policy to set the rule to Audit mode (value: 2) as described in Enable attack surface reduction rules. Audit mode allows the rule to report the file or process, but still allows it to run.
  3. Perform the activity that is causing the issue (for example, open or execute the file or process that should be blocked but is being allowed).
  4. Review the attack surface reduction rule event logs to see whether the rule would have blocked the file or process if it had been set to Enabled.

If a rule isn’t blocking a file or process that you’re expecting it should block, first check if audit mode is enabled.

Audit mode may have been enabled for testing another feature, or by an automated PowerShell script, and may not have been disabled after the tests were completed.


If you’ve tested the rule with the demo tool and with audit mode, and attack surface reduction rules are working on pre-configured scenarios, but the rule isn’t working as expected, proceed to either of the following sections based on your situation:

If the attack surface reduction rule is blocking something that it shouldn’t block (also known as a false positive), you can first add an attack surface reduction rule exclusion.

If the attack surface reduction rule isn’t blocking something that it should block (also known as a false negative), you can proceed immediately to the last step, collecting diagnostic data and submitting the issue to us.

Add exclusions for a false positive

If the attack surface reduction rule is blocking something that it shouldn’t block (also known as a false positive), you can add exclusions to prevent attack surface reduction rules from evaluating the excluded files or folders.

You can specify individual files and folders to be excluded, but you cannot specify individual rules. This means any files or folders that are excluded will be excluded from all ASR rules.

Report a false positive or false negative

Use the Windows Defender Security Intelligence web-based submission form to report a false negative or false positive for network protection. With a Windows E5 subscription, you can also provide a link to any associated alert.

Collect diagnostic data for file submissions

When you report a problem with attack surface reduction rules, you’re asked to collect and submit diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues.

Open an elevated command prompt and change to the Windows Defender directory:

Run this command to generate the diagnostic logs:
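The four troubleshooting steps above, carried out from an elevated PowerShell prompt, as an added example that is not Microsoft's own script. It assumes a placeholder rule GUID in $RuleId, a placeholder folder in $ExclusionDir, and that you set $IsFalsePositive yourself after reviewing the audit events; the Defender cmdlets, the operational event log name and MpCmdRun.exe -GetFiles are the standard Microsoft Defender Antivirus tooling.

```powershell
# Added example, not Microsoft's own code: walks the four ASR troubleshooting
# steps for one rule. $RuleId and $ExclusionDir are placeholders.

$RuleId          = '00000000-0000-0000-0000-000000000000'   # placeholder ASR rule GUID
$ExclusionDir    = 'C:\LineOfBusinessApp'                   # placeholder folder for step 3
$IsFalsePositive = $false                                   # set $true only for a confirmed false positive
$OutDir          = 'C:\Temp\ASR-Diag'

# Step 1: prerequisites. Defender AV must be the active engine (another AV
# product makes it disable itself), and the rule must not be left in audit
# mode from an earlier test. Action codes: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn.
$status = Get-MpComputerStatus
if (-not $status.AntivirusEnabled -or -not $status.RealTimeProtectionEnabled) {
    throw 'Microsoft Defender Antivirus is not the active antivirus; ASR rules will not apply.'
}
$pref = Get-MpPreference
[string[]]$ids = @($pref.AttackSurfaceReductionRules_Ids)
$match = $ids | Where-Object { $_ -ieq $RuleId } | Select-Object -First 1
$idx   = if ($match) { [array]::IndexOf($ids, $match) } else { -1 }
$current = if ($idx -ge 0) { $pref.AttackSurfaceReductionRules_Actions[$idx] } else { 'not configured' }
Write-Host "Rule $RuleId current action code: $current"

# Step 2: put the rule in audit mode (value 2), reproduce the activity, then
# read the ASR events from the Defender operational log.
# Event 1121 = rule fired in block mode; 1122 = rule fired in audit mode
# (it would have blocked had the rule been Enabled).
Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId -AttackSurfaceReductionRules_Actions AuditMode
Write-Host 'Rule set to audit mode. Reproduce the problem activity now, then press Enter.'
$null = Read-Host
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1121, 1122
    StartTime = (Get-Date).AddHours(-1)
} -ErrorAction SilentlyContinue | Where-Object { $_.Message -match [regex]::Escape($RuleId) }
$events | Select-Object TimeCreated, Id, Message | Format-List

# Step 3 (false positive only): exclude the file or folder. The exclusion is
# global to every ASR rule, not just $RuleId, so keep it as narrow as possible.
if ($IsFalsePositive) {
    Add-MpPreference -AttackSurfaceReductionOnlyExclusions $ExclusionDir
}

# Step 4: collect diagnostic data for the submission. MpCmdRun.exe -GetFiles
# writes MpSupportFiles.cab to the Defender Support folder under ProgramData.
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
& "$env:ProgramFiles\Windows Defender\MpCmdRun.exe" -GetFiles
Copy-Item -Path "$env:ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab" -Destination $OutDir
Write-Host "Diagnostic package copied to $OutDir; attach it to the portal submission."
```

Reading the current action code before changing anything is the check the prerequisites section asks for: a rule already at 2 (Audit) from an earlier test explains a "false negative" without any further investigation. When the rule is at 2 after your test, remember to set it back to Block once you are done, since audit mode never enforces.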

Detect and block potentially unwanted applications

Applies to:

Potentially unwanted applications (PUA) are a category of software that can cause your machine to run slowly, display unexpected ads, or at worst, install other software which might be unexpected or unwanted. By default in Windows 10 (version 2004 and later), Microsoft Defender Antivirus blocks apps that are considered PUA, for Enterprise (E5) devices.

Potentially unwanted applications (PUA) are not considered viruses, malware, or other types of threats, but they might perform actions on endpoints which adversely affect endpoint performance or use. PUA can also refer to an application that has a poor reputation, as assessed by Microsoft Defender for Endpoint, due to certain kinds of undesirable behavior.

Here are some examples:

  • Advertising software that displays advertisements or promotions, including software that inserts advertisements to webpages.
  • Bundling software that offers to install other software that is not digitally signed by the same entity. Also, software that offers to install other software that qualifies as PUA.
  • Evasion software that actively tries to evade detection by security products, including software that behaves differently in the presence of security products.

For more examples and a discussion of the criteria we use to label applications for special attention from security features, see How Microsoft identifies malware and potentially unwanted applications.

Potentially unwanted applications can increase the risk of your network being infected with actual malware, make malware infections harder to identify, or waste IT resources in cleaning them up. PUA protection is supported on Windows 10, Windows Server 2019, and Windows Server 2016.

Microsoft Edge

The new Microsoft Edge, which is Chromium-based, blocks potentially unwanted application downloads and associated resource URLs. This feature is provided via Microsoft Defender SmartScreen.

Enable PUA protection in Chromium-based Microsoft Edge

Although potentially unwanted application protection in Microsoft Edge (Chromium-based, version 80.0.361.50) is turned off by default, it can easily be turned on from within the browser.

  1. Select the ellipses, and then choose Settings.
  2. Select Privacy, search, and services.
  3. Under the Security section, turn on Block potentially unwanted apps.

If you are running Microsoft Edge (Chromium-based), you can safely explore the URL-blocking feature of PUA protection by testing it out on one of our Microsoft Defender SmartScreen demo pages.

Blocking URLs with Microsoft Defender SmartScreen

In Chromium-based Edge with PUA protection turned on, Microsoft Defender SmartScreen protects you from PUA-associated URLs.


Security admins can configure how Microsoft Edge and Microsoft Defender SmartScreen work together to protect groups of users from PUA-associated URLs. There are several group policy settings explicitly for Microsoft Defender SmartScreen available, including one for blocking PUA. In addition, admins can configure Microsoft Defender SmartScreen as a whole, using group policy settings to turn Microsoft Defender SmartScreen on or off.

Although Microsoft Defender for Endpoint has its own block list based upon a data set managed by Microsoft, you can customize this list based on your own threat intelligence. If you create and manage indicators in the Microsoft Defender for Endpoint portal, Microsoft Defender SmartScreen respects the new settings.

Microsoft Defender Antivirus

The potentially unwanted application (PUA) protection feature in Microsoft Defender Antivirus can detect and block PUAs on endpoints in your network.

This feature is available in Windows 10, Windows Server 2019, and Windows Server 2016.

Microsoft Defender Antivirus blocks detected PUA files and any attempts to download, move, run, or install them. Blocked PUA files are then moved to quarantine. When a PUA file is detected on an endpoint, Microsoft Defender Antivirus sends a notification to the user (unless notifications have been disabled) in the same format as other threat detections. The notification is prefaced with PUA: to indicate its content.

Configure PUA protection in Microsoft Defender Antivirus

You can also use PUA protection in audit mode to detect potentially unwanted applications without blocking them. The detections are captured in the Windows event log.

Visit the Microsoft Defender for Endpoint demo website at demo.wd.microsoft.com to confirm that the feature is working, and see it in action.

PUA protection in audit mode is useful if your company is conducting an internal software security compliance check and you’d like to avoid any false positives.

Use Intune to configure PUA protection

Use Configuration Manager to configure PUA protection

PUA protection is enabled by default in the Microsoft Endpoint Manager (Current Branch).

See How to create and deploy antimalware policies: Scheduled scans settings for details on configuring Microsoft Endpoint Manager (Current Branch).

PUA events blocked by Microsoft Defender Antivirus are reported in the Windows Event Viewer and not in Microsoft Endpoint Configuration Manager.

Use Group Policy to configure PUA protection

On your Group Policy management computer, open the Group Policy Management Console.

Select the Group Policy Object you want to configure, and then choose Edit.

In the Group Policy Management Editor, go to Computer configuration and select Administrative templates.

Expand the tree to Windows Components > Microsoft Defender Antivirus.

Double-click Configure detection for potentially unwanted applications.

Select Enabled to enable PUA protection.

In Options, select Block to block potentially unwanted applications, or select Audit Mode to test how the setting works in your environment. Select OK.

Deploy your Group Policy object as you usually do.

Use PowerShell cmdlets to configure PUA protection

To enable PUA protection

Setting the value for this cmdlet to Enabled turns the feature on if it has been disabled.

To set PUA protection to audit mode

Setting AuditMode detects PUAs without blocking them.

To disable PUA protection

We recommend keeping PUA protection turned on. However, you can turn it off by using the following cmdlet:

Setting the value for this cmdlet to Disabled turns the feature off if it has been enabled.

See Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus and Defender cmdlets for more information on how to use PowerShell with Microsoft Defender Antivirus.
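The three PUA protection settings described above (Enabled, AuditMode, Disabled) applied through Set-MpPreference, with a read-back of the value, as an added example rather than the cmdlet lines from the original article. The wrapper function Set-PuaProtectionMode is an assumption of this example; -PUAProtection and its three values are the real Set-MpPreference parameter.

```powershell
# Added example, not Microsoft's own code: set the PUA protection mode and
# confirm the change. Get-MpPreference reports the mode numerically:
# 0 = Disabled, 1 = Enabled (block), 2 = AuditMode.

function Set-PuaProtectionMode {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Enabled', 'AuditMode', 'Disabled')]
        [string]$Mode
    )
    $before = (Get-MpPreference).PUAProtection
    if ($PSCmdlet.ShouldProcess("PUAProtection ($before -> $Mode)", 'Set-MpPreference')) {
        Set-MpPreference -PUAProtection $Mode
    }
    $after = (Get-MpPreference).PUAProtection
    # Return both values so a deployment script can log what actually changed.
    [pscustomobject]@{ Requested = $Mode; Before = $before; After = $after }
}

# Typical rollout: audit first during a compliance check, review event ID 1160
# for a few days, then move to block.
Set-PuaProtectionMode -Mode AuditMode
# Later, once the audit detections have been reviewed:
Set-PuaProtectionMode -Mode Enabled -WhatIf   # dry run; drop -WhatIf to apply
```

Because the value is also settable by Group Policy, Intune and Configuration Manager, a read-back that does not match the requested mode usually means a management channel is overriding the local setting rather than that the cmdlet failed.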

View PUA events

PUA events are reported in the Windows Event Viewer, but not in Microsoft Endpoint Manager or in Intune. You can also use the Get-MpThreat cmdlet to view threats that Microsoft Defender Antivirus handled. Here’s an example:

You can turn on email notifications to receive mail about PUA detections.

See Troubleshoot event IDs for details on viewing Microsoft Defender Antivirus events. PUA events are recorded under event ID 1160.

Excluding files

Sometimes a file is erroneously blocked by PUA protection, or a feature of a PUA is required to complete a task. In these cases, the file can be added to an exclusion list.
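As an added example covering both the View PUA events and Excluding files sections (not Microsoft's own code), the following lists PUA detections from Defender's threat history (Get-MpThreat, where PUA detections carry the PUA: prefix) and from event ID 1160 in the Defender operational log, then adds a path exclusion once a detection has been confirmed to be a false positive. The function names and the exclusion path are this example's own.

```powershell
# Added example, not Microsoft's own code: review PUA detections, then exclude
# a confirmed false positive. The exclusion path is a placeholder.

function Get-PuaDetections {
    param([int]$Days = 7)
    # Threat history: PUA detections are prefixed "PUA:" in ThreatName.
    $fromHistory = Get-MpThreat | Where-Object { $_.ThreatName -like 'PUA:*' } | ForEach-Object {
        [pscustomobject]@{
            Source    = 'ThreatHistory'
            Detection = $_.ThreatName
            Detail    = ($_.Resources -join '; ')
        }
    }
    # Event log: 1160 is the PUA detection event, reported here and not in
    # Endpoint Manager or Intune, so this is where audit-mode results live.
    $fromLog = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1160
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Source    = 'EventID1160'
            Detection = $_.TimeCreated
            Detail    = $_.Message
        }
    }
    @($fromHistory) + @($fromLog)
}

function Add-PuaFalsePositiveExclusion {
    param([Parameter(Mandatory)][string]$Path)
    # -ExclusionPath excludes the path from all Defender AV scanning, not only
    # from PUA protection, so exclude the single file rather than its folder.
    Add-MpPreference -ExclusionPath $Path
    (Get-MpPreference).ExclusionPath
}

Get-PuaDetections -Days 7 | Format-Table -AutoSize -Wrap
Add-PuaFalsePositiveExclusion -Path 'C:\Tools\AdminUtility\util.exe'   # placeholder path
```

Run Get-PuaDetections on a few representative endpoints while PUA protection is in audit mode; the Detail column gives the detection name and file path you need for the submission form if the classification turns out to be wrong.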
