False Detection Report

User type: Both Personal and Organization users

The False Detection Report feature allows users to report files they feel have been wrongly flagged as malicious by an OPSWAT Product. OPSWAT's expert analyst team will review these submissions for false positives/negatives and update our Reputation Engine database as needed.

Definition of a False Detection

A false detection occurs when the verdict of a detection system does not match the actual nature of a file.

The first case is a false positive, where a benign file is incorrectly flagged as malicious. The risk here is mostly operational, since users may lose trust in the system and critical business tasks may be delayed. Within OPSWAT solutions, a false positive is considered any clean file detected as LIKELY_MALICIOUS or MALICIOUS.

The second case is a false negative, which occurs when a malicious sample goes undetected. These cases pose a higher security risk because they allow compromise to remain unnoticed and potentially cause significant impact. Any malware not detected as LIKELY_MALICIOUS or MALICIOUS is considered a false negative. Newly requested detection logic or file type support also falls into this category, as it highlights a missed threat under current capabilities.

A clean file flagged as SUSPICIOUS is not considered a false positive under this service. A suspicious verdict indicates that the file shows indicators warranting further review. For more details, please refer to the Sandbox verdict documentation here.

Users can submit a False Detection report from the Support > False Detection Report menu item.

How to Report False Detection

You can report a false positive or false negative by submitting a report here and having the file analyzed by OPSWAT's expert analyst team. Follow these steps to submit a report for a file that you think has been misidentified:

  • Upload File: Submit a single file (max size: 2 GB). For multiple files, compress them into a ZIP file.

  • Submission Type: Indicate whether the file is a:

    • False Positive: A clean file incorrectly flagged as malicious.
    • False Negative: A malicious file not detected.
  • Product Details: Specify the product where the false detection occurred.

  • Antivirus Engine: Select or input the antivirus engine involved (e.g., ClamAV, AhnLab, Avira).

  • AV Detection/Threat Name: Enter the AV detection or threat name (e.g., Trojan/Win32.Downloader).

  • Detection Screenshot: Upload a detection or report alert screenshot (max size: 10 MB) for better analysis.

  • File Origin: Indicate the source of the file.

  • File Purpose: Describe the file's intended use (e.g., design program, image viewer, document editor).

  • False Detection Reason: Provide any additional details supporting why the detection is false.

  • AV Vendor Sharing: Agree to share the file with antivirus vendors for further analysis.

Submission History

You can view the full history of your submissions with detailed information.

  • Category
  • Case No.: After reporting a false detection, a support case is automatically created. The Case No. displays the support case number as a hyperlink. Clicking it opens a new tab and directs you to the Support service for further details.
  • File Name or Hash
  • Hash values: MD5, SHA1, SHA256
  • Status
  • Submitted Time
  • Last Updated
  • Submissions with statuses CONFIRMED BENIGN, CONFIRMED MALICIOUS, or REJECTED will have their associated files automatically removed 90 days after the submission date.
  • Submissions with statuses IN QUEUE, IN PROGRESS, or INCONCLUSIVE will have their associated files removed 365 days after the submission date.
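
The definitions and retention rules above can be checked before a batch of files is reported. The following is an added example, not OPSWAT code: it decides the Submission Type for each sample, computes the hash values shown in Submission History, and works out when an uploaded file will be removed. The function names, the ground-truth flag (your own assessment of the file), the reading of 2 GB as 2 × 1024³ bytes, and the sample data are assumptions.

```python
import hashlib
from datetime import date, timedelta

DETECTED = {"LIKELY_MALICIOUS", "MALICIOUS"}   # verdicts that count as a detection
MAX_UPLOAD_BYTES = 2 * 1024**3                 # 2 GB upload limit (binary GB is an assumption)
SHORT_RETENTION = {"CONFIRMED BENIGN", "CONFIRMED MALICIOUS", "REJECTED"}
LONG_RETENTION = {"IN QUEUE", "IN PROGRESS", "INCONCLUSIVE"}

def submission_type(actually_malicious: bool, verdict: str):
    """Return 'False Positive', 'False Negative', or None if not reportable."""
    detected = verdict.upper() in DETECTED
    if actually_malicious and not detected:
        return "False Negative"      # includes malware that only reached SUSPICIOUS
    if not actually_malicious and detected:
        return "False Positive"      # a clean file at SUSPICIOUS does not qualify
    return None

def file_hashes(data: bytes) -> dict:
    """MD5, SHA1 and SHA256: the hash values listed in Submission History."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}

def removal_date(status: str, submitted: date) -> date:
    """Date the uploaded file is removed, counted from the submission date."""
    if status in SHORT_RETENTION:
        return submitted + timedelta(days=90)
    if status in LONG_RETENTION:
        return submitted + timedelta(days=365)
    raise ValueError(f"status not covered by the retention rules: {status!r}")

def triage(samples):
    """Yield (name, submission type, sha256) for samples worth reporting."""
    for name, data, actually_malicious, verdict in samples:
        kind = submission_type(actually_malicious, verdict)
        if kind is None:
            continue
        if len(data) > MAX_UPLOAD_BYTES:
            raise ValueError(f"{name} exceeds the 2 GB upload limit")
        yield name, kind, file_hashes(data)["sha256"]

# Constructed sample data: (file name, content, analyst's ground truth, product verdict)
SAMPLES = [
    ("setup.exe", b"clean installer bytes", False, "MALICIOUS"),
    ("viewer.dll", b"clean library bytes", False, "SUSPICIOUS"),
    ("invoice.js", b"known-bad script bytes", True, "SUSPICIOUS"),
    ("dropper.bin", b"known-bad binary bytes", True, "LIKELY_MALICIOUS"),
]

if __name__ == "__main__":
    for row in triage(SAMPLES):
        print(*row)
    print(removal_date("REJECTED", date(2024, 1, 1)))
```

The SHA256 value returned by `triage` can be pasted into the Submission History search to find the matching submission later.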

Submission History Search and Filter

You can search and filter by:

  • Type: File name or hash value
  • Category
  • Status

False Detection cases

Users can also view all support cases submitted for False Detection and get real-time updates on case status.

This tab is visible to all users and displays all false detection cases that the user has submitted. In this tab, users can:

  • Search by Case number and Subject
  • Filter cases by Product or Status (New/Open/Closed/Waiting on me/Waiting on OPSWAT/On-hold)
  • View details of False Detection - "View Detection"
  • Export case details to CSV for offline use.
  • Access the full list of cases by clicking the View All button, which opens the comprehensive summary on another page.