Understand What You’re Reporting

Understanding what you are reporting is important to ensure you provide the necessary information and context, which helps analysts evaluate each case more effectively.

Submission types are classified as either false positives or false negatives. For more information, see the definition of a False Detection.

For a false negative request, there is nothing special to consider — simply complete the submission form following the instructions provided in the form, and an analyst will review the file to create the appropriate detection logic.

For a false positive request, multiple underlying sources may be involved. Within OPSWAT solutions, false positives typically originate from three components: multiscanning (MetaScan), file reputation, or sandbox. Understanding these sources is not required, but it helps users provide more accurate submission information, which lets analysts process cases more efficiently.

  • MetaScan: OPSWAT Multiscanning analyzes files with 30+ anti-malware engines to maximize detection rates. Learn more about this technology here.
    • False positive example: an AV vendor's engine incorrectly flags a benign file as malicious.
  • File Reputation: The reputation engine classifies files as known good, known bad, or unknown by comparing hashes against a database of trusted and malicious files.
    • False positive example: the reputation engine incorrectly flags a benign file as known bad.
  • Sandbox: MetaDefender Sandbox detonates and analyzes files in a controlled environment, extracting IOCs and performing dynamic analysis to identify threats. Learn more about this technology here.
    • False positive example: the sandbox incorrectly classifies a benign file as likely malicious or malicious.

These three components are the primary sources of false positives. For each source, the submission form may request slightly different inputs to ensure analysts receive the right context. If users misidentify the source of the false detection, it is not a problem — analysts can determine the actual source from the exported scan results. To learn how to export results, check How to Export Scan Results for Submission.

A false positive may sometimes be caused by more than one source (for example, both multiscanning and sandbox). If this happens, do not worry: simply select one option in the submission form. The analyst will identify all contributing sources from the scan results and ensure the false positive is addressed across all of them.
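As an added illustration (this is not OPSWAT code, and the record layout is a constructed stand-in rather than the real export format), the following Python snippet shows how the contributing sources can be read off an exported scan result: one multiscanning engine result, one reputation verdict and one sandbox verdict are checked against the three detection rules described above, and the names of the flagging engines are collected for the submission. The file name, hash placeholder, engine names and verdict strings are all assumptions.

```python
"""Identify which component(s) flagged a file in an exported scan result.

Added illustration, not OPSWAT code. The JSON layout below is a constructed
stand-in for an exported scan result, NOT the real export schema.
"""
from __future__ import annotations

import json

# Constructed sample 1: a benign installer flagged by two AV engines and by the
# sandbox, while file reputation returned "unknown". Names are placeholders.
SAMPLE_EXPORT = json.dumps({
    "file_name": "setup-tool.exe",
    "sha256": "<sha256 of the submitted file>",  # placeholder, not a real hash
    "multiscan": {
        "engines": {
            "EngineA": {"result": "Trojan.Generic.Placeholder"},  # flagged
            "EngineB": {"result": ""},                            # clean
            "EngineC": {"result": "Gen:Variant.Placeholder"},     # flagged
        }
    },
    "file_reputation": {"verdict": "unknown"},
    "sandbox": {"verdict": "likely malicious"},
})

# Constructed sample 2: only the reputation engine flagged the file.
REPUTATION_ONLY_EXPORT = json.dumps({
    "file_name": "report.pdf",
    "sha256": "<sha256 of the submitted file>",  # placeholder
    "multiscan": {"engines": {"EngineA": {"result": ""}, "EngineB": {"result": ""}}},
    "file_reputation": {"verdict": "known bad"},
    "sandbox": {"verdict": "benign"},
})

# Sandbox verdicts that count as a detection (see the sandbox bullet above).
SANDBOX_FLAGGED = {"likely malicious", "malicious"}


def contributing_sources(export_json: str) -> dict[str, list[str]]:
    """Return {source: [details]} for every component that produced a detection.

    Sources are "multiscan", "file_reputation" and "sandbox"; a component that
    did not flag the file is simply absent from the result.
    """
    data = json.loads(export_json)
    sources: dict[str, list[str]] = {}

    # Multiscanning: any engine with a non-empty result string is a detection.
    engines = data.get("multiscan", {}).get("engines", {})
    flagged = sorted(name for name, info in engines.items() if info.get("result"))
    if flagged:
        sources["multiscan"] = flagged

    # File reputation: only a "known bad" verdict is a detection;
    # "known good" and "unknown" are not.
    rep = data.get("file_reputation", {}).get("verdict", "unknown")
    if rep.lower() == "known bad":
        sources["file_reputation"] = [rep]

    # Sandbox: "likely malicious" or "malicious" verdicts are detections.
    sb = data.get("sandbox", {}).get("verdict", "")
    if sb.lower() in SANDBOX_FLAGGED:
        sources["sandbox"] = [sb]

    return sources


def submission_summary(export_json: str) -> str:
    """One-line context to paste alongside the exported result in a submission."""
    data = json.loads(export_json)
    srcs = contributing_sources(export_json)
    if not srcs:
        return f"{data['file_name']}: no detections"
    parts = [f"{src}: {', '.join(details)}" for src, details in srcs.items()]
    return f"{data['file_name']} ({data['sha256']}) flagged by " + "; ".join(parts)


if __name__ == "__main__":
    print(submission_summary(SAMPLE_EXPORT))
    print(submission_summary(REPUTATION_ONLY_EXPORT))
```

When more than one source appears in the output, that is the multi-source case described above: pick any one of them in the form and include the full exported result so the analyst can see the rest.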
