Actions Required After Verifying False Positives in Windows Defender

김 청 0 Reputation points
2024-10-08T05:38:48.8133333+00:00

A customer support inquiry was received regarding our game executable (.exe) being detected as Trojan/Wacatac.B!ml. Several posts on our game site’s community have reported similar issues.

The file in question is a program built and distributed by our company and is installed via the launcher that we also distribute. This software has been in service for 19 years and includes a digitally signed official certification, leading us to believe the detection is a false positive. We submitted the file for verification through https://www.microsoft.com/en-us/wdsi. We requested a review for both Trojan/Wacatac.B!ml and PUA/Puwaders.C!ml detections. However, only the detection for Trojan/Wacatac.B!ml was removed.

We have the following questions:

  • Since our game executable is updated with each new version, will continuous file verification requests be necessary?
  • For users affected by this issue, does Windows Defender require an additional patch? If so, could guidance on the patching process be provided? Our users tend to be older, so a simple and straightforward solution is requested.
  • If the executable has already been quarantined due to the false positive, will it be restored?

Thank you.


2 answers

  1. Prathista Ilango 95 Reputation points Microsoft Employee
    2024-11-07T09:41:02.9933333+00:00

    Please find below the answers to your queries,

    • Since our game executable is updated with each new version, will continuous file verification requests be necessary?

    Yes. It is recommended to submit the file for verification whenever there is a new update to the exe.

    Submit files for analysis by Microsoft - Microsoft Defender XDR | Microsoft Learn

    Also please refer to Software developer FAQ - Microsoft Defender XDR | Microsoft Learn and How Microsoft identifies malware and potentially unwanted applications - Microsoft Defender XDR | Microsoft Learn while developing your application. Keeping these criteria in mind while developing applications could help avoid false positives. 


    • For users affected by this issue, does Windows Defender require an additional patch? If so, could guidance on the patching process be provided? Our users tend to be older, so a simple and straightforward solution is requested.

    Windows Defender doesn't require any additional patching. The definition updates that happen regularly will be sufficient. It also depends on how the automatic patching is configured for your org. If no software update management is in place, just ensure your device and Defender are up to date.

    Update Windows - Microsoft Support 

    Virus & threat protection in Windows Security - Microsoft Support

    On the Virus & threat protection page, under Virus & threat protection updates, select Check for updates to scan for the latest security intelligence.


    Please note that system updates require a reboot, but Defender definition updates do not.


    • If the executable has already been quarantined due to the false positive, will it be restored?

    You can manually restore it. If the file is determined to be safe after Microsoft's investigation, it won't be detected again unless the file changes (this is the reason to submit for verification when there is an updated version). Alternatively, if you are sure it is a false positive, you can put an exclusion in place to avoid this detection in future.

    Restore quarantined files in Microsoft Defender Antivirus - Microsoft Defender for Endpoint | Microsoft Learn

    Add an exclusion to Windows Security - Microsoft Support


    If you found the information above helpful, please Accept the answer. This will assist others in the community who encounter a similar issue, enabling them to quickly find the solution and benefit from the guidance provided.

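The three steps the answer describes (refresh definitions, restore the quarantined executable, confirm it is no longer flagged) can be scripted so support staff do not have to walk an end user through each dialog. This is an added example, not code from the answerer or from Microsoft; it assumes an elevated PowerShell session, and the install path and product name are placeholders. It deliberately stops short of adding an exclusion, since an exclusion on the install folder would also hide a real detection there later.

```powershell
# Added example (not from the original answer): refresh Defender security intelligence,
# restore the game executable from quarantine, and re-scan it with the new definitions
# so support staff can confirm the false positive is gone before closing the ticket.
# Run in an elevated PowerShell session. Path and product names below are placeholders.

$GameExe     = 'C:\Program Files\ExampleGame\Game.exe'   # placeholder; use the real install path
$ThreatMatch = @('*Wacatac.B!ml*', '*Puwaders.C!ml*')    # detection names quoted in the thread
$MpCmdRun    = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
$ExeName     = [IO.Path]::GetFileName($GameExe)

# 1. Pull the latest security intelligence (definition updates need no reboot).
Update-MpSignature -ErrorAction Stop
$status = Get-MpComputerStatus
Write-Host "Signatures: $($status.AntivirusSignatureVersion), updated $($status.AntivirusSignatureLastUpdated)"

# 2. Show what Defender has recorded against this executable so far.
$history = Get-MpThreat | Where-Object {
    $t = $_
    ($t.Resources -like "*$ExeName*") -and ($ThreatMatch | Where-Object { $t.ThreatName -like $_ })
}
if (-not $history) { Write-Host "No recorded detections for $ExeName on this machine."; return }
$history | Select-Object ThreatName, IsActive, Resources | Format-List

# 3. List the quarantine, then restore only this file (never every quarantined item).
& $MpCmdRun -Restore -ListAll
& $MpCmdRun -Restore -FilePath $GameExe
if (-not (Test-Path $GameExe)) { Write-Warning "Restore did not recreate $GameExe"; return }

# 4. Re-scan the restored file. A fresh detection after the signature update means the
#    corrected definitions have not reached this machine yet; do not add an exclusion.
$scanStart = Get-Date
Start-MpScan -ScanType CustomScan -ScanPath $GameExe
$fresh = Get-MpThreatDetection | Where-Object {
    ($_.InitialDetectionTime -gt $scanStart) -and ($_.Resources -like "*$ExeName*")
}
if ($fresh) {
    Write-Warning 'Still detected with current definitions; keep the WDSI submission open.'
} else {
    Write-Host "$ExeName restored and clean with signature $($status.AntivirusSignatureVersion)."
}
```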

