Handling False Positives

A false positive occurs when a legitimate file is incorrectly classified as malicious. While ReversingLabs strives for high accuracy, false positives can occasionally happen due to the complexity of malware detection across hundreds of file formats and millions of samples.

What You Can Do

If you encounter a false positive, you have several options:

1. Local Classification Override

On Spectra Analyze, you can override the classification immediately using the classification override feature:

  • Navigate to the file's Sample Details page
  • Use the classification override option to manually set the file as goodware
  • The override takes effect immediately on your appliance
  • All users on the same appliance will see the updated classification

2. Spectra Intelligence Reclassification Request

Submit a reclassification request through Spectra Intelligence:

  • The override propagates across all appliances connected to the same Spectra Intelligence account
  • Other appliances in your organization will automatically receive the updated classification
  • This is the recommended approach for organization-wide corrections

3. Goodware Overrides

Use Goodware Overrides to propagate trusted parent classifications to extracted child files:

  • If a trusted parent file (e.g., from Microsoft or another reputable vendor) contains extracted files that trigger false positives, the parent's goodware classification can automatically override the classification of those child files
  • This is particularly useful for legitimate installers whose components are flagged by heuristics

How ReversingLabs Handles False Positive Reports

If a customer reports a false positive (through Zendesk, or by contacting the Support team at support@reversinglabs.com), the first thing we do is re-scan the sample to make sure that the results are up to date.

If the results are still malicious, our Threat Analysis team will:

  1. Conduct our own research on the software and the vendor
  2. Contact the AV scanners and notify them of the issue
  3. Change the classification in our system (we do not wait for the AVs to correct the issue)

If the file is confirmed to be a false positive, we begin by analyzing why the incorrect classification occurred.

Then we try to correct the result by adjusting file relationships, certificates, and AV product detection velocity (e.g. whether detections are being added or removed); re-scanning and reanalyzing the samples; adjusting or adding sources; and, if necessary, manually investigating the file.

If these efforts do not yield a correct result, we have the ability to manually override the classification — but we only do so after thorough analysis confirms the file is benign.