How to report a false-positive in Microsoft SmartScreen

SmartScreen is a Windows Defender component found in Microsoft Edge and Internet Explorer as well as in all universal apps from the Windows Store. It’s used to block phishing and fraudulent websites from loading, and to block malicious apps from running.

What do you do when your program is incorrectly matched to a malicious signature in Microsoft SmartScreen? What recourse do developers have to get their programs allow-listed? What should you do as a user when something is blocked by SmartScreen?

Completely unrelated (not) to the newly released update to my free EdgeDeflector utility, I needed to find out how to report a false-positive in Microsoft SmartScreen. Users of Internet Explorer and Edge were being blocked from downloading the update because the installer for the update was falsely identified as malicious by SmartScreen (“Windows Defender”.) Users of other browsers were told the executable couldn’t be run when they tried to execute it.

So, what recourse does a developer have when their software is being blocked by Microsoft? What do you do when a verified-good download from a known and trusted source is incorrectly flagged as malware?

It was surprisingly hard to find any documentation for reporting false-positives in Windows Defender to Microsoft. I even asked the Windows digital assistant, Cortana, and it responded by telling me about the local weather. This was obviously not useful. In any case, the actual process is as follows:

  1. Download the program through a publicly accessible link using Microsoft Edge or Internet Explorer.
  2. Wait for a notification telling you that “Windows Defender SmartScreen reported [file] as unsafe.”
  3. Click the View Downloads button on the notification.
  4. Right-click on the downloaded file, and choose Report that this download is safe.
  5. Fill in the online form.

You’ll end up on an online form, but you can’t get to this form without using the links provided by Microsoft. The special reporting link contains the file hash, as well as other information about the file such as the name and where it was downloaded from.

You could theoretically construct this URL manually, but it’s much easier from Microsoft Edge. I haven’t found any way to get the parameters for this form if you use another browser than Microsoft Edge or Internet Explorer.

There’s no other way to say this so I’ll be very blunt: unless you know for sure and have verified and double-checked your findings: you shouldn’t be reporting anything as a safe download unless you know that the exact file you’ve is safe. Assume your malware protection software is right unless you actually know better.

If Windows Defender begins recognizing a specific named threat or recognize your program as malicious after it has been installed, you can use the Windows Defender Security Intelligence File Submission form instead. Note that this form shouldn’t be used for reporting any executable that just haven’t yet established an application reputation (new or unpopular programs.)

My program was probably not flagged as malicious, but rather it doesn’t have what Microsoft calls an “application reputation.” SmartScreen looks at the history and number of downloads of executable files.

An uncommon and unusual download is assumed to be riskier than a frequently downloaded file. When a file has been downloaded enough times, it will be added to SmartScreen as a safe download.

You can help boost your application reputation by digitally signing your executables. Code signing isn’t a very complicated process, but the signing certificates have to be renewed yearly and they cost a couple of hundred dollars every year. I’m not interested in covering that cost considering that I’m developing a small utility program that I make available for free.