Forum Discussion
Microsoft Defender false positive and WDSI submission details page bug
Hello,
I am the developer and publisher of Pulse Launcher, a legitimate signed Windows application / Minecraft mod launcher.
I already submitted this through Microsoft Security Intelligence and also opened a Microsoft Q&A thread, but I am posting here because the WDSI submission portal itself appears to be broken for these submissions.
Related Microsoft Q&A thread:
https://learn.microsoft.com/en-us/answers/questions/5929545/microsoft-defender-false-positive-and-wdsi-submiss
There are two related issues:
1. Microsoft Defender cloud ML false positives keep appearing on public multi-engine scan results for the same signed application/product family. The Microsoft detection name changes across rescans and equivalent builds, including:
- PUA:Win32/Puwaders.C!ml
- Program:Win32/Wacapew.C!ml
- Trojan:Win32/Wacatac.B!ml
- Trojan:Win32/Wacatac.C!ml
- Trojan:Win32/Sabsik.EN.A!ml
2. Microsoft Security Intelligence submissions are visible in Submission history and show status "In progress", but opening the submission details page returns:
"The details for the submission were not found or the submission has expired."
Affected submission IDs:
- dd476efa-fc04-4f13-82cf-631bbfd145a6
- efc6514c-d700-4d6a-a7e2-67a9a83334a2
- ff8d04b7-c5fc-4a05-bd53-ee7ac5981284
File details:
- File name: pulse_launcher.exe
- SHA-256: def6059c07c3e1f4a8c5649a1bbf190d4f355ee8e8b88c55c5b404edee99ecc8
- Signer: FOP Haponiuk Mykola Viktorovych
- Certificate: GlobalSign EV Code Signing certificate
The executable is not VMProtect-packed or obfuscated. It is EV-signed. A previous Microsoft analyst response stated that the file did not meet Microsoft criteria for malware or PUA, but Microsoft cloud detections continue to appear.
Could someone route this to Microsoft Defender Security Intelligence / malware analysis, or advise how to escalate WDSI submissions that exist in history but whose details endpoint returns "not found or expired"?
Thank you.
1 Reply
Hi, since you already have multiple WDSI submissions and the details page is failing, I’d collect the SHA256 hashes, signing certificate details, detection names, submission IDs, and timestamps into one support case so Microsoft can route it to Defender Security Intelligence. For immediate business impact, if you use Defender for Endpoint and you fully trust the signed binary, you can consider a temporary allow indicator while the false positive is reviewed. I would keep that scoped as tightly as possible. The broken submission-details page sounds like a portal issue, so including screenshots and HAR timing in the support case may help.