There is no feature to refer a quarantined file to Microsoft for analysis directly. Why not add one?

Copper Contributor

In response to ticket TrackingID#2312150050002027, technical support advised: 'Customer can restore the quarantined file (by adding exclusion to that folder if required) and submit it to WDSI for analysis via - Submit a file internally - Microsoft Security Intelligence. If you feel this is not helpful, you can submit your "Product Feedback" here'

In this case, a series of factors, including user unavailability, errors, and failure of the 'Collect file' feature, resulted in loss of the samples when the 30-day quarantine limit was reached. It was later determined that the detection was a false positive, making this an unnecessary data loss caused by Defender.

A useful sample submission feature should be:

i) usable without disabling protection (adding an exclusion for a folder so that suspected malware can be restored there carries risk)

ii) easy to use

iii) where multiple sample files are involved, allow selection of which ones to submit, e.g. where some contain personal data

iv) well documented

2 Replies
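The restore-and-submit procedure that support quoted in the original post, written out as an added PowerShell example; it is not code from the original poster or from Microsoft. It uses only documented Defender tooling (MpCmdRun.exe -Restore, the Defender PowerShell module's Get-MpThreatDetection, Add-/Remove-MpPreference and Set-MpPreference) and the public WDSI file submission page. The staging folder path and the threat name in the usage lines are placeholders, and the retention value is an assumption you should align with your own policy. It addresses point i) above by never excluding the folder the file was found in: the sample is restored into a dedicated, empty, Administrators/SYSTEM-only folder that is the only excluded path, and the exclusion is removed as soon as the upload is done. It also raises the quarantine retention so that a sample is not purged after 30 days while a submission is still pending.

```powershell
# Added example (not from the original post or from Microsoft): restore one
# quarantined sample into a dedicated staging folder for submission to WDSI,
# keep the exclusion narrow and short-lived, and stop quarantine from purging
# samples before anyone has collected them. Run in an elevated session.
# The staging path and threat name are placeholders (assumptions).

#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

$MpCmdRun = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'

# 1. Keep quarantined items longer than the purge window so a sample is not
#    lost while a false-positive submission is pending. 0 = keep indefinitely
#    (value is an assumption; pick what your retention policy allows).
function Set-QuarantineRetention {
    param([uint32]$Days = 0)
    Set-MpPreference -QuarantinePurgeItemsAfterDelay $Days
    (Get-MpPreference).QuarantinePurgeItemsAfterDelay
}

# 2. Show what is in quarantine and which detection put it there, so the
#    right item (and only that item) can be picked for submission.
function Show-QuarantineInventory {
    & $MpCmdRun -Restore -ListAll
    Get-MpThreatDetection |
        Sort-Object InitialDetectionTime -Descending |
        Select-Object InitialDetectionTime, ThreatID, ActionSuccess, Resources |
        Format-Table -AutoSize
}

# 3. Restore one item into an empty, ACL-restricted staging folder that is the
#    ONLY excluded path, record its hash, wait for the upload, then remove the
#    exclusion so the folder is protected again.
function Export-QuarantinedSample {
    param(
        [Parameter(Mandatory)][string]$ThreatName,  # name as listed by -ListAll
        [string]$Staging = 'C:\WDSI-Staging'         # placeholder path
    )
    New-Item -ItemType Directory -Path $Staging -Force | Out-Null

    # Lock the folder to Administrators and SYSTEM so the restored sample
    # cannot be opened by an ordinary user while it sits outside quarantine.
    $acl = Get-Acl $Staging
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($id in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $id, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl $Staging $acl

    Add-MpPreference -ExclusionPath $Staging
    try {
        # -Path redirects the restored file into the staging folder instead of
        # its original location, so the original folder is never excluded.
        & $MpCmdRun -Restore -Name $ThreatName -Path $Staging
        if ($LASTEXITCODE -ne 0) { throw "MpCmdRun restore failed, exit code $LASTEXITCODE" }

        $sample = Get-ChildItem -Path $Staging -File | Select-Object -First 1
        if (-not $sample) { throw "Nothing was restored for '$ThreatName'" }

        # The SHA-256 lets the WDSI verdict be matched to the exact bytes uploaded.
        $hash = (Get-FileHash -Algorithm SHA256 -Path $sample.FullName).Hash
        Write-Host "Restored: $($sample.FullName)"
        Write-Host "SHA256:   $hash"
        Write-Host "Upload it at https://www.microsoft.com/en-us/wdsi/filesubmission, then press Enter."
        [void](Read-Host)
    }
    finally {
        # The exclusion must not outlive the submission. Once it is gone,
        # real-time protection will handle the staged file again on its next
        # access or scan, so no manual deletion is needed.
        Remove-MpPreference -ExclusionPath $Staging
    }
}

# Usage (placeholder threat name; take the real one from Show-QuarantineInventory):
# Set-QuarantineRetention -Days 0
# Show-QuarantineInventory
# Export-QuarantinedSample -ThreatName 'Trojan:Win32/Example.A'
```

The design point is the scope and lifetime of the exclusion: one empty, locked-down folder, excluded only for the minutes between restore and upload, with the original location left protected. If several samples are in quarantine, run Export-QuarantinedSample once per threat name so you can choose which ones to submit and keep any that contain personal data out of the upload.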
I think I'm encountering the same problem as the one you're describing here. I uploaded an HTML file which was an attachment on an email that was also saved to OneDrive, where it was detected by MDO as Malicious. I used Standard urgency and it has gone unanswered for over a week (and counting). At the 3-day point I submitted the same file again as High (only allowed 3 per day per tenant), and a day later I got this back:

SubmissionId: cf8504a3-9ef8-4d36-9d94-ecc5c0df80dc (and earlier one was 9ee0c08b-4ab7-48a4-ad1b-dbea5782d970)

"Researcher comment
The submitted files do not meet our criteria for malware or potentially unwanted applications. No detection will be added for these files. More detailed information about the approach and criteria categories currently used by the Microsoft researchers are available here: https://docs.microsoft.com/windows/security/threat-protection/intelligence/criteria Thank you for contacting Microsoft."

Not sure I follow, so I've opened an MS Support case to get clarification. Not sure what I could be doing wrong. I've submitted a detected-as-malware file using Defender Portal > Submissions > Files, where it allowed me to upload the file (twice) and didn't complain at all in the process. Maybe the product should be clearer. The linked article in the researcher's comment doesn't give me any clarity at all about what I could have done wrong here.

In my case, I obtained the file from the ZAPped email, which I downloaded from Quarantine. It was an HTML file (13 MB), and I uploaded it using Submissions > Files. BTW, on the local computer, scanning this file with Defender AV results in "No threats found".