Issue
We strive to provide an effective malware scanner for websites, consistently updating our malware database and refining our Proactive Defense rules. Nonetheless, you may encounter so-called “false positives” or “false negatives” when scanning websites for malware or when Proactive Defense is triggered:
- When the Malware Scanner marks a legitimate file as malicious because the file contains a piece of code previously seen in malware, this is called a “false positive”.
- Likewise, when Proactive Defense blocks the execution of a legitimate script, the rule is “falsing” (producing a false positive).
- When the scanner misses files that are malicious, this is called a “false negative”.
Note:
- To be sure a missed file is a “false negative”, make sure that all protections are active: the malicious file is not detected by Imunify while both the Malware Database Scanner and the ModSecurity scanner are switched on.
- If a file is detected but cannot be cleaned, check that its owner is not root and that the user has sufficient privileges to edit the file.
Once the above is confirmed, we ask you to submit those files to us for further analysis.
Environment
- ImunifyAV
- Imunify360
- Malware Scanner
- Proactive Defense
Solution
If you haven’t added the file to the Malware Scanner ignore list yet, you can follow this guide:
How to add files to the Ignore List of Imunify Malware Scanner
For Proactive Defense, the instructions are available here:
How to add a file to the Proactive Defense ignore list
To submit a false-negative/positive report right away:
This is the simple, classic method. You only need SSH access and the full path to the file. This method does not support tracking, but your submission still reaches the Imunify analysis team.
- Submit a false-positive
  ImunifyAV:
  imunify-antivirus submit false-positive /path/to/file --reason "your-reason-here"
  Imunify360:
  imunify360-agent submit false-positive /path/to/file --reason "your-reason-here"
- Submit a false-negative
  ImunifyAV:
  imunify-antivirus submit false-negative /path/to/file
  Imunify360:
  imunify360-agent submit false-negative /path/to/file
For Imunify360 licenses purchased through CLN (new submission & tracking tool):
This new method allows you to submit files and later check the verdict from the Imunify malware analysis team.
Available for Imunify360 v6.7.3+.
The script is located here, and you can check available options anytime:
/opt/imunify360/venv/share/imunify360/scripts/track-fpfn-submissions.sh --help
- Before starting, install the required tools:
  yum install jq -y
  yum install oniguruma -y
  yum install libsodium -y
  Then create an API token: go to https://cm.imunify.com/#/tokens, log in with your CLN/Imunify credentials, click “Create API key”, and copy the token. Replace <YOUR_API_KEY> in the commands below with this generated token.
- Submitting a file (false positive or false negative):
  FILE_PATH=./suspicious-file.php REASON=false_negative NOTE="Support ticket 400" API_TOKEN=<YOUR_API_KEY> /opt/imunify360/venv/share/imunify360/scripts/track-fpfn-submissions.sh --post
  After running, the tool returns a unique submission _id. Keep it for tracking.
- Checking the status of your submission. Example (search by NOTE):
  NOTE="Support ticket 400" API_TOKEN=<YOUR_API_KEY> /opt/imunify360/venv/share/imunify360/scripts/track-fpfn-submissions.sh --get
  If the “verdicts” section is empty, the file is still being analyzed. Once completed, you will see the final verdict (malicious / clean) and analyst comments.
- Example verdict snippet:
  "result": [
    {
      "_id": "636ea1b46a47fc5ce5b4a01f",
      "file_path": "/root/test/eicar.suspicious",
      "note": "support ticket 400",
      "reason": "false_negative",
      "verdicts": [
        {
          "date": "2022-11-11 20:14:40",
          "verdict": "malicious",
          "comment": "Added after scan with build 9231"
        }
      ]
    }
  ],
  "status": "ok"
This method provides full visibility into your report and helps the team improve detection quality for everyone.
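As an added example (not part of this article or of the Imunify tooling), the following Python helper parses the JSON that the tracking script prints for --get, reports a submission as pending while its “verdicts” list is empty, and otherwise returns the newest verdict together with whether it confirms the reason the file was submitted for. The sample response is constructed from the article's snippet; the second entry and any field not shown in that snippet are assumptions.

```python
import json
from datetime import datetime

# Constructed sample --get output modelled on the article's verdict snippet, with a
# second, still-pending submission added; fields beyond that snippet are assumptions.
SAMPLE_RESPONSE = """{
  "result": [
    {"_id": "636ea1b46a47fc5ce5b4a01f", "file_path": "/root/test/eicar.suspicious",
     "note": "support ticket 400", "reason": "false_negative",
     "verdicts": [{"date": "2022-11-11 20:14:40", "verdict": "malicious",
                   "comment": "Added after scan with build 9231"}]},
    {"_id": "000000000000000000000000", "file_path": "/home/user/public_html/plugin.php",
     "note": "support ticket 400", "reason": "false_positive", "verdicts": []}
  ],
  "status": "ok"
}"""

# The verdict that would confirm each submission reason.
CONFIRMING_VERDICT = {"false_negative": "malicious", "false_positive": "clean"}


def summarize_submissions(raw):
    """Map each submission _id to its state: 'pending' while 'verdicts' is
    empty, otherwise the newest verdict, the analyst comment, and whether
    that verdict confirms the reason the file was submitted for."""
    data = json.loads(raw)
    if data.get("status") != "ok":
        raise ValueError("tracking tool returned status %r" % data.get("status"))
    summary = {}
    for item in data.get("result", []):
        entry = {"file_path": item["file_path"], "reason": item["reason"],
                 "note": item.get("note", "")}
        verdicts = item.get("verdicts") or []
        if not verdicts:
            entry["state"] = "pending"
        else:
            # Several verdicts may accumulate over time; the most recent one is final.
            latest = max(verdicts,
                         key=lambda v: datetime.strptime(v["date"], "%Y-%m-%d %H:%M:%S"))
            entry["state"] = latest["verdict"]
            entry["comment"] = latest.get("comment", "")
            entry["date"] = latest["date"]
            entry["confirmed"] = CONFIRMING_VERDICT.get(item["reason"]) == latest["verdict"]
        summary[item["_id"]] = entry
    return summary


if __name__ == "__main__":
    for sid, info in summarize_submissions(SAMPLE_RESPONSE).items():
        print(sid, info["file_path"], info["state"], info.get("comment", ""))
```

Pipe the real output of the script into the helper (for instance by reading stdin instead of SAMPLE_RESPONSE) to check several tickets at once.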
Note: This feature is not available for resellers. For privacy and access control reasons, the information it provides is intended to be available only to end users.
Reference: https://blog.imunify360.com/streamlined-false-positive-false-negative-reporting