x64 driver submission blocked due to false positive malware block

Laurens Bremers 5 Reputation points
2026-02-27T10:58:02.4566667+00:00

Our x64 drivers are blocked during submission if we obfuscate them. We need to obfuscate the driver, because it is a security-driver type that performs network filtering and process access protection. We expect this issue to be caused by a false positive during malware scanning, as we receive the following error message and our support case with the App Assure Program indicated that this was the problem.

{"code":"FileSigningFailed","details":{"error":"FailDoNotRetry returned from Scan service. 4001 [errorInfo, BlockingDetectionFound]"},"innerError":null}

How can we report this false positive as such?

Microsoft Partner Center | Other

1 answer

  1. Q&A Assist
    2026-02-27T10:58:14.2433333+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    Report the driver as a false positive to Microsoft using the official malware/driver submission channels so it can be reanalyzed and unblocked.

    For driver binaries specifically:

    1. Submit the driver to the Microsoft Security Intelligence Driver Submission page for security analysis. This is the channel used to review potentially vulnerable or malicious drivers and to adjust driver-related block rules as needed.
    2. If the driver is being impacted by the Microsoft vulnerable driver blocklist or related protections, request a review or change to the block (for example, if a clean or fixed version is being blocked) through the Microsoft Security Intelligence portal. This is the documented way to request changes to driver block rules.

    For general malware/false-positive handling (applies to any file flagged as malicious):

    1. Collect the exact file that is being blocked (the obfuscated x64 driver binary).
    2. Submit the file to Microsoft for analysis as a suspected false positive. For files detected by Defender or related scanning services, this is done via the Microsoft Security Intelligence submission workflows described in the documentation. After analysis, if Microsoft confirms a false positive and updates definitions, the file should no longer be blocked.
    3. If the issue persists after Microsoft confirms a false positive and updates signatures, open or continue working through a support case and reference the prior analysis, indicating that the same binary is still being blocked during Partner Center submission.

    These submission/reporting paths are the supported methods to have a driver or binary reclassified and to correct false-positive malware or vulnerable-driver detections that are blocking signing or deployment.

