Submit files in Microsoft Defender for Endpoint
In Microsoft Defender for Endpoint, admins can use the unified submissions feature to submit files and file hashes (SHAs) to Microsoft for review. The unified submissions experience is a single place to submit emails, URLs, email attachments, and files. Admins can use the Microsoft 365 Defender portal or the Microsoft Defender for Endpoint Alert page to submit suspicious files.
What do you need to know before you begin?
The new unified submissions experience is available only in subscriptions that include Microsoft 365 Defender or Microsoft Defender for Endpoint Plan 2.
To submit files to Microsoft, you need to be a member of one of the following groups:
- Organization Management or Security Administrator role groups in Email & collaboration permissions in the Microsoft 365 Defender portal.
- Global Administrator or Security Administrator roles in Azure AD permissions. Membership in these roles gives the required permissions and permissions for other features in Microsoft 365.
For more information about how you can submit spam, phish, URLs, and email attachments to Microsoft, see Use the Submissions page to submit suspected spam, phish, URLs, legitimate email getting blocked, and email attachments to Microsoft.
To find the SHA256 hash value of a file in Windows, run the following command in a Command Prompt:
certutil.exe -hashfile "<Path>\<Filename>" SHA256
Submit a file or file hash to Microsoft from the Defender portal
In the Microsoft 365 Defender portal at https://security.microsoft.com, go to Actions & submissions > Submissions. Or, to go directly to the Submissions page, use https://security.microsoft.com/reportsubmission.
On the Submissions page, select the Files tab.
On the Files tab, select Add new submission.
In the Submit items to Microsoft for review flyout that opens, select Files or File hash from the Select the submission type dropdown list.
If you selected Files, configure the following options:
- Select Browse files. In the dialog that opens, find and select the file, and then select Open. Repeat this step as many times as necessary. To remove an entry from the flyout, select the icon next to the entry.
- The maximum total size of all files is 500 MB.
- Use the password 'infected' to encrypt archive files.
- The file should have been categorized as: Select one of the following values:
  - Malware (false negative)
  - Unwanted software
  - Clean (false positive)
- Choose the priority: Select one of the following values:
  - Low - bulk file or file hash submission
  - Medium - standard submission
  - High - needs immediate attention (max three per day)
- Notes for Microsoft (optional): Enter an optional note.
- Share feedback and relevant content with Microsoft: Read the privacy statement and then select this option.
If you selected File hash, configure the following options:
- In the empty box, enter the file hash value (for example, 2725eb73741e23a254404cc6b5a54d9511b9923be2045056075542ca1bfbf3fe) and then press the ENTER key. Repeat this step as many times as necessary. To remove an entry from the flyout, select the icon next to the entry.
- The file should have been categorized as: Select one of the following values:
  - Malware (false negative)
  - Unwanted software
  - Clean (false positive)
- Notes for Microsoft (optional): Enter an optional note.
- Share feedback and relevant content with Microsoft: Read the privacy statement and then select this option.
When you're finished in the Submit items to Microsoft for review flyout, select Submit.
Back on the Files tab of the Submissions page, the submission is shown.
To view the details of the submission, select the submission by clicking anywhere in the row other than the check box next to the Submission name. The details of the submission are in the details flyout that opens.
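One way to prepare a batch before opening the flyout, as an added example that is not Microsoft's code: it computes the same SHA256 values that certutil.exe reports and checks the batch against the 500 MB total for file uploads. The function name Get-SubmissionManifest, its parameters, the output shape, the decimal reading of 500 MB, and the folder in the usage comment are assumptions.

```powershell
# Added example: build a pre-submission manifest for a batch of files.
# The 500 MB total and the SHA256 hash type come from the page; everything
# else (function name, parameters, output shape) is assumed for illustration.
function Get-SubmissionManifest {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string[]]$Path,

        # Conservative decimal reading of the page's 500 MB total (assumption).
        [long]$MaxTotalBytes = 500 * 1000 * 1000
    )

    $entries = foreach ($p in $Path) {
        # Stop on anything missing; a directory cannot be hashed as a file.
        $file = Get-Item -LiteralPath $p -ErrorAction Stop
        if ($file.PSIsContainer) { throw "Not a file: $p" }

        # Same digest that certutil.exe -hashfile <file> SHA256 prints.
        $hash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash.ToLowerInvariant()

        # A SHA256 digest is 64 hex characters, like the page's example value.
        if ($hash -notmatch '^[0-9a-f]{64}$') { throw "Unexpected hash format for $p" }

        [pscustomobject]@{
            Name   = $file.Name
            Bytes  = $file.Length
            SHA256 = $hash
        }
    }

    $total = ($entries | Measure-Object -Property Bytes -Sum).Sum

    [pscustomobject]@{
        Entries        = @($entries)
        TotalBytes     = [long]$total
        # False means the batch is too large for a single Files submission.
        FitsFileUpload = ($total -le $MaxTotalBytes)
        # Identical content hashes to the same value; list each hash once.
        UniqueHashes   = @($entries.SHA256 | Sort-Object -Unique)
    }
}

# Usage (hypothetical folder):
# Get-SubmissionManifest -Path (Get-ChildItem .\samples -File).FullName
```

When FitsFileUpload is false, split the batch across several submissions, or use the File hash submission type with the values in UniqueHashes.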
Report items to Microsoft from the Alerts page in the Defender portal
In the Microsoft 365 Defender portal at https://security.microsoft.com, go to Incidents & alerts > Alerts. Or, to go directly to the Alerts page, use https://security.microsoft.com/alerts.
On the Alerts page, find the alert that contains the file you want to report. For example, you can select Filter, and then select Service sources > Microsoft Defender for Endpoint.
Select the alert from the list by clicking anywhere in the row other than the check box next to the Alert name value.
In the details flyout that opens, select > Submit items to Microsoft for review.
The options that are available in the Submit items to Microsoft for review flyout that opens are basically the same as described in the previous section. The only difference is an Include alert story option that you can select to attach a JSON file that helps Microsoft investigate the submission.
When you're finished in the Submit items to Microsoft for review flyout, select Submit.
The submission is available on the Files tab of the Submissions page at https://security.microsoft.com/reportsubmission?viewid=file.
Related information
- Exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus
- Microsoft Defender for Endpoint in Microsoft 365 Defender
- Address false positives/negatives
- View and organize alerts queue in Microsoft Defender for Endpoint
Tip
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.