
Bitdefender detects legitimate applications as a threat

This section explains what to do when Bitdefender reports a legitimate file as being infected (false positive).

Bitdefender strives to reduce false-positive reports to a minimum. However, these reports are commonly due to bad programming practices, for example, applications that change the Master Boot Record, add run registry entries, change system files without the user’s confirmation, or execute custom macros in office applications.

When an application is wrongfully detected, try adding exclusions, as explained in In-policy exclusions.

Should the exclusions fail, you need to send us the detected file(s) as described below:


These files are used only for malware analysis and are treated accordingly.

  1. Locate the file(s) on your drive.

  2. Add the detected file(s) to a ZIP file using file compression software of your choice (WinZip, WinRAR, etc.).


    If you cannot access the files, you will need to temporarily disable the Bitdefender On-access antivirus protection on the endpoint where the file is located.

    To do this, clone your current policy, disable the protection, and apply the new policy only on the endpoint where the file is located.

    1. Go to the Policies page and select the policy you are currently using on the endpoint.

    2. Give the policy a descriptive name.

    3. Under Antimalware > On-access, disable the On-access Scanning by deselecting the checkbox.

    4. Click Save.

    5. Go to the Network page.

    6. Select the endpoint where the file is located, click the Assign Policy button and select the previously created policy.

  3. Password-protect the ZIP file with the password infected.

  4. Complete the Contact Customer Care form and provide us with the following:

    • The ZIP file (upload via the Attach a file field)

    • The message body must contain the words FALSE POSITIVE.

  5. Click the Submit button.

  6. If you had issues accessing the file and had to apply the workaround provided in step 3, apply the original policy back on the endpoint and/or enable any other security software you have disabled.
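Steps 1 to 3 can also be scripted on a Windows endpoint. The following PowerShell script is an added example, not part of the original Bitdefender procedure: it records the SHA-256 hash of each file, builds the ZIP file with the password infected, and verifies that the archive opens with that password before you attach it. It assumes 7-Zip is installed at the default path shown; the parameter names and output file names are illustrative.

```powershell
# Added example: package suspected false-positive files for submission.
# Assumptions: 7-Zip is installed at $SevenZip; parameter names are illustrative.
param(
    [Parameter(Mandatory)][string[]]$Path,
    [string]$Archive  = (Join-Path $env:TEMP 'false-positive-sample.zip'),
    [string]$SevenZip = 'C:\Program Files\7-Zip\7z.exe'
)
$ErrorActionPreference = 'Stop'

if (-not (Test-Path -LiteralPath $SevenZip)) { throw "7-Zip not found at $SevenZip" }

# Resolve every input first. A file that cannot be found or read is usually
# blocked by on-access scanning (see the policy workaround in step 2).
$files = foreach ($p in $Path) {
    if (-not (Test-Path -LiteralPath $p -PathType Leaf)) {
        throw "File not found or not accessible: $p"
    }
    (Resolve-Path -LiteralPath $p).Path
}

# Record hashes before packaging, so the submitted sample can be matched
# against the file named in the detection.
$hashes = $files | ForEach-Object { Get-FileHash -LiteralPath $_ -Algorithm SHA256 }

# Start from a clean archive; "7z a" would otherwise append to an old one.
if (Test-Path -LiteralPath $Archive) { Remove-Item -LiteralPath $Archive }

# -tzip forces the ZIP format, -pinfected sets the password "infected".
& $SevenZip a -tzip -pinfected $Archive $files | Out-Null
if ($LASTEXITCODE -ne 0) { throw "7z failed to create the archive (exit code $LASTEXITCODE)" }

# Confirm the archive is intact and opens with the expected password.
& $SevenZip t -pinfected $Archive | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Archive verification failed (exit code $LASTEXITCODE)" }

# Keep the hash list next to the archive for your own records.
$hashes | Select-Object Hash, Path |
    Export-Csv -NoTypeInformation -Path "$Archive.sha256.csv"

$hashes | Format-Table Hash, Path -AutoSize
Write-Output "Created $Archive (password: infected)"
```

Run it on the endpoint where the file is located, passing the detected file(s) with -Path, then attach the resulting ZIP file in step 4.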