WatchGuard Support Center

Article ID :000007948
How to report Gateway AntiVirus false positives and false negatives

Information

Question

How do I report Gateway AntiVirus false positives and negatives?

Answer

What is a False Positive or False Negative?

A false positive for Gateway AntiVirus occurs when content is incorrectly identified as virus infected when the content is clean. A false negative occurs when a virus-infected file is not correctly identified as a virus.

Before you Report

If you encounter a false positive or false negative, verify that you have the latest OS version for your Firebox or XTM device. You must also confirm that your device has the latest Gateway AntiVirus signature set, and that a signature exists for the virus.

Update your Gateway AntiVirus Signatures

To display the latest status and update your Gateway AntiVirus signature version:

Start Firebox System Manager.
Select the Subscription Services tab.
In the Gateway AntiVirus section, examine the Installed version, Last update, and Version available fields.
If you do not have the latest version, click Update.

The Firebox will download the most recent available signature update.

If the signatures were out-of-date, your Firebox will correctly identify that particular virus. To verify, re-test with the same content that caused the false negative or false positive. To learn more about Gateway AntiVirus signature updates, see:

Fireware v11.10.x and higher Help — Configure the Gateway AV Update Server
WatchGuard System Manager v11.8.x and v11.9.x Help — Configure the Gateway AV Update Server

If you encounter errors when you try to update the signatures, make sure that you can resolve DNS queries.

To learn more about DNS configuration, see:

Fireware v11.10.x and higher Help — Add WINS and DNS Server Addresses
WatchGuard System Manager v11.8.x and v11.9.x Help — Add WINS and DNS Server Addresses
Fireware XTM Web UI v11.8.x and v11.9.x Help — Add WINs and DNS Server Addresses

If your DNS resolution works correctly but your Firebox device still cannot update the Gateway AntiVirus signatures, contact WatchGuard Technical Support.

Confirm a Signature Exists

Gateway AntiVirus uses the BitDefender antivirus engine and signature sets. To confirm whether BitDefender or other Antivirus vendors have a signature for the virus, you can submit an infected file to a virus-scanning site. For example: https://www.virustotal.com.

Report False Positives and False Negatives in v12.0 and higher

You can report false positive or false negative results directly to BitDefender, our solutions partner for Gateway AntiVirus services.

To report a false positive or negative, visit https://www.bitdefender.com/submit/

Report False Positives and False Negatives in v11.x

If your Firebox OS version is older than v12.0, Gateway AntiVirus uses AVG.

To report a false positive or false negative, go to http://samplesubmit.avg.com/us-en/sample-scanning.

Knowledge Base - Article

Search the WatchGuard Knowledge Base