You want to know how to retrieve samples from WFBS and submit a false positive case when one occurs.
To submit a false positive case:
- Sign in to the Trend Micro Support Portal. If you are logged in but on eSupport, click My Support found in the header navigation.
- On the side navigation, click New Request.
- Fill in the Product Profile and Affected Operating System fields. The Request Type field's default is the “Submit a Case” option. There is no need to change it.
- Select the appropriate category: Virus False Alarm.
- Enter the Scan Engine Version and Virus Pattern Type that WFBS is using.
- Enter a subject and a description that includes the detection name for your case. You must include the falsely detected files as attachments.
- Fill out the Case Urgency, CC Emails, and Contact Method fields.
- Click Submit.
To determine the detection type based on the specific protection feature that caught the false alarm (FA) sample, refer to the instructions below.
- Open the WFBS Agent console.
- Click Logs.
- In the Type dropdown menu, select Virus/Malware.
- Check the Threat column.
- Open the WFBS Agent console.
- Click Logs.
- In the Type dropdown menu, select Behavior Monitoring.
- Check the Threat column.
To collect the falsely detected file to attach, go to [Server folder]/PCCSRV/Admin/Utility/VSEncrypt. Use VSEncode.exe to decrypt the quarantined file and remove the encryption.
For the detailed steps for using VSEncode, refer to the KB article "Restoring quarantined files in Worry-Free Business Security (WFBS)".