Thank you for your reply, but I do think it's whitelisting or something similar because of this high number of FPs.
Without BAFS, WD should produce similar results to the hub or its old results from MRG Effitas.
It is totally different from whitelisting, because it is blacklisting.
"When Windows Defender Antivirus encounters a suspicious but undetected file, it queries our cloud protection backend. The cloud backend applies heuristics, machine learning, and automated analysis of the file to determine whether the files are malicious or clean."
Enable Block at First Sight to detect malware in seconds
So, the suspicious but undetected file is not checked against a kind of whitelist (like SmartScreen Application Reputation).
BAFS can produce false positives, because the blacklisting is done by AI. You can see this on VirusTotal: just see how many false positives some AVs have based on AI detection.
If you submit the false positive to Microsoft, then a whitelisting signature is created for WD, and the file is considered as detected but clean (excluded from the BAFS AI). Such whitelisting cannot produce false positives.
If the file (undetected by signatures) flagged in BAFS as malicious is executed by someone, then it is first checked against the cloud blacklist and immediately blocked (this can produce false positives).
Edit:
There is one thing that can be slightly similar to whitelisting. The execution of the suspicious but undetected file is suspended for some seconds by default (but not totally blocked). If the AI thinks too long or makes the wrong decision, then the malware will be executed anyway. Yet another user who tries to execute the same malware later will be safe in most cases.