Getting crazy with nnotes.dll

Ah, ok. I didn't realize that was your concern.

Without seeing the alert I can't be sure why it's being flagged. If it is being caught by a malware signature you should see the field file.Ext.malware_signature, which will contain some details describing what signature matched it.

If it didn't match a signature it may still have been caught by the malware machine learning model, which will contain details in the field file.Ext.malware_classification. If there is a matching malware signature, the score reported in malware_classification field may be explicitly reported as 1.0 despite what the model calculated (depending on your Endpoint version). If there isn't a matching signature, or the score isn't 1.0, then a higher score means the file has more correlation with other known malware but there isn't more information for you to dig into.

I know it might be a little hard to parse what I wrote above. If you'd like, go ahead and share a sanitized alert here and I can see what information can be gleaned from it.

You seem confident this is a false positive. Please report the false positive using these instructions, or, if you have Elastic support, via that channel.

I hope that helps.
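As an added illustration (not part of the reply above, and not Elastic's own code), here is a small triage helper that applies the logic described: check the signature field first, then the classification score, and flag the case where a score of 1.0 is only a side effect of a signature match. It assumes the alert has been flattened to dotted keys and that the score lives under file.Ext.malware_classification.score; adjust the keys to match the actual sanitized alert.

```python
# Added example, not from the forum thread or from Elastic.
# ASSUMPTION: the alert is a flat dict keyed by dotted ECS-style field names;
# the signature details sit under "file.Ext.malware_signature" and the model
# score under "file.Ext.malware_classification.score".

SIGNATURE_KEY = "file.Ext.malware_signature"
SCORE_KEY = "file.Ext.malware_classification.score"


def explain_alert(alert: dict) -> dict:
    """Return which detection path explains the alert and what the analyst can dig into."""
    signature = alert.get(SIGNATURE_KEY)
    score = alert.get(SCORE_KEY)
    result = {"reason": "unknown", "signature": signature, "score": score, "note": ""}

    if signature:
        # A signature match carries details (what matched) worth reviewing.
        result["reason"] = "signature"
        if score == 1.0:
            # Some Endpoint versions report 1.0 here on a signature match,
            # regardless of what the model actually calculated.
            result["note"] = "score of 1.0 reflects the signature match, not the model"
    elif score is not None:
        # No signature: only the ML model fired. A higher score means more
        # correlation with known malware, with nothing further to inspect.
        result["reason"] = "ml_model"
        result["note"] = "model-only detection; no further detail beyond the score"
    return result


# Constructed sample alerts with placeholder values (not real alerts).
SIGNATURE_ALERT = {
    SIGNATURE_KEY: {"primary": {"matches": ["PLACEHOLDER_SIGNATURE_NAME"]}},
    SCORE_KEY: 1.0,
}
ML_ONLY_ALERT = {SCORE_KEY: 0.87}
EMPTY_ALERT = {}

if __name__ == "__main__":
    for name, alert in [("signature", SIGNATURE_ALERT), ("ml", ML_ONLY_ALERT), ("empty", EMPTY_ALERT)]:
        print(name, explain_alert(alert))
```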