A new Microsoft Office update has triggered a false positive in its Defender for Endpoint cybersecurity solution, the company has admitted.
The tool labeled the updates as potential ransomware behavior, and given how prevalent supply chain attacks are, it’s no wonder people took it seriously.
Microsoft was quick to react, confirming the issue was in fact only a false positive alert, and quickly tweaked Defender for Endpoint to alleviate the issue.
We’re looking at how our readers use VPNs with different devices so we can improve our content and offer better advice. This survey shouldn’t take more than 60 seconds of your time, and entrants from the UK and US will have the chance to enter a draw for a £100 Amazon gift card (or equivalent in USD). Thank you for taking part.
“Starting on the morning of March 16th, customers may have experienced a series of false-positive detections that are attributed to a Ransomware behavior detection in the file system,” Microsoft said in its report. “Admins may have seen that the erroneous alerts had a title of ‘Ransomware behavior detected in the file system,’ and the alerts were triggered on OfficeSvcMgr.exe.”
The company added that the issue concerned a problem with the code that was swiftly addressed.
“Our investigation found that a recently deployed update within service components that detect ransomware alerts introduced a code issue that was causing alerts to be triggered when no issue was present. We deployed a code update to correct the problem and ensure that no new alerts will be sent, and we’ve re-processed a backlog of alerts to completely remediate impact.”
This is not the first time Defender for Endpoint has seen issues with false positives. In early December 2021, the antivirus program prevented users from opening some Office files and launching various applications, triggering false positives related to Emotet malware.
Back then, the program detected print jobs as Emotet malware, as well as any Office app using MSIP.ExecutionHost.exe and slpwow64.exe.
Following this, Microsoft reportedly tried to increase the sensitivity of its filters for detecting Emotet and similar activity, due to the malware’s recent resurgence.
Emotet, which is believed to have originated in Ukraine, was almost extinct at the start of last year, after law enforcement seized control of Emotet infrastructure and reportedly arrested individuals linked with the operation.
However, since mid-November 2021, new Emotet samples have started popping up once again. These are quite similar to the previous strain, but have a different encryption scheme, and are being delivered to machines infected by TrickBot.
Here’s our list of the best endpoint protection solutions right now