Yesterday, Microsoft Defender for Endpoint, a cyber-defense application, began to recognize Office updates as ransomware. The antivirus mistook the OfficeSvcMgr.exe file for malware.
The issue came to light when system administrators began receiving ransomware injection attempts after updating Microsoft Defender for Endpoint Antivirus. As soon as the number of complaints reached a certain limit, Microsoft began to work on fixing the failure and confirmed that it was a “false positive” reaction.
Company spokesperson Steve Scholz outlined the issue in a Reddit thread, saying that since the morning of March 16, many Microsoft Defender for Endpoint users have started receiving notifications related to ransomware activity. Microsoft determined that the positives were false and updated the “cloud logic” to correct the problem.
In one of the replies in the same thread, Scholz explain that the problem was due to bugs in the code.
This was a False/Positive and has now been corrected. Please see the details below:
Starting on the morning of March 16th, customers may get a series of false-positive detections due to a Ransomware behavior detection in the file system. Microsoft has investigated this spike of detections and determined they are false positive results. Microsoft has updated cloud logic to suppress the false positives.
• Customers may have experienced a series of false-positive detections that are attributed to a Ransomware behavior detection in the file system.
• Microsoft has updated cloud logic to prevent future alerts being generated and to clear the previous false positives.
Microsoft Defender Antivirus
Microsoft Defender Antivirus has recently got a fix for a vulnerability that was in news about a month ago; although some experts found signs of it about 8 years ago. This vulnerability allowed arbitrary malicious code to run without triggering antivirus alerts.
The principle of the vulnerability is relatively simple – it allows malware files to be in folders inaccessible by Microsoft Defender. Such folders are usually in use to house regular programs that, for various reasons, cause antivirus false positives, so they have not to be object of scanning.
The problem with this approach is that the registry entry containing the list of such exclusions was available to the Everyone group; which means that local users, regardless of their privileges, could view it. Knowing in advance exactly where Microsoft Defender would not look; all that remained was to place the malware at those locations. Accordingly, only those who had physical access to the computer could exploit this vulnerability.
According to the BleepingComputer resource , citing cybersecurity expert SecGuru_OTX, this vulnerability has now got a fix. SentinelOne specialist Antonio Cocomazzi suggest that the fix of the problem exists in a Windows update released on Tuesday. Analyst Will Dormann, however, stated that some system permission settings have changed; without installing Windows updates – perhaps this was due to Microsoft Defender.
The vulnerability affects Windows 10 21H1 and Windows 10 21H2 systems but does not affect Windows 11.