Some recently-released Microsoft Office updates are causing the company's Defender for Endpoint platform to raise the alarm about cyberattacks, it has warned.
The security tool was found to be labelling the Office updates as potential ransomware behavior, and given how prevalent supply chain attacks are, it’s no wonder people took it seriously.
Microsoft was quick to react, confirming the warnings were in fact only a false positive alert, and quickly tweaked Defender for Endpoint to alleviate the issue.
We're looking at how our readers use VPNs with different devices so we can improve our content and offer better advice. This survey shouldn't take more than 60 seconds of your time. Thank you for taking part.
>> Click here to start the survey in a new window (opens in new tab) <<
"Starting on the morning of March 16th, customers may have experienced a series of false-positive detections that are attributed to a Ransomware behavior detection in the file system,” Microsoft said in its report. “Admins may have seen that the erroneous alerts had a title of 'Ransomware behavior detected in the file system,' and the alerts were triggered on OfficeSvcMgr.exe."
The company added that the issue concerned a problem with the code that was swiftly addressed.
"Our investigation found that a recently deployed update within service components that detect ransomware alerts introduced a code issue that was causing alerts to be triggered when no issue was present. We deployed a code update to correct the problem and ensure that no new alerts will be sent, and we've re-processed a backlog of alerts to completely remediate impact."
This is not the first time Defender for Endpoint has seen issues with false positives. In early December 2021, the antivirus (opens in new tab) program prevented users from opening some Office files and launching various applications, triggering false positives related to Emotet malware.
Back then, the program detected print jobs as Emotet malware (opens in new tab), as well as any Office app using MSIP.ExecutionHost.exe and slpwow64.exe.
> Are your Microsoft Office files refusing to open? This could be why (opens in new tab)
> Turns out Microsoft Defender had a rather embarrassing security flaw of its own (opens in new tab)
> Microsoft Defender for Endpoint wants to help your employees use iOS devices (opens in new tab)
Following this, Microsoft reportedly tried to increase the sensitivity of its filters for detecting Emotet and similar activity, due to the malware’s recent resurgence.
Emotet, which is believed to have originated in Ukraine, was almost extinct at the start of last year, after law enforcement seized control of Emotet infrastructure and reportedly arrested individuals linked with the operation.
However, since mid-November 2021, new Emotet samples have started popping up once again. These are quite similar to the previous strain, but have a different encryption scheme, and are being delivered to machines infected by TrickBot.
- Here's our list of the best endpoint protection (opens in new tab) solutions right now
Via: BleepingComputer (opens in new tab)