July 15, 2024



Microsoft Defender tags Office updates as ransomware activity



Windows admins were hit today by a wave of Microsoft Defender for Endpoint false positives in which Office updates were tagged as malicious in alerts reporting ransomware behavior detected on their systems.

According to Windows system admin reports [1, 2, 3, 4], this started happening several hours ago and, in some cases, led to a "downpour of ransomware alerts."

Following the surge of reports, Microsoft confirmed that the Office updates were mistakenly flagged as ransomware activity due to false positives.

Redmond added that its engineers updated the cloud logic to prevent future alerts from showing up and to remove the previous false positives.

"Starting on the morning of March 16th, customers may have experienced a series of false-positive detections that are attributed to a Ransomware behavior detection in the file system. Admins may have seen that the erroneous alerts had a title of 'Ransomware behavior detected in the file system,' and the alerts were triggered on OfficeSvcMgr.exe," Microsoft said following users' reports.

"Our investigation found that a recently deployed update within service components that detect ransomware alerts introduced a code issue that was causing alerts to be triggered when no issue was present. We deployed a code update to correct the problem and ensure that no new alerts will be sent, and we've re-processed a backlog of alerts to fully remediate impact."

After the cloud logic update is rolled out, the incorrect ransomware activity alerts will no longer be generated. All logged false positives should also clear automatically from the portal without requiring the admins' intervention.

False positives caused by a code change

According to Microsoft, the issue "may have potentially affected" admins who tried to view ransomware alerts in Microsoft Defender for Endpoint.

The root cause of the false positives was a recently deployed update within the service components that detect ransomware alerts.

This introduced a code issue that incorrectly caused the alerts to be triggered without any ransomware activity being present on the system.

In November, Defender for Endpoint also blocked Office documents from opening and some Office executables from launching because of a different false positive tagging the files as Emotet malware payloads.

One month later, it also mistakenly showed "sensor tampering" alerts linked to the company's newly deployed Microsoft 365 Defender scanner for Log4j processes.

Since October 2020, admins have had to deal with other similar Defender for Endpoint issues, including one alerting of network devices infected with Cobalt Strike and another marking Chrome updates as PHP backdoors.

A Microsoft spokesperson was not available for comment when contacted by BleepingComputer earlier today.
