Threat Watch

Microsoft Defender Update Creates MS Office False Positive Alerts

Researchers and system administrators have noted multiple instances of false positives generated by legitimate Microsoft Office activity since updating Microsoft Defender for Endpoint to version 1.353.1874.0. Researchers have reported in some cases that simply opening Excel, or any Office app using MSIP.ExecutionHost.exe (AIP Sensitivity Client) and splwow64.exe, generates a Defender block which keeps the file from opening. An error is also generated that mentions suspicious activity linked to Win32/PowEmotet.SB or Win32/PowEmotet.SC. The changes are speculated to be related to an attempt to detect malicious behavior associated with the new Emotet malware campaign.

The issue is ongoing, but Microsoft issued a statement noting that “We are working to resolve an issue where some customers may have experienced a series of false-positive detections. This issue has been resolved for cloud-connected customers.” 

Subscribe to Threat Watch

Daily summaries of threats, delivered straight to your inbox!


Click Here to Subscribe to Threat Watch

ANALYST NOTES

Depending on an organization’s risk management framework and overall security strategy, it may be advisable to pause Windows update through group policy until the issue is resolved to avoid blocking Microsoft Office applications. For organizations that have already updated, individual users who require applications that are being blocked can utilize the cloud version of the application or roll back the change on individual machines. Software updates on enterprise level infrastructure requires the central coordination and management of all updates as well as thorough testing before deployment into production.

https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-scares-admins-with-emotet-false-positives/

Facebook Twitter Instagram Youtube Linkedin
Solutions
Become a Reseller

Industries

Resources

About

Contact Us
Contact Support