Microsoft Defender falsely flags an Office update as 'ransomware', setting off a flood of alerts
Microsoft Defender, the security software bundled with Windows, is rated highly enough that a former Mozilla developer said, 'If you have this, you don't need third-party security software.' It has now turned out, however, that Microsoft Defender misidentified an update to Microsoft Office, which should have been entirely harmless, as ransomware and raised alerts.

Microsoft Defender tags Office updates as ransomware activity
https://www.bleepingcomputer.com/news/security/microsoft-defender-tags-office-updates-as-ransomware-activity/

From March 16 to 17, 2022, a series of reports appeared on Twitter saying that 'Microsoft Defender is tagging Office updates as ransomware.' Many posts in a thread on Reddit likewise state that Microsoft Defender is falsely detecting Office as ransomware.
In response, Microsoft said, 'Since March 16, a series of false positives attributed to ransomware behavior detected in the file system have occurred. Specifically, an alert titled "Ransomware behavior detected in the file system" is displayed, and the alert is on OfficeSvcMgr.exe.'

According to Microsoft's investigation, the cause was an update to Microsoft Defender for Endpoint, Microsoft's cloud-based endpoint detection service, which made it raise the alert even though no ransomware was running. Microsoft announced that its engineers have updated the logic in the cloud to stop the alerts and have automatically resolved the false-positive alerts that were already logged.
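When an alert like this lands on an analyst's queue, the first triage step is to confirm that the flagged binary really is the Microsoft-signed Office Click-to-Run service manager rather than something masquerading under that name, and to see what the on-box engine actually logged. The following PowerShell is an added example written for this page; it is not code from the article, from BleepingComputer or from Microsoft. It assumes the binary sits somewhere under Program Files (so it searches rather than hard-coding a path), and it only queries the local Defender Antivirus operational log, which does not necessarily contain the cloud-side Defender for Endpoint alert described above.

```powershell
# Added triage example (not from the article): verify that the process Defender
# flagged, here OfficeSvcMgr.exe, carries a valid Microsoft Authenticode signature
# before closing the alert as a false positive, and list any local Defender AV
# detection events that mention it.

$FlaggedName = 'OfficeSvcMgr.exe'

# Assumption: the executable lives under one of the Program Files trees; the exact
# install location varies, so search for it instead of hard-coding a path.
$candidates = Get-ChildItem -Path $env:ProgramFiles, ${env:ProgramFiles(x86)} `
    -Filter $FlaggedName -Recurse -File -ErrorAction SilentlyContinue

if (-not $candidates) {
    Write-Warning "$FlaggedName not found under Program Files; compare against the path in the alert."
}

foreach ($file in $candidates) {
    $sig  = Get-AuthenticodeSignature -FilePath $file.FullName
    $hash = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
    [pscustomobject]@{
        Path    = $file.FullName
        Status  = $sig.Status                       # a genuine binary shows 'Valid'
        Signer  = $sig.SignerCertificate.Subject    # expect a Microsoft Corporation subject
        SHA256  = $hash                             # compare with the hash shown in the alert
        Version = $file.VersionInfo.FileVersion
    }
}

# Local Defender Antivirus detection events: 1116 = threat detected, 1117 = action taken.
# Cloud alerts from Defender for Endpoint are not guaranteed to appear here; this only
# shows what the on-box engine recorded about the flagged file.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1116, 1117
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($FlaggedName) } |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
```

A valid signature chaining to Microsoft, together with a file hash that matches the one in the alert, is the evidence that lets an analyst close the alert as benign; a mismatch in either means the alert deserves a real investigation regardless of the vendor's announced fix.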

This is not the first such incident: in November 2021, Microsoft Defender for Endpoint wrongly reported that Office was infected with the Emotet malware, and in December 2021 it falsely detected Microsoft's own Log4j scanner and raised alerts on it.

BleepingComputer, a security news site, says it contacted a Microsoft spokesperson but had received no comment at the time its article was written.

in Security, Posted by log1l_ks