A rash of false positives that began last night should worry enterprise IT administrators: Microsoft Defender for Endpoint incorrectly labeled Microsoft Office updates as malicious, claiming that suspected ransomware behavior had been detected on the affected systems.
Because practically every office PC in an organization has Office installed, the endpoint protection software raised the same warning on device after device, and the alerts kept popping up. Microsoft received reports from a sizable number of IT administrators who had to momentarily halt other work to verify whether the alerts were genuine.
In a statement, Microsoft acknowledged that beginning on the morning of March 16, customers may have encountered a string of false-positive detections linked to its monitoring of ransomware behavior in the file system. From Microsoft:
Customers may have noticed a string of false-positive detections that began the morning of March 16 and were linked to a ransomware activity detection in the file system. Administrators may have noticed that the false alarms were issued by OfficeSvcMgr.exe and carried the headline “Ransomware behavior identified in the file system.”
According to our study, a recently applied update to service components that detect ransomware alarms revealed a coding flaw that was resulting in alerts being delivered even when there was no problem. To fix the issue and guarantee that no further alerts would be delivered, we deployed a code upgrade. In addition, we reprocessed a backlog of alerts to fully mitigate the impact.
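Microsoft's statement gives the two identifying features of the bad alerts: they were raised by OfficeSvcMgr.exe and carried the title "Ransomware behavior identified in the file system". The following triage helper is an added example, not code from the article or from Microsoft; it shows how a SOC might separate a backlog of alerts matching that exact signature from alerts that must still be investigated. The alert records and the process paths in them are constructed sample data, the Alert field names are assumptions, and the 2022 timestamps are an assumption about the year of the incident. The important edge case is that an alert with the same title from any other process, or an OfficeSvcMgr.exe alert with a different title, is never suppressed.

```python
import os
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Alert:
    """Minimal alert record; field names are an assumption for this example."""
    alert_id: str
    title: str
    initiating_process: str  # path or bare file name as reported by the sensor
    device: str
    timestamp: str           # ISO 8601, UTC


# Signature of the March 16 false positives as described by Microsoft.
KNOWN_FP_TITLE = "ransomware behavior identified in the file system"
KNOWN_FP_PROCESS = "officesvcmgr.exe"


def matches_known_false_positive(alert: Alert) -> bool:
    """True only when BOTH the title and the initiating process match.

    The process is compared by base name (case-insensitive) so that a full
    Windows path and a bare file name are treated alike.
    """
    proc = os.path.basename(alert.initiating_process.replace("\\", "/")).lower()
    return alert.title.strip().lower() == KNOWN_FP_TITLE and proc == KNOWN_FP_PROCESS


def triage(alerts: Iterable[Alert]) -> Dict[str, List[str]]:
    """Split alerts into the known false-positive bucket and the investigation queue."""
    suppressed: List[str] = []
    investigate: List[str] = []
    for alert in alerts:
        if matches_known_false_positive(alert):
            suppressed.append(alert.alert_id)
        else:
            investigate.append(alert.alert_id)
    return {"suppressed": suppressed, "investigate": investigate}


# Constructed sample alerts (not real telemetry). The OfficeSvcMgr.exe path is
# illustrative only.
SAMPLE_ALERTS = [
    Alert("A1", "Ransomware behavior identified in the file system",
          r"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeSvcMgr.exe",
          "ws-0412", "2022-03-16T08:12:03Z"),
    # Same title, unrelated process: must stay in the investigation queue.
    Alert("A2", "Ransomware behavior identified in the file system",
          r"C:\Users\Public\enc.exe",
          "ws-0099", "2022-03-16T08:40:51Z"),
    # Same process, different title: also not covered by the known signature.
    Alert("A3", "Suspicious credential access",
          r"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeSvcMgr.exe",
          "ws-0412", "2022-03-16T09:01:17Z"),
    # Bare file name in a different letter case still matches the signature.
    Alert("A4", "Ransomware behavior identified in the file system",
          "OFFICESVCMGR.EXE",
          "ws-0210", "2022-03-16T09:15:44Z"),
]


if __name__ == "__main__":
    result = triage(SAMPLE_ALERTS)
    print("Known false positives:", result["suppressed"])
    print("Still to investigate: ", result["investigate"])
```

The helper is deliberately strict: it requires both indicators, not just the title, because a genuine encryptor running on the same day would trigger the same detection title. Apply it only to the backlog from the affected window; once the cloud-side fix is in place, new alerts with this signature should be treated as ordinary findings again.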
IT administrators in some regions may take longer to receive the fix, so if you are still seeing a flood of these alerts, hold off on manual remediation and wait for Microsoft Defender for Endpoint to clear them automatically. The cloud code update and policy updates have been rolling out for a few hours now.