Microsoft has confirmed that a code issue in Microsoft Defender for Endpoint has led to a wave of false-positive ransomware alerts for Microsoft customers.
Some system administrators reported issues on Wednesday afternoon involving numerous ransomware detections in their file systems.
Specifically, the erroneous alerts were titled ‘Ransomware behaviour detected in the file system’ and were triggered on ‘OfficeSvcMgr.exe.’, Microsoft said, with alerts occurring for around two hours between 14:39 - 16:50 (UTC).
It said a recent update that it deployed “within service components that detect ransomware alerts” introduced a code issue that led to false ransomware detections in the company’s security solution.
Microsoft has issued another code update that should correct the problem, according to Microsoft's Steve Sholz, principal technical specialist at Microsoft, updating customers via social media.
Sholz said Microsoft has updated its cloud logic to suppress the false-positive alerts and has re-processed a backlog of alerts to “completely remediate impact”. Affected customers should find the false-positives should clear from their portal without any intervention.
Microsoft is now investigating how the code error slipped through its testing and validation processes, with the hope that it will prevent similar issues from occurring again in the future.
Microsoft customers reported that the errors began appearing after they updated their security definitions, which led to a “downpour of ransomware alerts” for some.
Microsoft Office files were commonly being flagged as ransomware, according to some reports, while other behaviours like deleting shadow copies also triggered false-positive alerts for some.
Elsewhere, users on Windows 11 have reported numerous problems since installing the March security update, including slow program load times after booting, File Explorer lagging, and a malfunctioning Windows Terminal, among other issues.
RELATED RESOURCE
Modernise your server infrastructure for speed and security
Infrastructure lifecycle automation paves the way for an adaptive, resilient organisation
IT Pro has contacted Microsoft to understand if it’s aware of the issues and what is being done to address them, but it did not immediately reply at the time of publication.
A total of 92 security vulnerabilities were fixed as part of the most recent March update, including a Windows 11 issue that prevented some users from erasing all their files after a system reset.
Microsoft has also been criticised by system administrators this year for releasing ‘broken’ patches that have led numerous organisations to forgo important security fixes out of fear they may cause more disruption than they solve.
Windows Server administrators said January’s security fixes “made the problem worse”, including creating an issue where they were unable to see the Active Directory environment in Microsoft Exchange, for example.
-
Using DeepSeek at work is like ‘printing out and handing over your confidential information’News Thinking of using DeepSeek at work? Think again. Cybersecurity experts have warned you're putting your enterprise at huge risk.
-
Can cyber group takedowns last?ITPro Podcast Threat groups can recover from website takeovers or rebrand for new activity – but each successful sting provides researchers with valuable data
-
Average ransom payment doubles in a single quarterNews Targeted social engineering and data exfiltration have become the biggest tactics as three major ransomware groups dominate
-
BlackSuit ransomware gang taken down in latest law enforcement sting – but members have already formed a new groupNews The notorious gang has seen its servers taken down and bitcoin seized, but may have morphed into a new group called Chaos
-
Google cyber researchers were tracking the ShinyHunters group’s Salesforce attacks – then realized they’d also fallen victimNews In an update to an investigation on the ShinyHunters group, Google revealed it had also been affected
-
Nearly one-third of ransomware victims are hit multiple times, even after paying hackersNews Many ransomware victims are being hit more than once, largely thanks to fragmented security tactics
-
75% of UK business leaders are willing to risk criminal penalties to pay ransomsNews A ransom payment ban is a great idea - until you're the one being targeted...
-
The Scattered Spider ransomware group is infiltrating Slack and Microsoft Teams to target vulnerable employeesNews The group is using new ransomware variants and new social engineering techniques - including sneaking into corporate teleconferences
-
Hackers breached a 158 year old company by guessing an employee password – experts say it’s a ‘pertinent reminder’ of the devastating impact of cyber crimeNews A Panorama documentary exposed hackers' techniques and talked to the teams trying to tackle them
-
The ransomware boom shows no signs of letting up – and these groups are causing the most chaos
News Thousands of ransomware cases have already been posted on the dark web this year
