Bbabo NET

Science & Technology News

Microsoft Defender mistakenly warned sysadmins about malware in official MS Office update

On March 16, 2022, Microsoft Defender began warning corporate customers about the presence of malware in the official MS Office update. The antivirus solution detected ransomware code in the update component OfficeSvcMgr.exe. In fact, this turned out to be a false positive, but these notifications made system administrators around the world nervous.

Microsoft dealt with the incident a few hours later, after receiving a large number of complaints from corporate customers.

A company representative said that the developers have already corrected the protection system's algorithm to fix the problem. He explained that it arose from a recently rolled out update to the Microsoft Defender service components for ransomware detection and warning. Due to errors in the code of this update, false warnings about the presence of malware in the code of legitimate applications began to appear. Moreover, the warning algorithm was triggered at times when there was no activity in the system from either ransomware or ordinary applications.

Microsoft did not disclose why the antivirus algorithm reacted specifically to the OfficeSvcMgr.exe component, although there were no false positives for other files.

At the end of November 2021, system administrators had already experienced false positives with the corporate version of Microsoft Defender. The antivirus software began blocking user files en masse, reporting that it had detected activity related to the Win32/PowEmotet.SB or Win32/PowEmotet malware. That incident affected almost all user Excel files and any Microsoft Office component that involved the MSIP.ExecutionHost.exe and splwow64.exe applications. Microsoft fixed a bug in its cloud service and released a patch that disabled notifications and file blocking by Microsoft Defender for this incident.
