It was a false positive, the company explains

Mar 16, 2022 22:33 GMT  ·  By

Microsoft Defender for Endpoint recently raised an alert that surprised a lot of people: it flagged the Office process OfficeSvcMgr.exe for ransomware behavior and blocked access to it.

The alerts appeared after a recent update on Microsoft's side of the service, and while system administrators were flooded with ransomware alerts, it quickly became clear that they were all false positives.

Microsoft engineer Steve Scholz, Principal Technical Specialist for Security at the company, explained on reddit that Microsoft noticed a sudden spike in the number of alerts sent to customers and has since resolved the problem.

“Starting on the morning of March 16th, customers may have experienced a series of false-positive detections that are attributed to a Ransomware behavior detection in the file system. Microsoft has investigated this spike of detections and determined they are false positive results. Microsoft has updated cloud logic to suppress the false positives,” he said.

It was all because of a code issue not caught during testing, Microsoft says

As for the cause, a message posted in the admin center earlier today blames a code issue in Microsoft Defender for Endpoint.

“Our investigation found that a recently deployed update within service components that detect ransomware alerts introduced a code issue that was causing alerts to be triggered when no issue was present. We deployed a code update to correct the problem and ensure that no new alerts will be sent, and we've re-processed a backlog of alerts to completely remediate impact,” Microsoft explains.

At this point, everything is working as expected and the false positive has been resolved. Because Microsoft says the correction was made in its cloud logic and the backlog of alerts was re-processed, the fix does not depend on a new definition package reaching endpoints, so the ransomware-behavior alerts on OfficeSvcMgr.exe from March 16 can be treated as false positives. System administrators are still advised to keep Microsoft Defender for Endpoint up to date so that they receive the most recent definitions and detection logic.
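For administrators who want to confirm which of the alerts in their own tenant belonged to this incident, the following Advanced Hunting query is an added example, not code from the article or from Microsoft. It assumes that the affected alerts are categorised as "Ransomware" in the AlertInfo table, that the flagged file shows up in AlertEvidence with the file name OfficeSvcMgr.exe, and that the incident window is March 16, 2022 (UTC); adjust the window if your alerts arrived later.

```kql
// Added example (not from the article): list the March 16, 2022 ransomware-behavior
// alerts that reference OfficeSvcMgr.exe in a tenant's own Defender data.
// Assumptions: Category "Ransomware", FileName "OfficeSvcMgr.exe", and the
// 24-hour window below are assumed values, not facts stated on the page.
let start = datetime(2022-03-16 00:00:00);
let end   = datetime(2022-03-17 00:00:00);
AlertEvidence
| where Timestamp between (start .. end)
| where FileName =~ "OfficeSvcMgr.exe"
| join kind=inner (
    AlertInfo
    | where Timestamp between (start .. end)
    | where ServiceSource == "Microsoft Defender for Endpoint"
    | where Category == "Ransomware"
  ) on AlertId
// Collapse to one row per alert title/path so the flood is readable
| summarize
    FirstSeen = min(Timestamp),
    LastSeen  = max(Timestamp),
    Alerts    = dcount(AlertId),
    Devices   = dcount(DeviceId)
    by Title, Severity, FolderPath
| order by Alerts desc
```

Run it in the Advanced Hunting page of the Microsoft 365 Defender portal. Advanced Hunting keeps 30 days of data, so the query is only useful within that retention window; the result set gives the alert titles, folder paths and device counts to compare against the incident description before bulk-closing anything.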