Since late Tuesday, several users of Microsoft Defender for Endpoint have been reporting problems when Chrome updates are delivered through Google Update.
They say the Defender for Endpoint suite was flagging these updates as malicious, even though they are not. Microsoft later confirmed that the alerts were false positives and that the problem had been fixed shortly afterwards, but it did not say what exactly caused them.
False Positive Issues in Defender for Endpoint
One of the core jobs of antivirus software is to spot and flag any malicious activity on the system it protects. To do so, it inspects applications and their processes using an extensive set of permissions. Yet it sometimes flags legitimate software by mistake.
Microsoft's Defender for Endpoint is one such security product that has reported false positives before. Past examples include network devices being flagged as possibly running the Cobalt Strike tool, and Chrome updates being flagged as carrying PHP backdoors.
Even Microsoft Office updates were once tagged as malicious, with the alert pointing to suspicious ransomware-like behavior. And now the Endpoint suite is falsely flagging Google Chrome updates delivered via Google Update.
Many users have reported in various forums [1, 2, 3, 4] that Microsoft's security solution is marking the Chrome updates as suspicious even though they are benign. People who encountered the issue see an alert titled "Multi-stage incident involving Execution & Defense evasion" on their Windows endpoints.
In response, Microsoft published a service advisory saying that these were false alerts caused by an as yet unidentified error, not by any malicious activity. An hour and a half later, the company updated the advisory to say the issue had been rectified. It still did not specify what caused the alerts in the first place.
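When an EDR alert like the one above lands on an updater binary, the first thing a defender wants before dismissing it as a false positive is independent evidence that the flagged file is the genuine, vendor-signed component. The following PowerShell snippet is an added triage example, not code from the article or from Microsoft or Google: it checks the Authenticode signature and records the SHA-256 hash of the Google Update executable. The two candidate install paths and the loose "Google" signer match are assumptions; adjust them to what your endpoints actually run.

```powershell
# Added triage example (not from the original article): verify that a Google Update
# binary flagged by Defender for Endpoint carries a valid Authenticode signature
# before treating the alert as a false positive.
# The candidate paths are the usual install locations and are assumptions;
# adjust them if Google Update lives elsewhere on your endpoints.
$candidates = @(
    "$env:ProgramFiles\Google\Update\GoogleUpdate.exe",
    "${env:ProgramFiles(x86)}\Google\Update\GoogleUpdate.exe"
)

foreach ($path in $candidates) {
    if (-not (Test-Path -LiteralPath $path)) { continue }

    $sig  = Get-AuthenticodeSignature -FilePath $path
    $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash

    # Emit one record per binary; keep it with the alert for the allow/suppress decision.
    [pscustomobject]@{
        Path   = $path
        Status = $sig.Status                      # 'Valid' is expected for a genuine binary
        Signer = $sig.SignerCertificate.Subject   # certificate subject of the signer
        SHA256 = $hash
    }

    # Only a 'Valid' status together with a Google signer counts as evidence of a
    # false positive; anything else goes through normal incident handling.
    # The 'Google' substring match is a coarse, assumed check; compare against the
    # exact subject and thumbprint you have on record for a stricter test.
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Google') {
        Write-Warning "Signature check failed for $path - do not dismiss the alert."
    }
}
```

Run it from an elevated PowerShell session on an affected endpoint. A valid signature from the expected signer supports the false-positive conclusion the advisory later confirmed; a missing, expired or mismatched signature means the alert should be worked as a real incident regardless of what the vendor status page says.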