A false positive in Windows Defender and Microsoft Security essentials


Gene
 

Considering the importance of this news, Brian, do you approve me placing it on the main list?

If you use Windows Defender or are using Windows 7 with Microsoft Security Essentials and are getting warnings about threats when you run Edge, Chrome, or any Chrome-based browser, don't worry about them.  Microsoft introduced a false positive this morning into its virus definitions.
https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-falsely-detects-win32-hivezy-in-google-chrome-electron-apps/

Gene


 

At this point, Gene, no.

This appears to have been stopped in its tracks at the moment, so unless there's more "flare up" not too many people are likely to encounter it in the wild.
--

Brian - Windows 10, 64-Bit, Version 21H2, Build 19044

Nothing in all the world is more dangerous than sincere ignorance and conscientious stupidity.

   ~ Martin Luther King, Jr.


Gene
 

I see that the problem was corrected in a definitions update perhaps forty-five minutes ago.  I manually updated but I think automatic updates occur once a day so I expect a lot of people are still seeing this behavior. 

I don't know why people haven't discussed this with the number of Chrome-based browsers being used and the number of people who use Windows Defender.

Gene

On 9/4/2022 5:44 PM, Brian Vogel wrote:

At this point, Gene, no.

This appears to have been stopped in its tracks at the moment, so unless there's more "flare up" not too many people are likely to encounter it in the wild.
--

Brian - Windows 10, 64-Bit, Version 21H2, Build 19044

Nothing in all the world is more dangerous than sincere ignorance and conscientious stupidity.

   ~ Martin Luther King, Jr.



 

Hmmm heard about this, but I never got hit with this.

I was away for most of yesterday so maybe it had already been sorted.

On 5/09/2022 10:01 am, Gene wrote:
Considering the importance of this news, Brian, do you approve me placing it on the main list?

If you use Windows Defender or are using Windows 7 with Microsoft Security Essentials and are getting warnings about threats when you run Edge, Chrome, or any Chrome-based browser, don't worry about them.  Microsoft introduced a false positive this morning into its virus definitions.
https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-falsely-detects-win32-hivezy-in-google-chrome-electron-apps/

Gene




Gene
 

It began this morning.

Gene

On 9/4/2022 5:56 PM, Shaun Everiss wrote:
Hmmm heard about this, but I never got hit with this.

I was away for most of yesterday so maybe it had already been sorted.


On 5/09/2022 10:01 am, Gene wrote:
Considering the importance of this news, Brian, do you approve me placing it on the main list?

If you use Windows Defender or are using Windows 7 with Microsoft Security Essentials and are getting warnings about threats when you run Edge, Chrome, or any Chrome-based browser, don't worry about them.  Microsoft introduced a false positive this morning into its virus definitions.
https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-falsely-detects-win32-hivezy-in-google-chrome-electron-apps/

Gene







 

On Sun, Sep 4, 2022 at 06:55 PM, Gene wrote:
I don't know why people haven't discussed this with the number of Chrome-based browsers being used and the number of people who use Windows Defender.
-
Because few people, given the size of the user base, have been hit by it.

Like I said, all indications are that it was stopped in its tracks and definition update checks are, taken as a whole, utterly random around the 24 hours when the entire Windows user base is taken into account.

If this had been causing a furor you can be almost certain we would have seen a post (or many) on the main group as it was being encountered "by the masses."  But we didn't.

I really do support the idea of warning people when it can be expected that a major dumpster fire is in the offing.  This is more of a match tossed in the dumpster that burned itself out.
--

Brian - Windows 10, 64-Bit, Version 21H2, Build 19044

Nothing in all the world is more dangerous than sincere ignorance and conscientious stupidity.

   ~ Martin Luther King, Jr.


 
Edited

Correction: The problem was identified as being with definitions prior to version 1.373.1518.0, and this was supposed to have been 2 definitions after the problematic set.

My computer last checked for definition updates today and is on 1.373.1524.0, so there are already several sets of definitions that supersede the problematic set and the issue does not seem to persist.
--

Brian - Windows 10, 64-Bit, Version 21H2, Build 19044

Nothing in all the world is more dangerous than sincere ignorance and conscientious stupidity.

   ~ Martin Luther King, Jr.


 

Another aside, but I think an important one:  this is also one of the huge benefits of OS (not just Windows, but in this case Windows) telemetry.

Microsoft does get telemetry reports about detections from Windows Security, and if there's a sudden massive uptick after a definition set is released, that is a clear indication that something's off.  There could be some uptick, but a sudden spate of positive detections on browsers would raise all sorts of red flags, and not about the browsers, particularly when one of them was Edge.

One of the great blessings of OS telemetry is that things that once would have been bad updates unleashed on the entire user base seldom get very far at all these days.  Even the ones that go pretty darned far generally don't ever come close to making it out to the entire Windows user base.
--

Brian - Windows 10, 64-Bit, Version 21H2, Build 19044

Nothing in all the world is more dangerous than sincere ignorance and conscientious stupidity.

   ~ Martin Luther King, Jr.


 

You know Brian, you actually bring up a super interesting point.

On a lot of the lists and software, etc I am always disabling the background data sending services.

Not on everything, the new privacy guidelines in Europe mean a lot of companies actually explain what and why, however for ages now especially with the China thing and the spying thing we have been told that most of this getting data without consent is bad.

There are even hack tools to stop windows updating due to privacy concerns.

But yeah there are times where this data is actually good for a responsible company.



On 5/09/2022 11:24 am, Brian Vogel wrote:

Another aside, but I think an important one:  this is also one of the huge benefits of OS (not just Windows, but in this case Windows) telemetry.

Microsoft does get telemetry reports about detections from Windows Security, and if there's a sudden massive uptick after a definition set is released, that is a clear indication that something's off.  There could be some uptick, but a sudden spate of positive detections on browsers would raise all sorts of red flags, and not about the browsers, particularly when one of them was Edge.

One of the great blessings of OS telemetry is that things that once would have been bad updates unleashed on the entire user base seldom get very far at all these days.  Even the ones that go pretty darned far generally don't ever come close to making it out to the entire Windows user base.
--

Brian - Windows 10, 64-Bit, Version 21H2, Build 19044

Nothing in all the world is more dangerous than sincere ignorance and conscientious stupidity.

   ~ Martin Luther King, Jr.


 

On Sun, Sep 4, 2022 at 10:33 PM, Shaun Everiss wrote:
There are even hack tools to stop windows updating due to privacy concerns.
-
Which is the height of stupidity and insanity in the prevailing conditions in the cyberworld.  Any individual user's largest attack surface is an unpatched OS.

I just went through this again on one of the JAWS groups very recently, and it infuriates me that there is still anyone who advocates blocking Windows updates.  No one ever said it better than this gentleman, now retired, who was a BSOD expert over at BleepingComputer:

There really isn't a point to checking for updates and not installing them. . .  It's important to install all available updates. I've been doing this since the days of DOS, and I still don't have the confidence to pick and choose among updates.  There are just too many variables involved - and most people can't evaluate the full consequences of installing/not installing updates.

        ~ John Carrona, AKA usasma on BleepingComputer.com, http://www.carrona.org/

He gets to the meat of the matter at the end, "most people can't evaluate the full consequences of installing/not installing updates."  I'm one of those "most people."  The entities that created a given OS, and are tasked with maintaining it, know far better than I ever will, or could hope to.  Most of us don't consult (for pay) professional subject matter experts and then blithely ignore their advice.  Well, even though we're not paying for it, directly, that's what you have in Windows Update and the people behind it.

--

Brian - Windows 10, 64-Bit, Version 21H2, Build 19044

Nothing in all the world is more dangerous than sincere ignorance and conscientious stupidity.

   ~ Martin Luther King, Jr.


Brian's Mail list account
 

Wonderful. I have also had to tweak Defender on a laptop as it found something disagreeable about an update to CCleaner a couple of days back.
I guess these are the dangers of antivirus software.
Brian

--
bglists@...
Sent via blueyonder.(Virgin media)
Please address personal E-mail to:-
briang1@..., putting 'Brian Gaff'
in the display name field.

----- Original Message -----
From: "Gene" <gsasner@...>
To: <chat@nvda.groups.io>
Sent: Sunday, September 04, 2022 11:01 PM
Subject: [chat] A false positive in Windows Defender and Microsoft Security essentials


Considering the importance of this news, Brian, do you approve me placing it on the main list?

If you use Windows Defender or are using Windows 7 with Microsoft Security Essentials and are getting warnings about threats when you run Edge, Chrome, or any Chrome-based browser, don't worry about them. Microsoft introduced a false positive this morning into its virus definitions.
https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-falsely-detects-win32-hivezy-in-google-chrome-electron-apps/

Gene




Brian's Mail list account
 

I believe I have turned off telemetry using winaero tweak tool on windows 10, so it does make one think.
Brian

--
bglists@...
Sent via blueyonder.(Virgin media)
Please address personal E-mail to:-
briang1@..., putting 'Brian Gaff'
in the display name field.

----- Original Message -----
From: "Shaun Everiss" <sm.everiss@...>
To: <chat@nvda.groups.io>
Sent: Monday, September 05, 2022 3:33 AM
Subject: Re: [chat] A false positive in Windows Defender and Microsoft Security essentials


You know Brian, you actually bring up a super interesting point.

On a lot of the lists and software, etc I am always disabling the
background data sending services.

Not on everything, the new privacy guidelines in Europe mean a lot of
companies actually explain what and why, however for ages now especially
with the China thing and the spying thing we have been told that most of
this getting data without consent is bad.

There are even hack tools to stop windows updating due to privacy concerns.

But yeah there are times where this data is actually good for a
responsible company.



On 5/09/2022 11:24 am, Brian Vogel wrote:
Another aside, but I think an important one: this is also one of the
huge benefits of OS (not just Windows, but in this case Windows)
telemetry.

Microsoft does get telemetry reports about detections from Windows
Security, and if there's a sudden massive uptick after a definition
set is released, that is a clear indication that something's off.
There could be some uptick, but a sudden spate of positive detections
on browsers would raise all sorts of red flags, and not about the
browsers, particularly when one of them was Edge.

One of the great blessings of OS telemetry is that things that once
would have been bad updates unleashed on the entire user base seldom
get very far at all these days. Even the ones that go pretty darned
far generally don't ever come close to making it out to the entire
Windows user base.
--

Brian - Windows 10, 64-Bit, Version 21H2, Build 19044

Nothing in all the world is more dangerous than sincere ignorance
and conscientious stupidity.

~ Martin Luther King, Jr.





 

Microsoft has clearly identified exactly what it collects at each level of telemetry.  I'd never consider turning telemetry off entirely, but one of my standard actions when setting up any Windows machine is to set the level to "basic" rather than the default "everything we'd like to take" level, which can include potentially private material (not that I think they're reading this) when telemetry for Office burps is sent.  All I care to send is what's needed to monitor whether the OS itself is healthy and whether newly installed updates are functioning as expected.

OS telemetry in general, and your phones have it, MacOS has it, Linux has it, pretty much any modern OS has it - though some do allow it to be turned off entirely by the user - is what has saved our collective bacon from the "bad update" of yore that on rare occasion did take out the entire user base with widespread damage.  That just doesn't happen anymore, as the updates get intentionally stopped in their tracks when irregularities are detected.  Someone, of course, is going to be the source of those irregularities, but the number of those someones is small compared to the past.

Even the now ancient, and disastrous, Windows 10 Feature Update back in the 18XX era that wiped machines never made it out beyond a select few (and too many were in that few).

In the end, though, if it hasn't become apparent to any long term computer user that having a full system image backup protocol in place, and running it on a regular cycle which is dictated by how much "new data" you'd be willing to lose without rending your garments and tearing your hair out, is essential then it never will.  Computers can and do fail for a very wide variety of reasons.  The best and cheapest insurance policy against losing everything is having a backup protocol in place.
--

Brian - Windows 10, 64-Bit, Version 21H2, Build 19044

Nothing in all the world is more dangerous than sincere ignorance and conscientious stupidity.

   ~ Martin Luther King, Jr.


Sarah k Alawami
 

Actually, someone already did on another list.  As my system auto scans and I don’t ever check that but every few months Microsoft probably updated the database already.

 

From: chat@nvda.groups.io <chat@nvda.groups.io> On Behalf Of Brian Vogel
Sent: Sunday, September 4, 2022 3:45 PM
To: chat@nvda.groups.io
Subject: Re: [chat] A false positive in Windows Defender and Microsoft Security essentials

 

At this point, Gene, no.

This appears to have been stopped in its tracks at the moment, so unless there's more "flare up" not too many people are likely to encounter it in the wild.
--

Brian - Windows 10, 64-Bit, Version 21H2, Build 19044

Nothing in all the world is more dangerous than sincere ignorance and conscientious stupidity.

   ~ Martin Luther King, Jr.


 

On Tue, Sep 6, 2022 at 10:37 AM, Sarah k Alawami wrote:
As my system auto scans and I don’t ever check that but every few months Microsoft probably updated the database already.
-
The Windows Defender definition files are typically updated at least once per day, and often more often.  They were updated at least three or four times on the day this issue presented, and the issue was promptly extinguished.

I have not yet heard a single firsthand report of anyone being hit by this.  It's not that I doubt it happened, it did, but "the system worked" in preventing it from spreading like wildfire.  The problem was identified promptly and fixed promptly.  For most of the world, it was a complete non-issue since their definition update cycle was such that the corrupt definition file was never picked up for use.

Not everything becomes an immense conflagration.  This certainly didn't.
--

Brian - Windows 10, 64-Bit, Version 21H2, Build 19044

Nothing in all the world is more dangerous than sincere ignorance and conscientious stupidity.

   ~ Martin Luther King, Jr.


Gene
 

This is a first hand report.  The reason I knew about the problem was because I started getting Windows Defender warnings every time I opened a Chrome-based browser.  I checked online and found out about the bad update.  It may be that a lot of users didn't get the bad update but my definitions were updated somewhere between eight and nine in the morning and that update contained the problem.

Gene

On 9/6/2022 11:26 AM, Brian Vogel wrote:

On Tue, Sep 6, 2022 at 10:37 AM, Sarah k Alawami wrote:
As my system auto scans and I don’t ever check that but every few months Microsoft probably updated the database already.
-
The Windows Defender definition files are typically updated at least once per day, and often more often.  They were updated at least three or four times on the day this issue presented, and the issue was promptly extinguished.

I have not yet heard a single firsthand report of anyone being hit by this.  It's not that I doubt it happened, it did, but "the system worked" in preventing it from spreading like wildfire.  The problem was identified promptly and fixed promptly.  For most of the world, it was a complete non-issue since their definition update cycle was such that the corrupt definition file was never picked up for use.

Not everything becomes an immense conflagration.  This certainly didn't.
--

Brian - Windows 10, 64-Bit, Version 21H2, Build 19044

Nothing in all the world is more dangerous than sincere ignorance and conscientious stupidity.

   ~ Martin Luther King, Jr.



 

On Tue, Sep 6, 2022 at 01:07 PM, Gene wrote:
This is a first hand report. 
-
OK, that was not clear.

That being said, is it fixed now?

My point yesterday is that by the time the issue was even raised here the fix had been out for hours.  If you were not one of the unfortunate few who happened to have a definitions update cycle occur when the corrupted set was what was being fetched, you would never even have known this occurred.

One should only be putting warnings out about active issues.  And by the time this one was brought up here it was no longer active for anyone who had not previously been hit.  That means it's fixed, and does not warrant further warnings about.
 
I really don't think I was at all unclear on that concept from the outset.  At this point, all reports on this issue should be in the "historical" category.
--

Brian - Windows 10, 64-Bit, Version 21H2, Build 19044

Nothing in all the world is more dangerous than sincere ignorance and conscientious stupidity.

   ~ Martin Luther King, Jr.


Gene
 

I manually updated my definitions twice that day and either in the evening or late afternoon, I don't remember, an update was provided that corrected the problem.  Can Microsoft release Windows Defender updates that are installed more often than the program's usual daily update?

Gene

On 9/6/2022 12:39 PM, Brian Vogel wrote:

On Tue, Sep 6, 2022 at 01:07 PM, Gene wrote:
This is a first hand report. 
-
OK, that was not clear.

That being said, is it fixed now?

My point yesterday is that by the time the issue was even raised here the fix had been out for hours.  If you were not one of the unfortunate few who happened to have a definitions update cycle occur when the corrupted set was what was being fetched, you would never even have known this occurred.

One should only be putting warnings out about active issues.  And by the time this one was brought up here it was no longer active for anyone who had not previously been hit.  That means it's fixed, and does not warrant further warnings about.
 
I really don't think I was at all unclear on that concept from the outset.  At this point, all reports on this issue should be in the "historical" category.
--

Brian - Windows 10, 64-Bit, Version 21H2, Build 19044

Nothing in all the world is more dangerous than sincere ignorance and conscientious stupidity.

   ~ Martin Luther King, Jr.



 

On Tue, Sep 6, 2022 at 01:53 PM, Gene wrote:
Can Microsoft release Windows Defender updates that are installed more often than the program's usual daily update?
-
Actually, it's not uncommon for multiple definition updates to be released per day.  It all depends on what new detections occur "in the wild" and are confirmed, thus requiring a definition update to guard against them.

It is possible to reconfigure how often Windows Updates are checked for, but not through the standard user interface.  This is an admin thing.  See: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/manage-protection-update-schedule-microsoft-defender-antivirus?view=o365-worldwide for additional details.

You can force a manual check just by opening Windows Security, Virus and Threat Protection, then activating the "Check for Updates" link in that pane.  Also, since this is handled via the regular Windows Update mechanism, you can simply open the Windows Update pane and manually trigger a check for updates.

Since the default intervals have worked, quite well, for years there is no logical reason to change them due to a one-off incident, in my opinion.  But it can be done if you want to dig in under the hood.

Windows Defender is not consistently in the top 10 products for antivirus/security suite testing labs, often the top 5 and beating out paid competitors, because it's not set up well.
--

Brian - Windows 10, 64-Bit, Version 21H2, Build 19044

Nothing in all the world is more dangerous than sincere ignorance and conscientious stupidity.

   ~ Martin Luther King, Jr.
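The manual "Check for Updates" and the admin-only update interval that Brian describes above, as an added PowerShell example that is not from the thread or from Microsoft's documentation. It uses the built-in Defender cmdlets Get-MpComputerStatus, Update-MpSignature, Get-MpPreference and Set-MpPreference; the 1.373.1518.0 version is the one Brian cited earlier in the thread as the first definition set without the false positive, and the Test-DefenderSignatureCurrent function name is my own. Run it from an elevated prompt on Windows 10/11.

```powershell
# Added example (not from the thread): check whether this machine's Defender
# signatures predate the fixed set cited in the thread, force a definition
# update if they do, and show how the signature update interval is configured
# outside the GUI. Update-MpSignature and Set-MpPreference need an elevated prompt.

# Version stated in the thread as the first definition set without the false positive.
$FixedSignatureVersion = [version]'1.373.1518.0'

function Test-DefenderSignatureCurrent {
    param([version]$MinimumVersion = $FixedSignatureVersion)
    $status = Get-MpComputerStatus
    $installed = [version]$status.AntivirusSignatureVersion
    [pscustomobject]@{
        InstalledVersion = $installed
        LastUpdated      = $status.AntivirusSignatureLastUpdated
        IsCurrent        = ($installed -ge $MinimumVersion)
    }
}

$check = Test-DefenderSignatureCurrent
$check | Format-List

if (-not $check.IsCurrent) {
    # Same effect as Windows Security > Virus & threat protection > Check for updates.
    Update-MpSignature
    Test-DefenderSignatureCurrent | Format-List
}

# Scheduled interval, in hours, between signature checks
# (0 when no custom interval has been configured, i.e. the default cadence applies).
(Get-MpPreference).SignatureUpdateInterval

# To check more often than the default, e.g. every 4 hours. Left commented out:
# as the thread says, the defaults have served well and a one-off incident is
# no reason to change them.
# Set-MpPreference -SignatureUpdateInterval 4
```

If the installed version is already at or past the threshold, the script only reports it; the forced update runs only when the machine still holds an older set, which is the situation Gene described for the morning the bad definitions went out.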


Gene
 

I'm not sure what you mean by this sentence:
Windows Defender is not consistently in the top 10 products for antivirus/security suite testing labs, often the top 5 and beating out paid competitors, because it's not set up well.

You have praised the program before and it isn't clear if you said what you meant in this sentence.

Gene
On 9/6/2022 1:17 PM, Brian Vogel wrote:

On Tue, Sep 6, 2022 at 01:53 PM, Gene wrote:
Can Microsoft release Windows Defender updates that are installed more often than the program's usual daily update?
-
Actually, it's not uncommon for multiple definition updates to be released per day.  It all depends on what new detections occur "in the wild" and are confirmed, thus requiring a definition update to guard against them.

It is possible to reconfigure how often Windows Updates are checked for, but not through the standard user interface.  This is an admin thing.  See: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/manage-protection-update-schedule-microsoft-defender-antivirus?view=o365-worldwide for additional details.

You can force a manual check just by opening Windows Security, Virus and Threat Protection, then activating the "Check for Updates" link in that pane.  Also, since this is handled via the regular Windows Update mechanism, you can simply open the Windows Update pane and manually trigger a check for updates.

Since the default intervals have worked, quite well, for years there is no logical reason to change them due to a one-off incident, in my opinion.  But it can be done if you want to dig in under the hood.

Windows Defender is not consistently in the top 10 products for antivirus/security suite testing labs, often the top 5 and beating out paid competitors, because it's not set up well.
--

Brian - Windows 10, 64-Bit, Version 21H2, Build 19044

Nothing in all the world is more dangerous than sincere ignorance and conscientious stupidity.

   ~ Martin Luther King, Jr.