Microsoft Defender Mistakenly Saw a Threat in Chrome and Electron Apps

Due to a bug in an update, Microsoft Defender incorrectly identified Google Chrome, Microsoft Edge, Discord, Spotify, and other Electron apps as a Win32/Hive.ZY threat every time they ran on Windows.

Let me remind you that we also said that Microsoft Defender Scanner for Log4j Problems finds non-existent bugs, and also that LockBit Ransomware Uses Windows Defender to Download Cobalt Strike.

The problem of false positives manifested itself last weekend, after the release of signature update 1.373.1508.0. This update includes two new threats, including the already mentioned Win32/Hive.ZY. Microsoft writes that this is a universal identifier for suspicious behavior, which will come in handy when “detecting potentially malicious files.”

Users from all over the world wrote on Twitter and on Reddit that warnings about the detection of a serious threat appear every time they launch a browser or any application based on Electron.

Of course, neither Spotify, nor Chrome, nor other legitimate applications were associated with malware, but rather annoying false positives.

After a flurry of reports about a bug in Microsoft Defender, developers have already released three updates in an effort to fix the problem. The most recent one (1.373.1537.0) seems to have finally fixed the problem and rid users of false positives and the “phantom” Win32/Hive.ZY.

It must be said that this is far from the first case of its kind, and false positives have existed for as long as antiviruses themselves. For example, in 2020, the Microsoft Defender ATP (Advanced Threat Protection) enterprise solution added a lot of gray hair to administrators when it allegedly detected Mimikatz and Cobalt Strike infections on devices. Back in 2011, a signature update for Microsoft Security Essentials and Microsoft Forefront identified the Chrome for Windows executable as a component of the notorious ZeuS Trojan.