Google Chrome updates identified as suspicious by Microsoft Defender
Microsoft Defender for Endpoint has been flagging Google Chrome updates delivered via the Google Update program as suspicious activity, the result of a false-positive detection.
According to reports from Windows system admins, the security platform began flagging Chrome updates as suspicious activity as of last evening.
Those who have encountered the issue report seeing “Multi-stage incident involving Execution & Defense evasion” alerts on affected Windows endpoints monitored by Defender for Endpoint.
Additionally, in a Microsoft 365 Defender service advisory issued after reports of these alarming alerts started showing up online, Microsoft revealed that they were erroneously triggered by a false positive, not by malicious activity on the affected systems.
“Admins may receive a false positive alert for Google Update on Microsoft Defender for Endpoint monitored devices,” Microsoft said.
About one and a half hours later, the advisory was updated, with Redmond saying that the false-positive issue had been addressed and service restored.
“We determined these are false-positive results and we have updated the logic for this alert to resolve the issue some customers may have experienced,” said a Microsoft spokesperson.
For the last two years, Windows admins have had to deal with multiple other Defender for Endpoint false-positive issues.
For instance, they were hit by a wave of Defender for Endpoint alerts in which Office updates were tagged as malicious, with warnings pointing to ransomware behaviour detected on Windows endpoints.
In November, Defender ATP blocked Office documents and some Office executables from opening or launching because of another false positive that tagged the files as Emotet malware payloads.
One month later, it mistakenly displayed "sensor tampering" alerts linked to the Microsoft 365 Defender scanner for Log4j processes.
Other similar Defender for Endpoint issues include alerts tagging network devices as infected with Cobalt Strike and Chrome updates as PHP backdoors, both caused by false-positive detections.