Microsoft Defender Log4j Scanner Triggers False Positive Alerts

Microsoft Defender for Endpoint is currently showing "sensor tampering" alerts linked to the company's newly deployed Microsoft 365 Defender scanner for Log4j processes. BleepingComputer reports: The alerts are reportedly mainly shown on Windows Server 2016 systems and warn of "possible sensor tampering in memory was detected by Microsoft Defender for Endpoint" created by an OpenHandleCollector.exe process. Admins have been dealing with this issue since at least December 23, according to customer reports.

While this Defender process' behavior is tagged as malicious, there's nothing to worry about since these are false positives, as revealed by Tomer Teller, Principal Group PM Manager at Microsoft, Enterprise Security Posture. Microsoft is currently looking into this Microsoft 365 Defender issue and working on a fix that the company should soon deliver to affected systems. "This is part of the work we did to detect Log4J instances on disk. The team is analyzing why it triggers the alert (it shouldn't of course)," Teller explained.

oh dear

[Anonymouse Cowtard]

Don't pop the corks, someone's working through to the new year.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[edis]

You forget, that people mostly are not compiling products, but obtain and use them.

Re:

[Antique Geekmeister]

Relying on someone else's components is pretty fundamental to object oriented programming. It's fundamental to Java libraries, to Python modules, and to Perl modules that most developers should avoid trying to build them locally because their build requirements may be conflicting or hazardous to leave in place.

Re:

[jmccue]

Where I work, that is the norm for Year End processing in IT. Sales people jam so much in during the last week of Dec we need to keep an eye on the systems to avoid issues. So what is 1 more thing to watch,

Well, it is Microsoft

[gweihir]

Of course they will not get it right. That is standard MO with them. Not that getting this one right should have been hard. But as all the fanbois still buy the 2nd-rated MS crap and ask to be fed more, MS has zero incentives to do better.

Windows Server?

[Gabest]

Why would you run Apache instead of IIS if you have a WS2016? Do WAMP kids still exist?

Re:

[ArchieBunker]

Hey I’m using UUCP!

Re:

[Zarhan]

Apache web server != Tomcat.

And if you want to run JSPs, Tomcat is still the easiest solution...

Re:

[Antique Geekmeister]

"Apache web server" is httpd.

https://httpd.apache.org/ [apache.org]

Tomcat is sometimes referred to as "Apache Tomcat"

https://tomcat.apache.org/ [apache.org]

While httpd, formerly known as "apache", has fallen out of favor among Java advocates, it's still a popular and effective web server in popular business use.

Re:

[edis]

May you have software embedded service?

Could it be

[JustAnotherOldGuy]

"Microsoft Defender Log4j Scanner Triggers False Positive Alerts"

Maybe it's just detecting Windows?

MS Testing Team

[Canberra1]

Production testing - we save money by trimming trivial environments. Clearly the testing teams have been decimated, If Kaspersky had its way, they could tell MS the problem faster. As no one has aired the cause, one suspects in flight adds/deletes without a non-interrupt wrapper trigger differences. Or it could be children of parent handles are not being cleanly terminated in an orderly manner - some previous cves, supposedly fixed. There again the Intel speculative workarounds could also ripple the memory

Re:

[antdude]

It's not just MS. Apple, Google, and many others do this too. :(