Microsoft Security

Microsoft Defender Tags Office Updates As Ransomware (bleepingcomputer.com)

joshuark writes: In one of those cases of in-your-face irony or karmic debt, Bleeping Computer reports that Microsoft Defender tags Office updates as ransomware. The article states: "Windows admins were hit today by a wave of Microsoft Defender for Endpoint false positives where Office updates were tagged as malicious in alerts pointing to ransomware behavior detected on their systems."

Further on, an explanation for the source of the karmic irony is: "The root cause of the false positives was a recently deployed update within service components for detecting ransomware alerts." Couldn't this have waited for April 1st?

Bleeping Computer goes on, "A Microsoft spokesperson was not available for comment when contacted by BleepingComputer earlier today."

  • by Lohrno ( 670867 ) on Friday March 18, 2022 @12:48PM (#62369141)

    Are we entirely sure the Office update is not ransom ware?

    • Wish I had some moderation points, I'd give you a funny. However, there is the flipside, where you're pretty much correct which makes it even funnier.
    • Well, it doesn't quite count as ransomware since we can open Office files with LibreOffice. However, I'm sure MS would like it to be ransomware, you know, stop paying the protection... sorry, I mean 'licence fees,' & you lose access to your files.
      • If you switch to using Microsoft's 'OneCloud' storage - the default for Office365 - you DO lose access to your files if your O365 license is not paid ...

    • Are we entirely sure the Office update is not ransom ware?

      Well... MS does want people to move to subscription service for Office. Seems kinda ransom-y to me...

    • Definitely needed a tag #NotWrong
    • Are we entirely sure the Office update is not ransom ware?

      Indeed. I wonder why they call it a "false positive", when it is a piece of software harmful to your computer, your health, and the whole industry!

  • by smooth wombat ( 796938 ) on Friday March 18, 2022 @12:48PM (#62369143) Journal

    You mean those "updates" aren't ransomware?

    "That's a lot of data you have there. Sure would be a shame if something happened to it."

  • Anti-virus being accurate for once.
    • They are trying to make up for not having identified the Windows 10 "update" as malware back in the day. Too little, far too late.

  • Microsoft Defender Tags Office Updates As Ransomware

    Not sure which one, but I'm pretty sure Shakespeare wrote a play about this happening.

  • Irony aside, this just makes me trust Defender slightly more. The fact that they aren't just blanket allowlisting anything from Microsoft means that it might actually catch shit if Microsoft's update servers were compromised.

  • Most of the malware detection software seems to be headed very much in the direction of, "I haven't seen this before, let's check the binary hash to see if the Internet has seen it (e.g. VirusTotal). No? Must be malware!" It's the most braindead approach to malware that anyone could write in their sleep. The result is that every single software update is malware until enough people declare it as "okay." And Enterprise AV companies are somehow making money off of that. Once an executable has been flagg

  • Was also identified as malware and will be replaced by Clippy.

  • Apparently MS can get away with that. This is so incompetent, it is staggering. Of course, you would not only test your own applications against your own AV, you would also explicitly whitelist them. Doing that reliably seems to be beyond the capabilities of Microsoft "engineers" or is unwanted by its management.

    • Actually, to be completely honest, that they haven't whitelisted their own products is actually a quality mark of their Defender software team; just because they are in-house products does not mean that they are immune to infection. The problem is that the Office team didn't run the updates through Defender before shipping them; that is where the fault is, not with the Defender team.
    • Even gcc was flagged as malware a few weeks ago.

      • by gweihir ( 88907 )

        Probably indicates that overall detection quality is getting worse and they tried (and obviously failed) to compensate by adjusting sensitivity. That does not bode well.

  • Guess someone on the Defender team didn't get the memo.
