Microsoft Defender – Hive false positives

Overview

Severity level: Low – flaw will make finding real events a longer process.

Microsoft has issued a new signature to their Defender Antivirus system that mistakenly detects Electron apps such as Google Chrome, Microsoft Edge and Discord as prominent malware, also known as’Win32/Hive.ZY’, each time the apps are opened in Windows.

The issue of these signatures started on the morning of 4th September with Microsoft’s Defender signature update 1.373.1508.0.

Impact

The flaw with this latest signature update means that organisations using Microsoft Defender will accumulate a lot of false positives for Hive ransomware. This could cause confusion within the organisation’s network defence team and ultimately lead to a significant delay in accurate threat detection while the false positives are being triaged.

Vulnerability Detection

Vulnerability affects users operating the 1.373.1508.0 version of Microsoft Defender.

Affected Products

Microsoft Defender Antivirus

Containment, Mitigations & Remediations

Since issuing the faulty update, Microsoft has released further updates that resolve the issue. Customers experiencing negative effects from the faulty signatures should update their Defender software to the latest version as soon as possible.

Indicators of Compromise

Significant increase of Hive ransomware alerts connected to the use of Electron applications.

Threat Landscape

Unfortunately, disruptive updates such as this one will highly likely occur again in the future. Whilst legitimate Hive ransomware attacks cannot be ruled out and base level investigations should still be taken, it is likely that alerts highlighted while having this version installed will be false positives.

Further Information

Microsoft Behaviour:Win32/Hive.ZY

Confidence Terminology Yardstick

0%-5% Remote Chance
10%-20% Highly Unlikely
25%-35% Unlikely
40%-50% Realistic Possibility
55%-75% Likely/Probable
80%-90% Highly Likely
95%-100% Almost Certain