Microsoft Defender – Hive false positives
Severity level: Low. The faulty signature does not itself compromise hosts, but it makes finding real events a slower process.
Microsoft shipped a signature for Microsoft Defender Antivirus that mistakenly detects Chromium-based browsers such as Google Chrome and Microsoft Edge, and Electron-based applications such as Discord, as the Hive ransomware family (detection name 'Win32/Hive.ZY') each time the application is launched on Windows.
The false positives began on the morning of 4 September 2022 with Microsoft Defender security intelligence update 1.373.1508.0.
With this signature installed, organisations using Microsoft Defender will accumulate a large number of false-positive Hive ransomware alerts. This can cause confusion within the network defence team and delay accurate detection of genuine threats while the false positives are being triaged.
Affected versions: Microsoft Defender Antivirus with security intelligence update 1.373.1508.0. Note that this is a faulty detection signature, not a vulnerability in Defender itself.
Microsoft Defender Antivirus
Containment, Mitigations & Remediations
Since issuing the faulty signature, Microsoft has released further security intelligence updates that resolve the issue. Customers experiencing false positives should update Defender's security intelligence to the latest version as soon as possible, and confirm that the installed signature version has moved past 1.373.1508.0 rather than assuming the scheduled update has already run.
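The following PowerShell is an added example, not part of the original advisory, showing how an administrator can check whether a host is still on the faulty signature build and force a security intelligence update if so. It uses the built-in Defender cmdlets (Get-MpComputerStatus, Update-MpSignature); the faulty version number is taken from the advisory, and the choice of MicrosoftUpdateServer as the update source is an assumption for environments that do not use an internal update server.

```powershell
# Added example (not from the original advisory): check whether a host is still
# running the faulty Defender security intelligence build and, if so, pull the
# latest one and confirm the version actually changed.
$FaultyVersion = [version]'1.373.1508.0'   # version named in the advisory

$status    = Get-MpComputerStatus
$installed = [version]$status.AntivirusSignatureVersion
Write-Host "Installed security intelligence version: $installed (last updated $($status.AntivirusSignatureLastUpdated))"

if ($installed -le $FaultyVersion) {
    Write-Warning "Host is on or before the faulty signature build; forcing a security intelligence update."

    # Assumption: hosts update straight from Microsoft. Use InternalDefinitionUpdateServer
    # instead if the estate pulls definitions from WSUS or another internal source.
    Update-MpSignature -UpdateSource MicrosoftUpdateServer

    $after = [version](Get-MpComputerStatus).AntivirusSignatureVersion
    if ($after -gt $FaultyVersion) {
        Write-Host "Updated to $after; host is past the faulty build."
    } else {
        Write-Warning "Still on $after after the update attempt; check connectivity to the update source."
    }
} else {
    Write-Host "Host is already past the faulty build; no action needed."
}
```

Run the script elevated. For a fleet, the same version comparison can be fed from Get-MpComputerStatus collected by your existing management tooling, so that the hosts still reporting 1.373.1508.0 are the ones whose Hive alerts need the most sceptical triage.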
Indicators of Compromise
A sudden increase in Hive ransomware alerts (Win32/Hive.ZY) from 4 September 2022 onwards, where the detected file or process is a Chromium-based browser or an Electron-based application such as Discord.
Unfortunately, disruptive updates such as this one are highly likely to occur again in the future. Whilst a genuine Hive ransomware intrusion cannot be ruled out and baseline investigation should still be carried out, alerts raised while signature version 1.373.1508.0 is installed are likely to be false positives.
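To keep the baseline investigation manageable, the triage described above can be scripted. The following PowerShell is an added example, not part of the original advisory: it reads the local Defender detection history, keeps the Hive detections from the last seven days, and separates those whose detected resource is one of the applications named in the advisory (likely false positives) from everything else (to be investigated normally). The install-path patterns for Chrome, Edge and Discord, the seven-day window and the wildcard match on the threat name are assumptions for illustration.

```powershell
# Added example (not from the original advisory): triage local Defender detections
# for Hive alerts. Detections whose resources are the browsers/Electron apps named
# in the advisory are bucketed as likely false positives; anything else is listed
# for a normal investigation.
$FaultyVersion = [version]'1.373.1508.0'
$Since         = (Get-Date).AddDays(-7)          # assumed triage window

# Assumed typical install locations of the applications the advisory names.
$KnownAppPatterns = @(
    '\\Google\\Chrome\\Application\\chrome\.exe',
    '\\Microsoft\\Edge\\Application\\msedge\.exe',
    '\\Discord\\app-[^\\]+\\Discord\.exe'
)

# Build a ThreatID -> ThreatName lookup so detections can be filtered by family name.
$threatNames = @{}
Get-MpThreat | ForEach-Object { $threatNames[$_.ThreatID] = $_.ThreatName }

$hiveDetections = @(Get-MpThreatDetection |
    Where-Object { $_.InitialDetectionTime -ge $Since -and $threatNames[$_.ThreatID] -like '*Win32/Hive*' })

$likelyFalsePositive = @()
$needsInvestigation  = @()
foreach ($d in $hiveDetections) {
    # Resources are strings such as "file:_C:\path\app.exe" or "process:_C:\path\app.exe";
    # strip the "type:_" prefix to get the plain path.
    $paths = @($d.Resources) -replace '^[a-z]+:_', ''

    $matchesKnownApp = $false
    foreach ($p in $paths) {
        foreach ($pattern in $KnownAppPatterns) {
            if ($p -match $pattern) { $matchesKnownApp = $true }
        }
    }

    $record = [pscustomobject]@{
        Time       = $d.InitialDetectionTime
        ThreatName = $threatNames[$d.ThreatID]
        Paths      = ($paths -join '; ')
    }
    if ($matchesKnownApp) { $likelyFalsePositive += $record } else { $needsInvestigation += $record }
}

$sigVersion = [version](Get-MpComputerStatus).AntivirusSignatureVersion
Write-Host "Signature version on this host: $sigVersion (faulty build is $FaultyVersion)"
Write-Host "Hive detections since $($Since.ToString('s')): $($hiveDetections.Count)"
Write-Host "  tied to known browser/Electron app paths (likely false positives): $($likelyFalsePositive.Count)"
Write-Host "  other paths (investigate normally): $($needsInvestigation.Count)"
$needsInvestigation | Sort-Object Time | Format-Table -AutoSize
```

The split is deliberately conservative: a Hive detection on any path not in the known-application list is never suppressed, and even the "likely false positive" bucket should only be closed once the host is confirmed to have moved past the faulty signature version.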
Confidence Terminology Yardstick
0%-5% Remote Chance
10%-20% Highly Unlikely
40%-50% Realistic Possibility
80%-90% Highly Likely
95%-100% Almost Certain