A curious story that German blog reader Paul B. just told me: Windows Defender triggers a false alarm on a native Windows file, reporting a Trojan Win32.AccessibilityEscalation.
Paul wrote in a private e-mail that he has observed strange behavior from Windows Defender since the last signature update. I’ve translated the text below:
After today’s update of the virus signatures for Defender (KB2267602), it detects “osk.exe” from Microsoft, found in the \system32 directory, as Trojan-infected.
This is the “On Screen Keyboard”, Windows’ own on-screen keyboard.
Fun with Microsoft!
The above screenshot is proof; it shows the Windows Defender notification. Searching the internet didn’t reveal other people affected. Microsoft included the detection for the malware Win32/AccessibilityEscalation.A in Defender:
This generic detection for suspicious behaviors is designed to catch potentially malicious files. If you downloaded a file or received it through email, ensure that it is from a reliable source before opening it.
My German blog readers could not confirm that – but shortly after I published the German edition of this article, another reader left this comment. He observed similar behavior from his Defender.
Addendum: It’s by design
It’s not a false alarm. Microsoft’s malware scan engine will trigger a Win32/AccessibilityEscalation.A alert if a system file (like utilman.exe) has been manipulated. Such manipulations are used in the utilman.exe hack to gain admin rights on a blocked Windows (see my blog post Activate Build-in Administrator account in Windows – II and this article for instance). Since August/September 2018, those hacks won’t work anymore if Microsoft’s Defender or Microsoft Security Essentials is running.
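To tell a manipulated accessibility binary from a genuine one when this alert shows up, an administrator can compare each file's signature and embedded original file name against what Windows ships. The following PowerShell is an added example, not part of the original post or of Defender; the function name `Test-AccessibilityBinary`, the file list and the signer match on "Microsoft" are assumptions.

```powershell
# Added example: integrity check for the accessibility binaries named in the post.
# Assumption: a genuine file is validly signed by Microsoft and its embedded
# OriginalFilename matches its name on disk.
function Test-AccessibilityBinary {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        return [pscustomobject]@{ Path = $Path; Verdict = 'Missing' }
    }

    $sig      = Get-AuthenticodeSignature -LiteralPath $Path
    $info     = (Get-Item -LiteralPath $Path).VersionInfo
    $expected = [IO.Path]::GetFileName($Path)

    # Some systems report the name with a ".mui" suffix (e.g. "osk.exe.mui");
    # strip it before comparing so genuine files are not flagged.
    $original = $info.OriginalFilename -replace '\.mui$', ''

    $signerOk = ($sig.Status -eq 'Valid') -and
                ($sig.SignerCertificate.Subject -match 'O=Microsoft')
    $nameOk   = $original -ieq $expected

    [pscustomobject]@{
        Path             = $Path
        SignatureStatus  = $sig.Status
        Signer           = $sig.SignerCertificate.Subject
        OriginalFilename = $info.OriginalFilename
        # Hash for comparison against the same file on a known-good machine
        # running the same Windows build.
        SHA256           = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        Verdict          = if ($signerOk -and $nameOk) { 'OK' } else { 'Investigate' }
    }
}

# The post names osk.exe and utilman.exe; extend the list as needed.
$system32 = Join-Path $env:SystemRoot 'System32'
'osk.exe', 'utilman.exe' |
    ForEach-Object { Test-AccessibilityBinary -Path (Join-Path $system32 $_) } |
    Format-List
```

A file that was swapped for another program still carries that program's original file name in its version resource, so it shows up as `Investigate` even when its signature is valid.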