Microsoft Defender ATP quarantined Chrome Update as PHP-Backdoor

[German]According to reports from administrators, Microsoft Defender ATP seems to have incorrectly classified the latest 88 version updates of the Google Chrome browser as malware and quarantined them. However, the problem is now said to have been fixed by a new signature file.


Microsoft Defender ATP is Microsoft's commercial version of it's the security solution, which can only be used in corporate environments with certain enterprise licenses. However, that's exactly where there seems to have been problems with updates to Google Chrome browser version 88 yesterday. I already came across this notice a few hours ago, which various administrators are complaining about on Twitter and on the web.

Microsoft Defender ATP detectes Chrome Update as Malware

The affected updates are for Google Chrome to versions v88.0.4324.104 (dated January 19, 2021) through v88.0.4324.146 (dated February 3, 2021), which are classified as PHP/Funvalget.A-Backdoor.

ZDNet first reported for the incident in the article linked in the above tweet. A screenshot shown there indicates that the Chrome language file sl.pak (solven language customization) in the installer is classified as a backdoor. Microsoft Defender for Endpoint, which is included in the package, then automatically blocks the detected files and quarantines them. In other words, the Google Chrome browser has not received any updates since version v88.0.4324.104, which was released on January 19, 2021.

Microsoft has since fixed this false positive again, with Bleeping Computer quoting a store as saying, "We've corrected an automation error that incorrectly classified the installation package as malware." System administrators should use the commands in an administrative command prompt:


cd %ProgramFiles%\Windows Defender
MpCmdRun.exe -removedefinitions -dynamicsignatures
MpCmdRun.exe -SignatureUpdate

to update the signatures of Defender. Then the false alarm should be gone again. Were any of you affected by this incident?

Cookies helps to fund this blog: Cookie settings


This entry was posted in browser, Security, Software, Update and tagged , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *