A brief note for administrators. Microsoft Defender reports that a PowEmotet.SB infection has been blocked and quarantined, possibly when Microsoft Office is started? This is a false alarm, which was triggered by an update of the signature files to version 1.353.1874.0. Here is some information on what is known so far.
German blog reader Constantin contacted me by email an hour ago (thanks for that) and alerted me to a problem on Windows related to Microsoft Defender for Endpoint with the following lines:
Hello,
Definitely worth a nice article, how Microsoft screwed up again and scared all admins.
Microsoft has gone into the toilet with a Defender definition and every Office start is now probably a Defender false positive…
PowEmotet is what we recognized.
Twitter is exploding over it. All the admins will be happy tomorrow morning…
In addition, Constantin has sent me a link to the following tweet from security researcher Kevin Beaumont, which addresses these observations. Defender seems to trigger on something when Microsoft Office is opened.
Christopher Mage then recreated this in a virtual machine. On 11/30/2021, Defender reported a Behavior:Win32/PowEmotet.SB finding to him while printing. Defender then blocked the PowEmotet.SB (signature) file in question. Beaumont quickly came to the conclusion that a rolled-out change in the virus signature basically triggered a false positive on any Office DDE control.
On Twitter there is this tweet, where a user posts something similar. In this tweet, a user writes that "PowEmotet" is currently being flagged as a false positive by Microsoft Defender via "C:\Windows\splwow64.exe" when users try to print from Office 365 applications. On reddit.com there is this post:
MsDefender detects Emotet in Microsoft Excel
For the last 40 minutes we have had 5-6-7 Windows devices on which MSDefender detected Win32/PowEmotet.SB. If we update the antivirus definition and open a new Excel file afterwards, we get the detection.
who complains about an Emotet infection in Microsoft Excel and asks if he is alone. In the meantime, within the thread more and more users are reporting this observation. Quite quickly, users state that these findings occur with virus definition v1.353.1874.0 of Defender. Meanwhile, Microsoft has posted the following information, which I found in the reddit thread.
"Starting on the evening of November 29th, customers may have experienced a series of false-positive detections that are attributed to the Behavior:Win32/PowEmotet.SB malware detection. Microsoft has investigated this spike of detections and determined they are false positive results. The affected Security Intelligence builds began with 1.353.1842.0. Microsoft has suppressed the detection preventing future alert spikes for those customers connected to the cloud. An upcoming Security Intelligence build to address the issue will be released shortly."
So this confirms that a flawed Defender Antivirus signature, 1.353.1842.0, rolled out Nov. 29, is responsible for these false alerts. Microsoft suppressed the detection to prevent future spikes in alerts for customers connected to the cloud. A new security intelligence build to fix the issue is expected to be released soon. Addendum: Bleeping Computer colleagues also report the same issue here. A week ago there was also an issue with Defender, see Windows Server 2019/2022: Microsoft Defender for Endpoint fails after Nov. 2021 updates.
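For admins who want to triage a fleet rather than wait for the alert spike to settle, here is an added PowerShell helper (not from the post, nor from Microsoft): it checks whether the host's signature build falls in the affected range and joins the local Defender threat history to show which process (splwow64.exe when printing, an Office binary when opening a document) triggered the PowEmotet.SB detection. It assumes the Defender cmdlets are available (Windows 10/11, Server 2016 and later; not Microsoft Security Essentials on Windows 7), that the affected range starts at 1.353.1842.0 as Microsoft stated, and, as an assumption, that builds from 1.353.1888.0 upward are no longer affected.

```powershell
# Added triage helper; assumption: affected builds are >= 1.353.1842.0 (Microsoft's statement)
# and < 1.353.1888.0 (the first build readers reported as updated). Adjust if Microsoft
# publishes a different fixed build.
$affectedFrom  = [version]'1.353.1842.0'
$fixedFrom     = [version]'1.353.1888.0'
$threatPattern = 'PowEmotet'

# 1) Signature build currently loaded on this host
$status  = Get-MpComputerStatus
$current = [version]$status.AntivirusSignatureVersion

if ($current -ge $affectedFrom -and $current -lt $fixedFrom) {
    Write-Warning "Signature $current is inside the affected range ($affectedFrom to below $fixedFrom). Run Update-MpSignature."
} else {
    Write-Output "Signature $current is outside the affected range."
}

# 2) Threat catalogue entries (name, status) for the false-positive family
$threats = Get-MpThreat | Where-Object { $_.ThreatName -like "*$threatPattern*" }
if (-not $threats) {
    Write-Output "No $threatPattern entries in the local threat history."
    return
}

# 3) Join detections to threats on ThreatID to see when and from which process they fired;
#    a parent of splwow64.exe or an Office executable matches the pattern described in the post.
$detections = Get-MpThreatDetection
foreach ($t in $threats) {
    $detections | Where-Object { $_.ThreatID -eq $t.ThreatID } | ForEach-Object {
        [pscustomobject]@{
            ThreatName    = $t.ThreatName
            DetectedAt    = $_.InitialDetectionTime
            Process       = $_.ProcessName
            User          = $_.DomainUser
            Resources     = ($_.Resources -join '; ')
            StillActive   = $t.IsActive
        }
    }
} | Sort-Object DetectedAt | Format-Table -AutoSize
```

Nothing here modifies quarantine; releasing or deleting quarantined items remains a manual decision once the corrected signature build is confirmed on the host.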
If this is fixed now, what should I do with this virus in quarantine? Allow or remove it? I am using Microsoft Security Essentials on Windows 7 PRO x64. Thank you in advance.
Got a comment from German readers that a new signature update has been shipped at 8:00 a.m. MEZ for Defender. My MSE on Win 7 ESU shows v1.353.1888.0, so it's updated.
If you don't have malfunctions, leave the file in quarantine.
But the file doesn't get removed automatically, right? I don't want to screw it up if I delete it.
It shall not be removed. I would not delete it, in case something is screwed up. In a month, you are probably able to delete the quarantined file, if no harm has been observed.
I can still allow it instead of removing it, if this really is a false positive.
Ok, I simply fixed it by reinstalling MSE and downloading the current 1.353.1934.0 definition :). I have Windows 7, so I can reinstall the antivirus. Now I have a clean quarantine and after opening any Office document I don't get any Emotet alert :). So, the problem is fixed for me now.