A brief note for administrators. Microsoft Defender reports that a PowEmotet.SB infection has been blocked and quarantined, possibly each time Microsoft Office is started? This is a false alarm, triggered by an update of the signature files to version 1.353.1874.0. Here is what is known so far.
German blog reader Constantin contacted me by email an hour ago (thanks for that) and alerted me to a problem on Windows related to Microsoft Defender for Endpoint with the following lines:
Definitely worth a nice article, how Microsoft screwed up again and scared all admins.
Microsoft has gone into the toilet with a Defender definition and every Office start is now probably a Defender false positive….
PowEmotet was detected.
Twitter is exploding over it. So all admins will be happy tomorrow morning….
In addition, Constantin sent me a link to the following tweet from security researcher Kevin Beaumont, which addresses these observations. Defender seems to trigger on something when Microsoft Office is opened.
Christopher Mage then reproduced this in a virtual machine. On 11/30/2021, Defender raised a Behavior:Win32/PowEmotet.SB alert for him while printing. Defender then blocked the PowEmotet.SB (signature) file in question. Beaumont quickly came to the conclusion that a rolled-out change in the virus signature was basically triggering a false positive on any Office DDE control.
On Twitter, there is this tweet, in which a user reports something similar: "PowEmotet" is currently being flagged as a false positive by Microsoft Defender via "C:\Windows\splwow64.exe" when users try to print from Office365 applications. On reddit.com there is this post:
MsDefender detects Emotet in Microsoft Excel
For the last 40 minutes we have had 5-6-7 Windows devices on which MSDefender detected Win32/PowEmotet.SB. If we update the antivirus definition and open a new Excel file afterwards, we get the detection.
whose author complains about Emotet detections in Microsoft Excel and asks if he is alone. In the meantime, more and more users within the thread are reporting the same observation. Quite quickly, users established that these findings occur with Defender virus definition v.1.353.1874.0. Meanwhile, Microsoft has posted the following information, which I found in the reddit thread.
"Starting on the evening of November 29th, customers may have experienced a series of false-positive detections that are attributed to the Behavior:Win32/PowEmotet.SB malware detection. Microsoft has investigated this spike of detections and determined they are false positive results. The affected Security Intelligence builds began with 1.353.1842.0. Microsoft has suppressed the detection preventing future alert spikes for those customers connected to the cloud. An upcoming Security Intelligence build to address the issue will be released shortly."
So it is confirmed that a flawed Defender Antivirus signature, starting with build 1.353.1842.0 rolled out on Nov. 29, is responsible for these false alerts. Microsoft has suppressed the detection to prevent further spikes in alerts for customers connected to the cloud. A new Security Intelligence build to fix the issue is expected to be released soon. Addendum: The colleagues at Bleeping Computer also report the same issue here. A week ago there was also an issue with Defender, see Windows Server 2019/2022: Microsoft Defender for Endpoint fails after Nov. 2021 updates.
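For admins who want to check which endpoints carry a Security Intelligence build in the range reported above, here is an added PowerShell example (not the blog's or Microsoft's own code). It assumes the Defender PowerShell module's Get-MpComputerStatus, Get-MpThreat and Update-MpSignature cmdlets are available; since the post does not name the build that fixes the issue, the upper bound 1.353.1874.0 is simply the highest build reported on the page.

```powershell
# Added example, not from the blog post: check the local Defender signature build
# against the range the post reports as affected and list PowEmotet findings.
# Assumption: the fixed build is not stated in the post, so $LastKnownBad is only
# the highest build reported in the thread, not a guaranteed upper bound.

function Test-AffectedSignature {
    param(
        [Parameter(Mandatory)] [string] $Version,
        [string] $FirstBad     = '1.353.1842.0',  # from Microsoft's statement
        [string] $LastKnownBad = '1.353.1874.0'   # highest build reported in the thread
    )
    # [version] compares field by field (1.353.1874.0 > 1.353.1842.0), unlike string order
    $v = [version] $Version
    return ($v -ge [version] $FirstBad) -and ($v -le [version] $LastKnownBad)
}

function Get-PowEmotetFindings {
    # Defender threat records whose name matches the false-positive family
    Get-MpThreat -ErrorAction SilentlyContinue |
        Where-Object { $_.ThreatName -like '*PowEmotet*' } |
        Select-Object ThreatName, ThreatID, SeverityID
}

$sig = (Get-MpComputerStatus).AntivirusSignatureVersion
Write-Host "Security Intelligence build: $sig"

if (Test-AffectedSignature -Version $sig) {
    Write-Warning "Build $sig is in the reported range; pulling the current signature build."
    Update-MpSignature
    Write-Host ("Now on build: {0}" -f (Get-MpComputerStatus).AntivirusSignatureVersion)
} else {
    Write-Host "Build $sig is outside the reported range (newer builds may already contain the fix)."
}

$findings = Get-PowEmotetFindings
if ($findings) {
    Write-Host "PowEmotet records on this host (review against Microsoft's false-positive notice):"
    $findings | Format-Table -AutoSize
}
```

Run it in an elevated PowerShell session; on a fleet, wrap the version check in Invoke-Command to collect the build per host before deciding whether to force a signature update.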