[German]At the end of the year, here is a small collection of articles about Microsoft's antivirus solution Defender. For Windows Server 2019, a problem with Defender has probably been fixed with the December 2021 updates. On the other hand, a Defender problem in Windows 8.1/Server 2012 R2 has been going on for months without being fixed. And to make matters worse, Microsoft has rolled out a Microsoft 365 Defender Log4j scanner that triggers an alert in Defender from the OpenHandleCollector.exe process.
Fix for Windows Server 2019/2022 Defender issue
I had addressed it in the blog post Windows Server 2019/2022: Microsoft Defender for Endpoint fails after Nov. 2021 updates. Microsoft had to admit, it after installation of certain updates on Windows Server 2019 or even Windows Server 2022 the Microsoft Defender for Endpoint as virus protection makes problems and possibly no longer starts.
With the December 2021 security updates, Microsoft then fixed the issue of Microsoft Defender not starting in Windows Server Core (e.g., through cumulative update KB5008218) (see my blog post Patchday: Windows 10 Updates (December 14, 2021)).
Defender real-time protection blocked (Error 0x800705b4)
Im Blog-Beitrag Windows 8.1/Server 2012 R2: KB5003681 blockt Defender Echtzeitschutz (Error 0x800705b4) habe ich berichtet, dass das Juni 2021-Sicherheitsupdates KB5003681 (Security Only Quality) dem Echtzeitschutz des Windows Defender unter Windows 8.1 und Windows Server 2012 R2 blockieren kann. Der Defender lässt sich dann nicht mehr öffnen und stürzt mit dem Fehlercode 0x800705b4 ab. Nach Deinstallation des Updates funktioniert alles wieder.
I had described a possibly working workaround in the blog post and the hope that Microsoft will give milk and provide a fix in the following months. As of December 28, 2021, this German comment has arrived on the German blog, and claimed, that Windows Defender's real-time protection was still not working.
False alerts from Defender Log4j scanner
Microsoft probably rolled out a Log4j scanner for Microsoft 365 Defender, but did not document anything. Since that time, Microsoft Defender for Endpoint has suddenly been reporting "sensor tampering" alerts and complaining about a process OpenHandleCollector.exe. I first came across this via the following tweet.
The user asks if anyone else gets the message "Possible sensor tampering in memory was detected by Microsoft Defender for Endpoint". This is created by OpenHandleCollector.exe. Microsoft then got back to me and said that there were false positives, which have now been corrected.
Hi there, thank you for flagging this issue. Microsoft has updated cloud logic to suppress any false positives and has resolved the alerts on behalf of the customers.
Security researcher Kevin Beaumont picked up on it in a series of tweets, and writes:
It is something Microsoft have added to Defender for Endpoint it appears, new binary never seen before, that Defender for Endpoint's own EDR rules trigger on.. so it is detecting itself.
It looks like Microsoft rolled out a completely undocumented file globally, C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection\OpenHandleCollector.exe, and ran it on Defender for Endpoint looking for log4j processes. But Defender detected it.
The following tweet then confirms that these are probably false alarms from Defender. In the meantime, the colleagues from Bleeping Computer have also taken up the topic here and provide some more details.
The first reports on Twitter were probably published as early as December 23, 2021. According to Microsoft's responses, they are working on a fix and claim to have already fixed this. Is anyone else affected?
Cookies helps to fund this blog: Cookie settings