[German]It looks like a classic false positive that Microsoft Defender pulled yesterday (Wednesday, March 16, 2022). If you suddenly had Microsoft Office updates quarantined as ransomware on your systems, you were affected by this case.
Advertising
Yesterday, all hell broke loose for some administrators as Microsoft Defender ran amok on Windows machines. On reddit.com, there's this thread that takes it all in. One affected person asks if others were also informed by Defender that Office files were detected as malicious.
Defender Alerts for Ransomware regarding Office
Looks like MS goofed the Security definitions again, seeing false positives from Office come through on ATP like the issue a few months ago. Anyone else getting Defender alerts?
Another affected person confirms that and writes in his reply that ransomware behavior has been reported in the file system:
YES! Downpour of ransomware alerts right now! "Ransomware behavior detected in the file system"
In the thread in question, there are a number of affected people who have responded and confirmed the problem. There were also corresponding messages on Twitter here, here and here.
I couldn't respond yesterday due to web server outage. But the colleagues from Bleeping Computer picked it up promptly in a post.
Advertising
In the meantime, Microsoft has confirmed and fixed the problem. Here are the statements, Bleeping Computer citing Microsoft:
Starting on the morning of March 16th, customers may have experienced a series of false-positive detections that are attributed to a Ransomware behavior detection in the file system. Admins may have seen that the erroneous alerts had a title of 'Ransomware behavior detected in the file system,' and the alerts were triggered on OfficeSvcMgr.exe.
Our investigation found that a recently deployed update within service components that detect ransomware alerts introduced a code issue that was causing alerts to be triggered when no issue was present. We deployed a code update to correct the problem and ensure that no new alerts will be sent, and we've re-processed a backlog of alerts to completely remediate impact.
So it was a false alarm and Microsoft has published code to prevent these false alarms in the future.
