Windows Defender reports (false positive) Behaviour:Win32/Hive.ZY (Sept. 4, 2022)

Windows[German]Short note for Windows users who are startled by Microsoft Defender with a virus detection on their system on Sunday (Sept. 4, 2022). For a few hours now, the Microsoft virus scanner has been reporting a Behaviour:Win32/Hive.ZY as a detection. However, this is probably a false alarm – could be due to Microsoft Edge – and is currently trending in forums. Addendum: The false positive has been fixed with a new signature file.


Reader reports about Behaviour:Win32/Hive.ZY

German blog reader Martin contacted me by email and reported, that his Microsoft Defender detected Behaviour:Win32/Hive.ZY on his Windows 10 system. Martin wrote about it:

Windows Defender false-positive / Behaviour:Win32/Hive.ZY

Hello Günter,

I just got a proper scare when Windows Defender on my Windows 10 laptop suddenly throws the following error:


No program is given, only a PID – and the process is stupidly terminated immediately, so I was "blind" and couldn't see what was causing it. At the same time, I had not installed any new software in the last few days, nor had I opened any suspicious mails, etc.

The message appeared periodically from then on, but not at fixed times. I scanned several times with Windows Defender, which found nothing – and then the message suddenly came back. Quite strange.

[…] I currently have the following definitions 1.373.1508.0 and can reproduce the message every time I start Chrome.

Just wanted to shout this out to you, in case you want to write something about it in your blog or maybe you already got a scare about a possible infection ;-)

And German blog reader Christoph Gierl reported within this comment about a similar scenario, but there related to Microsoft Edge.

apparently Defender is running amok again.
It has found "Behavior:Win32/Hive.ZY" three times now on my PC; when I tried to open Edge, mind you. This is a trending topic in several forums. It's a bit off-topic, but Edge is also affected.



Thanks to the two readers for the hint – there was no virus alert at my barbeque grill – but I stopped that for a moment to post a few lines here on the blog.

This is also a topic in other forums. At Microsoft Answers, there is this thread, where apps with the Electron framework, such as WhatsApp, Discord, Spotify, etc., are also mentioned, where Defender triggers a false alarm. I found other forums with similar user reports.

A false positive alarm

Blog reader Martin already pointed out this thread at in his mail, where this issue is also discussed. It's obviously a false positiv alarm, annoying, but not dangerous. At reddit, somebody wrote:


All Electron-based apps and Chrome detected as `Behavior:Win32/Hive.ZY` on open as of today.

Google yields no results.

What is going on?!

More information is already provided there. Not only any Chromium-based browser (like Google Chrome and Microsoft Edge) is affected, but also all apps and applications based on the Electron framework. So it seems to be a false-positive from Windows Defender.

Waiting for a fix from Microsoft

There is now a wide trail of messages on the Internet about different programs that trigger this "find" (even VScode or Windows settings page has been among them). One way to avoid the alerts is to temporarily set an exception for the invoked program in Defender.

Otherwise, the only thing left to do is to wait for an update from Microsoft that fixes the false alarm. However, previous signature updates do not seem to have worked for all users – although you should restart Windows after an update as a precaution.

Addendum: The false positive has been fixed with a new signature file (see Microsoft fixes Windows false positive Behaviour:Win32/Hive.ZY alarm).

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security, Software, Windows and tagged , , . Bookmark the permalink.

One Response to Windows Defender reports (false positive) Behaviour:Win32/Hive.ZY (Sept. 4, 2022)

  1. Merlin says:

    BS! I spend more than half of day to try to clean this up ! Microsoft should pay for this!

Leave a Reply

Your email address will not be published. Required fields are marked *