IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Microsoft Defender drops "downpour" of false ransomware alerts on customers

System administrators made numerous reports of false-positive results being flagged for seemingly innocuous files and behaviours on Wednesday

Someone holding a padlock in front of the Microsoft logo

Microsoft has confirmed that a code issue in Microsoft Defender for Endpoint has led to a wave of false-positive ransomware alerts for Microsoft customers.

Some system administrators reported issues on Wednesday afternoon involving numerous ransomware detections in their file systems.

Specifically, the erroneous alerts were titled ‘Ransomware behaviour detected in the file system’ and were triggered on ‘OfficeSvcMgr.exe.’, Microsoft said, with alerts occurring for around two hours between 14:39 - 16:50 (UTC).

It said a recent update that it deployed “within service components that detect ransomware alerts” introduced a code issue that led to false ransomware detections in the company’s security solution.

Microsoft has issued another code update that should correct the problem, according to Microsoft's Steve Sholz, principal technical specialist at Microsoft, updating customers via social media.

Sholz said Microsoft has updated its cloud logic to suppress the false-positive alerts and has re-processed a backlog of alerts to “completely remediate impact”. Affected customers should find the false-positives should clear from their portal without any intervention.

Microsoft is now investigating how the code error slipped through its testing and validation processes, with the hope that it will prevent similar issues from occurring again in the future.

Microsoft customers reported that the errors began appearing after they updated their security definitions, which led to a “downpour of ransomware alerts” for some.

Microsoft Office files were commonly being flagged as ransomware, according to some reports, while other behaviours like deleting shadow copies also triggered false-positive alerts for some.

Elsewhere, users on Windows 11 have reported numerous problems since installing the March security update, including slow program load times after booting, File Explorer lagging, and a malfunctioning Windows Terminal, among other issues.

Related Resource

Modernise your server infrastructure for speed and security

Infrastructure lifecycle automation paves the way for an adaptive, resilient organisation

Whitepaper cover with title and block dark green rectangle with grey and white arrow graphicsFree Download

IT Pro has contacted Microsoft to understand if it’s aware of the issues and what is being done to address them, but it did not immediately reply at the time of publication.

A total of 92 security vulnerabilities were fixed as part of the most recent March update, including a Windows 11 issue that prevented some users from erasing all their files after a system reset.

Microsoft has also been criticised by system administrators this year for releasing ‘broken’ patches that have led numerous organisations to forgo important security fixes out of fear they may cause more disruption than they solve.

Windows Server administrators said January’s security fixes “made the problem worse”, including creating an issue where they were unable to see the Active Directory environment in Microsoft Exchange, for example.

Featured Resources

Four strategies for building a hybrid workplace that works

All indications are that the future of work is hybrid, if it's not here already

Free webinar

The digital marketer’s guide to contextual insights and trends

How to use contextual intelligence to uncover new insights and inform strategies

Free Download

Ransomware and Microsoft 365 for business

What you need to know about reducing ransomware risk

Free Download

Building a modern strategy for analytics and machine learning success

Turning into business value

Free Download

Recommended

Microsoft says it's provided over $100 million in tech support to Ukrainian government
cyber attacks

Microsoft says it's provided over $100 million in tech support to Ukrainian government

20 May 2022
Microsoft to double salary budget to retain workers
Careers & training

Microsoft to double salary budget to retain workers

17 May 2022
Microsoft warns of new botnet variant targeting Windows and Linux systems
Security

Microsoft warns of new botnet variant targeting Windows and Linux systems

16 May 2022
Windows Server admins say latest Patch Tuesday broke authentication policies
Server & storage

Windows Server admins say latest Patch Tuesday broke authentication policies

12 May 2022

Most Popular

16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

13 May 2022
Russian hackers declare war on 10 countries after failed Eurovision DDoS attack
hacking

Russian hackers declare war on 10 countries after failed Eurovision DDoS attack

16 May 2022
(ISC)2 launches free scheme to get 100,000 UK citizens into cyber security
Careers & training

(ISC)2 launches free scheme to get 100,000 UK citizens into cyber security

17 May 2022