Update Microsoft Defender falsely detects Win32/Hive.ZY in Google Chrome, Electron apps

Gandalf_The_Grey

Level 66
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
5,595
A bad Microsoft Defender signature update mistakenly detects Google Chrome, Microsoft Edge, Discord, and other Electron apps as 'Win32/Hive.ZY' each time the apps are opened in Windows.

The issue started Sunday morning when Microsoft pushed out Defender signature update 1.373.1508.0 to include two new threat detections, including Behavior:Win32/Hive.ZY.

"This generic detection for suspicious behaviors is designed to catch potentially malicious files. If you downloaded a file or received it through email, ensure that it is from a reliable source before opening it," reads the Microsoft detection page for Win32/Hive.ZY.

According to BornCity, the false positive is widespread, with users reporting on BleepingComputer, Twitter, and Reddit that the detections appear each time they open their browser or an Electron app.

Even though Microsoft Defender will continuously display these detections when apps are opened, it is important to note that this is a false positive, and your device is mistakenly being detected as infected.

Microsoft has since released two new Microsoft Defender security intelligence updates, the latest being 1.373.1518.0.

While this signature update does not display Win32/Hive.ZY detections in BleepingComputer's tests, other users report that they continue to receive false positives.

While it is usually not required, in this case, it may be helpful to reboot Windows after installing the new security intelligence update to see if it resolves the false positive.

As this issue is widespread and causing panic among Windows users worldwide, we will likely see a new update fixing the problem within a few hours, if not sooner.

At this time, there has been no formal confirmation of the issue from Microsoft.
 

upnorth

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,469
200 (27).gif
 

SeriousHoax

Level 44
Verified
Top Poster
Well-known
Mar 16, 2019
3,310
Saw this on someone's PC tonight. Every time Edge was opened, there was this detection from Defender. But Chrome wasn't affected on this device. Also, it didn't stop Edge from running. Edge functioned just fine. I thought the device has been infected till I saw the BleepingComputer tweet. As they stated, it has been fixed. I think it was fixed rather quickly, but since Defender updates the local signature only once a day on a device by default, most people's device wasn't updated to the signature version where it was fixed till they force updated and restarted the system. Cache for previous detections are usually removed after a restart and also a signature update is performed after a few minutes.
Funny thing is, almost everyday multiple times I check what threat has been added/updated on MD's database and I saw this one too when it was the latest update at that time. I was thinking that it's nice that they have added a behavioral detection for this ransomware. Who knew that this would end up causing this dilemma!
 

Gandalf_The_Grey

Level 66
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
5,595
Microsoft shared the following statement with BleepingComputer:
"We have released an update to address this issue and customers using automatic updates for Microsoft Defender do not need to take additional action." - a Microsoft spokesperson.
In addition Microsoft shared that enterprise customers managing their updates should ensure they are using detection build 1.373.1537.0 or newer.
 

ScandinavianFish

Level 6
Verified
Dec 12, 2021
289
Its honestly why I dont like AV's that utilize signature/definition updates, not only are do they not need them as signatures make up an fraction of all detections now that pretty much all of them use AI/ML, behavioral analysis, heuristics, etc, but it also drains an device's resources, the icing on the cake is now this that can brick systems
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top