Gandalf_The_Grey

Level 55
Verified
Helper
Top poster
Content Creator
Well-known
Apr 24, 2016
4,400
Microsoft Defender for Endpoint is currently blocking Office documents from being opened and some executables from launching due to a false positive tagging the files as potentially bundling an Emotet malware payload.

Windows system admins are reporting [1, 2, 3, 4, 5] that this is happening since updating Microsoft's enterprise endpoint security platform (previously known as Microsoft Defender ATP) definitions to version 1.353.1874.0.

When triggered, Defender for Endpoint will block the file from opening and throw an error mentioning suspicious activity linked to Win32/PowEmotet.SB or Win32/PowEmotet.SC.

"We're seeing issues with definition update 1.353.1874.0 detecting printing as Win32/PowEmotet.SB this afternoon," one admin said.

"We are seeing this detected for Excel, any Office app using MSIP.ExecutionHost.exe ( AIP Sensitivity Client ) and splwow64.exe," another added.

A third one confirmed the issues with today's definition updates: "We're seeing the same behavior specifically with v.1.353.1874.0 of the definitions, which was released today, & included a definition for Behavior:Win32/PowEmotet.SB & Behavior:Win32/PowEmotet.SC."

BleepingComputer was able to trigger the false positive on a Windows 10 virtual machine with the latest Microsoft Defender signatures, as shown below.

Emotet false positive in Microsoft Defender
Microsoft has told BleepingComputer that they have fixed the issue for cloud-connected users and working on a fix for everyone else.
 
Top