The battle against malware is constant, ever-changing and incredibly complicated. It’s so complicated, in fact, that Microsoft Defender for Endpoint this week detected activity that it found suspicious and mistakenly warned some system administrators that Office updates were a threat.
Numerous reports were posted on Reddit by admins who saw the alerts popping up on the morning of March 16th. Defender started sounding the alarm on activity from the Office Update service that suddenly looked like ransomware activity.
It wasn’t, of course. What actually happened, according to Microsoft, was that a code update caused Defender to think that ransomware activity had been detected even when it hadn’t.
Within hours of the first reports coming in, Microsoft confirmed that the detections were false positives and issued a fix. The erroneous alerts were then cleared from the affected Defender logs.
False positives aren’t terribly rare, and they’re certainly not unique to Defender. They’re an issue that every company that develops security software has to contend with.
Years ago, false positives were mostly limited to mistakes within definition files. Malware was less sophisticated then, so programs tended to rely on a static set of signatures to identify it.
Today it’s not so simple. Malware has become incredibly sophisticated, and it would be nearly impossible to defend against if signature definitions were the only information security software could rely on to identify a threat.
That’s why most anti-malware apps have added behavioral analysis. It allows them to monitor systems and detect when activity crosses the threshold from unexpected to malicious.
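To make that threshold concrete, here is an added example (constructed for this article, not Defender's or Microsoft's logic): a toy "mass rename" heuristic that catches a simulated encryptor but also trips on a simulated updater rewriting its own files, plus two ways a defender narrows it. The process names, signer strings and paths are assumptions.

```python
# Added example: a toy behavioural ransomware heuristic and how a benign
# updater can trip it. Events are constructed; this is not Defender's logic.
from collections import Counter

# Constructed events: (process, code signer or None, action, path)
EVENTS = [
    ("cryptor.exe", None, "rename", r"C:\Users\a\Docs\q1.docx.locked"),
    ("cryptor.exe", None, "rename", r"C:\Users\a\Docs\q2.xlsx.locked"),
    ("cryptor.exe", None, "rename", r"C:\Users\a\Docs\q3.pptx.locked"),
    ("cryptor.exe", None, "write",  r"C:\Users\a\Docs\README_DECRYPT.txt"),
    # An updater legitimately renames/rewrites many files in a short window too.
    ("updater.exe", "Example Publisher", "rename", r"C:\Program Files\App\a.dll.bak"),
    ("updater.exe", "Example Publisher", "rename", r"C:\Program Files\App\b.dll.bak"),
    ("updater.exe", "Example Publisher", "rename", r"C:\Program Files\App\c.dll.bak"),
    ("updater.exe", "Example Publisher", "write",  r"C:\Program Files\App\a.dll"),
    ("notepad.exe", "Example Publisher", "write",  r"C:\Users\a\Docs\notes.txt"),
]

RENAME_THRESHOLD = 3                      # mass renames look like encrypt-in-place
RANSOM_EXTS = {".locked", ".crypt", ".enc"}  # extensions typical of encrypted output

def rename_counts(events):
    """Count rename actions per process."""
    return Counter(p for p, _, action, _ in events if action == "rename")

def ransom_ext_counts(events):
    """Count renames whose new name ends in a known ransomware extension."""
    return Counter(p for p, _, action, path in events
                   if action == "rename"
                   and "." + path.rsplit(".", 1)[-1].lower() in RANSOM_EXTS)

def flag_volume_only(events, trusted_signers=frozenset()):
    """Naive rule: rename volume alone crosses the threshold.
    Exempting trusted code signers is one coarse way to cut false positives."""
    signer_of = {p: s for p, s, _, _ in events}
    return sorted(p for p, n in rename_counts(events).items()
                  if n >= RENAME_THRESHOLD and signer_of[p] not in trusted_signers)

def flag_volume_and_ext(events):
    """Tighter rule: high rename volume AND at least one ransomware-style
    extension, so an updater producing .bak files no longer matches."""
    ext_hits = ransom_ext_counts(events)
    return sorted(p for p, n in rename_counts(events).items()
                  if n >= RENAME_THRESHOLD and ext_hits[p] >= 1)

if __name__ == "__main__":
    print("volume only:", flag_volume_only(EVENTS))        # updater is a false positive
    print("trusted signer exempt:", flag_volume_only(EVENTS, {"Example Publisher"}))
    print("volume + extension:", flag_volume_and_ext(EVENTS))
```

Either narrowing has a cost: a signer allowlist is only as good as the signing process it trusts, and an extension check misses encryptors that keep original file names, which is the tuning trade-off every behavioral engine lives with.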
It’s a valuable additional layer of defense. Today’s systems are under constant attack from bad actors all over the globe. Malware evolves more rapidly than ever and cybercriminals are constantly exploiting new vulnerabilities.
Being connected to the Internet would be much more dangerous if your anti-malware app of choice didn’t have the ability to detect suspicious activity as it occurred.
Ultimately, it’s far better to deal with a false positive from time to time than to rely on more rudimentary protection against advanced malware.