Microsoft Defender has been mistakenly raising false positive security alerts for users of applications such as Google Chrome, Discord, and Twitch. Users are seeing a detection named “Behavior:Win32/Hive.ZY,” which Microsoft describes as intended to flag potentially harmful files of the kind frequently delivered via channels such as email. Perhaps reassuringly, “Hive” is also the name of a ransomware-as-a-service (RaaS) operation suspected in the September 2021 attack on the European consumer electronics retailer Media Markt.
What happens next?
According to reports, the issue has been fixed in Microsoft Defender update version 1.373.1537.0. Users began reporting the problem on Microsoft support forums after the release of Security Intelligence Update KB2267602. The timing was particularly bad, since Microsoft’s US staff were on the long Labor Day holiday weekend. The common denominator across the affected applications is that they use Google’s open-source Chromium browser engine or the Electron JavaScript framework, which also underpins apps such as WhatsApp, Yammer, and Visual Studio Code. This isn’t the first time Microsoft’s security software has reported false positives concerning Chrome. Back in 2011, Microsoft Security Essentials and Microsoft Forefront identified a Chrome executable as the ZeuS trojan, malware designed to steal users’ bank logins. Users were reportedly unable to use Chrome for several hours as a result.
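For administrators who want to confirm that a machine has picked up the corrected signatures and to see whether the false positive fired on it, the following PowerShell snippet is an added example (not from the original article or from Microsoft). It uses the built-in Defender module cmdlets; the version string 1.373.1537.0 and the detection name come from the article, while the choice of a 7-day lookback window for the event log query is an assumption for illustration.

```powershell
# Added example: check whether Defender signatures are at or beyond the
# version reported to fix the Behavior:Win32/Hive.ZY false positive, and
# list any detections of that name on this host. Run in an elevated prompt.

# Version the article reports as containing the fix.
$fixedVersion = [version]'1.373.1537.0'

$status = Get-MpComputerStatus
$installedVersion = [version]$status.AntivirusSignatureVersion

if ($installedVersion -lt $fixedVersion) {
    Write-Host "Signature version $installedVersion is older than $fixedVersion; updating..."
    # Pull the latest Security Intelligence update from the configured source.
    Update-MpSignature
    $installedVersion = [version](Get-MpComputerStatus).AntivirusSignatureVersion
}
Write-Host "Installed signature version: $installedVersion (fix threshold: $fixedVersion)"

# Detections Defender still has on record for this host, filtered by threat name.
$hiveThreats = Get-MpThreat | Where-Object { $_.ThreatName -like 'Behavior:Win32/Hive.ZY*' }
if ($hiveThreats) {
    Write-Host "Behavior:Win32/Hive.ZY detections recorded on this host:"
    $hiveThreats | Select-Object ThreatName, SeverityID, Resources | Format-List
} else {
    Write-Host "No Behavior:Win32/Hive.ZY detections recorded by Get-MpThreat."
}

# Cross-check the Defender operational log: event ID 1116 is 'malware detected',
# 1117 is 'action taken'. Lookback window of 7 days is an assumption for this example.
$since = (Get-Date).AddDays(-7)
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1116, 1117
    StartTime = $since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Hive\.ZY' } |
    Select-Object TimeCreated, Id, @{ Name = 'Summary'; Expression = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

Because the affected files are legitimate Chromium and Electron binaries, any such entries on a host that is already at or above the fixed signature version are historical and can be reviewed rather than acted on; a genuine Hive infection would not be identified by this detection name alone, so unexpected hits on a non-Chromium process still warrant normal triage.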
More recently, a number of complaints from Windows system administrators revealed that Microsoft Defender for Endpoint had flagged Google Update browser updates as suspicious.