The Microsoft Defender security platform displayed false security alerts to users of applications such as Google Chrome, Discord, and Twitch.
Users received a detection named “Behavior:Win32/Hive.ZY”, which Microsoft says is used to flag potentially malicious files, often downloaded through channels such as email.
Not reassuringly, “Hive” is the name of a ransomware-as-a-service (RaaS) operation that was implicated in an attack on European consumer electronics retailer Media Markt in September 2021.
What now?
The bug was reportedly fixed in the Microsoft Defender 1.373.1537.0 update.
Users started reporting the bug in the Microsoft Support Forums after the Security Intelligence Update, KB2267602, was released.
The timing of the update was also unfortunate: Microsoft’s US staff were enjoying the long Labor Day holiday weekend.
The common denominator of the affected applications is that they use Google’s open source Chromium browser engine or the Electron JavaScript framework, an open source platform used by applications such as WhatsApp, Yammer, and Visual Studio Code.
This would not be the first time Microsoft security software has reported false positives for Chrome.
In the dark days of 2011, Microsoft Security Essentials and Microsoft Forefront referred to the Chrome executable as a ZeuS Trojan that was designed to steal user bank credentials.
This problem reportedly prevented users from using Chrome for hours.
More recently, several reports by Windows administrators showed that Microsoft Defender for Endpoint flagged browser updates delivered via Google Update as suspicious.