Earlier this week, Microsoft had an embarrassing episode with its cybersecurity suite. In a strange situation, Microsoft Defender was flagging the company's own Office suite as a virus. While this is hilarious, it also shows a problem with false positives. Microsoft has now decided to do more to prevent such issues in Defender.
False positives are when an anti-virus tool flags a legitimate tool as being infected and warns users about using it. Product misidentification does not happen often, but it is a problem Microsoft has seen from time to time on Microsoft Defender for Endpoint. This week's Office false positive was just a high-profile incident.
System admins reached out to Microsoft to complain about the issue. Steve Scholz, Microsoft Principal Technical Specialist for Security & Compliance, confirmed this was a false positive. Furthermore, Microsoft fixed the issue that same day.
A quick fix is one thing, but the company wants to do more. Microsoft is now working on adding features to Microsoft Defender that could greatly reduce the number of false positives.
In new guidance for security admins and operators, Microsoft says there are steps they can take to prevent false positives:
“Fortunately, steps can be taken to address and reduce these kinds of issues. If you're seeing false positives/negatives in Microsoft 365 Defender, your security operations can take steps to address them by using the following process:
- Review and classify alerts
- Review remediation actions that were taken
- Review and define exclusions
- Submit an entity for analysis
- Review and adjust your threat protection settings”
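The five steps Microsoft quotes above are written for the Microsoft 365 Defender portal. As an added illustration (not part of the article or of Microsoft's guidance), the following PowerShell walks through the same steps on a single endpoint using the built-in Defender Antivirus cmdlets; the file path is a constructed placeholder, and the assumption is that the flagged file has already been confirmed benign before any exclusion is added.

```powershell
# Added example, not from the article: the quoted false-positive process
# applied locally with the Defender Antivirus cmdlets (run as administrator).
# The path below is a placeholder; replace it with the file Defender flagged.
$falsePositive = 'C:\Program Files\ExampleVendor\ExampleApp\app.exe'   # placeholder

# 1. Review and classify alerts: the most recent detections and the
#    resources (files, processes) each one involved.
Get-MpThreatDetection |
    Sort-Object InitialDetectionTime -Descending |
    Select-Object -First 20 ThreatID, InitialDetectionTime, ProcessName, Resources |
    Format-List

# Map each ThreatID to its name and severity to decide whether it is plausible.
Get-MpThreat | Select-Object ThreatID, ThreatName, SeverityID, IsActive

# 2. Review remediation actions that were taken (quarantine, remove, block...).
Get-MpThreatDetection |
    Select-Object ThreatID, CleaningActionID, ActionSuccess, RemediationTime |
    Format-Table -AutoSize

# 3. Review and define exclusions: audit what is already excluded first,
#    then exclude only the single confirmed-benign file, never a whole drive.
$pref = Get-MpPreference
'Existing path exclusions:';    $pref.ExclusionPath
'Existing process exclusions:'; $pref.ExclusionProcess
Add-MpPreference -ExclusionPath $falsePositive

# 4. Submit an entity for analysis: submission itself happens through
#    Microsoft's sample-submission portal; record the hash you will submit.
Get-FileHash -Algorithm SHA256 -Path $falsePositive

# 5. Review and adjust threat protection settings: a false positive is
#    usually corrected by the next definition update, so pull it and verify.
Update-MpSignature
Get-MpComputerStatus |
    Select-Object AntivirusSignatureVersion, AntivirusSignatureLastUpdated

# Once the corrected definitions are in place, drop the temporary exclusion
# so the endpoint returns to full coverage.
Remove-MpPreference -ExclusionPath $falsePositive
```

The point of auditing `Get-MpPreference` before adding anything is that exclusions accumulate silently; a broad path or process exclusion left behind from an old incident is a permanent blind spot, which is why the example scopes the exclusion to one file and removes it again once definitions are updated.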