December 2, 2021

Microsoft Defender for Endpoint is currently blocking access to Office documents and some executables because the files are marked false-positive and may bundle an Emotet malware payload.

Windows system admins have reported this since they updated Microsoft’s enterprise endpoint security platform definitions, to version 1.353.1874.0.

When triggered, Defender for Endpoint will block the file from opening and displays an error indicating suspicious activity related to Win32 /PowEmotet.SB or Win32 /PowEmotet.SC.

While Microsoft has not yet released final information about the problem, the most likely reason is that the tech giant has increased sensitivity to detecting Emotet-like behaviour in updates released yesterday, and that renders Defender’s generic behavioural detection engine is extremely sensitive and prone to reporting false positives.

The change was also most likely caused by the recent revival of the Emotet botnet two weeks ago, after Emotet research group Cryptolaemus, GData, and Advanced Intel began to detect TrickBot dropping Emotet loaders on infected devices.

Amid the false alarms, the timing of the bug is really bad, since Emotet is coming back and most Windows administrators are already panicking.

Many of them reported that they had almost taken their data centers offline to prevent the possible Emotet infection before realizing that these were likely false positives.

Microsoft has stated that it has solved the problem for cloud-connected users and will fix the bug for everyone else as soon as possible.

For more information, read the original story in BleepingComputer.