Users of Microsoft Defender for Endpoint (the edition of Defender focused on protecting endpoints) started receiving false positive alerts for the Log4j threat after an update added a threat-identifier scanner to the Microsoft 365 Defender tools.
The false alerts appear mostly on machines running Windows Server 2016 and identify a process created by the executable OpenHandleCollector.exe as the source of the memory modifications. The problem has been occurring since last Thursday (the 23rd).
Anyone else getting “Possible sensor tampering in memory was detected by Microsoft Defender for Endpoint” alerts created by OpenHandleCollector.exe? cc: @msftsecurity @GossiTheDog https://t.co/X6P75VBdvP
— CISOwithHoodie (@SecGuru_OTX) December 29, 2021
While the alert may alarm users, there is so far no indication that anyone should be worried, since it is simply a false positive, as Microsoft Program Group Manager Tomer Teller explained to the BleepingComputer website.
Microsoft has confirmed that it is investigating the issue and intends to make a fix available as soon as possible.
Recurrent false positives
Over the past year, several Windows Server administrators have had to deal with false positives in Defender for Endpoint, such as the one a few weeks ago in which the product flagged Microsoft Office files as possible vectors for the Emotet malware.
Typically, such issues are fixed within a few days, but Microsoft offers little detail about why they keep recurring with other types of files. So even once the Log4j false positive is resolved, other programs may still be wrongly identified as threats.