Earlier today, Reddit sysadmins and others started reporting (1, 2) that Google Chrome updates were being flagged as “suspicious” by Microsoft Defender for Endpoint. Apparently Microsoft’s security solution considered the “goopdate” DLL file suspicious because it was not signed by the Google Updater service (GoogleUpdate.exe).
As you can see in the image below, Twitter user Kevin Gray observed the following activity on the Defender side while Google Chrome updates were running:
Microsoft appears to have confirmed that the finding was indeed a false positive and has since fixed the bug, according to MVP Ota Hirofumi on Twitter:
[DZ361393] Administrators may receive a false positive alert for Google Update on Microsoft Defender for Endpoint monitored devices
Service: Microsoft 365 Defender
Status: Service restored
Last Updated: 2022-04-20T00:30:32.717Z
— Ota Hirofumi 📖 Microsoft Teams 踏み込み活用術 (@hrfmjp) April 20, 2022
While Microsoft Defender for Home has generally scored well in recent antivirus rankings from AV-Comparatives and AV-TEST, the enterprise variant of the product has had many instances where it has flagged genuinely harmless files and services as malicious.
For example, in February of last year the same thing happened when Defender for Endpoint thought Chrome updates were malicious, and very recently it even falsely flagged Microsoft’s own Office updates as malware.
Following that incident, Microsoft published a guide on handling false positives/negatives to reduce these errors, but so far it does not seem to have helped much.
Via BleepingComputer