Recently Microsoft had a major goof-up as the company's Defender for Endpoint security solution flagged its own Office updates as malware. The product misidentified "OfficeSvcMgr.exe" as something that has ransomware behavior. After system admins made a hue and cry about it Microsoft probably noticed the issue and later Steve Scholz, the company's Principal Technical Specialist for Security & Compliance, clarified that the report was a false positive. The issue was also fixed within the day.
However, Microsoft isn't just basking in glory after fixing that false positive error. The company looks to be actively working on putting an end to such issues, at least in the case of its Defender for Endpoint product, since these alerts generally cause wide-scale disruptions.
It has published guidance for security operators and security administrators who are using Microsoft Defender for Endpoint. Basically, these are the steps one can follow to help eliminate a lot of such false positives. The following diagram shows the gist of the steps, but you can view them in detail in the original article here.
Overall, it looks like a good initiative from the Redmond firm, as this guidance can not only potentially help clear up a lot of false positives but will also help the company better distinguish threats from non-threats.