Earlier today, system administrators on Reddit, among other places, started reporting (1 , 2) that Google Chrome updates were being flagged as "suspicious" by Microsoft Defender for Endpoint. Apparently, Microsoft"s security solution thought that the "goopdate" DLL file was suspicious since it wasn"t signed by Google Updater service (GoogleUpdate.exe).
As you can see in the image below, Twitter user Kevin Gray noticed the following activity on Defender"s end when running the Google Chrome updates:
.jpg){kind=link}
Microsoft appears to have confirmed that finding was indeed a false positive and has since resolved the bug according to MVP Ota Hirufumi on Twitter:
SERVICE ADVISORY:
— Ota Hirofumi 📖 Microsoft Teams 踏み込み活用術 (@hrfmjp) April 20, 2022
[DZ361393] Admins may receive a false positive alert for Google Update on Microsoft Defender for Endpoint monitored devices
Service: Microsoft 365 Defender
Status: ServiceRestored
LastUpdated: 2022-04-20T00:30:32.717Z
While Microsoft Defender for Home has generally performed quite well in the recent anti-virus rankings for AV-Comparatives and AV-TEST, the enterprise variant of the product has had many instances where it has flagged genuinely harmless files and services as malicious.
For example, last year in February, the same thing had happened as Defender for Endpoint thought Chrome updates were malicious; and very recently, it even wrongly flagged its own Office updates as malware.
Following that incident, Microsoft published a guidance for false positives / negatives to reduce such errors but the move doesn"t seem to have helped much yet.
via BleepingComputer