Microsoft Defender has a serious false positive: its own Office update is detected as ransomware

Microsoft Defender for Endpoint had a very serious false positive incident today and even detected its own Office application update OfficeSvcMgr.exe as ransomware. Earlier today, system administrators noticed a malicious program false positive when updating Microsoft Defender for Endpoint. Microsoft later admitted that the problem did exist.

join us on telegram

On the Reddit community, Steve Scholz, chief technologist for security and compliance, explained the issue in a thread there. He wrote:


This was a false positive and has now been corrected.

Beginning on the morning of March 16, customers may have experienced a series of false-positive detections attributed to ransomware behavioral detections in their file systems. Microsoft has investigated this spike in detections and determined they were false positives. Microsoft has updated the cloud logic to suppress false-positive results.


  • Customers may have encountered a series of false-positive detections attributable to ransomware behavior detections in the file system.
  • Microsoft has updated the cloud computing logic to prevent future alerts and to clear previous false positives.

In another response on the same thread, Scholz explained that the issue was caused by a code issue that has since been fixed.

Leave a Comment