Microsoft gets serious about fixing false positives after Defender flags Office as a virus

Recently, Microsoft made a major blunder when the company’s endpoint security solution, Defender, flagged its own Office updates as malware. The product incorrectly identified the “OfficeSvcMgr.exe” executable as having ransomware behavior. Microsoft may have noticed the problem after receiving numerous notifications from system administrators.


The company’s chief technologist for security and compliance, Steve Scholz, later clarified that it was a false positive and that the issue was fixed within a day. However, Microsoft didn’t stop at fixing this one false positive; it looks like the company is actively working to stamp out such issues, at least in its endpoint defense products, since false alarms of this kind often cause widespread damage and, in the worst case, leave the affected computer unbootable.

Microsoft has published a guide for operators and security administrators using Microsoft Endpoint Guard, with steps that can help eliminate a large number of these false positives. The diagram below shows the gist of these steps, and you can also find their details in the original article here:

https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/defender-endpoint-false-positives-negatives
