[German]Have you had more frequent messages from Microsoft Defender blocking legitime URLs the last few days when accessing websites? Or was the access to files blocked because of alleged malware? Microsoft has now confirmed that there was an issue and that the Defender included in Windows was blocking unauthorized access to files and URLs because they were considered malicious.
Reports from my readers
Windows users are not getting any peace of mind regarding Microsoft Defender. Windows' built-in Defender has once again attracted attention because it was classifying various files or URLs as malicious and denying access. I had pointed out this phenomenon in my German blog in the post Windows 11: Defender meldet RAR-Archive als Trojaner "Wacatac.H!ml". German blog reader Peter G. has sent me an email on Sunday about the issue that has been bugging him for several days. In his case, the Defender under Windows 11 alarms with RAR archive files and reports a Trojan "Wacatac.H!ml" as a detection.
Hello Mr. Born
I work parallel with Win 10 and Win 11 computers.
Only on the Win 11 computers, Defender reports since a few days that it has found the Trojan "Wacatac.H!ml".
When I download the same file on the Win 10 computer, there is no alert.
Only files of the type ".RAR" are affected.
Feedback from other users to my blog post revealed that some users were affected in different scenarios. It was soon clear, that it might be a false positive, because Windows 11 complains malicious files, while Defender remains silent on Windows 10.
Microsoft confirms Defender issues
Now Microsoft has confirmed that there was a problem with Defender. There are a number of tweets on Twitter that address the problem. Hours ago, Microsoft wrote that it was investigating an issue where legitimate URL links were being incorrectly flagged as malicious by the Microsoft Defender service. Also, some of the warnings did not display the expected content.
A couple of hours ago, Microsoft confirmed that false-positive warnings were being triggered by Defender – users could still access the legitimate URLs. The status messages in question were filed in the Microsoft 365 Admin Center under the identifier DZ534539. Later, Twitter said:
We determined that recent additions to the SafeLinks feature resulted in the false alerts and we subsequently reverted these additions to fix the issue. More detail can be found in the Microsoft 365 admin center under DZ534539.
So Microsoft found a problem in its SafeLinks feature, which was due to incorrect additions and subsequently alerts from Defender. They have reverted those additions to the SafeLinks feature that led to the false alerts to fix the problem. A user posted the following status updates on reddit.com in this thread. Were any of you affected?
Title: Admins may be receiving an unexpected amount of high severity alert email messages
User impact: Admins may be receiving an unexpected amount of high severity alert email messages.
More info: The high severity alert emails refer to 'A potentially malicious URL click was detected'. Additionally, admins may be unable to view alert details using the 'View alerts' link in the emails.
Current status: We're reviewing service monitoring telemetry to isolate the root cause and develop a remediation plan.
Scope of impact: Impact is specific to any admin served through the affected infrastructure.
Next update by: Wednesday, March 29, 2023, 3:30 PM (1:30 PM UTC)
