Microsoft Defender caught flagging legit URLs as malicious

Alfonso Maruccia

In context: Born as a Windows-specific antimalware program, Microsoft Defender is now a brand encompassing many security services for Windows, the cloud, and Office applications. That breadth can be a real nuisance, as the AV tends to misbehave every now and then.

Microsoft Defender is once again turning its "security" protection against legit features. This time, system administrators have been flooded with security warnings regarding legitimate URL links, which were "incorrectly" flagged as malicious by the Defender service.

Users and admins complained that links coming from Zoom or even Google services were being flagged as a potential security threat, which triggered a flow of security alerts to the Microsoft 365 Admin Center portal. The portal itself was working intermittently, the users said.

Microsoft was soon obliged to acknowledge the issue, stating that they were investigating the incident and the fact that some of the alerts were "not showing content as expected." The incident, which is being tracked as DZ534539, was seemingly affecting hundreds of accounts worldwide.

After reviewing diagnostic data such as network telemetry, Microsoft was finally able to identify the root cause for the issue. The company later said that some "recent additions to the SafeLinks feature" resulted in the false alerts experienced by admins around the world. Reverting said additions was enough to fix the issue, Microsoft said.

Safe Links is an additional protection in Microsoft Defender for Office 365, intended for the business customers of that product. It provides "URL scanning and rewriting" for incoming email messages, searching for potential threats on top of the regular anti-spam and anti-malware services included in Exchange Online Protection (EOP).
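For an admin buried under the kind of alert flood described above, the first triage step is to unwrap the rewritten links and see which original hosts were actually flagged. The following is an added example, not code from the article or from Microsoft; it assumes the publicly documented wrapper shape (a `*.safelinks.protection.outlook.com` host with the original link percent-encoded in the `url` query parameter) and a constructed allowlist and sample links.

```python
# Added example: unwrap Safe Links-rewritten URLs and sort alert links by original host.
# Assumed wrapper shape (publicly documented, not taken from this article):
#   https://<region>.safelinks.protection.outlook.com/?url=<encoded>&data=...&sdata=...&reserved=0
from urllib.parse import urlparse, parse_qs, quote

SAFELINKS_SUFFIX = ".safelinks.protection.outlook.com"

def unwrap_safelink(url: str) -> str:
    """Return the original URL behind a Safe Links wrapper, or the input unchanged."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if not host.endswith(SAFELINKS_SUFFIX):
        return url
    target = parse_qs(parsed.query).get("url")  # parse_qs percent-decodes the value
    if not target:
        return url
    # A forwarded message can wrap an already-rewritten link; peel every layer.
    return unwrap_safelink(target[0])

def triage(urls, known_good):
    """Split alert links into (likely_false_positive, needs_review) by original host."""
    likely_fp, needs_review = [], []
    for u in urls:
        original = unwrap_safelink(u)
        host = (urlparse(original).hostname or "").lower()
        if any(host == d or host.endswith("." + d) for d in known_good):
            likely_fp.append(original)
        else:
            needs_review.append(original)
    return likely_fp, needs_review

# Constructed sample alert links (not real telemetry); example.invalid stands in for an unknown host.
SAMPLE_ALERTS = [
    "https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fzoom.us%2Fj%2F123456789&data=05%7C01%7C&sdata=abc&reserved=0",
    "https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.google.com%2Fdocument%2Fd%2Fxyz&data=05%7C01%7C&sdata=def&reserved=0",
    "https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fexample.invalid%2Flogin&data=05&sdata=ghi&reserved=0",
    "https://example.org/plain",
]
# Constructed doubly-wrapped link (a rewritten link rewritten again on forwarding).
SAMPLE_NESTED = ("https://nam02.safelinks.protection.outlook.com/?url="
                 + quote(SAMPLE_ALERTS[0], safe="") + "&reserved=0")
KNOWN_GOOD = {"zoom.us", "google.com"}  # constructed allowlist of hosts the org trusts

if __name__ == "__main__":
    fps, reviews = triage(SAMPLE_ALERTS, KNOWN_GOOD)
    print("likely false positives:", fps)
    print("needs review:", reviews)
    print("nested unwrap:", unwrap_safelink(SAMPLE_NESTED))
```

The allowlist only separates obvious noise from links that still deserve a look; it is a triage aid, not a verdict.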

As confirmed by third-party reviews and comparatives, Microsoft Defender is essentially a cloud-based security solution that lacks basic offline detection capabilities third-party antivirus programs usually provide. But the cloud is often poisoning Defender's ability to properly recognize security threats, as the AV engine is prone to a significant issue with false positives.

Just a couple of months before the URL incidents of these past hours, Defender started to "kill" Start Menu shortcuts, icons, and even executable files from users' PCs. That time, the issue was caused by an ASR rule modified by a recent update for the antivirus.


 
Is Defender perfect? No! Does it get it right, more often than not? Probably. Is the online world better off with it being included in all Windows 10 and 11 systems? Yes!

False positives will happen with every piece of software that tries to identify malicious code. It is an unfortunate fact. We need to not lose sight of the forest, which is cyber-security, for the trees, which is the occasional false positive. Let us not forget that 3rd party solutions also experience false positives and also provide an additional attack vector through zero day exploits in the anti-virus/anti-malware software.

The article makes some claims, without backing them up with sources, such as "But the cloud is often poisoning Defender's ability to properly recognize security threats, as the AV engine is prone to a significant issue with false positives." Such a bold claim needs to have some sources attached. How is it being poisoned? Is defender significantly worse at false positives than others? According to av-test.org, Defender is as good as the leading brands for false positives.
 
The article makes some claims, without backing them up with sources, such as "But the cloud is often poisoning Defender's ability to properly recognize security threats, as the AV engine is prone to a significant issue with false positives." Such a bold claim needs to have some sources attached. How is it being poisoned? Is defender significantly worse at false positives than others? According to av-test.org, Defender is as good as the leading brands for false positives.

It's not a claim, it's a well-known fact that doesn't need extensive source backing at this point :)

I've read (and written) reviews and experimented with antivirus software and malware samples since the DOS days, so I've got a bit of experience with that.

Defender is often the worst offender when it comes to false positives and mediocre offline scanning capabilities. And my personal and professional opinion is that a really useful antivirus program must have both (low fp, high offline scanning %). Not "should". It must. Defender does not.
 
This really should not be that hard to fix and would be way more useful than anything else they put out .....
 
Microsoft should just give us an option during a clean install to not install Defender. Nobody asked for it. If you've ever done a clean install and disabled Defender with group policy, service editing through the registry along with other registry tweaks and removing tasks in the task scheduler you'd understand how much that pile of crap slows down a computer, especially when installing things. It's quite laughable honestly. If they did that they'd know most users would either install Bitdefender Free, Kaspersky or Malwarebytes unless they pay for something or use nothing at all and that would hurt their ego too much.
 
It's not a claim, it's a well-known fact that doesn't need extensive source backing at this point :)

I've read (and written) reviews and experimented with antivirus software and malware samples since the DOS days, so I've got a bit of experience with that.

Defender is often the worst offender when it comes to false positives and mediocre offline scanning capabilities. And my personal and professional opinion is that a really useful antivirus program must have both (low fp, high offline scanning %). Not "should". It must. Defender does not.


When someone asks why the article didn't include what they thought was important, you reply with, "I know what I'm talking about. I'm a professional. It's a known fact that doesn't need extensive source backing."

You spoke of your own experience and testing. Why not include the work you've done in your reply to him?
lol
 
Is Defender perfect? No! Does it get it right, more often than not? Probably. Is the online world better off with it being included in all Windows 10 and 11 systems? Yes!

False positives will happen with every piece of software that tries to identify malicious code. It is an unfortunate fact. We need to not lose sight of the forest, which is cyber-security, for the trees, which is the occasional false positive. Let us not forget that 3rd party solutions also experience false positives and also provide an additional attack vector through zero day exploits in the anti-virus/anti-malware software.

The article makes some claims, without backing them up with sources, such as "But the cloud is often poisoning Defender's ability to properly recognize security threats, as the AV engine is prone to a significant issue with false positives." Such a bold claim needs to have some sources attached. How is it being poisoned? Is defender significantly worse at false positives than others? According to av-test.org, Defender is as good as the leading brands for false positives.

AV comparatives does a Malware protection test every March & September and publishes the result in April & October respectively. Link for their Sep 22 test - https://www.av-comparatives.org/tests/malware-protection-test-september-2022/

According to them, compared to other products, Defender is slightly worse at false positives and much worse at offline scanning (no AI or cloud-based technology). But it catches up to other products when cloud technology is enabled.

Otherwise agree with you that claims should be backed up with some data, especially regarding poisoning of cloud results...
 
I really don't know why people aren't suing M$ anymore! It was pretty close to M$ getting broken in half before just because of the Internet Explorer monopoly, and today Windows is holding you hostage. You can't uninstall Edge, you can't turn off Defender, you can't disable updates...
 
And for all of those people who say not to use Windows Defender, what would you choose? Norton? Avast? Please don't make me laugh.

I would use Windows Defender any day of the week over those overbloated pieces of crap.
 
There are good free options like Comodo and AVG, and you can just run a Malwarebytes scan if something looks suspicious. Windows Defender is more a reddit thing, they are clueless, think they're experts, and are quick to hivemind while raging on about whatever.

On Linux you're usually fine with just the built in firewall, and it's a lot more secure than Windows. You can grab AVG or another anti virus on there but you'll mostly just need that to scan Windows stuff anyway, which if you sandbox those I'm not sure if they can do much of anything. You can get other firewalls but really just a better GUI and easier rulemaking is all you'd want or need most times.
 
I leave defender turned off from a previous experience where a third party app was periodically getting deleted without any warning. I’ll run malwarebytes on occasion but in general I don’t have an antivirus running and certainly not one running and checking for problems in real-time.

Having been the guy who cleaned up infected PCs, I lean towards the research that shows malware infections are not highly correlated with running an antivirus (of any flavor) nor with os versions or patch levels but instead with the browsing habits of individuals. Going back to the same group of PCs to clean out malware was normal, and as people came and went, so did the incidents of malware.
 
This article is hardly new information. Windows Defender FREQUENTLY flags and deletes things that are completely legit.
 