Microsoft 365 Defender Log4j Scanner Has False Positive Alerts

Colin Thierry
Colin Thierry Writer
Colin Thierry Colin Thierry Writer

Microsoft Defender for Endpoint has shown “sensor tampering alerts” linked to the company’s new Microsoft 365 scanner for Log4j processes.

The alerts are reportedly shown mainly on Windows Server 2016 systems and warn of “possible sensor tampering in memory was detected by Microsoft Defender for Endpoint” created by an OpenHandleCollector.exe process.

According to customer reports, Microsoft admins have been dealing with this specific issue since at least Dec. 23.

Tomer Teller, Principal Group PM Manager at Microsoft, Enterprise Security Posture, identified the reports as false positives and clarified that they’re not actually malicious.

Microsoft said that it’s looking into this Microsoft 365 Defender issue and is working hard on a solution that should soon be delivered to all impacted systems.

“This is part of the work we did to detect Log4J instances on disk. The team is analyzing why it triggers the alert (it shouldn’t of course),” Teller said.

On Dec. 28, Microsoft shared a tweet that covered its new Log4j scanner that was unveiled with a new consolidated Microsoft 365 Defender portal for threat and vulnerability management.

This new dashboard is designed to assist customers in identifying and remediating files, software, and devices exposed to attacks exploiting Log4j vulnerabilities.

Since October 2020, Windows has experienced a variety of other alert issues with Defender for Endpoint. This includes an alert that marked Office documents as Emotet malware payloads, one that falsely showed network devices infected with Cobalt Strike, and another that tagged Chrome updates as PHP backdoors.

Earlier this month, the Apache Software Foundation (ASF) rolled out a new patch, version 2.17.0, to combat a new Log4j vulnerability. According to the ASF, this vulnerability in the widely used logging library could potentially be exploited by hackers in order to set up a denial-of-service (DOS) attack.

About the Author

About the Author

Colin Thierry is a former cybersecurity researcher and journalist for SafetyDetectives who has written a wide variety of content for the web over the past 2 years. In his free time, he enjoys spending time outdoors, traveling, watching sports, and playing video games.