
Microsoft investigating Defender issue with Log4j scanner




Microsoft is investigating reports that the Apache Log4j vulnerability scanner in Defender for Endpoint is triggering erroneous alerts.

Update: The company told VentureBeat on Wednesday afternoon it has resolved the issue (see below).

Microsoft released the scanner with the aim of assisting with the identification and remediation of the flaws in Log4j, a popular logging software component. Microsoft disclosed an expansion of the Log4j scanning capabilities in Defender on Monday evening.

False positives

Today, reports emerged on Twitter about false positive alerts from the scanner, which reportedly tell admins that “Possible sensor tampering in memory was detected by Microsoft Defender for Endpoint.” Twitter users reported seeing the issue as far back as December 23.


The reports prompted a response on Twitter from Tomer Teller, an executive in Microsoft’s security business. “Thank you for reporting this. The team is looking into that,” Teller said in a tweet.

“The team is analyzing why it triggers the alert (it shouldn’t, of course),” he wrote in a second tweet.

In response to a question from VentureBeat about the reports, a Microsoft spokesperson said in a statement Wednesday afternoon that “we have resolved an issue for some customers who may have experienced a series of false-positive detections.”

On Monday, Microsoft announced it has rolled out new capabilities in its Defender for Containers and Microsoft 365 Defender offerings for addressing Log4j vulnerabilities.

The Defender for Containers solution is now enabled to discover container images that are vulnerable to the flaws in Log4j. Container images are scanned automatically for vulnerabilities when they are pushed to an Azure container registry, when pulled from an Azure container registry, and when running on a Kubernetes cluster, Microsoft’s threat intelligence team wrote in an update to its blog post about the Log4j vulnerability.

Defender updates

Meanwhile, for Microsoft 365 Defender, the company said it has introduced a consolidated dashboard for managing threats and vulnerabilities related to the Log4j flaws. The dashboard will “help customers identify and remediate files, software, and devices exposed to the Log4j vulnerabilities,” Microsoft’s threat intelligence team tweeted.

These capabilities are supported on Windows and Windows Server, as well as on Linux, Microsoft said. However, for Linux, the capabilities require an update to version 101.52.57 or later of the Microsoft Defender for Endpoint Linux client.

This “dedicated Log4j dashboard” provides a “consolidated view of various findings across vulnerable devices, vulnerable software, and vulnerable files,” the threat intelligence team wrote in the blog post.

Additionally, Microsoft said it has launched a new schema in advanced hunting for Microsoft 365 Defender, “which surfaces file-level findings from the disk and provides the ability to correlate them with additional context in advanced hunting.”

Microsoft said it’s working to add support for the capabilities in Microsoft 365 Defender for Apple’s macOS, and said the capabilities for macOS devices “will roll out soon.”

Widespread vulnerabilities

Many enterprise applications and cloud services written in Java are potentially vulnerable to the flaws in Log4j prior to version 2.17.0. The open source logging library is believed to be used in some form — either directly or indirectly by leveraging a Java framework — by the majority of large organizations.

The latest patch for Log4j, version 2.17.1, was released Tuesday and addresses a newly discovered vulnerability (CVE-2021-44832). It is the fourth patch for flaws in the Log4j software since the initial discovery of a remote code execution (RCE) vulnerability on December 9.

However, a number of security professionals say that the latest vulnerability does not pose an increased security risk for the majority of organizations. As a result, for many organizations that have already patched to version 2.17.0 of Log4j, released December 17, it should not be necessary to immediately patch to version 2.17.1.
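As an added illustration of the version thresholds the article cites (not Microsoft's scanner and not part of the original article), the following Python script walks a directory tree, reads the version out of `log4j-core-*.jar` filenames, and sorts each jar into one of three states: below 2.17.0 (needs upgrading), exactly 2.17.0 (fixed, with 2.17.1 optional for most organizations per the article), or 2.17.1 and later. The function names, the regular expression, and the sample tree built by `build_sample_tree()` are constructed for this example.

```python
"""Flag Log4j 2 core jars below the fixed version named in the article.

Added example, not Microsoft's scanner. The 2.17.0 / 2.17.1 thresholds
come from the article; the sample tree and all function names are
constructed for this demo.
"""
import os
import re
import tempfile
from pathlib import Path
from typing import Dict, Optional, Tuple

Version = Tuple[int, ...]

FIXED_VERSION: Version = (2, 17, 0)   # article: releases before 2.17.0 are vulnerable
LATEST_PATCH: Version = (2, 17, 1)    # article: 2.17.1 addresses CVE-2021-44832

# Matches e.g. log4j-core-2.14.1.jar; the optional suffix tolerates qualifiers
# such as -SNAPSHOT or -rc1 without affecting the numeric comparison.
JAR_NAME = re.compile(
    r"^log4j-core-(\d+)\.(\d+)\.(\d+)(?:-[A-Za-z0-9.]+)?\.jar$", re.IGNORECASE
)


def parse_log4j_version(filename: str) -> Optional[Version]:
    """Return (major, minor, patch) for a log4j-core jar name, else None."""
    match = JAR_NAME.match(Path(filename).name)
    if not match:
        return None
    return tuple(int(part) for part in match.groups())


def classify(version: Version) -> str:
    """Map a version tuple to the three states the article describes."""
    if version < FIXED_VERSION:
        return "vulnerable"   # below 2.17.0: upgrade required
    if version < LATEST_PATCH:
        return "patched"      # 2.17.0: fixed; 2.17.1 optional per the article
    return "current"          # 2.17.1 or later


def scan_tree(root: str) -> Dict[str, str]:
    """Walk root and classify every log4j-core jar found; keys are paths."""
    findings: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            version = parse_log4j_version(name)
            if version is None:
                continue  # not a log4j-core jar (api jars, unrelated jars)
            findings[os.path.join(dirpath, name)] = classify(version)
    return findings


def summarize(findings: Dict[str, str]) -> Dict[str, int]:
    """Count findings per state so a report can lead with what needs action."""
    counts = {"vulnerable": 0, "patched": 0, "current": 0}
    for state in findings.values():
        counts[state] += 1
    return counts


def build_sample_tree() -> str:
    """Create a constructed sample tree of empty jar files for the demo."""
    root = tempfile.mkdtemp(prefix="log4j-demo-")
    for rel in (
        "app1/lib/log4j-core-2.14.1.jar",   # constructed: vulnerable
        "app2/lib/log4j-core-2.17.0.jar",   # constructed: patched
        "app3/lib/log4j-core-2.17.1.jar",   # constructed: current
        "app3/lib/log4j-api-2.17.1.jar",    # constructed: API jar, ignored
        "app4/lib/other-2.1.0.jar",         # constructed: unrelated jar, ignored
    ):
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.touch()
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    results = scan_tree(demo_root)
    for jar_path, state in sorted(results.items()):
        print(f"{state:10s} {os.path.relpath(jar_path, demo_root)}")
    print(summarize(results))
```

Filename matching is only a first pass: a renamed, shaded, or fat jar that bundles Log4j classes will not be caught this way, which is why product scanners such as the one the article describes also look at file contents and software inventory rather than names alone.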

Article updated to include a response from Microsoft about the resolution of the false positives issue, along with new details about the version 2.17.1 patch for Log4j.
