False positive: Suspicious PowEmotet behavior was blocked


Based on social media posts, it seems quite a few of us are experiencing numerous false positive alerts related to 'PowEmotet'. While it's understandable that false positives happen, it's also somewhat amazing this one made it through QA. But this also highlights some things that I find extremely frustrating about Defender for Endpoint. There does not seem to be a reliable way to deal with these at a tenant level, aside from setting status to "false positive" and potentially adding a file hash of a related executable to Indicators and hoping it goes away. Is there anything I'm missing here?

Also, where is Microsoft acknowledging this issue? Where should I go for up-to-the-minute updates on occurrences like this?
