Block vulnerable applications beta and EUS:Win32/TvmWarn reported in Chrome

Hello,

 

Passing this along for anyone whom it may assist.

 

Due to all the recent Google Chrome vulnerabilities, I signed up for a trial of M365 Defender Vulnerability Management with the option to block vulnerable apps. I decided to block Chrome until users updated their instance. I pushed the latest one via MEM/Intune.

 

Then, later I see all my users have malware - EUS:Win32/TvmWarn reported in Chrome. I uploaded the file to VirusTotal and nothing was detected. I submitted to https://www.microsoft.com/en-us/wdsi/filesubmission/ and the team reported back that no problem was detected.

 

Tonight I scanned my computer again and it was listed as vulnerable. I then removed the "block vulnerable applications" feature from security.microsoft.com, scanned again and my system was clean. The version of Google Chrome and the version of the Defender updates did not change between the two scans.

 

2022-09-09T23:55:41.314Z DETECTION EUS:Win32/TvmWarn startup:C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2022-09-10T02:08:30.888Z Version: Product 4.18.2207.7 Service 4.18.2207.7 Engine 1.1.19600.3 AS 1.375.118.0 AV 1.375.118.0
2022-09-10T02:09:18.154Z DETECTION EUS:Win32/TvmWarn file:C:\Program Files\Google\Chrome\Application\chrome.exe
2022-09-10T02:09:18.154Z DETECTION EUS:Win32/TvmWarn file:C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2022-09-10T02:09:18.154Z DETECTION EUS:Win32/TvmWarn file:C:\Users\Public\Desktop\Google Chrome.lnk
2022-09-10T02:09:18.154Z DETECTION EUS:Win32/TvmWarn file:C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Inte

1 Reply
I saw this too so contacted the product team. This was their reply:

This behavior is by design. Processing of Application Block is handled by Windows Defender, and app block enforcements will be reported as TvmBlock or TvmWarn threats which are detected and subsequently remediated (blocked). This helps add visibility into the correct detection and blocking of the software under Block/Warn on the endpoint devices.
You will notice that the detections are not reported as active malware, but rather as a detection-remediation pair.
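
Added example, not part of the original thread or Microsoft's tooling: a small triage script that reads detection lines in the format quoted in the first post and separates TvmWarn/TvmBlock entries (application block enforcement, per the reply above) from any other detection that still needs investigation. The sample log is constructed from the lines in the post plus one made-up non-TVM entry; the function names and the suffix match on the threat name are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the line format quoted in the post above; the last
# entry uses a made-up threat name and path to show a non-TVM detection.
SAMPLE_LOG = r"""
2022-09-09T23:55:41.314Z DETECTION EUS:Win32/TvmWarn startup:C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2022-09-10T02:08:30.888Z Version: Product 4.18.2207.7 Service 4.18.2207.7 Engine 1.1.19600.3 AS 1.375.118.0 AV 1.375.118.0
2022-09-10T02:09:18.154Z DETECTION EUS:Win32/TvmWarn file:C:\Program Files\Google\Chrome\Application\chrome.exe
2022-09-10T02:09:18.154Z DETECTION EUS:Win32/TvmWarn file:C:\Users\Public\Desktop\Google Chrome.lnk
2022-09-10T02:10:02.000Z DETECTION Example:Win32/Constructed file:C:\Users\Public\sample.bin
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+DETECTION\s+(?P<threat>\S+)\s+(?P<kind>[A-Za-z]+):(?P<path>.+)$"
)
# Threat-name suffixes the product team's reply attributes to app block enforcement.
TVM_SUFFIXES = ("TvmWarn", "TvmBlock")

def parse_detections(text):
    """Yield (timestamp, threat, resource_kind, path) for each DETECTION line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["ts"], m["threat"], m["kind"], m["path"].rstrip()

def triage(text):
    """Split detections into app-block enforcement events and everything else."""
    enforcement = defaultdict(set)   # threat name -> affected paths (deduplicated)
    other = []                       # (timestamp, threat, path) needing review
    for ts, threat, kind, path in parse_detections(text):
        name = threat.rsplit("/", 1)[-1]
        if name in TVM_SUFFIXES:
            enforcement[threat].add(path)
        else:
            other.append((ts, threat, path))
    return dict(enforcement), other

if __name__ == "__main__":
    enforcement, other = triage(SAMPLE_LOG)
    for threat, paths in enforcement.items():
        print(f"policy enforcement {threat}: {len(paths)} path(s)")
        for p in sorted(paths):
            print("   ", p)
    for ts, threat, path in other:
        print(f"investigate {ts} {threat} {path}")
```

Entries in the first group should line up with an application listed under Block/Warn in the Defender Vulnerability Management portal; a TvmWarn/TvmBlock hit on an application nobody placed under that policy is worth a closer look.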