October 6, 2022

Microsoft recently addressed an issue that was prompting its security software to mistakenly flag Chromium- and Electron-based apps as malware and suggest their removal.

Over the weekend, several Microsoft Windows users complained that trying to open regular apps such as Spotify or Chrome would trigger a “Behavior:Win32/Hive.ZY” alert on their devices.

The inconvenient false-positive bug was likely caused by a recent Security Intelligence Update for Microsoft’s antivirus solution (KB2267602, version 1.373.1508.0). It wasn’t restricted to a handful of Chromium-based apps, either.

The issue affected all Chromium-based web browsers and Electron-based apps, including Microsoft’s Edge web browser, Spotify, Discord, WhatsApp, Twitch, Slack and Visual Studio Code, as an independent advisor pointed out on Microsoft’s forum.

After catching wind of the bug, Microsoft quickly rolled out another security intelligence update (version 1.373.1537.0). Reportedly, installing the patch prevents false-flagging of the affected apps as malware.

Users who encounter the bug should apply the latest updates to their systems and software to fix the issue. Some forum commenters suggested allowing the falsely flagged “threats” on their computers to get rid of the pesky notification. While that might’ve been harmless in this case, allowing a detection on the mere suspicion that it is a false positive could place you in serious jeopardy.
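The safer route described above is to confirm that the installed signatures are at or past the fixed build and then review, rather than allow, any detections. The following PowerShell is an added example (not from the article or from Microsoft); it assumes a Windows 10/11 host with the built-in Defender PowerShell module and an elevated session.

```powershell
# Added example: check the Defender security intelligence version against the
# build the article reports as the fix, update if older, and list any
# Behavior:Win32/Hive.ZY detections for manual review.
$FixedVersion = [version]'1.373.1537.0'   # version the article says resolved the false positive
$BadVersion   = [version]'1.373.1508.0'   # version the article links to the false positive

$status  = Get-MpComputerStatus
$current = [version]$status.AntivirusSignatureVersion
Write-Host "Installed security intelligence version: $current"

if ($current -eq $BadVersion) {
    Write-Warning "This is the build associated with the Hive.ZY false positive."
}

if ($current -lt $FixedVersion) {
    Write-Warning "Signatures predate the fix ($FixedVersion); updating now."
    Update-MpSignature
    $current = [version](Get-MpComputerStatus).AntivirusSignatureVersion
    Write-Host "Version after update: $current"
}

# Resolve the threat IDs that carry the Hive.ZY name, then show when and on
# which files they fired so each hit can be reviewed instead of blanket-allowed.
$hiveIds = Get-MpThreat |
    Where-Object { $_.ThreatName -like 'Behavior:Win32/Hive.ZY*' } |
    Select-Object -ExpandProperty ThreatID

if ($hiveIds) {
    Get-MpThreatDetection |
        Where-Object { $hiveIds -contains $_.ThreatID } |
        Select-Object InitialDetectionTime, ThreatID, Resources |
        Format-Table -AutoSize
} else {
    Write-Host "No Behavior:Win32/Hive.ZY detections recorded on this host."
}
```

Re-run the script after the update; detections that persist on a current signature build deserve a closer look rather than an exclusion.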

Hive is a strain of ransomware first noticed in June 2021, notorious for its “double-extortion” technique. The ransomware-as-a-service (RaaS) exfiltrates data from compromised devices and threatens to leak it on its official website on the Dark Web unless the victims pay a ransom.

A few months ago, Hive members migrated their RaaS payload completely from GoLang to Rust to imbue it with even more vicious capabilities. The migration occurred shortly after the Korea Internet & Security Agency (KISA) released a free decryptor utility for Hive ransomware victims.
