A new functionality shipped by Microsoft to its own Defender security product has been setting klaxons blaring in SOCs and with security professionals after Defender itself detected it and flagged it as malicious.
The “sensor tampering” alerts are being triggered by Microsoft Defender for Endpoint, seemingly mostly on Windows Server 2016, social media posts suggest, after a new binary, OpenHandleCollector.exe, tries to run.
This appears to have started as early as December 23, with a flurry of users also reporting it triggering alerts on December 29 as Microsoft security investigated. (Users were quick to upload the program to VirusTotal, where no other vendors flagged it as malicious and Microsoft staffers today confirmed it was a false positive.)
Defender flagged sensor tampering after OpenHandleCollector.exe unexpectedly (to Defender) opened a handle to SenseIR processes (
C:\program files\Windows Defender Advanced Threat Protection\SenseIR.exe
Closer investigation revealed the process was stemming from Defender’s own legitimate “datacollection” folder.
As users wondered what the hell was going on, Microsoft security professional Tomer Teller jumped in to a Twitter discussion to emphasise no funny business was involved: “This is part of the work we did to detect Log4J instances on disk. The team is analyzing why it triggers the alert (it shouldn’t of course)” he emphasised to users.
The incident happened after Microsoft made a flurry of changes to its security tools including Microsoft Defender for Office 365 designed to help customers from falling victim to Log4j-related vulnerabilities.
“Great of MS to ship a new functionality to 365 defender for endpoint without telling anyone, not even the 365 frontend team, the following binary “OpenHandleCollector.exe” has been throwing red alarms in the SOC all day” the first reported affected customer tweeted on December 23, as fresh notifications followed.
“It looks like Microsoft rolled out a completely undocumented file globally, C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection\OpenHandleCollector.exe, and ran it on Defender for Endpoint looking for log4j processes. But Defender detected it” mused security researcher Kevin Beaumont.
“Fixing!” came back the response from one dev manager at Microsoft security.
Such bloopers aside, Microsoft’s security team have put a lot of work into helping customers avoid falling victim to Log4shell-related attacks. You can dip into a sprawling range of resources, last updated December 27, here.