Microsoft fixes a bug blocking Defender for Endpoint on Windows Server
Microsoft has fixed a known issue that plagued Windows Server customers for weeks, preventing the launch of the Defender for Endpoint enterprise security platform on some systems.
When it acknowledged the bug in November, Microsoft explained that the endpoint security solution (formerly known as Microsoft Defender Advanced Threat Protection or Defender ATP) failed to start or run on devices running Windows Server Core installations.
The issue only affects devices on which customers have installed the Windows Server 2019 and Windows Server 2022 security updates released during last month's (November 2021) Patch Tuesday.
Microsoft fixed the bug with the release of KB5008223 this week as part of the December 2021 Patch Tuesday.
As revealed by Redmond, KB5008223 “addresses a known issue that could prevent Microsoft Defender for Endpoint from starting or running on devices with a Windows Server Core installation.”
You can install this cumulative update through Windows Update and Microsoft Update, Windows Update for Business, Windows Server Update Services (WSUS), and the Microsoft Update Catalog.
Reports of Defender crashes and false positives
After Microsoft confirmed this Defender for Endpoint issue, BleepingComputer also spotted reports of Microsoft Defender Antivirus crashes with Event ID 3002 (MALWAREPROTECTION_RTP_FEATURE_FAILURE) notifications and "Real-time protection encountered an error and failed" errors.
They happened after installing security intelligence updates between versions 1.353.1477.0 and 1.353.1486.0 and were corrected by Microsoft with the release of security intelligence version 1.353.1502.0.
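The two problems above (Defender for Endpoint not starting on Server Core until KB5008223 is installed, and real-time protection failing with Event ID 3002 on the affected security intelligence range) can be triaged from one elevated PowerShell session. The script below is an added example written for this page, not code from Microsoft or BleepingComputer. The KB number and signature versions come from the article; the service name `Sense` for the Defender for Endpoint sensor and the `InstallationType` registry value used to recognize Server Core are assumptions of the example.

```powershell
# Added example (not from the article): triage checks for the two issues
# described above, run in an elevated PowerShell session on the server.
# Assumptions not stated in the article: the Defender for Endpoint service
# is named "Sense", and Server Core is identified by the InstallationType
# registry value. The KB number and signature versions are from the text.

$fixKb      = 'KB5008223'
$badSigLow  = [version]'1.353.1477.0'
$badSigHigh = [version]'1.353.1486.0'
$fixedSig   = [version]'1.353.1502.0'

# 1. Is this a Server Core installation (the only SKU the MDE bug affects)?
$installType = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').InstallationType
$isCore = ($installType -eq 'Server Core')

# 2. Is the December cumulative update that carries the fix installed?
$fixInstalled = [bool](Get-HotFix -Id $fixKb -ErrorAction SilentlyContinue)

# 3. Is the Defender for Endpoint sensor service actually running?
$sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
$senseRunning = ($null -ne $sense -and $sense.Status -eq 'Running')

# 4. Which security intelligence version is loaded, and is it in the crashing range?
$status = Get-MpComputerStatus
$sigVer = [version]$status.AntivirusSignatureVersion
$sigInBadRange = ($sigVer -ge $badSigLow -and $sigVer -le $badSigHigh)

# 5. Any real-time protection failures (Event ID 3002) in the last 14 days?
$rtpFailures = @(Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 3002
        StartTime = (Get-Date).AddDays(-14)
    } -ErrorAction SilentlyContinue)

# Summary object, easy to collect across a fleet with Invoke-Command
[pscustomobject]@{
    ComputerName        = $env:COMPUTERNAME
    ServerCore          = $isCore
    FixKbInstalled      = $fixInstalled
    SenseRunning        = $senseRunning
    SignatureVersion    = $sigVer
    SignatureInBadRange = $sigInBadRange
    Rtp3002Events       = $rtpFailures.Count
}

if ($isCore -and -not $fixInstalled -and -not $senseRunning) {
    Write-Warning "Server Core without $fixKb and the Sense service is not running: install the December 2021 cumulative update."
}
if ($sigInBadRange -or ($rtpFailures.Count -gt 0 -and $sigVer -lt $fixedSig)) {
    Write-Warning "Security intelligence $sigVer is in or below the range tied to Event 3002 failures; pulling $fixedSig or later."
    Update-MpSignature
}
```

Wrap the body in `Invoke-Command -ComputerName` to run it across a server estate; the summary object is what you would feed into a report. Note that `Update-MpSignature` only helps once Microsoft has published a version past the affected range, which is why the check compares against 1.353.1502.0 rather than just looking for the bad range.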
Later last month, Microsoft Defender for Endpoint also scared Windows admins with Emotet false positives, as it started blocking Office documents from opening and certain executables from launching, falsely flagging them as carrying Emotet malware payloads.
While Microsoft has not disclosed what triggered these false positives, the most likely explanation is that the company increased the sensitivity of its detections for Emotet-like behaviors, making its generic behavioral detection engine overly aggressive.
The change was likely sparked by the recent rebirth of the Emotet botnet two weeks ago, when Emotet research group Cryptolaemus, GData, and Advanced Intel began seeing TrickBot deploying Emotet loaders to infected devices.
Since October 2020, Windows admins have dealt with similar false-positive issues affecting Defender for Endpoint, including one that flagged network devices as infected with Cobalt Strike and another that flagged Chrome updates as PHP backdoors.