December 5, 2021 — Eric Swotinsky
Incident reports

Windows Defender generates numerous Emotet-related false positives

Acronis Cyber Protect Cloud

Shortly after Trickbot was observed dropping an updated version of the Emotet botnet malware, Windows Defender began incorrectly reporting certain executables and Microsoft Office documents as Emotet payloads.

While Microsoft has not commented on what caused these false positives, it is suspected that the sensitivity of the detection for Emotet-like behavior was misconfigured, erring on the side of caution rather than accuracy. Unfortunately, this nearly shut down some businesses, who thought they were victims of an Emotet attack.

Even without shutting down systems, admins were reporting that numerous documents and applications would not open, causing interruptions to normal business operations. Microsoft has pushed out a fix for cloud-connected users, and are working on a fix for the remaining userbase.

The backup solution in Acronis Cyber Protect allows you to automatically generate an allow list of known safe files and applications, preventing false positives and keeping your business running smoothly.