Image provided to ZDNet by a reader
Microsoft Defender Advanced Threat Protection (ATP), the commercial version of the ubiquitous Defender antivirus and Microsoft’s top enterprise security solution, is currently having a bad day and labeling yesterday’s Google Chrome browser update as a backdoor trojan.
The detections, as can be seen in a screenshot above shared with ZDNet by one of our readers, are for Google Chrome 88.0.4324.146, the latest version of the Chrome browser, which Google released last night.
As per the screenshot above, but also based on reports shared on Twitter by other dismayed system administrators, Defender ATP is currently detecting multiple files part of the Chrome v88.0.4324.146 update package as containing a generic backdoor trojan named “PHP/Funvalget.A.”
The alerts have caused quite a stir in enterprise environments in light of recent multiple software supply chain attacks that have hit companies across the world over the past few months.
System administrators are currently awaiting a formal statement from Microsoft to confirm that the detection is a “false possitive” and not an actual threat.
ATP is triggering on C:Program Files (x86)GoogleChromeApplication88.0.4324.146Localessk.pak
— Dark Defender (@ShadyDefender) February 3, 2021
Hey @msftsecresponse – Seeing lots of Defender ATP alerts this morning on C:Program Files (x86)GoogleChromeApplication88.0.4324.104Localessl.pak detected as PHP/Funvalget.A. Can you confirm this is a false positive? SHA256 in reply.
— W. David Winslow (@wdwinslow) February 3, 2021
Defender detected sl.pak as ‘Backdoor:PHP/Funvalget.A’C:Program FilesGoogleChromeApplication88.0.4324.146Localessl.pakDefender detected chrome.7z as ‘Backdoor:PHP/Funvalget.A’C:Program FilesGoogleChromeApplication88.0.4324.146Installerchrome.7z
— itquartz (@itquartz) February 3, 2021
ZDNet has contacted a Microsoft spokesperson before this article publication, seeking a formal statement on the ATP detections.
Chances are that this is indeed an erroneous detection, but until a formal announcement, administrators are advised to wait before taking other actions.
The free version of the Microsoft Defender antivirus, the one that ships with all recent Windows versions, has not detected the recent Chrome update as malicious, according to multiple ZDNet tests.
Updated at 15:55 ET to add that Microsoft has confirmed that today’s Funvalget detections for Chrome files were false positive detections due to “an automation error.”
