Microsoft Defender for Endpoint is now reporting “sensor tampering” alerts in connection with the company’s recently introduced Microsoft 365 Defender scanner for Log4j processes. According to reports, the notifications are mostly displayed on Windows Server 2016 servers. The alert flags suspected sensor tampering in memory, and Microsoft Defender for Endpoint attributes the activity to the OpenHandleCollector.exe process.
According to customer reports, administrators have been dealing with this problem since at least December 23. Although the behaviour of this Defender process is being classified as malicious, Tomer Teller, Principal Group PM Manager at Microsoft, Enterprise Security Posture, says the alerts are false positives:
“The team is analyzing why it triggers the alert (it shouldn’t of course),” said Teller.
Microsoft is currently investigating the Microsoft 365 Defender problem and developing a fix that should reach affected devices soon. “This is part of the work we did to detect Log4J instances on disk. The team is analyzing why it triggers the alert (it shouldn’t of course),” Teller explained.
The new Log4j scanner was rolled out alongside a new Log4j dashboard for threat and vulnerability management, integrated into the Microsoft 365 Defender portal, as Microsoft announced on Tuesday. The dashboard is intended to help customers identify and remediate data, software, and devices that have been compromised by attacks exploiting Log4j flaws.
Defender for Endpoint has produced other false positives for Windows administrators since October 2020, including one that identified Office documents as Emotet malware payloads, one that reported network endpoints as compromised with Cobalt Strike, and another that classified Chrome updates as PHP backdoors.