

Microsoft is investigating reports that the Apache Log4j vulnerability scanner in Defender for Endpoint is triggering erroneous alerts.

Update: The company told VentureBeat on Wednesday afternoon it has resolved the issue (see below).

Microsoft released the scanner with the aim of assisting with the identification and remediation of the flaws in Log4j, a popular logging software component. Microsoft disclosed an expansion of the Log4j scanning capabilities in Defender on Monday evening.

False positives

Today, reports emerged on Twitter about false positive alerts from the scanner, which reportedly tell admins that “Possible sensor tampering in memory was detected by Microsoft Defender for Endpoint.” Twitter users reported seeing the issue as far back as December 23.


The reports prompted a response on Twitter from Tomer Teller, an executive in Microsoft’s security business. “Thank you for reporting this. The team is looking into that,” Teller said in a tweet.

“The team is analyzing why it triggers the alert (it shouldn’t, of course),” he wrote in a second tweet.

In response to a question from VentureBeat about the reports, a Microsoft spokesperson said in a statement Wednesday afternoon that “we have resolved an issue for some customers who may have experienced a series of false-positive detections.”

On Monday, Microsoft announced it has rolled out new capabilities in its Defender for Containers and Microsoft 365 Defender offerings for addressing Log4j vulnerabilities.

The Defender for Containers solution is now enabled to discover container images that are vulnerable to the flaws in Log4j. Container images are scanned automatically for vulnerabilities when they are pushed to an Azure container registry, when pulled from an Azure container registry, and when running on a Kubernetes cluster, Microsoft’s threat intelligence team wrote in an update to its blog post about the Log4j vulnerability.

Defender updates

Meanwhile, for Microsoft 365 Defender, the company said it has introduced a consolidated dashboard for managing threats and vulnerabilities related to the Log4j flaws. The dashboard will “help customers identify and remediate files, software, and devices exposed to the Log4j vulnerabilities,” Microsoft’s threat intelligence team tweeted.

These capabilities are supported on Windows and Windows Server, as well as on Linux, Microsoft said. However, for Linux, the capabilities require an update to version 101.52.57 or later of the Microsoft Defender for Endpoint Linux client.

This “dedicated Log4j dashboard” provides a “consolidated view of various findings across vulnerable devices, vulnerable software, and vulnerable files,” the threat intelligence team wrote in the blog post.

Additionally, Microsoft said it has launched a new schema in advanced hunting for Microsoft 365 Defender, “which surfaces file-level findings from the disk and provides the ability to correlate them with additional context in advanced hunting.”

Microsoft said it’s working to add support for the capabilities in Microsoft 365 Defender for Apple’s macOS, and said the capabilities for macOS devices “will roll out soon.”

Widespread vulnerabilities

Many enterprise applications and cloud services written in Java are potentially vulnerable to the flaws in Log4j prior to version 2.17.0. The open source logging library is believed to be used in some form — either directly or indirectly by leveraging a Java framework — by the majority of large organizations.

The latest patch for Log4j, version 2.17.1, was released Tuesday and addresses a newly discovered vulnerability (CVE-2021-44832). It is the fourth patch for flaws in the Log4j software since the initial public disclosure of a remote code execution (RCE) vulnerability on December 9.

However, a number of security professionals say that the latest vulnerability does not pose an increased security risk for the majority of organizations: exploiting CVE-2021-44832 requires an attacker who can already modify the Log4j configuration file. As a result, for many organizations that have already patched to version 2.17.0 of Log4j, released December 17, it should not be necessary to immediately patch to version 2.17.1.
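The file-level check described above (which Log4j version is on disk, and whether it meets the 2.17.0 and 2.17.1 thresholds) can be reproduced with a small scanner. The following is an added example written for this page, not Microsoft's scanner or any code from the Defender product. It relies on two facts about log4j-core 2.x JARs: Maven embeds `META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties` with a `version=` line, and the stop-gap mitigation for the original RCE was deleting `org/apache/logging/log4j/core/lookup/JndiLookup.class`. The sample JARs and WAR it builds are constructed in a temporary directory purely for demonstration; the nested-archive recursion and the verdict strings are the example's own design.

```python
"""Walk a directory tree, find log4j-core JARs (including JARs nested inside
WAR/EAR/fat JARs), read their version, and classify them against the
2.17.0 / 2.17.1 thresholds.  Added example; not Microsoft's Log4j scanner."""
import io
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass

# Maven metadata that the log4j-core build embeds in every 2.x JAR.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Class whose removal was the stop-gap mitigation for CVE-2021-44228 on 2.x.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")

FIXED_RCE_CHAIN = (2, 17, 0)   # CVE-2021-44228 / -45046 / -45105 all fixed here
LATEST = (2, 17, 1)            # CVE-2021-44832 (needs write access to the config)


@dataclass
class Finding:
    path: str      # outer file path, plus "!entry" for each nesting level
    version: str
    verdict: str


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.17' -> (2, 17, 0); qualifiers are ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unparseable version {text!r}")
    return tuple(int(x or 0) for x in m.groups())


def classify(version, jndi_present):
    """Verdict strings are this example's own convention."""
    v = parse_version(version)
    if v >= LATEST:
        return "ok"
    if v >= FIXED_RCE_CHAIN:
        return "low: 2.17.0, schedule upgrade to 2.17.1 (CVE-2021-44832)"
    if not jndi_present:
        return "mitigated: JndiLookup.class removed, still below 2.17.0, upgrade"
    return "VULNERABLE: below 2.17.0 with JndiLookup.class present"


def _log4j_version(zf):
    """Return the log4j-core version string from pom.properties, or None."""
    try:
        props = zf.read(POM_PROPERTIES).decode("utf-8", "replace")
    except KeyError:
        return None
    for line in props.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "version":
            return value.strip()
    return None


def inspect_archive(data, label):
    """Inspect one archive held in memory; recurse into nested archives."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings          # not a zip: a renamed file, or corrupt
    with zf:
        names = set(zf.namelist())
        version = _log4j_version(zf)
        if version is not None:
            findings.append(Finding(label, version, classify(version, JNDI_LOOKUP in names)))
        for name in sorted(names):
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                findings.extend(inspect_archive(zf.read(name), f"{label}!{name}"))
    return findings


def scan_tree(root):
    """Walk `root` and inspect every archive found, in a stable order."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in sorted(files):
            if fn.lower().endswith(ARCHIVE_SUFFIXES):
                full = os.path.join(dirpath, fn)
                with open(full, "rb") as fh:
                    findings.extend(inspect_archive(fh.read(), os.path.relpath(full, root)))
    return findings


def _make_jar(version, include_jndi=True):
    """Constructed stand-in for a log4j-core JAR: metadata plus a placeholder class."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPERTIES,
                    f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # class-file magic only, not real bytecode
    return buf.getvalue()


def build_sample_tree(root):
    """Constructed sample data: four bare JARs and one WAR wrapping an old JAR."""
    os.makedirs(os.path.join(root, "lib"), exist_ok=True)
    samples = {
        "lib/log4j-core-2.14.1.jar": _make_jar("2.14.1"),
        "lib/log4j-core-2.16.0-stripped.jar": _make_jar("2.16.0", include_jndi=False),
        "lib/log4j-core-2.17.0.jar": _make_jar("2.17.0"),
        "lib/log4j-core-2.17.1.jar": _make_jar("2.17.1"),
    }
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", _make_jar("2.14.1"))
    samples["app.war"] = war.getvalue()
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)


def run_demo():
    """Build the constructed tree in a temp dir and return its findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f.verdict:<70} {f.version:<8} {f.path}")
```

Running it prints five findings: the 2.14.1 JAR nested inside `app.war` and the bare 2.14.1 JAR as vulnerable, the stripped 2.16.0 JAR as mitigated but still needing an upgrade, 2.17.0 as low, and 2.17.1 as ok. Point `scan_tree()` at a real application directory to get the same report for deployed archives; the nested recursion is what catches log4j-core shaded into a WAR or fat JAR that a filename search would miss.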

Article updated to include a response from Microsoft about the resolution of the false positives issue, along with new details about the version 2.17.1 patch for Log4j.
