Microsoft is looking into a problem with the Log4j scanner in Defender

Microsoft is looking into complaints that Defender for Endpoint’s Apache Log4j vulnerability scanner is generating false alarms.

The company told VentureBeat on Wednesday afternoon that the problem has been fixed (see below).

The scanner was published by Microsoft to aid in the detection and repair of issues in Log4j, a common logging software component. On Monday evening, Microsoft announced an extension of Defender’s Log4j scanning capabilities.

False positives

Today, complaints on Twitter surfaced concerning the scanner’s false positive warnings, which allegedly inform administrators that “possible sensor manipulation in memory was identified by Microsoft Defender for Endpoint.” As far back as December 23, Twitter users reported experiencing the problem.

Tomer Teller, a senior leader in Microsoft’s security division, responded to the claims on Twitter. “Thank you for bringing this to our attention,” Teller stated in a tweet, adding that the team is looking into it.

In a second tweet, he said, “The team is examining why it triggers the warning (it shouldn’t, of course).”

“We have rectified an issue for certain customers who may have suffered a series of false-positive detections,” a Microsoft official said in a statement Wednesday afternoon in response to an inquiry from VentureBeat about the claims.

Microsoft said on Monday that additional capabilities for tackling Log4j vulnerabilities have been added to its Defender for Containers and Microsoft 365 Defender services.

The Defender for Containers solution can now detect container images that are vulnerable to the Log4j issues. According to an update to Microsoft’s threat intelligence team’s blog post about the Log4j vulnerability, container images are automatically scanned for vulnerabilities when they are pushed to an Azure container registry, pulled from an Azure container registry, or run on a Kubernetes cluster.

Updates for Defender

Microsoft 365 Defender, meanwhile, now provides a centralised dashboard for addressing threats and vulnerabilities connected to the Log4j problems, according to the firm. Microsoft’s threat intelligence team stated that the dashboard will “assist clients discover and fix files, software, and devices vulnerable to the Log4j vulnerabilities.”

According to Microsoft, these functionalities are supported on Windows and Windows Server, as well as Linux. The features, however, are only available on Linux if the Microsoft Defender for Endpoint Linux client is updated to version 101.52.57 or later.

The threat intelligence teams noted in the blog post that this “special Log4j dashboard” gives a “unified view of diverse discoveries across susceptible devices, vulnerable applications, and vulnerable files.”

Microsoft also announced a new schema in advanced hunting for Microsoft 365 Defender, which “surfaces file-level results from the disk and gives the opportunity to correlate them with extra context in advanced hunting,” according to the company.

Microsoft had said it was working on adding support for Microsoft 365 Defender’s capabilities for Apple’s macOS, and that the capabilities “will roll out shortly.”

Widespread vulnerabilities

Several Java-based corporate and cloud applications and services are potentially vulnerable to the weaknesses in Log4j prior to version 2.17.0. The majority of big enterprises are thought to utilise the open source logging library in some way — either directly or indirectly through the usage of a Java framework.

The most recent Log4j patch, version 2.17.1, was issued on Tuesday, and it fixes a recently found vulnerability (CVE-2021-44832). Since the original discovery of a remote code execution (RCE) vulnerability on December 9, this is the fourth fix for weaknesses in the Log4j programme.

However, according to a number of security experts, the latest vulnerability does not pose an additional security risk to the majority of businesses. As a consequence, many businesses that have already patched to Log4j version 2.17.0, released on December 17, should not need to upgrade to version 2.17.1 right now.
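Because the article describes three version thresholds (anything before 2.17.0 needs patching, 2.17.0 still lacks the CVE-2021-44832 fix, 2.17.1 is current), a defender doing inventory wants a check that turns a tree of JAR files into exactly that classification. The script below is an added example written for this page; it is not code from VentureBeat or Microsoft. It assumes a Maven-built log4j-core JAR carries `META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties` with a `version=` line, falls back to the `log4j-core-<version>.jar` file-name convention, and builds a few constructed sample JARs in a temporary directory so it runs offline.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Thresholds taken from the article: 2.17.0 closed the earlier Log4j issues,
# 2.17.1 fixed CVE-2021-44832.
FIXED_EARLIER = (2, 17, 0)
FIXED_44832 = (2, 17, 1)

# Assumed location of the Maven metadata inside a log4j-core jar.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Fallback: version embedded in the jar file name, e.g. log4j-core-2.16.0.jar.
NAME_RE = re.compile(r"log4j-core-(\d+(?:\.\d+)*)")


def parse_version(text):
    """Turn '2.17.1' (or '2.0-beta9') into a comparable 3-tuple of ints."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def log4j_core_version(jar_path):
    """Return the log4j-core version string found in a jar, or None if absent."""
    jar_path = Path(jar_path)
    try:
        with zipfile.ZipFile(jar_path) as zf:
            if POM_PROPS in zf.namelist():
                text = zf.read(POM_PROPS).decode("utf-8", "replace")
                for line in text.splitlines():
                    if line.startswith("version="):
                        return line.split("=", 1)[1].strip()
    except zipfile.BadZipFile:
        pass  # not a jar at all; fall through to the file-name check
    m = NAME_RE.search(jar_path.name)
    return m.group(1) if m else None


def assess(version):
    """Classify a log4j-core version against the article's thresholds."""
    v = parse_version(version)
    if v < FIXED_EARLIER:
        return "patch-required"
    if v < FIXED_44832:
        return "cve-2021-44832-unfixed"
    return "current"


def scan_tree(root):
    """Map jar name -> (version, status) for every jar that embeds log4j-core."""
    results = {}
    for jar in Path(root).rglob("*.jar"):
        ver = log4j_core_version(jar)
        if ver is not None:
            results[jar.name] = (ver, assess(ver))
    return results


def build_sample_tree(root):
    """Constructed sample jars for the demo; these are not real Log4j artifacts."""
    root = Path(root)
    root.mkdir(parents=True, exist_ok=True)
    with_pom = {
        "log4j-core-2.14.1.jar": "2.14.1",
        "log4j-core-2.17.0.jar": "2.17.0",
        "app-bundle.jar": "2.17.1",  # shaded jar that kept the Maven metadata
    }
    for name, ver in with_pom.items():
        with zipfile.ZipFile(root / name, "w") as zf:
            zf.writestr(POM_PROPS, f"version={ver}\nartifactId=log4j-core\n")
    # Jar with no pom.properties: only the file name reveals the version.
    with zipfile.ZipFile(root / "log4j-core-2.16.0.jar", "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    # Unrelated jar that must be ignored.
    with zipfile.ZipFile(root / "guava.jar", "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return root


def demo():
    """Build the constructed tree, scan it, and return the classification."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_tree(build_sample_tree(tmp))


if __name__ == "__main__":
    for name, (ver, status) in sorted(demo().items()):
        print(f"{name}: {ver} -> {status}")
```

Point `scan_tree()` at an application directory to get the same three-way classification for real JARs; JARs that embed log4j-core without the Maven metadata and without the conventional file name will be missed, which is why the file-level results Microsoft's dashboard surfaces are still worth correlating with a check like this.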

The article has been updated to include a statement from Microsoft on the false positives issue, as well as new information about the Log4j version 2.17.1 fix.