Microsoft Defender for Endpoint is currently displaying “sensor tampering” warnings associated with the company’s newly deployed Microsoft 365 Defender scanner for Log4j processes.
The warnings are reportedly seen primarily on Windows Server 2016 systems and warn of “Possible sensor tampering in memory was detected by Microsoft Defender for Endpoint”, created by an OpenHandleCollector.exe process.
According to customer reports, administrators have been dealing with this issue since at least December 23rd.
While the behavior of this Defender process is flagged as malicious, there is nothing to worry about, as the alerts are false positives, as revealed by Tomer Teller, Principal Group PM Manager at Microsoft, Enterprise Security Posture.
Microsoft is currently investigating this problem with Microsoft 365 Defender and working on a fix, which the company will soon deliver to affected systems.
“This is part of our job of discovering Log4J instances on disk. The team is analyzing why it is triggering the alert (of course it shouldn’t),” said Teller.
As Microsoft revealed on Tuesday, this newly deployed Log4j scanner was introduced together with a new consolidated Log4j dashboard in the Microsoft 365 Defender portal for threat and vulnerability management.
The new dashboard is designed to help customers identify and remediate files, software and devices that are exposed to attacks that exploit Log4j vulnerabilities.
Since October 2020, Windows administrators have had to deal with other Defender for Endpoint false positives, including one that marked Office documents as Emotet malware payloads, one that showed network devices as infected with Cobalt Strike, and one that marked Chrome updates as PHP backdoors.
The same thing. And it looks like it had something to do with finding log4j based on the command line. Emails started and didn’t stop for me within the last hour
“OpenHandleCollector.exe” -p: java.exe -p: javaw.exe -p: eclipse.exe -f: log4j
– Blake (@irestartpcs) December 29, 2021
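As an added example (not part of the article or of any Microsoft tooling), a triage helper a SOC could run over exported alert records to separate this specific scanner invocation from every other sensor-tampering alert, which should still be investigated. The alert field names, device names and the full path in the samples are constructed; only the alert title, process name and command-line arguments come from the report.

```python
import shlex

# Alert title and initiating process named in the article.
TAMPERING_TITLE = ("Possible sensor tampering in memory was detected by "
                   "Microsoft Defender for Endpoint")
SCANNER_EXE = "openhandlecollector.exe"
# Target processes and search term taken from the command line in the tweet.
EXPECTED_TARGETS = {"java.exe", "javaw.exe", "eclipse.exe"}
EXPECTED_FILTER = "log4j"

def parse_scanner_args(cmdline: str):
    """Return (exe basename, set of -p: targets, -f: filter). Non-POSIX splitting
    keeps Windows backslashes; a fused '-p:java.exe' spelling is also accepted
    (an assumption; the page only shows the spaced form)."""
    tokens = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    exe = tokens[0].rsplit("\\", 1)[-1].lower() if tokens else ""
    targets, search_filter, i = set(), None, 1
    while i < len(tokens):
        flag, value = tokens[i][:3], tokens[i][3:]
        if flag in ("-p:", "-f:") and not value and i + 1 < len(tokens):
            i += 1
            value = tokens[i]
        if flag == "-p:":
            targets.add(value.lower())
        elif flag == "-f:":
            search_filter = value.lower()
        i += 1
    return exe, targets, search_filter

def triage(alert: dict) -> str:
    """Tag only the exact Log4j-scanner invocation as the known false positive;
    any other tampering alert keeps the 'investigate' verdict."""
    if alert.get("title") != TAMPERING_TITLE:
        return "investigate"
    exe, targets, search_filter = parse_scanner_args(alert.get("command_line", ""))
    if (exe == SCANNER_EXE and search_filter == EXPECTED_FILTER
            and targets and targets <= EXPECTED_TARGETS):
        return "known_fp_log4j_scanner"
    return "investigate"

# Constructed sample alerts; field names, device names and the path are hypothetical.
SAMPLE_ALERTS = [
    {"title": TAMPERING_TITLE, "device": "srv2016-01",
     "command_line": '"OpenHandleCollector.exe" -p: java.exe -p: javaw.exe -p: eclipse.exe -f: log4j'},
    {"title": TAMPERING_TITLE, "device": "srv2016-02",   # fused flags, full path
     "command_line": r'D:\Tools\OpenHandleCollector.exe -p:java.exe -f:log4j'},
    {"title": TAMPERING_TITLE, "device": "srv2016-03",   # unexpected target process
     "command_line": '"OpenHandleCollector.exe" -p: java.exe -p: explorer.exe -f: log4j'},
]
```

The match is deliberately narrow so the verdict is a prioritisation hint, not a blanket suppression of the sensor-tampering alert class.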
This is a developing story …