Microsoft Defender for Endpoint (formerly known as Microsoft Defender Advanced Threat Protection) began flagging yesterday’s Google Chrome update as malicious, alarming users and admins and creating confusion among them. Some users took to Twitter to report the behavior and to inquire if the detections were false positives.
Hey @msftsecresponse – Seeing lots of Defender ATP alerts this morning on C:\Program Files (x86)\Google\Chrome\Application\88.0.4324.104\Locales\sl.pak detected as PHP/Funvalget.A. Can you confirm this is a false positive? SHA256 in reply.
— W. David Winslow (@wdwinslow) February 3, 2021
The folks over at ZDNet shared an image of the detection, where the software flags the 'sl.pak' file as a “Funvalget backdoor”, which was in line with multiple reports on forums such as VirusTotal. The file in question seems to be related to a language localization that is present in the installer for Chrome version 88.0.4324.104 that began rolling out to users yesterday.
It was not clear, at the time, if there was indeed a security risk with the file, or if the detection was falsely being made. The detection meant that the installer was automatically being blocked on many systems. However, as per ZDNet, the consumer version of the security software is currently not flagging the same install files as malicious.
While the company has not made any public statements yet, at least one user on VirusTotal claims that the Redmond firm has acknowledged the detection as being false positive, and that it has removed the detection. The user adds that the firm has provided steps for admins and users to clear cached detections and pull the latest malware definitions. Here are the steps, which can also be found in the documentation here:
- Open command prompt as administrator and change directory to c:\Program Files\Windows Defender
- Run “MpCmdRun.exe -removedefinitions -dynamicsignatures”
- Run "MpCmdRun.exe -SignatureUpdate""
It is best for system admins to clear cached detection to remedy the issue with the false positive. This should also unblock the installer for the latest Chrome version.