- Windows Defender is alerting people about a “threat detected” for “Behavior: Win32/Hive.ZY”
- The issue is related to a recent listing in the Microsoft Defender update file, which is performing an incorrect detection
- The trigger seems linked to Defender detecting “electron or chrome based applications as malware”.
- Microsoft is expected to patch/update Microsoft Defender to alleviate the issue
Update #1 (1:50 p.m. ET): According to the Microsoft support forums, the Defender team indicated that they are looking into this and will hopefully release a patch for this soon.
Update #2 (7:50 p.m. ET): According to the Microsoft support forums, “Indications from a Microsoft agent is that a fix has been released (Version: 1.373.1537.0)”
In Windows 10/11, select Check for updates on the Windows Security “Virus & threat protection” screen to check for the latest updates.
Offline installers are available at these links:
64-bit download:
https://go.microsoft.com/fwlink/?LinkID=121721&arch=x64
32-bit download:
https://go.microsoft.com/fwlink/?LinkID=121721&arch=x86
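To confirm that a machine has moved past the definitions named in this article, and to see which applications tripped the alert, the following PowerShell check can be run from an elevated prompt. It is an added example, not a Microsoft script; the two version numbers are the ones quoted in this article, and the state labels and variable names are illustrative.

```powershell
# Added example. Run in an elevated PowerShell session on Windows 10/11.
$AffectedVersion = [version]'1.373.1508.0'  # from the article: reported trigger
$FixedVersion    = [version]'1.373.1537.0'  # from the article: reported fix
$ThreatPattern   = '*Win32/Hive.ZY'         # matches "Behavior:Win32/Hive.ZY"

# Illustrative helper: classify the installed definitions against the two versions.
function Get-DefinitionState {
    param([version]$Current)
    if ($Current -ge $FixedVersion)    { return 'AtOrAfterFix' }
    if ($Current -eq $AffectedVersion) { return 'ReportedAffected' }
    return 'BeforeFix'
}

$current = [version](Get-MpComputerStatus).AntivirusSignatureVersion
$state   = Get-DefinitionState -Current $current
Write-Output "Security intelligence $current : $state"

if ($state -ne 'AtOrAfterFix') {
    # Pull the latest definitions, then re-read the installed version.
    Update-MpSignature
    $current = [version](Get-MpComputerStatus).AntivirusSignatureVersion
    Write-Output "After update: $current : $(Get-DefinitionState -Current $current)"
}

# Map the threat name to its ID, then list which processes triggered it.
$ids  = @(Get-MpThreat | Where-Object ThreatName -like $ThreatPattern |
          Select-Object -ExpandProperty ThreatID)
$hits = @(Get-MpThreatDetection | Where-Object { $ids -contains $_.ThreatID })

if ($hits.Count -eq 0) {
    Write-Output 'No Hive.ZY detections recorded on this machine.'
} else {
    # One row per process: how often it was flagged, and the first/last time.
    $hits | Group-Object ProcessName | Sort-Object Count -Descending |
        Select-Object Count, Name,
            @{ n = 'First'; e = { $_.Group.InitialDetectionTime | Sort-Object | Select-Object -First 1 } },
            @{ n = 'Last';  e = { $_.Group.InitialDetectionTime | Sort-Object | Select-Object -Last 1 } }
}
```

If the "Last" timestamps stop advancing once the definitions report `AtOrAfterFix`, the repeating alert has ended on that machine.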
This morning, a listing in the Microsoft Defender Database (or even Windows Update) is wreaking havoc on people’s Windows PCs.
People on Reddit say they’re “crazed” not just by a reported Microsoft Defender threat, but by one that keeps popping up and repeating itself even though the supposed threat is blocked.
The threat is revealed in a pop-up message stating that “Behavior: Win32/Hive.ZY” has been detected and appears as “serious”. However, after taking action to correct the problem, it does not go away and the user will continue to receive the same message. The reminder may return after 20 seconds, with the cycle repeating endlessly.
We experienced the issue on a PC; see the screenshots below.
The actual threat is only stated as “This generic detection of suspicious behavior is designed to capture potentially malicious files.”
The good news is that your computer, if you experience this problem, is not infected with any virus or malware. This detection appears to be a false positive, according to a Microsoft support forum: a listing in the Microsoft Defender database incorrectly reports the activity as dangerous.
From DaveM121, an independent consultant:
“This appears to be a false positive, it’s a bug hundreds of people are reporting right now, it seems to be related to all Chromium based web browsers and Electron based apps like Whatsapp, Discord, Spotify… etc.”
“This is an evolving situation with no official word from Microsoft yet, but appears to be caused by Security Intelligence Update for Microsoft Defender Antivirus – KB2267602 (Version 1.373.1508.0)”
The common thread among users experiencing this issue is using “Electron or Chromium-based applications” including Google Chrome, Microsoft Edge, and anything running Visual Studio Code.
The problem seems to come from Defender Update/Definition Version 1.373.1508.0, which means that Microsoft needs to update that file and the issue should be resolved.
As of yet, Microsoft has not publicly commented on the issue as it is a public holiday weekend in the United States. There could be a long delay in the distribution of the update to the millions of potentially affected computers.
We will update this article accordingly if there are any new fixes or feedback from Microsoft.