Microsoft Fixes Bug Blocking Defender for Endpoint on Windows Server
Microsoft has addressed a known issue that plagued Windows Server customers for weeks, preventing the Defender for Endpoint enterprise security platform from launching on some systems.
When it acknowledged the bug in November, Microsoft explained that the endpoint security solution (previously known as Microsoft Defender Advanced Threat Protection or Defender ATP) failed to start or run on devices running Windows Server Core installations.
The issue only impacts devices where customers installed Windows Server 2019 and Windows Server 2022 security updates issued during last month’s Patch Tuesday.
As Redmond revealed, KB5008223 “addresses a known issue that might prevent Microsoft Defender for Endpoint from starting or running on devices that have a Windows Server Core installation.”
You can install this cumulative update through Windows Update and Microsoft Update, Windows Update for Business, Windows Server Update Services (WSUS), and the Microsoft Update Catalog.
Reports of Defender crashes and false positives
After Microsoft confirmed this Defender for Endpoint issue, BleepingComputer also spotted reports of Microsoft Defender Antivirus crashes with EventID 3002 notifications (MALWAREPROTECTION_RTP_FEATURE_FAILURE) and “Real-time protection encountered an error and failed” error codes.
They occurred after installing security intelligence updates between versions 1.353.1477.0 and 1.353.1486.0 and were fixed by Microsoft with the release of version 1.353.1502.0.
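For admins checking whether a given Windows Server host is in scope for either of the problems described above (the Server Core start-up failure fixed by KB5008223, and the EventID 3002 real-time protection failures tied to security intelligence versions 1.353.1477.0 through 1.353.1486.0), the following triage script is an added example and not something published by Microsoft or BleepingComputer. It uses only built-in cmdlets; the affected version range, KB number and event ID are taken from the text, and the report fields are this example's own naming.

```powershell
# Added triage example: is this host exposed to the issues described in the article?
# Run in an elevated PowerShell session on the Windows Server being checked.

# 1. Server Core installation? (InstallationType is "Server Core" on Core installs)
$installType = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').InstallationType
$isServerCore = $installType -eq 'Server Core'

# 2. Is the fix for the Defender for Endpoint start-up failure present?
$fixKb = 'KB5008223'                      # from the article
$fixInstalled = $null -ne (Get-HotFix -Id $fixKb -ErrorAction SilentlyContinue)

# 3. Is the installed security intelligence version inside the crash-prone range?
$badLow  = [version]'1.353.1477.0'        # from the article
$badHigh = [version]'1.353.1486.0'        # from the article
$fixedAt = [version]'1.353.1502.0'        # from the article
$sigVersion = [version](Get-MpComputerStatus).AntivirusSignatureVersion
$sigInBadRange = ($sigVersion -ge $badLow) -and ($sigVersion -le $badHigh)

# 4. Any EventID 3002 (MALWAREPROTECTION_RTP_FEATURE_FAILURE) entries in the Defender log?
$rtpFailures = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 3002
} -MaxEvents 5 -ErrorAction SilentlyContinue

# Summarise. Field names below are this example's own, not a Microsoft schema.
[pscustomobject]@{
    ComputerName            = $env:COMPUTERNAME
    ServerCore              = $isServerCore
    NeedsKB5008223          = $isServerCore -and -not $fixInstalled
    SignatureVersion        = $sigVersion.ToString()
    SignatureInCrashRange   = $sigInBadRange
    SignatureAtOrAboveFix   = $sigVersion -ge $fixedAt
    RecentRtpFailureEvents  = @($rtpFailures).Count
    LastRtpFailure          = if ($rtpFailures) { $rtpFailures[0].TimeCreated } else { $null }
}
```

A host that reports NeedsKB5008223 as True, or SignatureInCrashRange as True with a non-zero RecentRtpFailureEvents count, still needs the cumulative update or a newer security intelligence update respectively; a fresh Defender signature update (Update-MpSignature) clears the second condition.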
Later last month, Microsoft Defender for Endpoint also scared Windows admins with Emotet false positives, as it started blocking Office documents from being opened and some executables from launching, falsely tagging them as potentially bundling Emotet malware payloads.
While Microsoft didn’t reveal what triggered these false positives, the most likely reason was that the company increased the sensitivity for detecting Emotet-like behavior, making its generic behavioral detection engine too sensitive.
The change was probably prompted by the revival of the Emotet botnet two weeks earlier, when the Emotet research group Cryptolaemus, GData, and Advanced Intel began seeing TrickBot deploying Emotet loaders on infected devices.
Since October 2020, Windows admins have dealt with similar false positive issues affecting Defender for Endpoint, including one that marked network devices infected with Cobalt Strike and another that tagged Chrome updates as PHP backdoors.