Microsoft Defender tagging Google Chrome updates as suspicious activity due to a false positive

Microsoft Defender for Endpoint has been tagging Google Chrome updates delivered via Google Update as suspicious activity due to a false positive issue.

According to reports from Windows system admins [1, 2, 3, 4], the security solution (formerly known as Microsoft Defender ATP) began marking Chrome updates as suspicious starting last evening.

Those who encountered this issue reported seeing “Multi-stage incident involving Execution & Defense evasion” alerts on affected Windows endpoints monitored using Defender for Endpoint.

In a Microsoft 365 Defender service advisory issued after reports of these alarming alerts started showing up online, Microsoft revealed that they were erroneously triggered by a false positive and not due to malicious activity.

“Admins may receive a false positive alert for Google Update on Microsoft Defender for Endpoint monitored devices,” Microsoft said.

Roughly one and a half hours later, the advisory was updated, with Redmond saying the false positive issue was addressed and the service restored.

 


Source: BleepingComputer