Microsoft investigating Defender issue with Log4j scanner

Microsoft is investigating reports that the Apache Log4j vulnerability scanner in Defender for Endpoint is triggering erroneous alerts.

The company released the scanner with the aim of helping to identify and remediate the flaws in Log4j, a popular logging software component. Microsoft disclosed an expansion of the Log4j scanning capabilities in Defender on Monday evening.

False positives

Today, reports emerged on Twitter about false positive alerts from the scanner, which reportedly tell admins that “Possible sensor tampering in memory was detected by Microsoft Defender for Endpoint.” Twitter users reported seeing the issue as far back as December 23.

The reports prompted a response on Twitter from Tomer Teller, an executive in Microsoft’s security business. “Thank you for reporting this. The team is looking into that,” Teller said in a tweet.

“The team is analyzing why it triggers the alert (it shouldn’t of course),” he said in a second tweet.

VentureBeat has reached out to Microsoft for comment.

On Monday, Microsoft announced it has rolled out new capabilities in its Defender for Containers and Microsoft 365 Defender offerings for addressing Log4j vulnerabilities.

The Defender for Containers solution is now enabled to discover container images that are vulnerable to the flaws in Log4j. Container images are scanned automatically for vulnerabilities when they are pushed to an Azure container registry, when pulled from an Azure container registry, and when running on a Kubernetes cluster, Microsoft’s threat intelligence team wrote in an update to its blog post about the Log4j vulnerability.

Defender updates

Meanwhile, for Microsoft 365 Defender, the company said it has introduced a consolidated dashboard for managing threats and vulnerabilities related to the Log4j flaws. The dashboard will “help customers identify and remediate files, software, and devices exposed to the Log4j vulnerabilities,” Microsoft’s threat intelligence team tweeted.

These capabilities are supported on Windows and Windows Server, as well as on Linux, Microsoft said. However, for Linux, the capabilities require an update to version 101.52.57 or later of the Microsoft Defender for Endpoint Linux client.

This “dedicated Log4j dashboard” provides a “consolidated view of various findings across vulnerable devices, vulnerable software, and vulnerable files,” the threat intelligence teams said in the blog post.

Additionally, Microsoft said it has launched a new schema in advanced hunting for Microsoft 365 Defender, “which surfaces file-level findings from the disk and provides the ability to correlate them with additional context in advanced hunting.”

Microsoft said it’s working to add support for the capabilities in Microsoft 365 Defender for Apple’s macOS, and said the capabilities for macOS devices “will roll out soon.”

Widespread vulnerabilities

Many enterprise applications and cloud services written in Java are potentially vulnerable to the flaws in Log4j prior to version 2.17.1, which was released Tuesday. The open source logging library is believed to be used in some form — either directly or indirectly by leveraging a Java framework — by the majority of large organizations.

Version 2.17.1 of Log4j addresses a newly discovered vulnerability (CVE-2021-44832), and is the fourth patch for flaws in the Log4j software since the initial discovery of a remote code execution (RCE) vulnerability on December 9.

However, the latest vulnerability in Log4j “doesn’t appear to increase the already elevated risk of compromise via Log4j,” as it requires a “fairly obscure set of conditions to trigger,” said Casey Ellis, founder and chief technology officer at Bugcrowd, in a statement shared with VentureBeat.