Microsoft provides measures for false positives/negatives in Microsoft Defender for Endpoint

Microsoft Defender for Endpoint mistakenly flagged Microsoft Office as malware when Microsoft Endpoint Security identified OfficeSvcMgr.exe as a program exhibiting ransomware behavior. Because Office is installed on most computers in the enterprise, IT administrators' consoles were bombarded with false alarms from Microsoft Defender for Endpoint.

After urgent feedback, Microsoft acknowledged the problem and quickly released a cloud-delivered fix to resolve the false positives. At the same time, the large number of false positives in the IT administrator console was cleaned up through cloud policy, so administrators did not need to review and clear them one by one.

Microsoft attributes the false positives to a code change in Endpoint Security. Although the problem has been solved, IT administrators are unlikely to stop complaining unless Microsoft gives a clear explanation; after all, false positives of this kind can cause widespread outages. Microsoft has therefore released a new document to provide guidance for IT administrators.

In the guide, Microsoft says that IT admins can now log in to the Microsoft 365 Defender portal to manually suppress unimportant alerts; likewise, if an administrator judges a detection to be a false positive, the corresponding alert can be suppressed. Once suppressed, the console is at least no longer flooded to the point of becoming unusable. Microsoft also says that administrators can remediate false positives, including undoing actions in bulk, restoring wrongly flagged files from the Action Center, and deleting or restoring files from quarantine across devices. If an administrator has confirmed a false positive, custom exclusions can be used to add the affected items to the exclusion list.

Microsoft hopes these functions will let IT administrators help themselves when such urgent problems arise, rather than waiting for Microsoft to release an update; after all, feedback and troubleshooting take time, and so does synchronizing an update to every endpoint in the enterprise.