Hear from CIOs, CTOs, and other C-level and senior execs on data and AI strategies at the Future of Work Summit this January 12, 2022. Learn more
Microsoft is investigating reports that the Apache Log4j vulnerability scanner in Defender for Endpoint is triggering erroneous alerts.
The company released the scanner with the aim of assisting with the identification and remediation of the flaws in Log4j, a popular logging software component. Microsoft disclosed an expansion of the Log4j scanning capabilities in Defender on Monday evening.
Today, reports emerged on Twitter about false positive alerts from the scanner, which reportedly tell admins that “Possible sensor tampering in memory was detected by Microsoft Defender for Endpoint.” Twitter users reported seeing the issue as far back as December 23.
The reports prompted a response on Twitter from Tomer Teller, an executive in Microsoft’s security business. “Thank you for reporting this. The team is looking into that,” Teller said in a tweet.
“The team is analyzing why it triggers the alert (it shouldn’t, of course),” he wrote in a second tweet.
VentureBeat has reached out to Microsoft for comment.
On Monday, Microsoft announced it has rolled out new capabilities in its Defender for Containers and Microsoft 365 Defender offerings for addressing Log4j vulnerabilities.
The Defender for Containers solution is now enabled to discover container images that are vulnerable to the flaws in Log4j. Container images are scanned automatically for vulnerabilities when they are pushed to an Azure container registry, when pulled from an Azure container registry, and when running on a Kubernetes cluster, Microsoft’s threat intelligence team wrote in an update to its blog post about the Log4j vulnerability.
Meanwhile, for Microsoft 365 Defender, the company said it has introduced a consolidated dashboard for managing threats and vulnerabilities related to the Log4j flaws. The dashboard will “help customers identify and remediate files, software, and devices exposed to the Log4j vulnerabilities,” Microsoft’s threat intelligence team tweeted.
These capabilities are supported on Windows and Windows Server, as well as on Linux, Microsoft said. However, for Linux, the capabilities require an update to version 101.52.57 or later of the Microsoft Defender for Endpoint Linux client.
This “dedicated Log4j dashboard” provides a “consolidated view of various findings across vulnerable devices, vulnerable software, and vulnerable files,” the threat intelligence teams wrote in the blog post.
Additionally, Microsoft said it has launched a new schema in advanced hunting for Microsoft 365 Defender, “which surfaces file-level findings from the disk and provides the ability to correlate them with additional context in advanced hunting.”
Microsoft said it’s working to add support for the capabilities in Microsoft 365 Defender for Apple’s macOS, and said the capabilities for macOS devices “will roll out soon.”
Many enterprise applications and cloud services written in Java are potentially vulnerable to the flaws in Log4j prior to version 2.17.1, which was released Tuesday. The open source logging library is believed to be used in some form — either directly or indirectly by leveraging a Java framework — by the majority of large organizations.
Version 2.17.1 of Log4j addresses a newly discovered vulnerability (CVE-2021-44832) and is the fourth patch for flaws in the Log4j software since the initial discovery of a remote code execution (RCE) vulnerability on December 9.
However, the latest vulnerability in Log4j “doesn’t appear to increase the already elevated risk of compromise via Log4j,” as it requires a “fairly obscure set of conditions to trigger,” according to Casey Ellis, founder, and chief technology officer of the crowdsourced security platform, Bugcrowd.