
A Microsoft official confirmed widespread reports of Google Chrome, Chromium Edge, Discord, and several other apps being marked as “Behavior: Win32/Hive.ZY” by Microsoft’s built-in antivirus ‘Windows Defender’. In a statement, the tech giant confirmed that it is working on a solution that will be rolled out to everyone in the next few hours.
So what exactly is “Behavior:Win32/Hive.ZY”? According to a document published on the Microsoft security portal, any file marked “Behavior:Win32/Hive.ZY” is treated as a threat because it exhibits suspicious behavior. The label is used to flag potentially malicious files, especially files downloaded via email.
The detection appears to have been added with Defender version 1.373.1508.0. Apps could be flagged as malicious by the following products:
- Microsoft Defender Antivirus for Windows 10, Windows 11, and Windows 8.1, or Microsoft Security Essentials for Windows 7 and Windows Vista.
- Microsoft Security Scanner.
We received confirmation from Microsoft that this activity is a false positive issue, but it’s another issue for companies like Google and Discord, as customers are apparently reaching out to their support.
Reports, seen by us, show that affected users are automatically shown the aforementioned error during regular Defender scans.
“Docker Desktop downloaded from their site or installed via WinGet reports “Behavior: Win32/Hive.ZY” as of this morning’s security update. This prevents Docker Desktop from updating via WinGet or the internal application update option, and results in many, many, many false warnings,” noted one of the affected users.
In our tests, we found that Windows Defender on both Windows 10 and Windows 11 flags Chromium-based apps and others like Discord as “Win32/Hive.ZY.” If you are affected, you can easily reproduce the error if you kill all processes for Edge, Chrome, or whatever triggers it and launch the app again.
If the app continues to run in the background, the error will reappear over time.
“The alert appears when opening a new page in Chrome, but not all. Even for microsoft.com when I click More info in protection history. It started happening today, probably after a Windows Defender update. The culprit is always one of Chrome’s PIDs,” another user noted.
Microsoft releases fix for Behavior:Win32/Hive.ZY
There is not much you can do to fix Windows Defender false positive errors as they can only be patched via a server-side update from Microsoft. Fortunately, Microsoft officials told us that they have already begun investigating the issue and a possible fix has been released.
The fix is being deployed with version 1.373.1537.0. To fix Behavior:Win32/Hive.ZY, follow these steps:
- Search for ‘Windows Security’ in Windows Search.
- Go to Virus & threat protection.
- Check for updates.
- Restart.
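The same check can be scripted with the Defender PowerShell module. The following is an added example, not from Microsoft or the original article: it compares the installed security intelligence version with the fixed version named above, requests an update if it is older, and lists recorded Hive.ZY detections so they can be reviewed against the affected apps. It assumes an elevated PowerShell session on a machine where Defender is the active antivirus.

```powershell
# Added example. The version number comes from the article; the rest is illustrative.
$FixedVersion = [version]'1.373.1537.0'

# Read the currently installed security intelligence (signature) version.
$status  = Get-MpComputerStatus
$current = [version]$status.AntivirusSignatureVersion
Write-Host "Installed: $current (last updated $($status.AntivirusSignatureLastUpdated))"

# Request a signature update only if the installed version predates the fix.
if ($current -lt $FixedVersion) {
    Write-Host "Older than $FixedVersion, requesting update..."
    Update-MpSignature
    $current = [version](Get-MpComputerStatus).AntivirusSignatureVersion
    Write-Host "Now at: $current"
}

if ($current -ge $FixedVersion) {
    Write-Host "Security intelligence is at or above the fixed version."
} else {
    Write-Warning "Still below $FixedVersion; retry later or use the manual download."
}

# List recorded detections carrying the Hive.ZY name, with the process and
# resources involved, so each alert can be checked against the apps in the article.
$hive = Get-MpThreat | Where-Object { $_.ThreatName -like '*Hive.ZY*' }
foreach ($threat in $hive) {
    Get-MpThreatDetection -ThreatID $threat.ThreatID |
        Select-Object InitialDetectionTime, ProcessName, Resources |
        Format-List
}
if (-not $hive) { Write-Host "No Hive.ZY detections recorded on this machine." }
```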
If you don’t see the update when you check for updates, you can also manually download the fix from the links provided:
This is the third such incident involving Windows Defender. Earlier this year, Microsoft flagged some Google Chrome updates as potentially harmful. A similar incident was reported in March when the company flagged its own Office updates as ransomware threats.
There have been similar incidents in 2021. In fact, Defender once prevented Office apps and apps due to Emotet malware.
Update: The article has been updated with Microsoft’s statement and details about the emergency patch.