[Update: The fix is now available] Windows Defender has detected a false-positive threat called ‘Behavior:Win32/Hive.ZY’; this is not cause for concern.
Many people around the world were alerted this morning by Microsoft Defender to a recurring virus threat. It’s a false alarm, and your computer is fine.
Windows Defender has detected a “threat” for “Behavior:Win32/Hive.ZY.”
The problem is caused by a recent listing in Microsoft’s Defender update file, which performs an incorrect detection.
The trigger appears to be associated with Defender identifying “Electron-based or Chromium-based applications as malware.”
Microsoft Defender will be patched/updated to address the issue.
First update (1:50 p.m. ET): According to the Microsoft support forums, the Defender Team is looking into it and will hopefully release a patch soon.
Update #2: (7:50 PM ET): “Indications from a Microsoft Agent are that a fix has been released (Version: 1.373.1537.0),” according to Microsoft support forums.
To check for the most recent updates in Windows 10/11, go to the Windows Security Virus & Threat Protection screen and select Check for updates.
Downloads for 64-bit systems
(Opens in a new window)
(Opens in a new window)
A listing in Microsoft Defender’s database (or even Windows Update) is wreaking havoc on people’s Windows PCs this morning.
People on Reddit are “freaking out” over not just a reported threat from Microsoft Defender, but one that keeps appearing and recurring even after the alleged threat has been blocked.
The threat is revealed in a pop-up message in which it is noted that “Behavior:Win32/Hive.ZY” has been detected and is classified as “severe.” However, even after taking action to resolve the issue, the user continues to receive the same prompt. The reminder may reappear after 20 seconds, and the cycle may continue indefinitely.
“This generic detection for suspicious behaviours is designed to catch potentially malicious files,” says the threat description.
The good news is that if you are experiencing this issue, your computer is not infected with any virus or malware. According to a Microsoft Support forum (opens in new tab), this detection appears to be a false positive, where a listing in Microsoft Defender’s database incorrectly reports activity as dangerous.
Independent Advisor DaveM121 says:
“This appears to be a false positive; it is a bug that is currently being reported by hundreds of people; it appears to be related to all Chromium-based web browsers and Electron-based apps such as Whatsapp, Discord, Spotify, and so on.”
“This is a developing situation with no official word from Microsoft yet, but it appears to be caused by the Security Intelligence Update for Microsoft Defender Antivirus – KB2267602 (Version 1.373.1508.0).”
The use of “Electron-based or Chromium-based applications,” such as Google Chrome, Microsoft Edge, and anything that runs Visual Studio Code, is a common thread among users experiencing this problem.
The issue appears to be caused by Defender’s Definition/Update Version 1.373.1508.0, which means Microsoft needs to update that file and the problem should be resolved.
Because it is a holiday weekend in the United States, Microsoft has not yet publicly commented on the issue. There could be a lengthy delay in getting the update to millions of potentially affected computers.
If Microsoft provides any new solutions or comments, we will update this article.