Behavior:Win32/Hive.ZY Detection & Removal

In early September 2022, multiple reports surfaced of Windows Defender flagging a detection named "Behavior:Win32/Hive.ZY" on otherwise healthy machines, and the name alone (Hive is a well-known ransomware family) was enough to alarm users.

The good news is that the detection was a false positive introduced by a Defender definition update, and it has since been corrected.

The scare started with a wave of Behavior:Win32/Hive.ZY detections, each rated "severe". Users who had Defender remove the reported threat found that the same detection reappeared almost immediately after it was cleared.

According to an independent advisor quoted by WindowsCentral, the false positive was "related to all Chromium-based web browsers and Electron-based apps like WhatsApp, Discord, Spotify".

The false positive was fixed in a Windows Defender definition update: the affected definition version was 1.373.1508.0, and the corrected version is 1.373.1537.0. If a machine is still producing the detection, confirm that its installed definition version is 1.373.1537.0 or later and force a signature update before treating the alert as real.
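The check described above, as an added example that is not part of the original article: it reads the installed antivirus definition version, forces a security intelligence update if it is older than the fixed 1.373.1537.0 build named in the article, and then lists any Hive.ZY entries still in Defender's detection history together with the resources they flagged, so an administrator can confirm they point at Chromium or Electron binaries rather than anything unexpected. It assumes only the built-in Defender PowerShell module (Get-MpComputerStatus, Update-MpSignature, Get-MpThreat, Get-MpThreatDetection) and an elevated prompt; the version constant is taken from the article, not from any Microsoft advisory.

```powershell
# Added example (not from the original article). Requires the built-in Defender
# PowerShell module and an elevated prompt; tested against nothing but the cmdlet
# names and properties documented for that module.

# Definition version that carries the fix, as stated in the article (assumption:
# any later version also carries it).
$FixedVersion = [version]'1.373.1537.0'

# 1. Compare the installed antivirus signature version against the fixed build.
$installed = [version](Get-MpComputerStatus).AntivirusSignatureVersion
Write-Host "Installed antivirus signature version: $installed"

if ($installed -lt $FixedVersion) {
    Write-Host "Older than $FixedVersion; pulling the latest security intelligence update..."
    # Downloads and applies the newest definitions from the configured update source.
    Update-MpSignature -ErrorAction Stop
    $installed = [version](Get-MpComputerStatus).AntivirusSignatureVersion
    Write-Host "Now on $installed"
}
else {
    Write-Host "Definitions already at or above the fixed build."
}

# 2. List any Hive.ZY detections Defender has recorded, with the flagged resources.
#    Because this is a behavior detection, Resources typically names the process
#    or file whose behavior tripped the rule rather than a dropped malware file.
$hiveThreats = Get-MpThreat | Where-Object { $_.ThreatName -like '*Hive.ZY*' }

if (-not $hiveThreats) {
    Write-Host "No Behavior:Win32/Hive.ZY entries in detection history."
}
else {
    foreach ($threat in $hiveThreats) {
        Get-MpThreatDetection |
            Where-Object { $_.ThreatID -eq $threat.ThreatID } |
            Select-Object InitialDetectionTime, ProcessName,
                          @{ Name = 'Resources'; Expression = { $_.Resources -join '; ' } } |
            Format-Table -AutoSize
    }
}
```

Run it once before and once after the update: if the listed resources are browser or Electron app binaries and the version check now reports 1.373.1537.0 or later, the remaining entries are history of the false positive, not a live infection.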

False-positive scares like this are not uncommon. What made this one worse was the trigger: the "Behavior:" prefix marks a behavior-based rather than file-based detection, so there was no malicious file to quarantine and the alert simply fired again each time an affected Chromium-based browser or Electron app ran. Because those applications are so widespread, the impact was far larger than that of a typical isolated heuristic or behavior-based misfire.

September 7, 2022