Microsoft Defender gives a false positive for Emotet malware in Office


Microsoft Defender for Endpoint has been blocking some Office documents from opening since Tuesday because a faulty detection flags them as Emotet malware. The false positive appears to have started with definition (security intelligence) version 1.353.1874.0.

Several system administrators have been reporting problems with Microsoft Defender for Endpoint since Tuesday, BleepingComputer reports. According to one user, the software believes it recognizes an Emotet payload in Excel files and in other Office applications that use MSIP.ExecutionHost.exe, the client process of Microsoft Information Protection (Azure Information Protection). BleepingComputer was able to reproduce the false positive.

Because Defender for Endpoint blocks and quarantines any file that triggers a detection, a false positive is not merely a misleading alert: users lose access to legitimate documents for as long as the bad definitions remain in place.

A Microsoft spokesperson said the company is working on a fix. Customers whose endpoints are connected to Microsoft's cloud-delivered protection should no longer see the problem; hosts that rely on downloaded definition updates alone keep the faulty detection until they receive a corrected update. Microsoft has not given further details on what caused the false positive.
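The following PowerShell script is an added triage example for administrators; it is not code from the article, from BleepingComputer or from Microsoft. It checks which definition version a host is running against the first affected version the article reports, checks whether cloud-delivered protection (MAPSReporting) is enabled, pulls the latest signatures, and lists recent detections that involve Office documents or the MSIP.ExecutionHost.exe process mentioned in the reports. It assumes a Windows host with the Defender PowerShell module, run from an elevated prompt. Since the page does not name the version that carries the fix, the script cannot prove a host is clean; it only tells you whether you are in the affected range and whether you are still on stale definitions.

```powershell
# Added example (not from the article or from Microsoft): triage a Defender
# for Endpoint host for the Emotet false positive described above.
# Assumes: Windows with the Defender PowerShell module, elevated prompt.
# The "first affected" version is the one the article reports; the fixed
# version is not given on the page, so this cannot prove a host is clean.

$FirstBadVersion = [version]'1.353.1874.0'   # from the article

$status    = Get-MpComputerStatus
$prefs     = Get-MpPreference
$installed = [version]$status.AntivirusSignatureVersion

Write-Host "Signature version : $installed (updated $($status.AntivirusSignatureLastUpdated))"
Write-Host "Engine version    : $($status.AMEngineVersion)"

# MAPSReporting: 0 = cloud-delivered protection off, 1 = basic, 2 = advanced.
# The article says cloud-connected customers received the fix first, so a
# host without cloud protection keeps the bad detection until it pulls a
# corrected definition update.
if ($prefs.MAPSReporting -eq 0) {
    Write-Warning "Cloud-delivered protection is OFF; the fix only arrives via signature update."
}

if ($installed -ge $FirstBadVersion) {
    Write-Warning "Signatures are at or past the reported first affected version; pulling latest."
    Update-MpSignature
    $installed = [version](Get-MpComputerStatus).AntivirusSignatureVersion
    Write-Host "Signature version after update: $installed"
}

# Detections from the last 48 hours whose resources are Office documents or
# whose process is MSIP.ExecutionHost.exe, so quarantined files can be
# reviewed before anything is released.
$since   = (Get-Date).AddHours(-48)
$suspect = Get-MpThreatDetection |
    Where-Object { $_.InitialDetectionTime -ge $since } |
    Where-Object {
        ($_.Resources -match '\.(xls[xmb]?|doc[xm]?)$') -or
        ($_.ProcessName -match 'MSIP\.ExecutionHost\.exe$')
    }

foreach ($d in $suspect) {
    $name = (Get-MpThreat -ThreatID $d.ThreatID).ThreatName
    Write-Host ("{0}  {1}  {2}" -f $d.InitialDetectionTime, $name, ($d.Resources -join ', '))
}

# Restoring from quarantine is a manual decision. MpCmdRun.exe lists the
# quarantine so an analyst can confirm each item is a legitimate document:
#   & "$env:ProgramFiles\Windows Defender\MpCmdRun.exe" -Restore -ListAll
```

Run it on one affected host first and compare the "Signature version after update" line across machines: hosts that still show a version at or just above 1.353.1874.0 after `Update-MpSignature` are the ones to check for cloud connectivity or a blocked update source. Do not add path exclusions for Office documents as a workaround; that would also suppress genuine Emotet detections, which is exactly the payload this rule was meant to catch.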

Emotet is a notorious malware family that has been spread mainly through malicious Word documents attached to phishing emails, among other channels. Criminals offered it as malware-as-a-service, which is why it became so widespread. Earlier this month the malware became active again after months of silence that followed the January 2021 law-enforcement takedown of its infrastructure.
