Microsoft Defender for Endpoint began flagging yesterday’s Google Chrome update as malicious, alarming users and admins and creating confusion among them.

Hey @msftsecresponse – Seeing lots of Defender ATP alerts this morning on C:\Program Files (x86)\Google\Chrome\Application\88.0.4324.104\Locales\sl.pak detected as PHP/Funvalget.A. Can you confirm this is a false positive? SHA256 in reply.—

The software flags the ‘sl.pak’ file as a “Funvalget backdoor”,The file in question seems to be related to a language localization that is present in the installer for Chrome version 88.0.4324.104 that began rolling out to users yesterday.

It was not clear, at the time, if there was indeed a security risk with the file, or if the detection was falsely being made. The detection meant that the installer was automatically being blocked on many systems. However, the consumer version of the security software is currently not flagging the same install files as malicious.null

The Redmond firm has acknowledged the detection as being false positive, and that it has removed the detection. The user adds that the firm has provided steps for admins and users to clear cached detections and pull the latest malware definitions.

  1. Open command prompt as administrator and change directory to c:\Program Files\Windows Defender
  2. Run “MpCmdRun.exe -removedefinitions -dynamicsignatures”
  3. Run “MpCmdRun.exe -SignatureUpdate””