Win32/PowEmotet.SB + Win32/PowEmotet.SC (Emotet Trojan)

Microsoft Defender for Endpoint has suddenly started blocking Office, preventing users from opening documents. A number of executable files have been caught as well. The cause turned out to be a false positive detection of the Emotet malware.

Windows administrators complained about the problem. Judging by numerous reports, the bug appeared after Defender was updated to security intelligence version 1.353.1874.0: since then Microsoft Defender blocks files from opening and warns of suspicious activity attributed to Win32/PowEmotet.SB or Win32/PowEmotet.SC. Some administrators were unable to open Excel documents and cited the update to version 1.353.1874.0 as the reason:

https://twitter.com/SydeEyeDotCom/status/1465800720821727235

False positive on Windows 10 with a fresh Microsoft Defender signature database

While Microsoft has not yet shared what causes this, the most likely explanation is that the security intelligence update released today raised the sensitivity of the generic behavioral detection for Emotet-like activity, which makes Defender's behavioral engine prone to false positives on legitimate Office and executable files.

Microsoft representatives have already responded to the administrators' complaints and said that the company is working on a fix.

🤔 How do I know if PowEmotet is actually installed on my computer?
This is most likely a false positive at this time. To be 100% sure, scan your computer using
🤔 How do I scan my PC with Microsoft Defender?
Most of the time, Microsoft Defender neutralizes threats before they become a problem. If that is the case, you can see past threat reports in the Windows Security app. Open Windows Settings: the easiest way is to click the Start button and then the gear icon. Alternatively, press the Windows key + I on your keyboard.
In the meantime, Microsoft suppressed the detection in the cloud to prevent further spikes in alerts for customers connected to cloud-delivered protection. A new security intelligence build that fixes the issue is expected shortly.

⚡ Microsoft reported: security intelligence update 1888 resolves the Win32/PowEmotet.SB and Win32/PowEmotet.SC false positive.
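For administrators who want to verify the situation on a machine rather than wait for the alerts to stop, the following PowerShell script is an added example (not code from the original article or from Microsoft). It reads the installed security intelligence version, pulls the newer build if the machine is still on the affected one, and lists any PowEmotet detections together with the files that triggered them. It assumes an elevated session on a Windows 10/11 host with the Defender module present; the build number 1.353.1874.0 comes from the reports above, while 1.353.1888.0 is assumed here from the "update 1888" Microsoft cited.

```powershell
# Added example: check a Windows host for the PowEmotet false positive.
# Not part of the original article. Run from an elevated PowerShell session.

# 1.353.1874.0 is the build named in the administrators' reports.
# 1.353.1888.0 is an assumption derived from "definition update 1888".
$BadBuild   = [version]'1.353.1874.0'
$FixedBuild = [version]'1.353.1888.0'

$status    = Get-MpComputerStatus
$installed = [version]$status.AntivirusSignatureVersion
"Security intelligence version: $installed (last updated $($status.AntivirusSignatureLastUpdated))"

# Only builds from the bad one up to (but not including) the fix are affected.
if ($installed -ge $BadBuild -and $installed -lt $FixedBuild) {
    Write-Warning "Installed build is in the affected range; updating security intelligence."
    Update-MpSignature
    $installed = [version](Get-MpComputerStatus).AntivirusSignatureVersion
    "Security intelligence version after update: $installed"
}

# Get-MpThreatDetection reports a ThreatID but no name, so map IDs to names
# through Get-MpThreat and keep only detections whose name contains PowEmotet.
$names = @{}
Get-MpThreat | ForEach-Object { $names[$_.ThreatID] = $_.ThreatName }

$hits = Get-MpThreatDetection |
    Where-Object { $names[$_.ThreatID] -like '*PowEmotet*' } |
    Select-Object InitialDetectionTime,
        @{ n = 'ThreatName';  e = { $names[$_.ThreatID] } },
        @{ n = 'Resource';    e = { $_.Resources -join '; ' } },
        ProcessName, ActionSuccess

if (-not $hits) {
    "No PowEmotet detections recorded on this host."
}
else {
    "PowEmotet detections on this host:"
    $hits | Sort-Object InitialDetectionTime -Descending | Format-Table -AutoSize

    # Once the fixed build is installed, a quick scan shows whether any of the
    # flagged files still trigger. Files that no longer detect were caught by the
    # faulty build and can be restored from quarantine with
    #   MpCmdRun.exe -Restore -ListAll   (list)  /  -Restore -Name <ThreatName>
    # Restoring is left as a manual step so nothing is released unreviewed.
    if ((Get-MpComputerStatus).AntivirusSignatureVersion -ge $FixedBuild) {
        "Fixed build present; running a quick scan to confirm the files are clean."
        Start-MpScan -ScanType QuickScan
    }
    else {
        Write-Warning "Still on an affected build; rescan after the update lands before restoring anything."
    }
}
```

The version comparison is the important check: a detection that fired on build 1.353.1874.0 says nothing about the file, while the same file still detecting after the update to 1888 is worth treating as a real Emotet hit.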

Brendan Smith
IT Security Expert
It is better to prevent than to repair and repent!
When it comes to unfamiliar programs interfering with your computer, the proverb "Forewarned is forearmed" describes the situation exactly. Gridinsoft Anti-Malware is the tool that is always worth having in your armory: fast, efficient, up to date. It is appropriate to use it as emergency help at the slightest suspicion of infection.


About the author

Brendan Smith

Cybersecurity analyst covering malware families, suspicious files, and detection alerts. Brendan focuses on clear explanations of what a warning means, when it may be a false positive, and which cleanup steps are appropriate.
