Windows Defender Behavior Win32 Hive.ZY

A Microsoft official has confirmed widespread reports of Google Chrome, Chromium-based Edge, Discord and several other apps being flagged as “Behavior:Win32/Hive.ZY” by Microsoft’s built-in antivirus, Windows Defender. In a statement, the company confirmed that it is working on a fix that will roll out to everyone in the next few hours.

So what exactly is “Behavior:Win32/Hive.ZY”? According to the entry on Microsoft’s security portal, “Behavior:Win32/Hive.ZY” is a generic detection for suspicious behaviour, designed to catch potentially malicious files, particularly files that were downloaded or received through email. Because it keys on behaviour rather than on a file signature, a legitimate program that happens to exhibit the watched-for behaviour can trip it, which is what appears to have happened here.

The detection appears to have been introduced with security intelligence (definition) update version 1.373.1508.0. Apps can be flagged by the following products:

  • Microsoft Defender Antivirus for Windows 10, Windows 11 and Windows 8.1, or Microsoft Security Essentials for Windows 7 and Windows Vista.
  • Microsoft Safety Scanner.


We’ve received confirmation from Microsoft that this is a false positive, but it is another headache for companies like Google and Discord, whose customers are apparently reaching out to their support teams about it.


Reports seen by us show that affected users are presented with the alert automatically during Defender’s regular scans, without having opened or downloaded anything unusual.

“Docker Desktop downloaded from their site or installed via WinGet is reporting ‘Behavior:Win32/Hive.ZY’ as of this morning’s security update. This prevents Docker Desktop from being upgraded via WinGet or the internal application update option, and results in many, many, many spurious warnings,” one of the affected users noted.

In our tests, Windows Defender on both Windows 10 and Windows 11 flagged Chromium-based browsers and other apps such as Discord as “Behavior:Win32/Hive.ZY”. If you’re affected, you can reliably reproduce the alert by killing all processes of Edge, Chrome or whichever app triggers it and then launching the app again.

If the app simply keeps running in the background, the alert will eventually pop up again on its own.

“The alert comes up when opening a new page in Chrome, but not all of them. Even for microsoft.com when I click Learn more under protection history. Started happening today, probably after a Windows Defender update. The culprit is always one of the PIDs of Chrome,” another user noted.

Microsoft releases fix for Behavior:Win32/Hive.ZY

There’s not much an end user can do about a Windows Defender false positive, as it can only be corrected by Microsoft shipping an updated security intelligence (definition) package. Thankfully, Microsoft officials told us that they have already investigated the issue and a fix has been published.

The fix is rolling out with security intelligence update version 1.373.1537.0. To pull it in and stop the Behavior:Win32/Hive.ZY alerts, follow these steps:

  1. Search for ‘Windows Security’ in Windows Search and open it.
  2. Navigate to Virus & threat protection and, under Virus & threat protection updates, open Protection updates.
  3. Click Check for updates and confirm that the security intelligence version shown is 1.373.1537.0 or later.
  4. Reboot.
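The same check-and-update procedure can be driven from an elevated PowerShell prompt with the Defender module that ships with Windows 10 and 11. The script below is an added example written for this article, not code from the original page or from Microsoft; the version number is the one reported above, and the `'*Hive.ZY*'` name filter is an assumption about how the detection is labelled in Protection history. It also answers the question in the user reports above about which process tripped the alert, by joining Defender’s detection records to the threat name.

```powershell
# Added example: verify the security intelligence version, pull the fixed
# package if needed, and list which processes were flagged as Hive.ZY.
# Run from an elevated PowerShell on Windows 10/11 (built-in Defender module).

# Version the article reports as carrying the fix.
# Assumption: any later version also includes it.
$FixedVersion = [version]'1.373.1537.0'

function Get-SigVersion {
    # AntivirusSignatureVersion is the security intelligence (definition)
    # package version, which is what the fix changes; AMEngineVersion is the
    # scanning engine and is not the number to compare against.
    [version](Get-MpComputerStatus).AntivirusSignatureVersion
}

$status  = Get-MpComputerStatus
$current = Get-SigVersion
"Security intelligence $current (engine $($status.AMEngineVersion), last updated $($status.AntivirusSignatureLastUpdated))"

if ($current -lt $FixedVersion) {
    "Older than $FixedVersion; requesting an update from Microsoft Update..."
    # Command-line equivalent of Windows Security > Virus & threat protection
    # > Protection updates > Check for updates.
    Update-MpSignature -UpdateSource MicrosoftUpdateServer
    $current = Get-SigVersion
}

if ($current -ge $FixedVersion) {
    "Security intelligence $current is at or past the fixed version."
} else {
    Write-Warning "Still on $current; install the package manually and re-run this check."
}

# Which processes were flagged? Get-MpThreat carries the threat name,
# Get-MpThreatDetection carries the per-event process and file paths;
# they are joined on ThreatID.
# Assumption: the name in Protection history contains 'Hive.ZY'.
$threats = Get-MpThreat | Where-Object ThreatName -like '*Hive.ZY*'
foreach ($t in $threats) {
    Get-MpThreatDetection |
        Where-Object ThreatID -eq $t.ThreatID |
        Select-Object InitialDetectionTime, ProcessName,
            @{ n = 'Threat';    e = { $t.ThreatName } },
            @{ n = 'Resources'; e = { $_.Resources -join '; ' } }
}
```

Entries listed by the last step are historical: they remain in Protection history after the corrected package is installed, so the useful signal is whether new detections stop appearing once the version check passes, not whether the old ones disappear.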

If you do not see the update when you check for updates, you can also manually download the fix from the given links:

This is the third such incident involving Windows Defender this year. Earlier in the year, some Google Chrome updates were flagged as potentially harmful by Microsoft, and a similar incident was reported in March when the company flagged its own Office updates as ransomware threats.

There were similar incidents in 2021 as well. In one case, Defender blocked Office apps and updates after mistaking them for Emotet malware.

Update: The article has been updated with Microsoft’s statement and details on the emergency patch.