Hello WithSecure Support,
We are facing a widespread false positive issue on multiple Windows endpoints in our organization, caused by DeepGuard's behavioral detection engine.
The component being blocked is the official Microsoft Office updater:
- File name: OfficeClickToRun.exe
- Version: 16.0.18827.20164
- SHA1 hash: 1138d69cdcc42f8305f695d7d40e820502d886a2ca773cb2773cb2d138dd5fdd
- Path: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\16.0.18827.20164\OfficeClickToRun.exe
- Digital signature: Valid, signed by Microsoft Corporation
The DeepGuard verdict being triggered is:
Deep_guard.modifying_another_process.block
This alert repeats every 30–60 minutes on several machines (currently confirmed on at least 5 distinct hosts), despite the file being legitimate, unmodified, and correctly signed by Microsoft.
We have verified:
- No tampering of the file
- No polymorphism (hash is stable across all machines)
- No malicious behavior or lateral movement
- The activity matches expected behavior of Office ClickToRun update processes
We consider this to be a false positive based on heuristic detection, likely triggered by memory injection patterns during Office updates.
Could you please:
- Confirm that this SHA1 and behavior are safe and known to you
- Remove or adjust the behavioral signature if confirmed as benign
- Provide guidance if any exclusion is required on our side while awaiting a permanent fix
Please let us know if you require:
- The full binary for analysis
- Additional log samples from affected machines
- Exported detection events from our Elements EPP portal
This behavior started on June 17, 2025, and is affecting both laptops and desktops in our managed environment.
Thank you in advance for your assistance.
Best regards,
David
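The check an administrator would want to run on an affected endpoint before requesting a vendor exclusion, as an added example that is not part of the ticket above: compute the file's digest and verify its Authenticode signature, then compare the result with what the ticket states. The path and digest are the ones quoted in the ticket; the digest is 64 hex characters, which is the length of a SHA-256 value (SHA-1 is 40), so the script computes both algorithms and matches against either. The function name and the host names in the usage comment are placeholders.

```powershell
# Added example, not from the ticket: verify the Office Click-to-Run updater
# binary (hash, version, Authenticode signature) on one or more endpoints.
function Test-OfficeUpdaterBinary {
    param(
        # Path and digest as quoted in the support ticket
        [string]$Path = 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\16.0.18827.20164\OfficeClickToRun.exe',
        [string]$ExpectedHash = '1138d69cdcc42f8305f695d7d40e820502d886a2ca773cb2773cb2d138dd5fdd'
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "File not found: $Path"
    }

    # 64 hex characters is SHA-256 length; 40 is SHA-1. Compute both so the
    # comparison works whichever algorithm the quoted digest actually came from.
    $sha1   = (Get-FileHash -LiteralPath $Path -Algorithm SHA1).Hash
    $sha256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    # Authenticode check: Status must be 'Valid' and the leaf certificate
    # subject should name Microsoft Corporation for a genuine Office binary.
    $sig    = Get-AuthenticodeSignature -LiteralPath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    $ver    = (Get-Item -LiteralPath $Path).VersionInfo

    # -eq on strings is case-insensitive in PowerShell, so hex case does not matter.
    [pscustomobject]@{
        Path          = $Path
        FileVersion   = $ver.FileVersion
        SHA1          = $sha1
        SHA256        = $sha256
        MatchesTicket = ($sha1 -eq $ExpectedHash) -or ($sha256 -eq $ExpectedHash)
        SigStatus     = $sig.Status
        Signer        = $signer
        IsMicrosoft   = ($sig.Status -eq 'Valid') -and ($signer -like '*CN=Microsoft Corporation*')
    }
}

# Single endpoint:
Test-OfficeUpdaterBinary | Format-List

# Across several affected endpoints (HOST01, HOST02 are placeholder names), to
# confirm the digest really is identical on every machine before claiming
# "hash is stable across all machines" in a vendor report:
# Invoke-Command -ComputerName HOST01, HOST02 -ScriptBlock ${function:Test-OfficeUpdaterBinary} |
#     Format-Table PSComputerName, FileVersion, SHA256, SigStatus, IsMicrosoft
```

If `MatchesTicket` is false on every host while `IsMicrosoft` is true, the quoted digest was most likely taken with a different algorithm than labelled, and the corrected SHA-1 and SHA-256 pair from this output is what should go into the exclusion request; if `SigStatus` is anything other than `Valid` on any host, that host should be treated as a genuine detection rather than a false positive until the discrepancy is explained.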