[Update: Fix is live] Windows Defender reports false positive threat “Behavior:Win32/Hive.ZY”; there is nothing to worry about

  • Windows Defender alerts users to “threat detected” for “Behavior:Win32/Hive.ZY”
  • The issue is related to a recent listing in Microsoft’s Defender update file, which misdetects
  • The trigger appears to be related to Defender detecting “electron or chromium-based apps as malware”
  • Microsoft should patch/update Microsoft Defender to resolve the issue

Update #1 (1:50 p.m. ET): According to the Microsoft support forums, the Defender team has indicated that they are investigating this issue and will release a fix for it soon.

Update #2: (7:50 p.m. ET): According to the Microsoft support forums, “Indications from a Microsoft agent indicate that a patch has been released (version: 1.373.1537.0)”

In Windows 10/11, select Check for updates in the Windows Security Virus & threat protection screen to check for the latest updates.

Offline installers are available from these links:

64 bit downloads

https://go.microsoft.com/fwlink/?LinkID=121721&arch=x64 (opens in a new tab)

32 bit download:

https://go.microsoft.com/fwlink/?LinkID=121721&arch=x86 (opens in a new tab)


This morning, a listing in Microsoft Defender’s database (or even Windows Update) is wreaking havoc on people’s Windows PCs.

The people on Reddit are “freaked out” not only by a threat reported by Microsoft Defender, but also by a threat that continues to appear and recur despite the suspected threat being blocked.

The threat is revealed in a pop-up message noting that “Behavior: Win32/Hive.ZY” has been detected and is listed as “serious”. However, after taking steps to correct the problem, it does not go away and the user will continue to receive the same prompt. The reminder may return after 20 seconds, the cycle will constantly repeating.

We encountered the problem on a PC; see screenshots below.

The actual threat is only noted as “This generic Suspicious Behavior Detection is designed to detect potentially malicious files”.

The good news is that your computer, if you are experiencing this problem, is not infected with any viruses or malware. This detection appears to be a false positive, according to a Microsoft support forum (opens in a new tab)where a listing in Microsoft Defender’s database incorrectly flags an activity as dangerous.

From DaveM121, an Independent Advisor:

“This appears to be a false positive, this is a bug being reported by hundreds of people right now, it appears to be related to all Chromium based web browsers and Electron based apps like Whatsapp, Discord, Spotify.. . etc. .”

“This is an evolving situation with no official word from Microsoft at this time, but appears to be caused by the security advisory update for Microsoft Defender Antivirus – KB2267602 (version 1.373.1508.0)”

The common thread among users experiencing this issue is using “Electron or Chromium-based apps” including Google Chrome, Microsoft Edge, and anything that runs Visual Studio Code.

The problem seems to come from Defender Definition/Update Version 1.373.1508.0which means that Microsoft needs to update this file and the problem should be fixed.

So far, Microsoft has not publicly commented on the issue as it is a US holiday weekend. There could be an extended delay in rolling out the update to millions of potentially affected computers.

We will update this article accordingly if there are new solutions or comments from Microsoft.

Comments are closed.