Microsoft Defender Incorrectly Flags SQL Server as Outdated

Microsoft Defender Flagging Your SQL Server? Here’s What’s Happening

Have you recently seen a startling security alert from Microsoft Defender for Endpoint claiming your fully-patched SQL Server is running an outdated, vulnerable version? If so, take a deep breath—you are not alone, and your server is likely not at risk.

A recent issue has caused Microsoft Defender to generate a wave of false positive alerts, specifically targeting the core SQL Server executable, sqlservr.exe. Security administrators and IT teams are reporting widespread alerts that, upon investigation, are proving to be incorrect. This can cause unnecessary alarm and waste valuable time chasing down a non-existent threat.

Here’s a breakdown of what’s happening, why it’s occurring, and what you should do about it.

Understanding the False Positive: Version Numbers vs. Patches

The heart of the problem lies in how SQL Server updates are versioned versus how Defender is performing its check.

When Microsoft releases a security patch for SQL Server, known as a General Distribution Release (GDR), it updates the necessary components to protect the system. However, the version number of the main sqlservr.exe file itself does not always change with every single security update.

Microsoft Defender for Endpoint appears to be checking the version number of the sqlservr.exe file directly, rather than cross-referencing the installed GDR patch. As a result, even if your server has the latest security update installed, Defender may see the older file version number and incorrectly flag it as outdated and vulnerable.

The Real-World Impact of False Alarms

This constant stream of incorrect alerts can lead to “alert fatigue,” a significant problem for security teams. When security tools generate too many false positives, there’s a risk that real, actionable threats could be overlooked amidst the noise. It also consumes critical resources as administrators spend time verifying patch levels on servers that are, in fact, secure.

Which SQL Server Versions Are Affected?

This issue has been reported across multiple versions of SQL Server. If you are running any of the following, you may encounter these false positive alerts:

  • SQL Server 2019
  • SQL Server 2017
  • SQL Server 2016
  • SQL Server 2014
  • SQL Server 2012

Microsoft has acknowledged the issue and is actively working on a resolution to correct the detection logic within Defender for Endpoint.

Your Action Plan: How to Respond to the Alert

If you receive one of these vulnerability alerts, don’t panic. Follow these steps to verify your system’s security and manage the situation until a permanent fix is rolled out.

1. First, Verify Your Actual Patch Level
Before taking any other action, confirm that your SQL Server instance is truly up to date. The most reliable way to do this is to run a simple T-SQL query.

Connect to your SQL Server instance using SQL Server Management Studio (SSMS) or Azure Data Studio and run the following command:

SELECT @@VERSION;

This query will return the precise version, build number, and cumulative update (CU) or GDR patch level installed on your server. Cross-reference this output with Microsoft’s official SQL Server build number documentation to confirm you are running a supported and fully patched version.

2. Manage the Alert Within Defender
Once you have confirmed your server is secure, you can manage the false positive within the Microsoft 365 Defender portal. You may consider creating a suppression rule for the specific alert related to sqlservr.exe. This should be done with caution and only after you have confirmed that your systems are patched, as you don’t want to accidentally suppress a legitimate future threat.

3. Monitor for an Official Fix
Since this is a known issue, a permanent fix from Microsoft is expected. Keep an eye on official Microsoft channels and the Microsoft 365 admin center for service health notifications regarding this specific problem. Once the detection logic is fixed, the false positive alerts should cease automatically.
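The verification in step 1 can be scripted so that triage of these alerts is repeatable. The following is an added example, not code from the article or from Microsoft: it parses the build out of the text that SELECT @@VERSION returns, compares builds numerically, and classifies an alert by checking the instance-reported build (which reflects installed GDR/CU patches) against the sqlservr.exe file version the alert cites. It assumes that file versions arrive in the year.major-minor form the executable carries (2019.150.x.y), and every build and KB number in it is a constructed placeholder; the real minimum fixed build comes from Microsoft's build documentation.

```python
# Added triage helper (not from the article): parse the build out of
# SELECT @@VERSION text and compare it with the sqlservr.exe file version
# an alert cites. All sample values below are constructed.
import re
from typing import Tuple

Build = Tuple[int, int, int, int]

# First "a.b.c.d" in @@VERSION output or in a bare version string.
_BUILD_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")

def parse_build(text: str) -> Build:
    """Extract a 4-part build and normalise it to product-version form."""
    m = _BUILD_RE.search(text)
    if not m:
        raise ValueError(f"no build number found in: {text!r}")
    a, b, c, d = (int(p) for p in m.groups())
    # Assumption: file versions arrive as sqlservr.exe carries them,
    # year.majorminor.build.rev (2019.150.x.y), so map 150 -> 15.0.
    if a >= 2000 and b >= 100:
        a, b = divmod(b, 10)
    return (a, b, c, d)

def meets_minimum(build: Build, minimum: Build) -> bool:
    """Tuple comparison; comparing strings ranks 15.0.999.1 above
    15.0.4312.2 and gives exactly the wrong answer."""
    return build >= minimum

def triage_alert(version_output: str, file_version: str, minimum_fixed: str) -> str:
    """Classify the alert from @@VERSION text, the flagged file version and
    the lowest fixed build taken from Microsoft's build documentation."""
    instance_build = parse_build(version_output)
    exe_build = parse_build(file_version)
    minimum = parse_build(minimum_fixed)
    if not meets_minimum(instance_build, minimum):
        return "patch missing: instance build is below the fixed build"
    if not meets_minimum(exe_build, minimum):
        return "likely false positive: instance patched, file version lags"
    return "patched: instance and file version both meet the minimum"

# Constructed sample in the shape @@VERSION produces; not a real build or KB.
SAMPLE_VERSION_OUTPUT = (
    "Microsoft SQL Server 2019 (RTM-GDR) (KB0000000) - 15.0.2105.0 (X64) \n"
    "\tJan  1 2024 00:00:00 \n\tCopyright (C) 2019 Microsoft Corporation"
)

if __name__ == "__main__":
    print(triage_alert(SAMPLE_VERSION_OUTPUT, "2019.150.2000.5", "15.0.2100.0"))
```

A result of "likely false positive" matches the situation the article describes: the instance reports a build at or above the fix while the executable's file version still reads older.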

In summary, while the alerts from Microsoft Defender are concerning, they are currently linked to flawed detection logic. The key takeaway is to always verify before acting. By confirming your server’s true patch level, you can confidently manage these false positives and ensure your security team focuses on genuine threats.

Source: https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-mistakenly-flags-sql-server-as-end-of-life/
