[Update: Fix is live] Windows Defender is reporting a false-positive threat 'Behavior:Win32/Hive.ZY'; it's nothing to be worried about

Microsoft Defender
(Image credit: Daniel Rubino)
  • Windows Defender is alerting people of a "threat detected" for "Behavior:Win32/Hive.ZY"
  • The issue is tied to a recent listing in Microsoft's Defender update file, which is making a wrong detection
  • The trigger seems tied to Defender detecting "Electron-based or Chromium-based applications as malware"
  • Microsoft is expected to patch/update Microsoft Defender to alleviate the issue

Update #1 (1:50 PM ET): According to the Microsoft support forums, the Defender Team indicated they are investigating this and will hopefully release a patch for this soon.

Update #2: (7:50 PM ET): According to Microsoft support forums, "indications from a Microsoft Agent is a fix has been released (Version: 1.373.1537.0)"

In Windows 10/11, select Check for updates in the Windows Security Virus & threat protection screen to check for the latest updates.

Offline installers are available from these links:

64bit downloads


32bit Download:


This morning, a listing in Microsoft Defender's database (or even Windows Update) is causing havoc on people's Windows PCs. 

People on Reddit are "freaking out" over not just a reported threat from Microsoft Defender but one that keeps popping up and recurring despite the alleged threat being blocked.

The threat is revealed in a pop-up message noting that "Behavior:Win32/Hive.ZY" has been detected and is listed as "severe." However, after taking action to rectify the issue, it does not go away, and the user will keep receiving the same prompt. The reminder may return after 20 seconds, with the cycle repeating endlessly.

We experienced the issue on one PC; see the screenshots below.

The actual threat is only noted as "This generic detection for suspicious behaviors is designed to catch potentially malicious files."

The good news is that your computer, should you be experiencing this problem, is not infected with any virus or malware. This detection appears to be a false positive, according to a Microsoft Support forum, where a listing in Microsoft Defender's database incorrectly reports activity as dangerous. 

From DaveM121, an Independent Advisor:

"This does seem to be a false positive, it is a bug currently being reported by hundreds of people at the moment, it seems to be related to all Chromium based web browsers and Electron based apps like Whatsapp, Discord, Spotify...etc."

"This is an evolving situation with no official word from Microsoft yet, but seems to be caused by Security Intelligence Update for Microsoft Defender Antivirus - KB2267602 (Version 1.373.1508.0)"

The common thread among users experiencing this problem is the usage of "Electron-based or Chromium-based applications," including Google Chrome, Microsoft Edge, and anything that runs Visual Studio Code.

The problem seems to originate from Defender's Definition/Update Version 1.373.1508.0, meaning Microsoft needs to update that file, and the issue should be resolved.

So far, Microsoft has not publicly commented on the problem as it is a holiday weekend in the United States. There could be an extended delay in getting the update pushed out to millions of likely affected computers.

We'll update this article accordingly if there are any new solutions or comments from Microsoft.

Daniel Rubino

Daniel Rubino is the Editor-in-chief of Windows Central. He is also the head reviewer, podcast co-host, and analyst. He has been covering Microsoft since 2007, when this site was called WMExperts (and later Windows Phone Central). His interests include Windows, laptops, next-gen computing, and watches. He has been reviewing laptops since 2015 and is particularly fond of 2-in-1 convertibles, ARM processors, new form factors, and thin-and-light PCs. Before all this tech stuff, he worked on a Ph.D. in linguistics, watched people sleep (for medical purposes!), and ran the projectors at movie theaters because it was fun.