Microsoft Defender Mistakenly Flags a Plain Text File as Malicious Due to a Suspected Prank
On the social media platform X, user @rari_teh reported that Microsoft's antivirus software, Microsoft Defender, mistakenly flagged a plain text file as malicious. The content of the text file was simply: "This content is no longer available."
Over the past few years, Microsoft Defender has had numerous false positive issues, including mistakenly blocking installations of Chrome, Firefox, and even its own Edge, intercepting Office updates, and flagging some legitimate websites as threats.
However, flagging a plain text file as malicious is a new occurrence. After all, a single sentence of text hardly constitutes a virus. Microsoft Defender identified the threat as the Casdet Trojan, classified as Trojan:Win32/Casdet!rfn.
This incident has been discussed on other platforms as well. Initially, some users speculated that the SHA256 hash of the text file collided with an entry in the virus definitions database, with the beginning and ending values of the file's SHA256 hash coincidentally matching those of a known virus sample's hash.
This theory was quickly abandoned when it was discovered that the file had been uploaded as a virus sample to a database, presumably also used by Microsoft.
A plain text file being uploaded as a virus sample could either be a prank or some form of testing by the uploader. The specifics remain unclear as the relevant discussion threads have been deleted.
To replicate this, one can create a new plain text document with the content quoted above and save it in the default ANSI encoding format, which should trigger Microsoft Defender's detection. It's uncertain whether Microsoft has updated its virus database since.
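The replication note and the earlier hash discussion both depend on the exact bytes on disk, so the following added example (not from the article or from Microsoft) shows which save options produce byte-identical files for the quoted sentence. It assumes the detection keys on the file's exact bytes, which the article does not confirm, and that "ANSI" means Windows-1252; the function names are illustrative.

```python
import hashlib

# The sentence quoted in the article; the rest of this example is constructed.
TEXT = "This content is no longer available."

# A subset of the encodings a Windows text editor offers when saving.
# Assumption: "ANSI" is Windows-1252, as on Western-locale systems.
ENCODERS = {
    "ANSI (cp1252)": lambda s: s.encode("cp1252"),
    "UTF-8": lambda s: s.encode("utf-8"),
    "UTF-8 with BOM": lambda s: s.encode("utf-8-sig"),
    "UTF-16 LE with BOM": lambda s: b"\xff\xfe" + s.encode("utf-16-le"),
}
LINE_ENDINGS = {"no trailing newline": "", "trailing CRLF": "\r\n"}


def variants(text):
    """Map each save option to the exact bytes it would write to disk."""
    return {
        f"{enc}, {eol}": encoder(text + tail)
        for enc, encoder in ENCODERS.items()
        for eol, tail in LINE_ENDINGS.items()
    }


def digest_groups(text):
    """Group save options by SHA-256 digest.

    Options that land in the same group are the same file as far as an
    exact-hash lookup in a sample database is concerned.
    """
    groups = {}
    for label, data in variants(text).items():
        groups.setdefault(hashlib.sha256(data).hexdigest(), []).append(label)
    return groups


if __name__ == "__main__":
    for digest, labels in digest_groups(TEXT).items():
        print(digest, " | ".join(labels))
```

Because the sentence is pure ASCII, the ANSI and BOM-less UTF-8 saves are the same file, while a BOM, UTF-16, or a trailing line break each yields a different hash. This is worth checking when a reproduction attempt does not trigger the same detection.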