Everything posted by Casey

  1. @djacobson thank you for the response. I had read about the vulnerability but wanted to confirm that was the case. For this specific situation, the user works in a news department and has to view/open/insert pictures into various types of documents and websites. It is a necessary function for this user, so what would you recommend for next steps?
  2. I've been seeing exploit notifications at least once a day from the same machine over and over. We have scanned the machine and nothing has come up. We deleted Word/Excel documents that were reportedly causing problems, and we re-installed Office (2016/2013 32-bit) on the machine. Is this a legit threat or do we need to add an exclusion?

     Quoted from Server Notification:

     "6/6/2017 8:22:04 AM XXXXXXX Exploit payload process blocked BLOCK C:\Program Files\Common Files\Microsoft Shared\OFFICE16\FLTLDR.EXE C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\PNG32.FLT XXXXX OUTLOOK.EXE C:\Program Files\Microsoft Office\Office16\OUTLOOK.EXE Attacked application: C:\Program Files\Microsoft Office\Office16\OUTLOOK.EXE; Parent process name: explorer.exe; Layer: Application Behavior Protection; API ID: 207; Address: ; Module: ; AddressType: ; StackTop: ; StackBottom: ; StackPointer: ; Extra: "

     Certain info has been removed for obvious reasons. I have also attached a zip file of the AE folder and logs.

     Malwarebytes Anti-Exploit.zip
  3. I have a GPO that I created which is almost exactly like the one described on this site: http://www.technig.com/enable-network-discovery-via-group-policy/. Didn't take very long to set up. File and Printer sharing GPO info can be found here: https://technet.microsoft.com/en-us/library/cc754359(v=ws.10).aspx
  4. Are you talking about pushing the installer with a GPO, or a GPO to allow for installs pushed over the network?