Everything posted by GregSevior

  1. Hi. As suggested, I went to the page. Searched for Office on the entire page, not just the last update notes. 1 hit for Office and it had nothing to do with this topic? If you have posted a response, fix for this issue, can you paste the URL to that page please. Cheers
  2. It's been over 2 weeks since you proposed a temporary fix. Any idea on how long until there is a permanent correction?
  3. Hi. Okay, perhaps you did not read all of the question I asked. There is likely no need for further logs. What is occurring is very clear by stepping through the code and seeing at what point MWB interjects. It is explained above. The 'Issue' that I am seeking clarity on is as follows:

     1. In the VBA / VBE code of any Office product, making a call to create a WScript.Shell object (i.e. createobject WScript.Shell) causes MWB to identify that transaction as an exploit (regardless of the reason for creating the WScript object). When this occurs an Exploit message is displayed to the user, and the Office product (i.e. Access, Outlook, PowerPoint, etc.) is instantly terminated (not correctly shut down).
     2. Your recommended solution for this is that users disable 'Office VBE abuse protection' so it does not occur?

     Question:

     1. Is the shutting down of Office products that employ code to create a WScript.Shell object the intended and expected behaviour of MWB?
     2. Is it your solution that users of Office products, because of this behaviour, should disable 'Office VBE abuse protection' and thereby open themselves up to any number of other exploits?

     This does not sound like a sane or logical solution to an issue which should not be occurring in the first place. Can you please confirm that MWB, in this case, is acting as intended, and your solution is to disable protection for any VBE abuse to resolve it? Cheers
  4. Hi. The attached file is a false positive. I am a developer; the file is simply a CScript (converted to an exe) which copies a file from the network to the local PC and then runs the database. Report below.

     Malwarebytes
     www.malwarebytes.com

     -Log Details-
     Scan Date: 17/09/2021
     Scan Time: 07:14
     Log File: 1ee5caa8-1733-11ec-b80e-00155d3708d9.json

     -Software Information-
     Version: 4.4.6.132
     Components Version: 1.0.1453
     Update Package Version: 1.0.45000
     Licence: Premium

     -System Information-
     OS: Windows 10 (Build 19042.1237)
     CPU: x64
     File System: NTFS
     User: System

     -Scan Summary-
     Scan Type: Threat Scan
     Scan Initiated By: Scheduler
     Result: Completed
     Objects Scanned: 316878
     Threats Detected: 1
     Threats Quarantined: 0
     Time Elapsed: 4 min, 14 sec

     -Scan Options-
     Memory: Enabled
     Startup: Enabled
     Filesystem: Enabled
     Archives: Enabled
     Rootkits: Disabled
     Heuristics: Enabled
     PUP: Detect
     PUM: Detect

     -Scan Details-
     Process: 0 (No malicious items detected)
     Module: 0 (No malicious items detected)
     Registry Key: 0 (No malicious items detected)
     Registry Value: 0 (No malicious items detected)
     Registry Data: 0 (No malicious items detected)
     Data Stream: 0 (No malicious items detected)
     Folder: 0 (No malicious items detected)
     File: 1
     Malware.AI.4283971039, C:\USERS\GSEVI\DESKTOP\SCRIPTCONV\INSTALL ENTITYDB.EXE, No Action By User, 1000000, 0, 1.0.45000, 614A6B88B7B90016FF5835DF, dds, 01425064, EF3B431F4DE76D0E4045903160306B80, C4EFC1AA1E6A498D9869E9995546557E59C47598F64099A6E5168BD2E5DE920A
     Physical Sector: 0 (No malicious items detected)
     WMI: 0 (No malicious items detected)

     (end)

     Install EntityDB.zip
  5. Hi again. Apologies, I spoke too soon. The behaviour still occurs when the software is operated in a folder which is not a designated Office Trusted Folder location. Obviously this will never be the case for newly installed software. Can you confirm this is the intended behaviour of MWB, and will continue going forward? Cheers, Greg Sevior
  6. Hi. On further investigating today, I find that MWB is no longer detecting calls in VBA/VBE to create a Wscript.Shell object (i.e. 'CreateObject("wscript.shell")') as an Exploit (and terminating the software), even when the 'Office VBE abuse preventions' switch is active (on). I assume this is due to some change or update at your end. Can you please confirm? Cheers, Greg Sevior
  7. Hi. Unchecking the "Office VBE7 abuse prevention" option under Application behavior protection has resolved the immediate problem, but what a headache. We have literally 1000s of users out there which contain this script, as it checks their License key in the registry. This last update will now prevent any of them (using Malwarebytes) from opening and running the software. Obviously this will be a support nightmare for a while. Have you any objection to me using the images you posted in a FAQ I can point them to, to let them know how to resolve the issue, whilst we work through a solution to the script call? Cheers
  8. Hi. I am an Access database developer. As of the update yesterday, my databases (1000s of them out there in the wild) are being detected as exploits. The detection appears to be on a call to create an object, 'CreateObject("wscript.shell")'. MWB throws up an exploit message and terminates (crashes) the database and the Access program. The report from MWB is below. After reading your forum I note you have an advanced setting for VB Script libraries, which I have had disabled for some time, but none for the WScript library that I can find. I can resolve it on my development machine by disabling MWB and/or turning off protection for MS Access in advanced settings. I don't consider either of these options as alternatives for my clients using our databases locally. What alternative solutions are there? Cheers

     Malwarebytes
     www.malwarebytes.com

     -Log Details-
     Protection Event Date: 14/09/2021
     Protection Event Time: 13:19
     Log File: 8eef8968-150a-11ec-84c9-00155d5d833c.json

     -Software Information-
     Version: 4.4.6.132
     Components Version: 1.0.1453
     Update Package Version: 1.0.44954
     Licence: Premium

     -System Information-
     OS: Windows 10 (Build 19042.1165)
     CPU: x64
     File System: NTFS
     User: System

     -Exploit Details-
     File: 0 (No malicious items detected)
     Exploit: 1
     Malware.Exploit.Agent.Generic, C:\Users\gsevi\Documents\wscript.shell, Blocked, 0, 392684, 0.0.0, ,

     -Exploit Data-
     Affected Application: Microsoft Access
     Protection Layer: Application Behavior Protection
     Protection Technique: Exploit Office VBE7 object abuse blocked
     File Name: C:\Users\gsevi\Documents\wscript.shell
     URL:

     (end)