AR_RCG

Unable to add to Anti-Exploit Exclusion List


We have two users that need to use an Excel Add-in that triggers the Threat:  "Exploit code executing from Heap memory blocked".

 

From the management console, I found the log, right clicked and selected "add to Anti-Exploit Exclusion List"

 

This gives me the error: "Selected threat does not contain a valid payload checksum, it cannot be added into exclusion list."

 

Is there another way to add this as an exclusion?  

 

I disabled the excel shield for now - which is not a good long term solution to say the least.

 

console version: 1.5.0.2701


Welcome to the forum and thanks for posting.

 

I'll send you a Private Message with the MBAE 1.06 build so that you can verify if the issue is fixed with a simple upgrade to the latest version.


I am also having the same issue. We have recently added the enterprise versions of Anti-Exploit and Malwarebytes. I have 3 users that are being blocked by Anti-Exploit. When trying to add an exception I get the message: Select threat does not contain valid payload checksum, it cannot be added into exclusion list.


Welcome to the forum RexReason.

 

This is likely because the detection is with the memory mitigation techniques, which means it gets blocked before the payload enters into the picture.

 

Please send me a ZIP archive with the contents of "C:\ProgramData\Malwarebytes Anti-Exploit" directory and I'll be able to troubleshoot further.

 

If you prefer to send it by email, it's pbustamante at malwarebytes org.


Any solutions for this? This only appeared after loading the latest software on the host, and client update. I can't imagine it would be that hard to make an exclusion list based on file/folder location? Still awaiting response from support on this issue, as I can't update clients until this issue is resolved.

 

Cheers!


Welcome to the forum astarr.

 

The Anti-Exploit exclusions are only for detections of exploit techniques in Layer3 (Application Behavior Protection). If the block happens in any of the other 3 layers which deal with memory based exploit mitigations, there is no file or folder to exclude as the block happens earlier in the chain.

 

If you PM me your MBAE logs I will be able to tell what is going on and how to fix it. Instructions can be found in the "readme first" link in my signature.


Guys, make sure that your Anti-Exploit version is the most up-to-date version 1.07.2.1020. Some of this stuff has been fixed, though I have run into some of the same issues.


I am having the exact same issue. My current workaround is to disable the protection for MS Word and Excel, but I would like to find a way to add the needed exception instead of turning protection off completely. I believe it is somehow related to a UNC call for the MS Word Add-in being used:

"\\(Server Name)\company\wincsi\cabinet\cab_addin_shunt.dll"

But I can't put an exception to this, I just get:

Selected threat does not contain a valid payload checksum, it cannot be added into the exclusion list.


Payload exceptions cannot be done for UNC paths.

There might be another way to work around this. Can you please post the MBAE logs from the affected machine?

 


Hello

I have the same problem. I cannot add the payload URL to the exclusion list. I have the following entries in the log:

Exploit payload URL 28.09.2016 14:33:55 BLOCK  Anti-Exploit Internet Explorer /RadOffice/office/scheduling/middletier/UsersGet.asp?DirectAccess=True 

Exploit code executing from Heap memory blocked 28.09.2016 14:33:55 BLOCK  Anti-Exploit Internet Explorer  

Are there any possibilities to exclude this? I don't want to disable the Anti-Exploit for Internet Explorer at all.

Thanks!

Threats_20160929_01.csv


Hi,

I have the same problem with the Excel for Apps (GL Wand) add-in. Users log into Oracle and then export to Excel from there, or the Add-in creates connections to Oracle or Network Shares so the anti-exploit affects both browser and Excel. When I try to add it as an exception on the MBMC Client list I get "Selected threat does not contain a valid payload checksum". When I go into the Anti-Exploit client and highlight the entry in the log the "Exclude" button is greyed out. The log entry for the alert in question is 

"2016-11-17T09:51:06.814+00:00";"username";"14860";"C:\Program Files\Microsoft Office\Office15\EXCEL.EXE";"5796";"explorer.exe";"2";"502";"104";"0x0ACDC162";"";"0x00020000";"0x00170000";"0x0012D000";"0x00169578";"";"";"";"";""

Thanks,

 


Hello,

We recently started having this same issue with Vivid Reports Excel Add-in blocked as Exploit code executing from Heap memory blocked.  Was there ever a fix or solution for this?

Thank you,


This should have been fixed a while back. Please update your MBAE version to the latest available to verify the fix.

 


Agents are updated from the Malwarebytes management console.  The option to automatically upgrade Anti-Exploit on clients is enabled.

Do I need to enable this someplace else to be sure clients have the latest version?


Upgraded the management console and pushed a new client. Currently on version 1.09.2.1291 of Anti-Exploit, and the Excel add-in continues to be blocked as an exploit.


The latest is 1.10.

Go to the Management Console -> Policies -> Anti-Exploit -> enable the checkbox "automatically upgrade MBAE agents". The agents will then upgrade themselves from the Internet to the latest version.

 

 

 
