Unable to add to Anti-Exploit Exclusion List


We have two users that need to use an Excel Add-in that triggers the Threat:  "Exploit code executing from Heap memory blocked".

 

From the management console, I found the log, right-clicked and selected "add to Anti-Exploit Exclusion List".

 

This gives me the error: "Selected threat does not contain a valid payload checksum, it cannot be added into exclusion list."

 

Is there another way to add this as an exclusion?  

 

I disabled the Excel shield for now, which is not a good long-term solution, to say the least.

 

console version: 1.5.0.2701

  • 1 month later...

I am also having the same issue. We have recently added the enterprise versions of Anti-Exploit and Malwarebytes. I have 3 users that are being blocked by Anti-Exploit. When trying to add an exception I get the message: Select threat does not contain valid payload checksum, it cannot be added into exclusion list.

  • Staff

Welcome to the forum RexReason.

 

This is likely because the detection is with the memory mitigation techniques, which means it gets blocked before the payload enters into the picture.

 

Please send me a ZIP archive with the contents of "C:\ProgramData\Malwarebytes Anti-Exploit" directory and I'll be able to troubleshoot further.

 

If you prefer to send it by email, it's pbustamante at malwarebytes org.

  • 3 months later...

Any solutions for this? This only appeared after loading the latest software on the host, and client update. I can't imagine it would be that hard to make an exclusion list based on file/folder location? Still awaiting response from support on this issue, as I can't update clients until this issue is resolved.

 

Cheers!

  • Staff

Welcome to the forum astarr.

 

The Anti-Exploit exclusions are only for detections of exploit techniques in Layer3 (Application Behavior Protection). If the block happens in any of the other 3 layers which deal with memory-based exploit mitigations, there is no file or folder to exclude as the block happens earlier in the chain.

 

If you PM me your MBAE logs I will be able to tell what is going on and how to fix it. Instructions can be found in the "readme first" link in my signature.

  • 2 weeks later...
  • 4 months later...

I am having the exact same issue. My current workaround is to disable the protection for MS Word and Excel, but I would like to find a way to add the needed exception instead of turning protection off completely. I believe it is somehow related to a UNC call for the MS Word add-in being used:

"\\(Server Name)\company\wincsi\cabinet\cab_addin_shunt.dll"

But I can't put an exception to this, I just get:

Selected threat does not contain a valid payload checksum, it cannot be added into the exclusion list.

  • 5 months later...

Hello

I have the same problem. Cannot add Payload URL to Exclusion List. I have the following entries in the log:

Exploit payload URL 28.09.2016 14:33:55 BLOCK  Anti-Exploit Internet Explorer /RadOffice/office/scheduling/middletier/UsersGet.asp?DirectAccess=True 

Exploit code executing from Heap memory blocked 28.09.2016 14:33:55 BLOCK  Anti-Exploit Internet Explorer  

Any possibilities to exclude this? I don't want to disable the Anti-Exploit for Internet Explorer at all.

Thanks!

Threats_20160929_01.csv

  • 1 month later...

Hi,

I have the same problem with the Excel for Apps (GL Wand) add-in. Users log into Oracle and then export to Excel from there, or the Add-in creates connections to Oracle or Network Shares so the anti-exploit affects both browser and Excel. When I try to add it as an exception on the MBMC Client list I get "Selected threat does not contain a valid payload checksum". When I go into the Anti-Exploit client and highlight the entry in the log the "Exclude" button is greyed out. The log entry for the alert in question is 

"2016-11-17T09:51:06.814+00:00";"username";"14860";"C:\Program Files\Microsoft Office\Office15\EXCEL.EXE";"5796";"explorer.exe";"2";"502";"104";"0x0ACDC162";"";"0x00020000";"0x00170000";"0x0012D000";"0x00169578";"";"";"";"";""

Thanks,

 
