AdamM

Heap memory exploit false positive

After recently deploying MB Endpoint Security, we're seeing a ton of false positives in our logs from MBAE. Every 10 minutes, a log entry is recorded of "Exploit code executing from Heap memory blocked" and another entry containing a payload URL of "/workshare/swupdatercheck".

 

The source appears to be the automatic software update function in Workshare Protect 7 (MS office doc comparison, metadata removal, etc), which is using Internet Explorer to check for a software update.

 

Although the end user is oblivious to the BLOCK, it's making it difficult to decipher real exploits due to the large number of false positives with a deployment of 300+ users.

 

What setting in MBAE can we tweak to avoid this particular detection? There does not seem to be a way to whitelist this function because of how it is being detected.

 

Thanks,

Adam M.


Hello Adam,

 

What version of Anti-Exploit are you running? If it is 1.06 or 1.07, then upgrade to the latest 1.08 as it has a couple of fixes for these problems.

 

Simply go to MBMC -> Policy -> Edit -> Anti-Exploit -> automatically upgrade anti-exploit clients.

 

Feel free to do this on a Policy with a few machines first to verify the fix before applying to all Policies.


MBAE v1.08.2.1045 is what is deployed currently. I believe this is the latest available version.

 

Thanks,

Adam


Go to MBMC -> Policies -> Anti-Exploit -> Advanced settings -> Advanced Memory protection -> uncheck the technique for Browsers and click OK -> OK.

 

Let me know if that solves the problem.
