Word process to PDF

[scoutt]

I have a user that takes a word document and runs a add-in that creates a PDF. While this runs it creates a cmd.exe file on the users network drive and Anti-Exploit comes up and says Exploit payload process blocked. I don't want to exclude cmd.exe especially from a users network drive. How would one exclude a process like this?

[scoutt]

Sorry, i thought i was under Anti-Exploit for business. Can somebody please move this.

[scoutt]

Nobody has any clue on this?

[pbust]

Hi Scoutt.

 

Please attach your MBAE logs. Instructions can be found in the readme first link in my signature.

 

Thanks!

[scoutt]

Here are the logs

RLW-Malwarebytes Anti-Exploit.zip

[pbust]

Thanks for the logs.

 

It seems the process flow is Winword.exe -> javaw.exe -> cmd.exe.

 

Try temporarily disabling the Java shield on one machine to see if it keeps alerting.

[scoutt]

I let the user know what to do and I will let you know what the outcome is.

[scoutt]

Once the client turns off javaw.exe it turns all three. But with it turned off it does work as expected

[pbust]

Thanks for confirming scoutt.

 

Allowing Java unrestricted access to issue system commands is not a good idea from a security perspective. Yet many third-party applications use this insecure approach. If you want to continue using this insecure application to rely on printing to PDF simply keep the Java shield turned off.

 

Alternatively you can use other print-to-PDF products that don't make use of insecure practices. For ex Pdf995 will do the same thing without exposing the user to Java exploits.

[scoutt]

Thanks Pedro,

 

PDF995 won't work in this situation, we have to wait for Oracle to update the software. Appreciate you looking into this.