Not able to add application to Exclusions list

[Polleke]

MBAE Version 1.08.1.1189

OS: Windows 7 64bits

I created a Excel VBA macro. In this macro, I copy a specific file to another location. MBAE will kick in and I can not add this to the exclusions list. No add button and no menu appearing on a mouse right-click.

 

[pbust]

Welcome to the forum!

It depends on how the macro is coded. Feel free to attach or PM me your MBAE logs and I'll be able to tell you what happened and potential workarounds.

 

[Polleke]

The excelsheet totaal.xls consists of a macro which is executing: Shell "c:\windows\system32\cmd.exe /c copy c:\WORK\totaal.htm c:\data\totaal.htm"
The log is stating: totaal.htm blocked from executing thrugh Microsoft Office Excel
Now I can deactivate the shield for excel.exe, but I would prefer that the totaal.xls could be excluded.

Is that possible?

 

[pbust]

Excel (or any other shielded app) executing system commands is a big security hole. This is abused in the wild by malicious exploits. If you want to allow this security risk the only workaround is to disable the Excel shield.

Note: moving to Questions sub-forum.

 

[nick-d]

Hi pbust,

I am having a similar problem, that only starting happening today (I presume as a result of an update).

I cannot add the relevant Excel file to the exclusions list.

Disabling the Excel shield completely seems a bit heavy-handed. Can it not be that we simply exclude the relevant XLS file?

Cheers,

Nick

[Arthi]

Hi nick-d,

Please follow the instructions here to collect the logs. We will need to see the logs to suggest a workaround for you. Thanks.

https://forums.malwarebytes.org/topic/144403-readme-first-posts-here-need-to-include-mbae-logs/

[nick-d]

Hi Arthi,

Thanks for jumping in to help.

I decided to clear the logs, reset the settings to defaults and then run the Excel file again and create the fault log for you to see.

The odd things is that it no longer triggers the error!

Specifically, my VBA code launches explorer.exe and it opens and shows a directory.

This used to work until the day I posted my message (last Sunday), when it started getting caught by MBAM-AE.

 

I can only assume that between then and now, an update has come through that stopped it from happening.

My VBA code is still there and it now runs without triggering a reaction from MBAM-AE.

 

I set everything to defaults under Settings/Advanced settings,   specifically "Application behaviour/VBA7 abuse" (on)

Do you know if any updates were issued since last Sunday?

Cheers,

Nick

 

[Arthi]

We did release a build on Friday (10/28). It has a new feature to protect against VBA abuse. If the block gets triggered again, please do send us the logs following the instructions in the below link. Have a nice day !!

https://forums.malwarebytes.org/topic/144403-readme-first-posts-here-need-to-include-mbae-logs/

[TNGinAK]

All our computers are not able to exclude a new AE block after the update to 1.09.1235, prior to the update we did not have this problem.  By design we are to open a program, used heavily in our office, via the 3rd party's ribbon in Word.  Though listed in the log the exclude button remains greyed out so right now we can only stop protection.  I have cleared the logs and reset the default but this did not resolve like it did with nick-d.  Please find zip directory Malwarebytes Anti-Exploit with all files.  Should note this is a trial version to see if I could replicate the problem which I could, all affected 10 systems are paid versions.

Malwarebytes Anti-Exploit.zip

[Arthi]

Thanks for the logs, TNGinAK. We are looking into it and will get back to you soon.

Edited November 5, 2016 by Arthi

[TNGinAK]

Thanks Arthi - just checking in.  I don't suppose there is a way to rollback a version?  We were not having this problem until the newest update got installed.  Or do you anticipate an update that will resolve the "falsecatch" soon?  Or allow us to add as an exclusion?

Edited November 7, 2016 by TNGinAK

[Arthi]

Hi TNGinAK,

We are looking to fix this as soon as we can. Meanwhile, Can you disable the following setting, and hit Apply and let us know if that worked for you. Thanks.

 

[TNGinAK]

Yes that did allow the program to come up.  Sorry for delayed response the "notify me of replies" I did not get.  Will see if I have to whitelist.  Thanks Arthi.  Is the fixable in the program or will it be?

[Arthi]

Hi TNGinAK,

 

I have shared a link below of our test build post. Can you please try the new 1243 test build and confirm if that enables you to add the exclusion with vba7 setting checked. Thanks.

 

[TNGinAK]

I did install the new build 1.09.1.1254 it now allows me to exclude this item from the log list.  But the file path/process blocked in the blocked exploit attempt window is incorrect.  The path is also wrong in the Exclusions tab.  I added the exe to the Shields list but did not resolve either, so I am having to deselect the VBA7 abuse again in the configurations.  Thx Arthi

[Arthi]

Thanks TNGinAK for your response. Someone from our team will get in touch with you soon to get some logs form you.