Jump to content
Polleke

Not able to add application to Exclusions list

Recommended Posts

MBAE Version 1.08.1.1189

OS: Windows 7 64bits

I created a Excel VBA macro. In this macro, I copy a specific file to another location. MBAE will kick in and I can not add this to the exclusions list. No add button and no menu appearing on a mouse right-click.

 

Share this post


Link to post
Share on other sites

Welcome to the forum!

It depends on how the macro is coded. Feel free to attach or PM me your MBAE logs and I'll be able to tell you what happened and potential workarounds.

 

Share this post


Link to post
Share on other sites

The excelsheet totaal.xls consists of a macro which is executing: Shell "c:\windows\system32\cmd.exe /c copy c:\WORK\totaal.htm c:\data\totaal.htm"
The log is stating: totaal.htm blocked from executing thrugh Microsoft Office Excel
Now I can deactivate the shield for excel.exe, but I would prefer that the totaal.xls could be excluded.

Is that possible?

 

Share this post


Link to post
Share on other sites

Excel (or any other shielded app) executing system commands is a big security hole. This is abused in the wild by malicious exploits. If you want to allow this security risk the only workaround is to disable the Excel shield.

Note: moving to Questions sub-forum.

 

Share this post


Link to post
Share on other sites

Hi pbust,

I am having a similar problem, that only starting happening today (I presume as a result of an update).

I cannot add the relevant Excel file to the exclusions list.

Disabling the Excel shield completely seems a bit heavy-handed. Can it not be that we simply exclude the relevant XLS file?

Cheers,

Nick

Share this post


Link to post
Share on other sites

Hi Arthi,

Thanks for jumping in to help.

I decided to clear the logs, reset the settings to defaults and then run the Excel file again and create the fault log for you to see.

The odd things is that it no longer triggers the error!

Specifically, my VBA code launches explorer.exe and it opens and shows a directory.

This used to work until the day I posted my message (last Sunday), when it started getting caught by MBAM-AE.

 

I can only assume that between then and now, an update has come through that stopped it from happening.

My VBA code is still there and it now runs without triggering a reaction from MBAM-AE.

 

I set everything to defaults under Settings/Advanced settings,   specifically "Application behaviour/VBA7 abuse" (on)

Do you know if any updates were issued since last Sunday?

Cheers,

Nick

 

Share this post


Link to post
Share on other sites

All our computers are not able to exclude a new AE block after the update to 1.09.1235, prior to the update we did not have this problem.  By design we are to open a program, used heavily in our office, via the 3rd party's ribbon in Word.  Though listed in the log the exclude button remains greyed out so right now we can only stop protection.  I have cleared the logs and reset the default but this did not resolve like it did with nick-d.  Please find zip directory Malwarebytes Anti-Exploit with all files.  Should note this is a trial version to see if I could replicate the problem which I could, all affected 10 systems are paid versions.

Malwarebytes Anti-Exploit.zip

Share this post


Link to post
Share on other sites

Thanks for the logs, TNGinAK. We are looking into it and will get back to you soon.

Edited by Arthi

Share this post


Link to post
Share on other sites

Thanks Arthi - just checking in.  I don't suppose there is a way to rollback a version?  We were not having this problem until the newest update got installed.  Or do you anticipate an update that will resolve the "falsecatch" soon?  Or allow us to add as an exclusion?

Edited by TNGinAK

Share this post


Link to post
Share on other sites

Hi TNGinAK,

We are looking to fix this as soon as we can. Meanwhile, Can you disable the following setting, and hit Apply and let us know if that worked for you. Thanks.

 

screenshot.png

Share this post


Link to post
Share on other sites

Yes that did allow the program to come up.  Sorry for delayed response the "notify me of replies" I did not get.  Will see if I have to whitelist.  Thanks Arthi.  Is the fixable in the program or will it be?

Share this post


Link to post
Share on other sites

Hi TNGinAK,

 

I have shared a link below of our test build post. Can you please try the new 1243 test build and confirm if that enables you to add the exclusion with vba7 setting checked. Thanks.

 

Share this post


Link to post
Share on other sites

I did install the new build 1.09.1.1254 it now allows me to exclude this item from the log list.  But the file path/process blocked in the blocked exploit attempt window is incorrect.  The path is also wrong in the Exclusions tab.  I added the exe to the Shields list but did not resolve either, so I am having to deselect the VBA7 abuse again in the configurations.  Thx Arthi

Share this post


Link to post
Share on other sites

Thanks TNGinAK for your response. Someone from our team will get in touch with you soon to get some logs form you. 

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.