Jump to content
mglatfelter

Microsoft Office and Grammarly issues

Recommended Posts

I have been using Grammarly, and spelling and grammar checker in Windows 10, Office products, and email. It works fine. However, lately, Anti-exploit is shutting down my Microsoft Word stating that Grammarly is malware. I need help with this false positive. Thanks.

Error:

Application: Microsoft Office Word

Protection Lawyer: Application Behaviour Protection

Protection Technique: Exploit payload process blocked

File/Process blocked: C:\Users\Dad's Work\AppData\Roaming\Grammarly\Updates\GrammarlyAddInSetup6.5.57.exe C:\Users\Dad's Work\AppData\Roaming\Grammarly\Updates\GrammarlyAddInSetup6.5.57.exe \detectmode

Attacking URL: N/A

Share this post


Link to post
Share on other sites

I have the same problem. Is this really a threat or a false positive. Can I just allow it via the log files? 

Thanks.

Share this post


Link to post
Share on other sites

I contacted Grammarly about this issue. They say the problem is not at their end. MBAE has not yet responded so I assume they are working on the problem.

Share this post


Link to post
Share on other sites

Over the past couple of weeks, I have also come across this issue. Though I am unable to find the cause, I do have a workaround.

You will need to close your Microsoft programs and then download and install GrammarlyAddInSetup.exe program manually from the Grammarly website.

So far the issue has been corrected.  It seems like Malwarebytes Anti-exploit Premium has the problem when the program tries to automatically update.

Share this post


Link to post
Share on other sites

I've got same problem with Office Tabs addins. When start any offce application with installed office tabs MBAE kills this office app.

Share this post


Link to post
Share on other sites

Can you guys please post your MBAE logs? Once we have the logs we can fix this.

 

Share this post


Link to post
Share on other sites

I stated getting notifications about this program being blocked this morning after installing Anti-Exploit on the client:

1/13/2017 10:18:59 AM XXXHOSTNAME 10.2.X.X Exploit payload process blocked BLOCK C:\Users\XXXXX\AppData\Roaming\Grammarly\Updates\GrammarlyAddInSetup6.5.85.exe

Would love to post the logs, but not directly to this forum post as there is personally identifiable information in there. Is there an alternative way I can get the logs to you?

Thanks,

Harry

Share this post


Link to post
Share on other sites

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 1/13/17
Protection Event Time: 3:58 PM
Logfile:
Administrator: Yes

-Software Information-
Version: 3.0.5.1299
Components Version: 1.0.43
Update Package Version: 1.0.1006
License: Premium

-System Information-
OS: Windows 10
CPU: x64
File System: NTFS
User: System

-Exploit Details-
File: 1
Malware.Exploit.Agent.Generic, C:\Users\pbutler\AppData\Roaming\Grammarly\Updates\GrammarlyAddInSetup6.5.85.exe, Quarantined, [0], [-1],0.0.0

Exploit: 0
(No malicious items detected)


(end)

Share this post


Link to post
Share on other sites

I wanted to follow up again that I would love to post the logs, but not directly to this forum post as there is personally identifiable information in there and I don't want to attempt to sanitize that many files.  Is there an alternative way I can get the logs to you? I've read the post you've linked to above. Should I just contact support directly?

Thanks,

-- 

Harry

Share this post


Link to post
Share on other sites

Global exclusion added. Reboot and try again.

For future reference you can also add your own local exclusions from your MBAE UI. Simply click on the LOGS tab. Then find the block event, click it once, and then click the Exclude button.

Share this post


Link to post
Share on other sites

Awesome! I did make a local exclusion, but will remove that here in the next few days. Thanks for the attention to this!

-- 

Harry

Share this post


Link to post
Share on other sites

How long does the global exclusion take to get out to the world? On 1/20 I took out the local exclusion, but saw reports of it again on 1/22. I've re-added the local exclusion for now.

Thanks,

-- 

Harry

Share this post


Link to post
Share on other sites

It could be that Grammarly pushed out a new version and it is being blocked again. Can you post the latest entry from your mbae-alert.log?

 

Share this post


Link to post
Share on other sites

Same update:

"2017-01-22T14:13:36.342-05:00";"user";"5924";"C:\Program Files (x86)\Microsoft Office\Office15\WINWORD.EXE";"6872";"OUTLOOK.EXE";"3";"701";"207";"";"";"";"";"";"";"C:\Users\user\AppData\Roaming\Grammarly\Updates\GrammarlyAddInSetup6.5.85.exe C:\Users\user\AppData\Roaming\Grammarly\Updates\GrammarlyAddInSetup6.5.85.exe \detectmode";"";"";"";""
"2017-01-22T14:13:36.546-05:00";"user";"5924";"C:\Program Files (x86)\Microsoft Office\Office15\WINWORD.EXE";"6872";"OUTLOOK.EXE";"3";"601";"207";"";"";"";"";"";"";"C:\Users\user\AppData\Roaming\Grammarly\Updates\GrammarlyAddInSetup6.5.85.exe";"1C5B6815372D0D0EBA9CE18EC2FA9D73";"";"";""
 

Here is the line I have been putting in the Anti-Exploit Exclusion List that has been working:

1C5B6815372D0D0EBA9CE18EC2FA9D73; GrammarlyAddInSetup6.5.85.exe

 

Thanks,
-- 
Harry

Share this post


Link to post
Share on other sites

If you remove the exclusion and reboot, does it still get blocked? (don't worry, you can add it again later).

Share this post


Link to post
Share on other sites

I don't have easy access to the user's PC, however, I'll see if I can reproduce it in a VM.

Thanks,
--
Harry

Share this post


Link to post
Share on other sites

Well ... it just happened to me now. Sorry no log files right now. Just thought I should flag this again. I have been working with Grammarly for about a year.

Thanks

Andrew

Share this post


Link to post
Share on other sites

Yep, I noticed it as well. Appears to be a new version of Grammarly:

3/10/2017 11:36:58 AM XXXXXX 10.2.X.X Exploit payload file blocked BLOCK C:\Users\xxxx\AppData\Roaming\Grammarly\Updates\GrammarlyAddInSetup6.5.87.exe

3/10/2017 11:36:59 AM XXXXX10.2.X.X Exploit payload process blocked BLOCK C:\Users\xxxxx\AppData\Roaming\Grammarly\Updates\GrammarlyAddInSetup6.5.87.exe C:\Users\xxxxxx\AppData\Roaming\Grammarly\Updates\GrammarlyAddInSetup6.5.87.exe \detectmode

3/10/2017 11:37:03 AM XXXXXX 10.2.X.X Exploit payload process blocked BLOCK C:\Users\xxxxxxx\AppData\Roaming\Grammarly\Updates\GrammarlyAddInSetup6.5.87.exe C:\Users\xxxxxxx\AppData\Roaming\Grammarly\Updates\GrammarlyAddInSetup6.5.87.exe \detectmode

3/10/2017 11:37:03 AM XXXXXX 10.2.X.X Exploit payload file blocked BLOCK C:\Users\xxxxxxx\AppData\Roaming\Grammarly\Updates\GrammarlyAddInSetup6.5.87.exe

 

-- 
Harry

Share this post


Link to post
Share on other sites

Can you please post the C:\ProgramData\Malwarebytes\MBAMService\logs\mbae-default.log and mbae-default.log.bak?

 

Share this post


Link to post
Share on other sites

PM sent with requested files. I've added this line to my exclusion list: 4BD792D4A6B757C133502938C06CAF49; GrammarlyAddInSetup6.5.87.exe

 

Thanks,

Harry

Share this post


Link to post
Share on other sites

Thanks! I was not able to reproduce this before, I guess due to how it updates itself and I was already on the current version. I'll follow up with the user and test removing the exclusions I've made in our local policy.

Thanks,

Harry

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.