No Info on Blocked Exploit Attempt


This morning I received an anti-exploit alert with "File/Process Blocked" and "Attacking URL" both saying  "N/A."  

Specifically, the alert says it's "Internet Explorer (and add-ons)," Protection Layer: "Application Hardening," and Protection Technique: "Exploit blocked by Anti-HeapSpray Enforcement".

I would like to know the root cause, as I have not recently updated any software on the computer (at least knowingly) and was running standard tests mostly against internal (intranet) sites, so I am posting my MBAE logs as recommended.

Thanks in advance for your help.

Malwarebytes Anti-Exploit.zip


  • Staff

Hello DBADoug,

 

This looks like a conflict with some program on the computer. This looks eerily similar to an issue in the past with Comodo. Can you go to this link and collect the logs for FRST:

https://forums.malwarebytes.org/topic/144403-readme-first-posts-here-need-to-include-mbae-logs/

I want to confirm if there are any known conflicts. You can also check them out by looking at this link:

https://forums.malwarebytes.org/topic/151933-known-issues-conflicts/

 

Also, are you able to reproduce this alert or was it a one-time thing during the startup? I may need to have you collect another set of logs for more troubleshooting, but we will need to reproduce the issue.


Hi Ron,

From taking a look at the Known Issues & Conflicts page, I'm now fairly well convinced that the likely cause of the alert is related to the known issue having to do with Silverlight upgrades. Although I wasn't accessing Netflix, I was accessing a custom web site we developed that just underwent a Silverlight upgrade. I have not been able to reproduce the alert - it happened just the one time and I've accessed the same site multiple times since then.

Unless I get more alerts, I am going to assume this was the cause.

I do appreciate your response and the help of others on the forum.

Thanks,

Doug


  • 1 month later...

I know this is "old" but I just received the same error.

Silverlight is not installed on my computer.  There were only three webpages being accessed.  (links broken)

  • Tab 1: www,google,com,
  • Tab 2: forums,androidcentral,com,
  • Tab 3: www,pcworld,com  (active tab)

As with the OP there is no information so I have no idea how dangerous the PC World website should be considered or even what the exploit is.  The logs are encrypted so they are of no help.

It is my suggestion this keeps us from making reasonable determinations.  In this case, I have simply crossed off PC World as being too dangerous.  That seems unreasonable but MBAE says it is dangerous.

Another thread suggests we have to send logs to Malwarebytes to find out what is going on which could keep Malwarebytes very busy if we all did that!

PS.  I'm using a trial version to determine if it should be added to my other security layers.  My inclination is yes but lack of information is a drawback.


ExpertNovice - I just wanted to point out that the suspected Silverlight issue did not have to do with it being installed on my computer but rather that a Silverlight upgrade had been performed on the site I was accessing.

That said, I'm no longer convinced that was the true (or only) cause. One would expect the Silverlight upgrade to produce the Anti-Exploit alert once, the first time the upgraded site was accessed. However, I continue to have intermittent occurrences of the Anti-Exploit alert. My network admin and I are now beginning to think it is a conflict with other security packages, namely System Center Endpoint Protection (SCEP) in our case. The Anti-Exploit alerts only occur when I'm running my automated tests (which access mostly internal intranet web sites) AND when a SCEP security scan is running at the same time. Yet it doesn't happen every time, so we're thinking it must also have to do with the timing of which local cache files are being accessed by SCEP and/or Internet Explorer, potentially causing a conflict and triggering the Anti-Exploit alert.

At any rate, the behavior is seemingly inconsistent, but we are confident there is no true exploit occurring and believe it is likely just a conflict between security products.  Just wanted to mention that since you said you are evaluating MWB to see if it should be added to already-existing security layers.
