anti-exploit MBAE / Forcepoint DLP Endpoint Agent causing false positives

[VER1TAS]

Up until today, we were running both Forcepoint's Endpoint DLP agent and MBAE without issues.  Today the update of MBAE from 1.08.2.2572 to version 1.09.2.1261 caused a massive influx of false positives for:

• Exploit code executing from Heap memory blocked          BLOCK
• Exploit payload file blocked         BLOCK                C:\Windows\System32\QIPCAP64.dll

I have read about issues earlier this year with Websense's endpoint agent, but we did not have any issues prior today.  As of right now, MBAE is disabled across the network.

[Vimi13]

Any suggestions on how to resolve this issue? We are having the same issue.

 

[VER1TAS]

A ticket has also been opened up for MBAE and also with Forcepoint using the information provided under known issues.  What I don't understand, is how this was working before the update to MBAE.

[Rsullinger]

Hello All,

 

Can you you please collect the logs found here:

 

Thank you,

[chrispo]

Having the same issues as other. I sent you a PM with some details and a client log Rsullinger.

[Arthi]

Hi All,

Thanks for your patience. We are looking into it. Meanwhile, to stop MBAE from blocking, can you please disable the following advanced setting, and hit Apply. Let us know if that works.

 

[cgh]

Is there an update on this issue?

[Arthi]

Hi cgh,

We are looking into this, will have more information soon. Meanwhile, did the above workaround stop the MBAE blocks.

Thanks.

[chrispo]

Arthi the workaround stocked the AE blocks. Please post an update when you have one. Thanks

[cgh]

Updating this to let you know that unchecking "Malicious Return Address detection" under the MS Office column that Arthi suggested above has worked on one of the users' laptops.

[Arthi]

Hi All,

Can you try the below build and let us know if the issue has been fixed. Thanks for your patience.

https://malwarebytes.box.com/s/ryoxcxns1jyqksb93453jwtlxaixybog

[cgh]

Hi,

The build you posted the link to above (version 1.09.2.1280) resolved the issue on one of our laptops. I will see if it resolves the issue on the other computers and will report if it does.

[Arthi]

Thanks cgh. Appreciate your feedback.

[chrispo]

Confirming that the test build resolved the issue on the PCs I tested. Could you let us know when the new release is rolled out? Thanks

[Arthi]

Thanks chrispo. We are bunching up a few bug fixes and a new release will be rolled out sometime in the next 10 days. Will keep you all posted.