Jump to content
cgh

Anti-Exploit blocking object scanned "C:\Program".

Recommended Posts

Hi,

We have a user who's Malwarebytes Anti-Exploit keeps blocking an object scanned at "C:\Program" as it shows in the Malwarebytes Management Console. On his PC's Anti-Exploit logs, it shows that "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" is being blocked. His Excel opens up fine by itself but when he uses a program called "Cash Suite" which has a feature built into the program to use Excel, it doesn't successfully open Excel. Any ideas on what is causing this?

 

Thanks!

Share this post


Link to post
Share on other sites

In case anyone else has the issue and/or if the admins here have looked at this post, I found a "fix" that allows the Insight feature of Cash Suite to work with Anti-Exploit without having to disable Anti-Exploit (this is with Malwarebytes Anti-Exploit for Business - version 1.09.2.1261): 

-Open Anti-Exploit
-Click on the "Settings" tab
-Click on "advanced settings"
-Click on the "Application Behavior Protection" tab
-Uncheck both "Protection for Office WMI abuse" and "Protection for Office VBA7 abuse"
-Restart Cash SUITE and launch Insight again

After doing this, the user was able to launch Cash SUITE's Insight again. I'm not sure how secure it is to have both of those two protections unchecked but this was the only workaround I found so far without completely disabling Anti-Exploit.

I attached a screenshot of the two protections I unchecked.

malwarebytesantiexploit-cashsuitefix.png

Share this post


Link to post
Share on other sites

I should clarify that I unchecked both "Protection for Office WMI abuse" and "Protection for Office VBA7 abuse" under the "MS Office" column.

Share this post


Link to post
Share on other sites

Hello CGH,

 

It sounds like it may be due to one of the new protection layers we put in. I want to have you collect me the logs from the computer so I can confirm this and see about getting this fixed without you having to disable all of those settings. To collect these logs, use this link below. 

 

 

Share this post


Link to post
Share on other sites

How do you want me to send you the logs? Also, this is for a business version. I noticed the link you sent me is for the free version. Not sure if that makes a difference.

Share this post


Link to post
Share on other sites

Hello CGH,

 

You can either attach them here or send me them in a PM if that is better for you. As for the log collection, the steps are the same. The logs for both versions are found in that C:\ProgramData directory so you can safely use those to get the logs. We don't have an easy 'sticky' for collecting the logs on this side of things so I linked that one for simplicity. 

Share this post


Link to post
Share on other sites

That build resolved the issue on one of the PCs. It didn't resolve the same issue on another PC but I noticed this time it was showing that it was blocking "C:\Program Files (x86)\CASH\FTIAgent.exe" this time in Anti-Exploit. I was able to add that to the Anti-Exploit Exclusion list and that resolved the issue.

Share this post


Link to post
Share on other sites

Hello CGH,

 

That is good to hear. That build fixes the C:\Program issue so it allows you to exclude the files that are now getting the block. I am glad to hear that fixed the issue on both of your computers. Please let me know if you have any other questions. 

Share this post


Link to post
Share on other sites

Do you know when that build will be available to download through the Malwarebytes updater?

Share this post


Link to post
Share on other sites

Hello cgh,

 

Unfortunately I don't have a time-frame on that. We are hoping to release it soon, but we will have more information on that when we have a tangible date. 

Share this post


Link to post
Share on other sites

Hi Rsullinger,

I want to report that this same issue was resolved on two other computers using the same Cash Suite programs by installing the newer Anti-Exploit version 1.09.2.1280 that I received from another staff member in another post with another issue.

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.