Anti-Exploit blocking object scanned "C:\Program".

[cgh]

Hi,

We have a user who's Malwarebytes Anti-Exploit keeps blocking an object scanned at "C:\Program" as it shows in the Malwarebytes Management Console. On his PC's Anti-Exploit logs, it shows that "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" is being blocked. His Excel opens up fine by itself but when he uses a program called "Cash Suite" which has a feature built into the program to use Excel, it doesn't successfully open Excel. Any ideas on what is causing this?

 

Thanks!

[cgh]

In case anyone else has the issue and/or if the admins here have looked at this post, I found a "fix" that allows the Insight feature of Cash Suite to work with Anti-Exploit without having to disable Anti-Exploit (this is with Malwarebytes Anti-Exploit for Business - version 1.09.2.1261): 

-Open Anti-Exploit
-Click on the "Settings" tab
-Click on "advanced settings"
-Click on the "Application Behavior Protection" tab
-Uncheck both "Protection for Office WMI abuse" and "Protection for Office VBA7 abuse"
-Restart Cash SUITE and launch Insight again

After doing this, the user was able to launch Cash SUITE's Insight again. I'm not sure how secure it is to have both of those two protections unchecked but this was the only workaround I found so far without completely disabling Anti-Exploit.

I attached a screenshot of the two protections I unchecked.

[cgh]

I should clarify that I unchecked both "Protection for Office WMI abuse" and "Protection for Office VBA7 abuse" under the "MS Office" column.

[Rsullinger]

Hello CGH,

 

It sounds like it may be due to one of the new protection layers we put in. I want to have you collect me the logs from the computer so I can confirm this and see about getting this fixed without you having to disable all of those settings. To collect these logs, use this link below. 

 

 

[cgh]

How do you want me to send you the logs? Also, this is for a business version. I noticed the link you sent me is for the free version. Not sure if that makes a difference.

[Rsullinger]

Hello CGH,

 

You can either attach them here or send me them in a PM if that is better for you. As for the log collection, the steps are the same. The logs for both versions are found in that C:\ProgramData directory so you can safely use those to get the logs. We don't have an easy 'sticky' for collecting the logs on this side of things so I linked that one for simplicity. 

[cgh]

I sent you the files though Private Message.

[Rsullinger]

Hello Cgh,

 

Thank you for the logs. Can you have the user try this build to see if they have the issue after that:

https://malwarebytes.box.com/s/5ej3sggeli8ut9hhktz51wkkzvdtbscl

 

Just install this build over the top and test it again. They should not have that issue after that. 

 

[cgh]

That build resolved the issue on one of the PCs. It didn't resolve the same issue on another PC but I noticed this time it was showing that it was blocking "C:\Program Files (x86)\CASH\FTIAgent.exe" this time in Anti-Exploit. I was able to add that to the Anti-Exploit Exclusion list and that resolved the issue.

[Rsullinger]

Hello CGH,

 

That is good to hear. That build fixes the C:\Program issue so it allows you to exclude the files that are now getting the block. I am glad to hear that fixed the issue on both of your computers. Please let me know if you have any other questions. 

[cgh]

Do you know when that build will be available to download through the Malwarebytes updater?

[Rsullinger]

Hello cgh,

 

Unfortunately I don't have a time-frame on that. We are hoping to release it soon, but we will have more information on that when we have a tangible date. 

[cgh]

Hi Rsullinger,

I want to report that this same issue was resolved on two other computers using the same Cash Suite programs by installing the newer Anti-Exploit version 1.09.2.1280 that I received from another staff member in another post with another issue.