AE Exploit Threat Detected

[Casey]

I've been seeing exploit notifications at least once a day from the same machine over and over. We have scanned the machine and nothing has come up. We deleted Word/Excel documents that were reportedly causing problems, and we re-installed Office (2016/2013 32bit) on the machine. Is this a legit threat or do we need to add an exclusion?

Quoted from Server Notification: "6/6/2017 8:22:04 AM     XXXXXXX       Exploit payload process blocked BLOCK   C:\Program Files\Common Files\Microsoft Shared\OFFICE16\FLTLDR.EXE C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\PNG32.FLT               XXXXX    OUTLOOK.EXE   C:\Program Files\Microsoft Office\Office16\OUTLOOK.EXE           Attacked application: C:\Program Files\Microsoft Office\Office16\OUTLOOK.EXE; Parent process name: explorer.exe; Layer: Application Behavior Protection; API ID: 207; Address: ; Module: ; AddressType: ; StackTop: ; StackBottom: ; StackPointer: ; Extra: " Certain info has been removed for obvious reasons

I have also attached a zip file of the AE folder and logs.

Malwarebytes Anti-Exploit.zip

[djacobson]

Hi @Casey, this block event is due to a major vulnerability in encapsulated postscript usage with Microsoft Office products. We've made sure this vulnerability is protected for those running Anti-Exploit, it was introduced under version 1.09.2.1413. This attack vector is extremely dangerous and the decision was made to make these events a hardcoded block; no exclusions or disabling of any advanced settings will allow these events.

Here's an article by FireEye outlining this vulnerability and its implications: https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html

Are the pictures being added vital for day to day operations?

[Casey]

@djacobson thank you for the response. I had read about the vulnerability but wanted to confirm that was the case.

 

For this specific situation, the user works in a news department and has to view/open/insert pictures into various types of documents and websites. It is a necessary function for this user, so what would you recommend for next steps? 

 

[djacobson]

There are no options currently, however, the MBAE team is looking to fine tune the detection for the future but we'll need examples. Copies of the pictures that trigger the block event and a ProcMon recording of that block event.

Procmon Log
Here's how to run the ProcMon:

1. Download ProcMon from this link: http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx
2. Extract ProcMon to the desktop
3. Turn off all other programs except mbae
4. Double-click ProcMon to run it
5. Once ProcMon begins running, reproduce your issue with the picture attacment, starting whatever program needed to do so
6. When you get the block, go to ProcMon and click File → Capture Events (this should be checked by default, we want to uncheck it to stop the capture)
7. Afterwards, still in ProcMon, click File → Save, leave the “Events” as default but you can change where the log goes at the bottom. Save the ProcMon log in default or somewhere you are familiar with, like the desktop.
8. Upload the ProcMon to https://www.malwarebytes.com/support/business/businessfileupload/

[IT_Guy]

Anything ever come from this? I have this popping up on my endpoints, it started at one computer but has slowly spread to about 6 computers as people share the same file. They can open the file no problem, view it, manipulate it etc. But as soon as they go to save the file Excel quits immediately and MWBEP pops up letting them know this has been blocked.

If the users copy/paste all the data from the file (original .xls file) into a new .xlsx file and save that it works no problem. I have instructed the users to do this in an attempt to rid myself of the old file type, but if there is a detection/cleaning program available for this that would be very helpful.