Anti-Exploit 1.10.2.41

[johnnyjr]

Been getting a ton of Exploit Threats Detected from users. Below is the Threat we been getting for users. Any ideas?

 

10/4/2017 4:06:11 PM     ************    ********             Exploit code executing from Heap memory blocked       BLOCK                   ******  Microsoft Office Word  C:\Program Files (x86)\Microsoft Office\Office14\Winword.exe              Attacked application: C:\Program Files (x86)\Microsoft Office\Office14\Winword.exe; Parent process name: OUTLOOK.EXE; Layer: Malicious Memory Protection; API ID: 104; Address: 0x07EFA251; Module: ; AddressType: 0x00020000; StackTop: 0x00210000; StackBottom: 0x001CB000; StackPointer: 0x0020BE10; Extra:

[Rsullinger]

Hey Johnnyjr,

I am going to reach out to you in a PM to collect some additional logs. Go ahead and reply to that with the logs and I will get this to our team to look into further! 

[QasimAzam]

Dear Rsullinger,

Since the release of anti-exploit verison 1.10.2.41. Our customer are facing issues with word, excel , powerpoint and pdf reader, they are not able to open any document. So i just stop protection with anti-exploit and it seems like everything is working fine again. It is a bug in this release 1.10.2.41. Please find the log files attached with this post and suggest for the solution. Thanks   

Malwarebytes Anti-Exploit.rar

[Rsullinger]

Hey QasimAzam,

On one of the machines having the issue, can you try removing anti-exploit with this tool:

 

https://malwarebytes.box.com/s/6oqwak9n6m85ps2ccou2lfhxtsfwphbo

 

and try re-installing 1.10 on the machine again with this link:

https://malwarebytes.box.com/s/r90csauab5broqn7ngnr8nh77knl5m90

 

I want to confirm if this is something that occurred from an upgrade/install issue since no alerts are being generated. 

 

[johnnyjr]

Rsullinger,

 

It has happened once for the user- but different users. It hard to do this to 200+ users.

[johnnyjr]

Also, anyone else experiencing memory leakage issues with 1.10.2.41? Doing the normal things I sometimes have my ram maxed out. 6+ gb just of internet explorer when anti-exploit is enabled. Its fine when I disable antiexploit.

[Rsullinger]

Hey Johnny,

 

I have not heard of any memory leakage issues like that with the latest build. When it happens, do you mind collecting these logs:

 

 

[CConner]

We started have the same issue today across multiple clients.  Seems to be isolated to Win 8.1.  The faulting module is ntdll.dll.  Won't allow IE, Chrome, DisplaySoft, Excel, Word, Powerpoint to open.  Outlook, however, seems to work just fine.  Stop Protection on MBAE or uninstalling it, resolves the issue.  Believe we are going to call in tomorrow to Support to see if we can get this resolved.

[ABaker]

We've been having similar issues with adobe reader getting hit with "Exploit code executing from Heap memory blocked"

This is in a windows 10 vmware environment with MBAE 1.10.2.41. I've just stopped protection for adobe until I can get a support session setup.

edit: It looks like this was covered in the known issues section.

Quote

 VMWARE Horizon: Untick Malicious address return protection for all the affected applications in the Advanced Memory Protection tab.

 

Edited December 2, 2017 by ABaker
Found a possible fix