Jump to content
AdamM

Winword process stays running after app-close

Recommended Posts

We're seeing an issue with Word documents opened from our document management system (Autonomy FileSite 8.5). The WINWORD.EXE process will remain open in the background after the application has closed. This occurs everytime a document from FileSite is opened and Word is closed, resulting in numerous dead Word instances (docs opened locally are unaffected). I suspect this has some relation with the FileSite COM add-in 'checking' the document back in during a close.

This only occurs if the 'MS Word Shield' is active. I have also tried unchecking all MS Office related advanced settings in MBAE during testing. Only deactivating the shield allows the app to close correctly.

This behavior appears to be present on all of our workstations which are also running MBAE v1.10.2.41, Office 2010, Windows 7 32-bit.

Log files are attached.

Thanks, Adam

Malwarebytes Anti-Exploit.zip

FRST.txt

Addition.txt

Share this post


Link to post
Share on other sites

Hello Adam,

 

Thank you for those initial logs. I am going to send you a Pm to collect me some debug logs so I can get this over to our team to examine the issue further. 

Share this post


Link to post
Share on other sites

I'm having the same issue where we are generating form letters with winword programatically.  This hanging winword can be duplicated by simply opening and closing word. The customer is using several addins. The problem goes away when we disable anti-exploit. This is not ideal. Is there any resolution for this? 

Craig Leach

Share this post


Link to post
Share on other sites

Hey Craig Leach,

 

I am going to send you a PM with a test build that should fix this issue. I want to get some feedback if it fixes it. You should be seeing it shortly. 

Share this post


Link to post
Share on other sites

This issue is occurring with all PCs in my office. We generate templates from GoldMine CRM. When Word is shutdown in multiple versions, winword.exe will not close in the processes and has to be killed by running end task. The fix is to turn of exploit protection in Malwarebytes 4.1.0 and winword.exe closes. Is there anyway to white label programs?

GM issue 4 fix.PNG

Share this post


Link to post
Share on other sites

Greetings,

Whitelisting Word will not help, instead you'll need to determine which component of Exploit Protection is affecting Word and disable just that setting.  To do so, open Malwarebytes and go to settings by clicking the small gear icon in the upper right then select the Security tab and under Exploit Protection click the Advanced settings button.

To troubleshoot, disable each individual setting under the list for MS Office in each of the tabs, one checkbox at a time, clicking Apply after then testing to see if it resolves the issue.  It would probably be best to disable the checkbox, click Apply, then restart the endpoint and test to see if Word still gets stuck or not and if it does, re-enable the previously disabled checkbox, uncheck the next checkbox then click Apply, then restart the endpoint and test again, continuing this way until you have found a single checkbox to disable to allow Word not to get hung up in memory.

Please let us know how it goes.

Thanks

Share this post


Link to post
Share on other sites

Thank you Exile360,

I went through your process as described yet no fix. I then turned off winword.exe in protected applications and this fixed the issue. Exploit protection is on for all applications except for winword.exe and it is working. I will leave it at that.

Regards,

Mark

Share this post


Link to post
Share on other sites

Thanks for the update.  It sounds as though one of the more generic application shields is causing it, otherwise it might be the DLL used to hook/inject into shielded processes preventing the process from terminating properly.  Hopefully the Developers will be able to get the issue corrected.  I will be reporting the issue to the Product team.

In the meantime, if you wouldn't mind, please do the following on one of the affected systems as it may aid them in diagnosing the issue:

  1. Download and run the Malwarebytes Support Tool
  2. Accept the EULA and click Advanced tab on the left (not Start Repair)
  3. Click the Gather Logs button, and once it completes, attach the zip file it creates on your desktop to your next reply

If you are not comfortable uploading logs to the forums you may instead create a support ticket by filling out the form on this page and explain the issue/link to this thread and attach the ZIP file from the Support Tool to your support ticket.  I understand if you don't have the time or are unable to provide the logs, however it would be appreciated if you could.

Thanks

Share this post


Link to post
Share on other sites
Posted (edited)

By the way, I forgot to ask; does the issue only/always occur when using the GoldMine CRM templates?  If so, that could be the actual cause/trigger for the issue.

edit: I also forgot to ask what version of MS Office/MS Word you're using as that too may be a factor.

Edited by exile360

Share this post


Link to post
Share on other sites

Well, for over 1 month, I've had end users in a pickle.  Malwarebytes, Windows 10, Office 365, and a vertical application called "Amicus Law" which provides an add-in for Word.  When the add-in is enabled, Word has multiple instances remaining upon each opening of the program. 2,3,4,8,9 or more, open and close, another "instance" of Word in memory, all having to be killed in Task Manager to regain control of the application as it becomes frozen and no longer responds to any intended action.  If I disable the specific add-in for Amicus, bingo, it all worked.  20+ hours of support with both Microsoft and Amicus developers, engineers, technical support staff and so forth, no conclusions other than each pointing fingers as to whose problem they told each other it's not theirs.

Well then I stumbled across this posting after Googling the term "WINWORD.EXE remains running when Word is closed" as well as "winword.exe is waiting to finish network i/o".  Also, analyzing wait chain in process manager helped understand what was going on.

Bottom line, I disable Winword.exe in protected applications and there were no longer any issues whatsoever!  I then thought to force a manual update of Malwarebytes.  BINGO!  It can now be turned back on and everything works.  No more multiple instances of Word regardless of add-in toolbars.

One might think that the Malwarebytes people would push those necessary updates more frequently and advise in some fashion the fixes that were part of its patching.

Hallelujah!

 

Share this post


Link to post
Share on other sites

Excellent, thank you for letting us know about your experience.  My suspicion is that they made some change/update to the protection in the recent patch that corrected your issue, however looking at the changelog I'm guessing it had to be the result of some change they made, not necessarily intentionally trying to fix this specific issue (though I could be wrong as I am not one of the Developers of course).  As for pushing out updates more frequently, it all depends on how long it takes the Developers to fix something and I am certain they do get fixes out as quickly as they can (there have been several releases over the past few months alone, most of which contained various fixes for many issues/bugs) however you may also check manually for new versions by launching Malwarebytes and accessing settings by clicking the small gear icon in the upper right and selecting the About tab and clicking the Check for updates link found there; that will force Malwarebytes to download any available patches/application updates rather than having to wait on them being rolled out gradually as they normally would be (patches are metered out gradually to users over time normally, not all at once, though using the aforementioned link overrides this behavior, forcing it to download any available patches immediately).

I will be sure to pass on your experience to the Product team to make them aware and if there is anything else we might assist you with please let us know.

Thanks

Share this post


Link to post
Share on other sites

@markjobr would you also please verify that you are running the latest version by checking for updates manually?  To do so, open Malwarebytes and navigate to settings by clicking the small gear icon in the upper right area of the application and select the About tab then click the Check for updates link located there and allow it to install any available updates, then restart your system and test to see if the issue has been resolved and that you may now re-enable shielding for MS Word.

Please let us know how it goes.

Thanks

Share this post


Link to post
Share on other sites

Thanks, that is the latest version.  Still no change, even after a system restart I take it?

Share this post


Link to post
Share on other sites

Oh wow, that's excellent news, I'm glad to hear it :) 

Please don't hesitate to let us know if you encounter any further issues.

Thanks

Share this post


Link to post
Share on other sites

Unfortunately the manual update didn't fix my WINWORD issue. I will continue to run Malwarebytes without WINWORD covered in exploit protection. Thank you to everyone for trying to resolve it and I am okay without finding a solution. 😐

Share this post


Link to post
Share on other sites

I am sorry to hear that, however I will be sure to report this to the Product team for further analysis and hopefully they will be able to get it fixed for good.  In the meantime, if you would please do the following it may help in troubleshooting the problem:

  1. Download and run the Malwarebytes Support Tool
  2. Accept the EULA and click Advanced tab on the left (not Start Repair)
  3. Click the Gather Logs button, and once it completes, attach the zip file it creates on your desktop to your next reply

I would also recommend doing the following if possible as this information may help the Developers to fix the issue:

Create a Process Monitor Log:

  • Download Process Monitor from here and save it to a convenient location such as your desktop or your Downloads folder
  • Create a new folder on your desktop called MB by right-clicking the desktop background and hovering your mouse over New Folder and entering a name for the folder
  • Double-click on Procmon.exe to run it and click Yes when prompted by User Account Control
  • Agree to the terms of use to allow Process Monitor to run
  • Once Process Monitor opens, click on File at the top menu and select Backing Files... and select the MB folder you created on your desktop
  • Replicate the issue with Malwarebytes blocking MS Word
  • Close Process Monitor
  • Right-click the MB folder on your desktop containing the Process Monitor logs and hover your mouse over Send to and select Compressed (zipped) folder
  • Attach the resulting ZIP file to your next reply, or if it is too large, upload it to WeTransfer.com using the option to send a file as a link and then post the link to the download in your next reply

Please provide the data above if you are able as it should prove most helpful to the Developers in fixing this issue.

Thanks

Share this post


Link to post
Share on other sites
Posted (edited)

Well, here we go again, and again, and again.  This thread, started way back when with it being re-awoken recently with the "fix" has now reverted back.

So, sure, run the tools, submit, or in the meantime de-activate the Word checkbox, all over again?

Come on Malwarebytes are you kidding?

Microsoft pushed out .NET and other "updates" last evening, who is in charge at Malwarebytes or do you just wait for the complaints to act on compatability?

Edited by AdvancedSetup
corrected font issue

Share this post


Link to post
Share on other sites

I'm sorry to hear that the issue has returned.  I am not aware of any changes recently that might have impacted this issue, however I will be sure to report it to the Product team once again and hopefully whatever fixed it last time will be put back in place if possible.

Share this post


Link to post
Share on other sites

I have this same problem as well. It is very frustrating. I had to spend a ton of time running this down. The problem manifested itself by multiple instances of Word opening on reboot. Very frustrating. After searching for an answer, I thought I had found it in a potential add-in problem. But then by testing add-ins, I noticed that multiple add-ins caused winword.exe not to terminate on closing Word.

So more searching brought me to this thread. I tested having all add-ins enabled and disabling winword.exe as a protected application. Immediate fix! So the problem is definitely Malwarebytes. I am running the latest version - 4.1.0.56

Share this post


Link to post
Share on other sites
Posted (edited)

The entire point of a 'community'. or forum is to share suggestions, discuss problems and issues as well as having an inside track to communicate at whatever level with the "mother ship" (as in Malwarebytes)

Heeeeellllllllllooooooooo, who is asleep at the wheel?  Heeeellllllllooooooo, who is in charge?  Hellllllloooooooo how many time will end uses need to open tickets, send logs, jump through hoops to get acknowledgement and resolve?

Possibly the next round of conversations regarding these types of problems should be directed to Social Media, Facebook, Twitter, YouTube, and then maybe action will occur.

Edited by AdvancedSetup
corrected font issue

Share this post


Link to post
Share on other sites

Please refer to my instructions in this post if you wish to help provide data for the Developers to troubleshoot this issue.

Thanks

Share this post


Link to post
Share on other sites
Posted (edited)

Hi All,

Thanks for posting. We are sorry that it was not addressed earlier.

We do need some logs here:

For those using Malwarebytes Endpoint security, Please zip the entire contents of this folder C:\ProgramData\Malwarebytes Anti-Exploit and send to us.

For those using Malwarebytes 4 and above, Please grab these files and send it to us. C:\ProgramData\Malwarebytes\MBAMService\logs\MBAMSERVICE.log

C:\ProgramData\Malwarebytes\MBAMService\logs\mbae-default.log

Once again apologize for the delay, we will look into it as soon as we get the required logs. 

Thanks. 

Edited by Arthi
corrected font issue

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.