Exploit Protection Blocking Office 2003


Win 7 Pro x64; MB 3.3.1 x64

MB 3.3.1 Exploit Protection blocks Office 2003 components (Word, Excel) from opening.  If Exploit Protection is turned off, Office 2003 Word, Excel work just fine.  Once Word and/or Excel are open, EP can be turned on and Word and/or Excel will open files just fine from within the apps.

Note 1: I have two Win 7 Pro X86 platforms with MB 3.3.1 x86 and Office 2003 that do not have this problem. Only the x64 platform has this problem.

Note 2: A short while ago today, I used MBClean successfully to remove and re-install MB 3.3.1 x64 after experiencing the "Web protection will not turn on" problem for the first time this morning when the x64 platform first booted up. The driver file mwac.sys was mysteriously missing, presumably causing the web protection would not turn on issue. The successful MBClean exercise resolved this issue.

Upon working on an unrelated task, I then ran into the Exploit Protection blocking Office 2003 issue. I remembered running into this issue a few weeks back on this same x64 platform but, being otherwise preoccupied at the time, I did not follow up on it, and subsequently forgot about it - until today. Sigh.

And, yes, I searched the forum but could not find anything. Presumably this issue has been seen before and resolved?


12 minutes ago, DanR77 said:

Exploit Protection blocks Office 2003 components (

Let's try and get some logs first so the team can review them and see if they can tell what may be causing your issues....

FIRST: Create and obtain Farbar Recovery Scan Tool (FRST) logs

  1. Download FRST and save it to your desktop. Tell any program that blocks it to ignore or allow. It IS SAFE. It contains no info that can identify or harm you.
  2. NOTE: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit
  3. Double-click to run FRST and when the tool opens click "Yes" to the disclaimer
  4. Press the "Scan" button
  5. This will produce two files in the same location (directory) as FRST: FRST.txt and Addition.txt
    NOTE: These two files will be collected by the MB-Check Tool and added to the zip file for you

NEXT: Create and obtain an mb-check log

  1. Download MB-Check and save to your desktop
  2. Double-click to run MB-Check and within a few seconds the command window will open, then click "OK"
  3. This will produce one log file on your desktop: mb-check-results.zip
  4. Attach this file to your forum post by clicking on the "Drag files here to attach, or choose files..." or simply drag the file to the attachment area

36 minutes ago, DanR77 said:

Attached are the requested log files.  Hope they contain something useful.

First, never change either the compatibility or the Run as Admin flags to Malwarebytes.

Quote

C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe    REG_SZ        ELEVATECREATEPROCESS

I don't remember if EMET has issues with MB, and I also see there are some BitDefender drivers loaded as well.

Quote

S3 avc3; C:\Windows\System32\DRIVERS\avc3.sys [1605376 2016-11-18] (BitDefender)
R3 avchv; C:\Windows\System32\DRIVERS\avchv.sys [285240 2016-08-29] (BitDefender)
S3 avckf; C:\Windows\System32\DRIVERS\avckf.sys [878072 2016-11-18] (BitDefender)

 

I will let @dcollins look this over.
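As an added example (not part of the original posts and not FRST's own code): the driver lines quoted above can be parsed and grouped by vendor to surface kernel components from security products you did not knowingly install. The expected-vendor names passed in at the bottom are hypothetical placeholders, and the sample input is the three lines quoted in the post.

```python
import re
from collections import defaultdict

# Constructed sample: the three driver lines quoted in the post above.
SAMPLE = r"""
S3 avc3; C:\Windows\System32\DRIVERS\avc3.sys [1605376 2016-11-18] (BitDefender)
R3 avchv; C:\Windows\System32\DRIVERS\avchv.sys [285240 2016-08-29] (BitDefender)
S3 avckf; C:\Windows\System32\DRIVERS\avckf.sys [878072 2016-11-18] (BitDefender)
"""

# FRST prefix: letter = running status, digit = service start type.
STATE = {"R": "running", "S": "stopped", "U": "undetermined"}
START = {"0": "boot", "1": "system", "2": "auto", "3": "demand", "4": "disabled"}

LINE = re.compile(
    r"^(?P<state>[RSU])(?P<start>\d)\s+(?P<name>[^;]+);\s+"
    r"(?P<path>.+?)\s+\[(?P<size>\d+)\s+(?P<date>\d{4}-\d{2}-\d{2})\]\s+"
    r"\((?P<vendor>.*)\)\s*$"
)

def parse_drivers(text):
    """Return one dict per well-formed driver line; other lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["state"] = STATE[d["state"]]
        d["start"] = START.get(d["start"], "unknown")
        d["size"] = int(d["size"])
        rows.append(d)
    return rows

def unexpected_vendors(rows, expected):
    """Group drivers whose vendor string is not in the expected set."""
    expected_l = {e.lower() for e in expected}
    found = defaultdict(list)
    for r in rows:
        if r["vendor"].lower() not in expected_l:
            found[r["vendor"]].append((r["name"], r["state"], r["start"]))
    return dict(found)

if __name__ == "__main__":
    # Hypothetical allow-list of vendors the owner knows are installed.
    known = {"Malwarebytes", "Microsoft Corporation"}
    for vendor, drivers in unexpected_vendors(parse_drivers(SAMPLE), known).items():
        print(vendor, drivers)
```

A vendor that shows up here is a prompt to check which installed product ships that engine, not proof of a problem.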


46 minutes ago, Porthos said:

S3 avc3; C:\Windows\System32\DRIVERS\avc3.sys [1605376 2016-11-18] (BitDefender)
R3 avchv; C:\Windows\System32\DRIVERS\avchv.sys [285240 2016-08-29] (BitDefender)
S3 avckf; C:\Windows\System32\DRIVERS\avckf.sys [878072 2016-11-18] (BitDefender)

Interesting, Porthos.

I have never had BitDefender installed on this system, so those drivers should not be there?


7 minutes ago, DanR77 said:

I have never had BitDefender installed on this system, so those drivers should not be there?

After some research, I see that VIPRE uses their engine.

Have you added exclusions for MB in VIPRE?

I would like you to add these files to your Anti-Virus exclusions list as mentioned in this FAQ HERE (my list below includes the exe files as well)
 

  • C:\Program Files\Malwarebytes\Anti-Malware\assistant.exe
  • C:\Program Files\Malwarebytes\Anti-Malware\malwarebytes_assistant.exe
  • C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe
  • C:\Program Files\Malwarebytes\Anti-Malware\MbamPt.exe
  • C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
  • C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
  • C:\Program Files\Malwarebytes\Anti-Malware\MBAMWsc.exe
  • C:\Program Files\Malwarebytes\Anti-Malware\malwarebytes_assistant
  • C:\Program Files\Malwarebytes\Anti-Malware\mbamwow.exe
  • C:\Windows\system32\Drivers\farflt.sys
  • C:\Windows\System32\drivers\mbae64.sys
  • C:\Windows\System32\drivers\mbam.sys
  • C:\Windows\System32\drivers\MBAMChameleon.sys
  • C:\Windows\System32\drivers\MBAMSwissArmy.sys
  • C:\Windows\System32\drivers\mwac.sys

 

Also please exclude the following folders too: (The complete folder)

  • C:\Program Files\Malwarebytes\Anti-Malware
  • C:\ProgramData\Malwarebytes\MBAMService

Ah, Vipre uses the BitDefender drivers? That explains why they are present on all systems, with the same time stamp, and loaded at start-up per Sysinternals' Autoruns. Learned something today. Thank you!

Yes, I have the 6 MB driver files excluded with Vipre, along with C:\Program Files\Malwarebytes and C:\ProgramData\Malwarebytes folders, on all systems.  I will add the exclusions for the MB exe files also.

Am I correct in thinking that these exclusions will prevent Vipre from interfering with these processes running in memory?


Is there a specific reason you are pointing at Vipre?  I did completely shut down Vipre (easy to do). It made no difference -  Excel and Word are still blocked.

I have been able to capture images of the popups that MB generates to inform me it is blocking Word 2003 and Excel 2003 as "exploits".


It seems rather clear to me that MB is doing the deed, for whatever reason.


I'm targeting VIPRE because we aren't seeing this issue being reported by others, which means it's most likely a software compatibility issue on your machine. The biggest cause of those issues is generally other security software.

That being said, can you try the following:

  1. Press Windows Key + R to open the Run dialog
  2. Type winword /safe and click Ok

Does the issue still happen?


Update:  I did a full clean uninstall of Vipre AS and rebooted.  MB 3.3.1 is still blocking Word and Excel, 2003.

I tried clicking on an RTF, a Word, and on an Excel file.  In all cases, this message popped up in the center of the screen (referencing the appropriate file), in addition to the MB Block Popup in the UL corner of the screen.

Hope this may help.


I think the problem is solved.

The mbae installer flagged EMET as an incompatible application that must be uninstalled before installing mbae. I exited the mbae install as I could not proceed with it.

I found an old out of date EMET version 4.x present. After uninstalling EMET, I resurrected MB 3.3.1 and tried Excel and Word. They now open and run flawlessly!

Just to be sure, I rebooted the system, verified MB and Vipre running smoothly side by side, and tried Excel and Word 2003 again. Flawless start and run.

I think this case can be closed. Note: I never did install mbae. I believe its functionality is present in MB 3.3.1.

I have newer versions of EMET on some of my other systems. I'm thinking now would be a good time to remove them.


You're welcome, dcollins. And thank you for bearing with me. I learned a few things and have, I think, better systems as a result.

I found and removed EMET from two other x86 systems it was installed on. It did not appear to be conflicting with MB 3.3.1 on either of those systems. However, I swear that all 3 systems are now running a little bit smoother and faster with EMET gone.
