Jump to content

Office false positive

Recommended Posts

Our Windows 7 workstations suddenly began flagging some MS Office 2010 applications with an exploit attempt, preventing them from opening at all. Specifically affected appears to be Excel, Word, and Powerpoint 2010. No recent policy changes have occurred. Windows 10 workstations with the same policy don't seem to be affected as far as I can tell.

The exploit being flagged is 'Process Hollowing Protection'. Aside from disabling the specific application shields, where in the Anti-Exploit config can this particular protection layer be turned off? I am concerned that other applications could be affected by this particular setting.



Link to post
Share on other sites

  • Staff

Hi @AdamM

Thank you for letting us know. I will fix it as soon as posible. Instead of disabling the whole protections you might only want to turn the "Memory Patch Hijacking Protection" off in the meantime. Please, let me know if it works for you while we are fixing it.

Best regards
David Sánchez


Link to post
Share on other sites

Not sure what changed between then and now, but I cannot seem to reproduce the issue now on my test machines with AE fully enabled. But I did go ahead and alter the memory protection settings in my main policy and also re-enabled the office shields. I will let you know if this happens again.

Thank you both for the quick response, I do appreciate it.


Link to post
Share on other sites

32 minutes ago, Arthi said:

Hi ForrestR,

Thanks for reporting. Can you please follow the below instructions and get us some logs. Thank you.

Logs of one of our employees computers attached.

Microsoft Office Professional Plus 2013, Word and Excel known for sure, but suspect all office application affected.

Update Office with latest updates from Microsoft.

Update Anti-Exploit to

Open Microsoft office program of your choice. Write whatever data fancies you. I've been just opening Word and typing 'test.'

Attempt to Save As

Anti-Exploit triggers a Process Hollowing Protection attack prevention, closing Office and losing all data.


Individual machines can be fixed via turning off memory hijack protection for Microsoft Office, however we are a moderate sized organization with a large amount of computers, we would prefer a solution we could mass patch, either through our Malwarebytes Management Console or through our Group Policy.


Thank you,


Malwarebytes Anti-Exploit.zip

Edited by ForrestR
Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.