
Our Windows 7 workstations suddenly began flagging some MS Office 2010 applications with an exploit attempt, preventing them from opening at all. Specifically affected appear to be Excel, Word, and PowerPoint 2010. No recent policy changes have occurred. Windows 10 workstations with the same policy don't seem to be affected as far as I can tell.

The exploit being flagged is 'Process Hollowing Protection'. Aside from disabling the specific application shields, where in the Anti-Exploit config can this particular protection layer be turned off? I am concerned that other applications could be affected by this particular setting.

Thanks,
Adam

aeword.png


Hi @AdamM

Thank you for letting us know. I will fix it as soon as possible. Instead of disabling the whole protections you might only want to turn the "Memory Patch Hijacking Protection" off in the meantime. Please let me know if it works for you while we are fixing it.

Best regards
David Sánchez


Hi AdamM,

As dsanchez suggests, please turn off the following protection and let us know if that helps. We apologize for the inconvenience caused. Thank you.

screenshot1.png


Not sure what changed between then and now, but I cannot seem to reproduce the issue now on my test machines with AE fully enabled. But I did go ahead and alter the memory protection settings in my main policy and also re-enabled the office shields. I will let you know if this happens again.

Thank you both for the quick response, I do appreciate it.

Adam


Thanks Adam for getting back to us. Can you confirm if you are unable to reproduce the issue using the test build that I sent to you or the official build itself?


I was referring to the official build.

But, I just received a call from a user with this issue. The test build that you provided resolved the problem immediately after installing.

Adam


We're also running into this issue. I tried updating to the 1.12.1.43 Beta after reading this topic to see if that was the build referred to that solved AdamM's issue, but it seems that it's still happening.

Any help would be appreciated,

Forrest Reed


Hi ForrestR,

Thanks for reporting. Can you please follow the below instructions and get us some logs? Thank you.

32 minutes ago, Arthi said:

Hi ForrestR,

Thanks for reporting. Can you please follow the below instructions and get us some logs? Thank you.

Logs of one of our employees' computers attached.

Microsoft Office Professional Plus 2013, Word and Excel known for sure, but suspect all Office applications affected.

Update Office with latest updates from Microsoft.

Update Anti-Exploit to 1.12.1.42/1.12.1.42

Open Microsoft Office program of your choice. Write whatever data fancies you. I've been just opening Word and typing 'test.'

Attempt to Save As

Anti-Exploit triggers a Process Hollowing Protection attack prevention, closing Office and losing all data.

Individual machines can be fixed by turning off memory hijack protection for Microsoft Office; however, we are a moderate-sized organization with a large number of computers, and we would prefer a solution we could mass patch, either through our Malwarebytes Management Console or through our Group Policy.

Thank you,

ForrestR

Malwarebytes Anti-Exploit.zip
