ForrestR

MBAE 1.12.1.42/1.12.1.43 Process Hollowing Protection Office false positive


Logs of one of our employees' computers attached.

Microsoft Office Professional Plus 2013, Word and Excel known for sure, but suspect all Office applications affected.

Update Office with latest updates from Microsoft.

Update Anti-Exploit to 1.12.1.42/1.12.1.42

Open Microsoft Office program of your choice. Write whatever data fancies you. I've been just opening Word and typing 'test.'

Attempt to Save As

Anti-Exploit triggers a Process Hollowing Protection attack prevention, closing Office and losing all data.

 

Individual machines can be fixed via turning off memory hijack protection for Microsoft Office; however, we are a moderate-sized organization with a large number of computers, and we would prefer a solution we could mass patch, either through our Malwarebytes Management Console or through our Group Policy.

 

Thank you,

ForrestR

 

Malwarebytes Anti-Exploit.zip


Hi Forrest.

Thank you for letting us know.

I'm personally looking at the issue but please could you tell me the version of Windows too?

Best Regards


I'm having almost the same issue, except every time I want to insert a picture from my PC into a blank Word document, MBAE triggers a false alarm and shuts down Word.

Windows 7 SP1 all updates applied. The false alarm appeared with 1.12.1.43. I uninstalled it and installed your latest beta 1.12.1.57; same false alarm.

screenshot.jpg


Hi @motjr

During this month we will release a new version that already fixes that issue. Sorry for any inconvenience.

 

Best regards


Hello @dsanchez,

We are also facing the same issue with some of our client systems: whenever they try to save some MS Word files or do some editing, Anti-Exploit closes the file and displays the above-mentioned message (Process Hollowing Protection). So I just unchecked Memory Patch Hijacking Protection for MS Office on these clients and it seems to solve the issue, but I do not think it is the safe solution. Could you just suggest some safe solution for this issue?

We are currently using Malwarebytes Anti-Exploit for Business version 1.12.2.109.

 

Regards Zubair


Hi @zubairahmed

Thank you for letting us know.
We are currently working on it. However, could you tell me which Office version you are working with, so we will be able to check your case closely?

Best regards
Thank you.


Same issue here with MS Word and Excel 2010.  Started yesterday on one machine.  Any resolution?

MalwarebytesError.jpg


Hi  @RuitBier @Skunk1966 @zubairahmed

It seems that Microsoft might have updated something in their Office apps (or Windows) that causes this issue. We are working to fix it as soon as possible. Actually, we do have a new release that gets some extra info from the false positive, but nothing related to the user nor to his/her machine. We created this version because we are not able to reproduce the same issue in our lab so far.

If you are willing to try this version on your machine and send me back the logs, please drop me an email to dsanchez@malwarebytes.com

Thank you
David Sánchez

4 minutes ago, dsanchez said:

Hi  @RuitBier @Skunk1966 @zubairahmed

It seems that Microsoft might have updated something in their Office apps (or Windows) that causes this issue. We are working to fix it as soon as possible. Actually, we do have a new release that gets some extra info from the false positive, but nothing related to the user nor to his/her machine. We created this version because we are not able to reproduce the same issue in our lab so far.

If you are willing to try this version on your machine and send me back the logs, please drop me an email to dsanchez@malwarebytes.com 

Thank you
David Sánchez

email sent


@dsanchez Replied to your email and added full content from AppData folder after installing your version + undoing the workaround first before reproducing the problem.


@dsanchez I forgot to mention 1 detail in my email to you with content of AppData folder: this version of MBAE didn't show the warning window when blocking Word.


Hi all, 

@Skunk1966 helped us to fix the issue, so as soon as possible the new version will be released for all of you.

We really appreciate the kind help offered by @Skunk1966 to solve this issue.

Best regards
 

7 hours ago, Skunk1966 said:

email sent

I've checked two of the four users that are experiencing this issue. There have been no Windows updates on one. Auto update is disabled.


Hi All,

We have pushed out a silent config update which should disable the conflicting setting. Please restart your Malwarebytes Anti-Exploit service. Let us know if it has not resolved your issues yet. Thanks.

On 8/16/2018 at 5:08 PM, Arthi said:

Hi All,

We have pushed out a silent config update which should disable the conflicting setting. Please restart your Malwarebytes Anti-Exploit service. Let us know if it has not resolved your issues yet. Thanks.

We've had two more computers with the same error after the update.  Can you tell me how to tell if the config update has occurred?


Hi,

This silent config update has been pushed to the MBAE Business product as well. You can tell if you got it if you see the following setting disabled. Thanks.

 

screenshot.png


Can you tell me how this update would have been sent? The only devices that have been changed are those eight that I changed manually. The update may have been stopped by our SonicWall.

Thanks.  

 


We are also running version 1.12.2.109 and experiencing the same false positive on some of our endpoints. I have unchecked that box in our policy, yet the endpoint clients still report that false positive even though they have the updated policy on their endpoints. When is a permanent solution going to be released, please?


Hi @CKMorgus and @hatesallbugs

Process Hollowing is already fixed in 1.12.X.124. Could you update to that version?

Best regards
David Sánchez
