
MBAE 1.12.1.42/1.12.1.43 Process Hollowing Protection Office false positive


ForrestR

Logs of one of our employees' computers attached.

Microsoft Office Professional Plus 2013, Word and Excel known for sure, but suspect all Office applications affected.

Update Office with latest updates from Microsoft.

Update Anti-Exploit to 1.12.1.42/1.12.1.42

Open the Microsoft Office program of your choice. Write whatever data fancies you. I've been just opening Word and typing 'test.'

Attempt to Save As

Anti-Exploit triggers a Process Hollowing Protection attack prevention, closing Office and losing all data.

 

Individual machines can be fixed by turning off memory hijack protection for Microsoft Office; however, we are a moderate-sized organization with a large number of computers, and we would prefer a solution we could mass patch, either through our Malwarebytes Management Console or through our Group Policy.

 

Thank you,

ForrestR

 

Malwarebytes Anti-Exploit.zip


  • 2 weeks later...

I'm having almost the same issue, except every time I want to insert a picture from my PC into a blank Word document, MBAE triggers a false alarm and shuts down Word.

Windows 7 SP1 all updates applied. The false alarm appeared with 1.12.1.43. I uninstalled it and installed your latest beta 1.12.1.57; same false alarm.

screenshot.jpg


  • 4 months later...

Hello @dsanchez,

We are also facing the same issue with some of our client systems: whenever they try to save some MS Word files or do some editing, Anti-Exploit closes the file and displays the above-mentioned message (Process Hollowing Protection). So I just unchecked Memory Patch Hijacking Protection for MS Office on these clients and it seems to solve the issue, but I do not think it is the safe solution. Could you suggest a safe solution for this issue?

We are currently using Malwarebytes Anti-Exploit for Business version 1.12.2.109.

 

Regards Zubair


  • Staff

Hi @RuitBier @Skunk1966 @zubairahmed

It seems that Microsoft might have updated something in their Office apps (or Windows) that causes this issue. We are working to fix it as soon as possible. Actually, we do have a new release that gets some extra info from the false positive, but nothing related to the user or to his/her machine. We created this version because we have not been able to reproduce the same issue in our lab so far.

If you are willing to try this version on your machine and send me back the logs, please drop me an email to dsanchez@malwarebytes.com

Thank you
David Sánchez


4 minutes ago, dsanchez said:

Hi @RuitBier @Skunk1966 @zubairahmed

It seems that Microsoft might have updated something in their Office apps (or Windows) that causes this issue. We are working to fix it as soon as possible. Actually, we do have a new release that gets some extra info from the false positive, but nothing related to the user or to his/her machine. We created this version because we have not been able to reproduce the same issue in our lab so far.

If you are willing to try this version on your machine and send me back the logs, please drop me an email to dsanchez@malwarebytes.com

Thank you
David Sánchez

email sent


On 8/16/2018 at 5:08 PM, Arthi said:

Hi All,

We have pushed out a silent config update which should disable the conflicting setting. Please restart your Malwarebytes Anti-Exploit service. Let us know if it has not resolved your issues yet. Thanks.

We've had two more computers with the same error after the update. Can you tell me how to tell if the config update has occurred?


  • 2 weeks later...

We are also running version 1.12.2.109 and experiencing the same false positive on some of our endpoints. I have unchecked that box in our policy, yet the endpoint clients still report that false positive even though they have the updated policy on their endpoints. When is a permanent solution going to be released, please?
