Where to start troubleshooting Exploit Attempt Blocked in Edge

[SandyWood]

Getting a few of these alerts in our environment. They are new Win 10 1607 machines and in each case, the user has several instances of microsoftedgecp.exe running in Task Manager. What can I check to verify that nothing is still lurking about?

Exploit threat detected, see details below:

 

4/20/2018 2:20:53 PM   10-87502               10.17.210.82     Exploit attempt blocked BLOCK                  jcool       microsoftedgecp.exe C:\windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe               Attacked application: C:\windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe; Parent process name: RuntimeBroker.exe; Layer: Application Behavior Protection; API ID: 900; Address: ; Module: ; AddressType: ; StackTop: ; StackBottom: ; StackPointer: ; Extra:

4/20/2018 2:22:12 PM   10-87502               10.17.210.82     Exploit attempt blocked BLOCK                  jcool        microsoftedgecp.exe C:\windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe               Attacked application: C:\windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe; Parent process name: RuntimeBroker.exe; Layer: Application Behavior Protection; API ID: 900; Address: ; Module: ; AddressType: ; StackTop: ; StackBottom: ; StackPointer: ; Extra:

 

[Rsullinger]

Hey Sandy,

 

I want to send you some instructions in a PM to collect me some debug logs. The block looks strange in that it shouldn't be blocking it in that way. We want to see exactly why that is occurring. 

[SandyWood]

How long should I let it run? Since we got the alert on this user, we haven't had any from them. (There have been a few others in our environment, however). If it takes weeks, will that affect the end-user? Will the debug logs grow very large?

[Rsullinger]

Hey Sandy,

 

It will not affect them. The log we write to will overwrite itself after a certain amount of data (this prevents it from being a huge file). It will not affect the user and they will never see it. Just need to make sure that when the alert happens, we collect the logs as it will overwrite if to much time has passed. 

Edited April 26, 2018 by Rsullinger
adding additional info

[Benzyl]

We are getting this error

5/15/2018 9:33:40 AM  COMPUTER NAME           IPADDRESS            Exploit attempt blocked BLOCK                   USERNAME           MicrosoftEdgeCP.exe                C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe        Attacked application: C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe; Parent process name: svchost.exe; Layer: Application Behavior Protection; API ID: 900; Address: ; Module: ; AddressType: ; StackTop: ; StackBottom: ; StackPointer: ; Extra:

5/15/2018 9:33:40 AM  COMPUTER NAME             IPADDRESS           Exploit attempt blocked BLOCK                   USERNAME               MicrosoftEdgeCP.exe                C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe        Attacked application: C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe; Parent process name: svchost.exe; Layer: Application Behavior Protection; API ID: 900; Address: ; Module: ; AddressType: ; StackTop: ; StackBottom: ; StackPointer: ; Extra:

5/15/2018 9:33:41 AM  COMPUTER NAME              IPADDRESS           Exploit attempt blocked BLOCK                  USERNAME                MicrosoftEdge.exe                C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe             Attacked application: C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe; Parent process name: svchost.exe; Layer: Application Behavior Protection; API ID: 900; Address: ; Module: ; AddressType: ; StackTop: ; StackBottom: ; StackPointer: ; Extra:

we are using Malwarebytes Management Server and we would like to gather logs too

[torrey]

We have also been getting this error from different machines over the last week:

5/16/2018 3:38:39 AM  MACHINENAME       IPADDRESS            Exploit attempt blocked BLOCK                   USERNAME               microsoftedgecp.exe                C:\WINDOWS\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe      Attacked application: C:\WINDOWS\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe; Parent process name: RuntimeBroker.exe; Layer: Application Behavior Protection; API ID: 900; Address: ; Module: ; AddressType: ; StackTop: ; StackBottom: ; StackPointer: ; Extra:

[Rsullinger]

Hello Everyone,

 

Can you please try the version that is posted here:

 

Want to make sure the newest version is tried to ensure this is not due to a fix we made currently. 

 

[Benzyl]

Already on that version

[Hendyman]

Hi we are starting to see several instances of this :

  

The client is using this version

Any advise ?

Regards

[Rsullinger]

I am going to send you a PM to collect some debug information for the team so we can get this fixed. 

[JeffreyB]

We've had two instances in the past 24 hours of this. On version 1.12.2.90. Same exact message as Hendyman.

It appears to happen when they open Edge is my guess, or close to that timeframe.

Was there any further information from Malwarebytes? It looked benign but since it has happened twice wanted to make sure there were no concerns.

[Rsullinger]

Hey JeffreyB,

 

Can you collect these logs for me so I can confirm if it is the same issue as above: