SandyWood

Where to start troubleshooting Exploit Attempt Blocked in Edge


Getting a few of these alerts in our environment. They are new Win 10 1607 machines and in each case, the user has several instances of microsoftedgecp.exe running in Task Manager. What can I check to verify that nothing is still lurking about?

Exploit threat detected, see details below:


4/20/2018 2:20:53 PM   10-87502               10.17.210.82     Exploit attempt blocked BLOCK                  jcool       microsoftedgecp.exe C:\windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe               Attacked application: C:\windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe; Parent process name: RuntimeBroker.exe; Layer: Application Behavior Protection; API ID: 900; Address: ; Module: ; AddressType: ; StackTop: ; StackBottom: ; StackPointer: ; Extra:

4/20/2018 2:22:12 PM   10-87502               10.17.210.82     Exploit attempt blocked BLOCK                  jcool        microsoftedgecp.exe C:\windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe               Attacked application: C:\windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe; Parent process name: RuntimeBroker.exe; Layer: Application Behavior Protection; API ID: 900; Address: ; Module: ; AddressType: ; StackTop: ; StackBottom: ; StackPointer: ; Extra:



Hey Sandy,


I want to send you some instructions in a PM to collect some debug logs for me. The block looks strange, in that it shouldn't be blocking it in that way. We want to see exactly why that is occurring.


How long should I let it run? Since we got the alert on this user, we haven't had any from them. (There have been a few others in our environment, however). If it takes weeks, will that affect the end-user? Will the debug logs grow very large?


Hey Sandy,


It will not affect them. The log we write to will overwrite itself after a certain amount of data (this prevents it from becoming a huge file). It will not affect the user and they will never see it. We just need to make sure that when the alert happens, we collect the logs, as it will overwrite if too much time has passed.

Edited by Rsullinger: adding additional info


We are getting this error:

5/15/2018 9:33:40 AM  COMPUTER NAME           IPADDRESS            Exploit attempt blocked BLOCK                   USERNAME           MicrosoftEdgeCP.exe                C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe        Attacked application: C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe; Parent process name: svchost.exe; Layer: Application Behavior Protection; API ID: 900; Address: ; Module: ; AddressType: ; StackTop: ; StackBottom: ; StackPointer: ; Extra:

5/15/2018 9:33:40 AM  COMPUTER NAME             IPADDRESS           Exploit attempt blocked BLOCK                   USERNAME               MicrosoftEdgeCP.exe                C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe        Attacked application: C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe; Parent process name: svchost.exe; Layer: Application Behavior Protection; API ID: 900; Address: ; Module: ; AddressType: ; StackTop: ; StackBottom: ; StackPointer: ; Extra:

5/15/2018 9:33:41 AM  COMPUTER NAME              IPADDRESS           Exploit attempt blocked BLOCK                  USERNAME                MicrosoftEdge.exe                C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe             Attacked application: C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe; Parent process name: svchost.exe; Layer: Application Behavior Protection; API ID: 900; Address: ; Module: ; AddressType: ; StackTop: ; StackBottom: ; StackPointer: ; Extra:

We are using Malwarebytes Management Server and we would like to gather logs too.


We have also been getting this error from different machines over the last week:

5/16/2018 3:38:39 AM  MACHINENAME       IPADDRESS            Exploit attempt blocked BLOCK                   USERNAME               microsoftedgecp.exe                C:\WINDOWS\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe      Attacked application: C:\WINDOWS\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe; Parent process name: RuntimeBroker.exe; Layer: Application Behavior Protection; API ID: 900; Address: ; Module: ; AddressType: ; StackTop: ; StackBottom: ; StackPointer: ; Extra:

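A small triage helper, added here as an example and not code from the thread or from Malwarebytes: it parses alert lines in the format the posters quoted above (the 4/20 alerts and the 5/15 and 5/16 alerts) into fields, flags whether the Address/Module/Stack fields carry any memory context (they are empty in every alert in this thread), and counts the repeating (process, parent, layer, API ID) patterns across hosts. The host names, IPs and user names in the sample are constructed.

```python
import re
from collections import Counter

# Constructed sample in the quoted format; host, IP and user values are made up,
# the detail fields mirror the alerts posted in this thread.
SAMPLE_ALERTS = """\
4/20/2018 2:20:53 PM   WS-01   10.0.0.5   Exploit attempt blocked BLOCK   alice   microsoftedgecp.exe C:\\Windows\\SystemApps\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\microsoftedgecp.exe   Attacked application: C:\\Windows\\SystemApps\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\microsoftedgecp.exe; Parent process name: RuntimeBroker.exe; Layer: Application Behavior Protection; API ID: 900; Address: ; Module: ; AddressType: ; StackTop: ; StackBottom: ; StackPointer: ; Extra:
5/15/2018 9:33:40 AM   WS-02   10.0.0.6   Exploit attempt blocked BLOCK   bob   MicrosoftEdgeCP.exe C:\\Windows\\SystemApps\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\MicrosoftEdgeCP.exe   Attacked application: C:\\Windows\\SystemApps\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\MicrosoftEdgeCP.exe; Parent process name: svchost.exe; Layer: Application Behavior Protection; API ID: 900; Address: ; Module: ; AddressType: ; StackTop: ; StackBottom: ; StackPointer: ; Extra:
5/15/2018 9:33:41 AM   WS-02   10.0.0.6   Exploit attempt blocked BLOCK   bob   MicrosoftEdge.exe C:\\Windows\\SystemApps\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\MicrosoftEdge.exe   Attacked application: C:\\Windows\\SystemApps\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\MicrosoftEdge.exe; Parent process name: svchost.exe; Layer: Application Behavior Protection; API ID: 900; Address: ; Module: ; AddressType: ; StackTop: ; StackBottom: ; StackPointer: ; Extra:
"""

# Columns are separated by runs of whitespace; the event text contains spaces,
# so it is matched literally. The "Attacked application: ..." tail is parsed separately.
HEAD_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s+"
    r"(?P<host>\S+)\s+(?P<ip>\S+)\s+Exploit attempt blocked\s+(?P<action>\S+)\s+"
    r"(?P<user>\S+)\s+(?P<process>\S+)\s+(?P<path>\S+)\s+"
    r"(?P<detail>Attacked application: .*)$"
)

# Fields that would carry memory context for a block at a specific address.
CONTEXT_FIELDS = ("Address", "Module", "AddressType", "StackTop", "StackBottom", "StackPointer")


def parse_detail(detail):
    """Turn 'Key: value; Key: value; ...' into a dict (empty values stay empty)."""
    fields = {}
    for part in detail.split(";"):
        key, sep, value = part.partition(":")  # first colon only, paths contain 'C:'
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def parse_alert(line):
    m = HEAD_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    detail = parse_detail(rec.pop("detail"))
    rec["attacked_app"] = detail.get("Attacked application", "")
    rec["parent"] = detail.get("Parent process name", "")
    rec["layer"] = detail.get("Layer", "")
    rec["api_id"] = detail.get("API ID", "")
    rec["has_memory_context"] = any(detail.get(f) for f in CONTEXT_FIELDS)
    return rec


def parse_alerts(text):
    return [r for r in (parse_alert(l) for l in text.splitlines()) if r]


def triage(records):
    """Summarize distinct hosts, repeating patterns and whether any alert had memory context."""
    patterns = Counter((r["process"].lower(), r["parent"].lower(), r["layer"], r["api_id"]) for r in records)
    return {"hosts": sorted({r["host"] for r in records}), "patterns": patterns,
            "any_with_memory_context": any(r["has_memory_context"] for r in records)}
```

Feeding the exported alert list through `triage()` shows whether the environment is seeing one repeating pattern (as in this thread) or several, which is the first thing to hand to support along with the debug logs.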

Hello Everyone,


Can you please try the version that is posted here:


We want to make sure the newest version is tried, to ensure this is not due to a fix we made recently.
