mgard Posted May 24, 2018 ID:1245909 Share Posted May 24, 2018 Good afternoon, I am starting to see this "Exploit code executing from stack blocked" popping up more and with AcroBd32.exe. I am guessing this is a false/positive? Thank you for help in understanding this security notification. We are running Malwarebytes Enterprise 1.80.2.1012, Anti-Exploit 1.12.2.81. Mike Exploit code executing from stack blocked BLOCK mmead Adobe Reader C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Attacked application: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe; Parent process name: OUTLOOK.EXE; Layer: Protection Against OS Security Bypass; API ID: 450; Address: 0x0029D010; Module: ; AddressType: ; StackTop: 0x002A0000; StackBottom: 0x0029C000; StackPointer: ; Extra: Link to post Share on other sites More sharing options...
JAWS98 Posted May 29, 2018 ID:1246591 Share Posted May 29, 2018 Hi, I have the same reports being generated by Malwarebytes on several computers across our campus, is this a false positive or is it something to be suspicious about? 28/05/2018 17:54:36 Exploit code executing from stack blocked BLOCK Adobe Reader C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Attacked application: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe; Parent process name: iexplore.exe; Layer: Protection Against OS Security Bypass; API ID: 450; Address: 0x005ED010; Module: ; AddressType: ; StackTop: 0x005F0000; StackBottom: 0x005EC000; StackPointer: ; Extra: Thanks, James Link to post Share on other sites More sharing options...
cfor1747 Posted May 29, 2018 ID:1246645 Share Posted May 29, 2018 We are also receiving this when opening pdf's. Has there been any response on whether this is a false positive? Link to post Share on other sites More sharing options...
CM03 Posted May 30, 2018 ID:1246811 Share Posted May 30, 2018 We are also receiving this almost daily in the two forms below. It shows Internet explorer and Outlook triggering these. Has there been any response on whether this is a false positive? We had 19 in one day and daily since then. Exploit code executing from stack blocked BLOCK tlee Adobe Reader C:\Program Files\Adobe\Reader 10.0\Reader\AcroRd32.exe Attacked application: C:\Program Files\Adobe\Reader 10.0\Reader\AcroRd32.exe; Parent process name: OUTLOOK.EXE; 5/27/2018 2:03:07 AM W7682 10.60.11.4 Exploit code executing from stack blocked BLOCK Hotel_front_desk Adobe Reader C:\Program Files\Adobe\Reader 10.0\Reader\AcroRd32.exe Attacked application: C:\Program Files\Adobe\Reader 10.0\Reader\AcroRd32.exe; Parent process name: iexplore.exe; Layer: Protection Against OS Security Bypass; API ID: 450; Address: 0x033ACC4C; Module: ; AddressType: ; StackTop: 0x033B0000; StackBottom: 0x03394000; StackPointer: ; Extra: Link to post Share on other sites More sharing options...
mgard Posted May 30, 2018 Author ID:1246819 Share Posted May 30, 2018 Most of our alerts have been from Outlook and Adobe Reader. This morning I received notices like others have been seeing. Its triggered with iexplore.exe and AcroRd32.exe. I will be glad when we switch to the Malwarebytes Cloud version. That way I can call Malwarebytes support. Mike 5/30/2018 8:19:46 AM Exploit code executing from stack blocked BLOCK Adobe Reader C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Attacked application: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe; Parent process name: iexplore.exe; Layer: Protection Against OS Security Bypass; API ID: 450; Address: 0x00BAE000; Module: ; AddressType: ; StackTop: 0x00BB0000; StackBottom: 0x00BAB000; StackPointer: ; Extra: Total count: 1. Link to post Share on other sites More sharing options...
Sean Ohlrich Posted May 30, 2018 ID:1246870 Share Posted May 30, 2018 Same here. getting the exact same message one computer here or there at a time. No response from support as of yet. Link to post Share on other sites More sharing options...
Staff Arthi Posted June 1, 2018 Staff ID:1247421 Share Posted June 1, 2018 Hi, Thanks for reporting. We have a fix for this issue in the standalone Anti-Exploit module and will start rolling this out in Malwarebytes soon after adequate testing. Will keep you posted. Link to post Share on other sites More sharing options...
iambry Posted June 5, 2018 ID:1248178 Share Posted June 5, 2018 (edited) So this is a false positive? We're getting these alerts with certain users in our organization. Edited June 5, 2018 by iambry Link to post Share on other sites More sharing options...
mgard Posted June 14, 2018 Author ID:1250189 Share Posted June 14, 2018 Hey Arthi, Any update on how close you are getting to rolling out the update to Anti-Exploit? Thank you, Mike Link to post Share on other sites More sharing options...
Staff Arthi Posted June 15, 2018 Staff ID:1250438 Share Posted June 15, 2018 Hi All, We are rolling out the fix in Malwarebytes Anti-Exploit (MBAE) starting next week and planning to push it out into Malwarebytes end of this month. Will keep you posted. Thanks. Link to post Share on other sites More sharing options...
ITSUP Posted June 23, 2018 ID:1252059 Share Posted June 23, 2018 hello there, any updates on the fix rollout? We are getting these messages few a day and not sure if we should threat them as something serious or false positives... thanks Link to post Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now