mgard

Exploit code executing from stack blocked 


Good afternoon,

I am starting to see this "Exploit code executing from stack blocked" popping up more and with AcroRd32.exe. I am guessing this is a false positive? Thank you for your help in understanding this security notification. We are running Malwarebytes Enterprise 1.80.2.1012, Anti-Exploit 1.12.2.81.

Mike 

 

 

Exploit code executing from stack blocked            BLOCK                   mmead Adobe Reader   C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe  Attacked application: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe; Parent process name: OUTLOOK.EXE; Layer: Protection Against OS Security Bypass; API ID: 450; Address: 0x0029D010; Module: ; AddressType: ; StackTop: 0x002A0000; StackBottom: 0x0029C000; StackPointer: ; Extra:


Hi,

I have the same reports being generated by Malwarebytes on several computers across our campus, is this a false positive or is it something to be suspicious about?

28/05/2018 17:54:36       Exploit code executing from stack blocked      BLOCK       Adobe Reader   C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe                Attacked application: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe; Parent process name: iexplore.exe; Layer: Protection Against OS Security Bypass; API ID: 450; Address: 0x005ED010; Module: ; AddressType: ; StackTop: 0x005F0000; StackBottom: 0x005EC000; StackPointer: ; Extra:

Thanks,

James


We are also receiving this when opening PDFs. Has there been any response on whether this is a false positive?


We are also receiving this almost daily in the two forms below. It shows Internet Explorer and Outlook triggering these. Has there been any response on whether this is a false positive? We had 19 in one day and daily since then.

Exploit code executing from stack blocked BLOCK tlee Adobe Reader C:\Program Files\Adobe\Reader 10.0\Reader\AcroRd32.exe Attacked application: C:\Program Files\Adobe\Reader 10.0\Reader\AcroRd32.exe; Parent process name: OUTLOOK.EXE;

5/27/2018 2:03:07 AM W7682 10.60.11.4 Exploit code executing from stack blocked BLOCK Hotel_front_desk Adobe Reader C:\Program Files\Adobe\Reader 10.0\Reader\AcroRd32.exe Attacked application: C:\Program Files\Adobe\Reader 10.0\Reader\AcroRd32.exe; Parent process name: iexplore.exe; Layer: Protection Against OS Security Bypass; API ID: 450; Address: 0x033ACC4C; Module: ; AddressType: ; StackTop: 0x033B0000; StackBottom: 0x03394000; StackPointer: ; Extra:
 

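An added example, not part of any post in this thread and not Malwarebytes code: a Python parser for alert lines of the form quoted above that counts alerts by parent process and checks whether the reported Address lies between StackBottom and StackTop. The meaning of those fields is inferred from their names (an assumption), and the sample lines are shortened from alerts quoted in this thread.

```python
from collections import Counter

# Sample input: detail sections shortened from alerts quoted in this thread;
# the second is the form that stops after the parent process name.
SAMPLE = [
    r"Attacked application: C:\Program Files\Adobe\Reader 10.0\Reader\AcroRd32.exe; "
    r"Parent process name: iexplore.exe; Layer: Protection Against OS Security Bypass; "
    r"API ID: 450; Address: 0x033ACC4C; Module: ; AddressType: ; StackTop: 0x033B0000; "
    r"StackBottom: 0x03394000; StackPointer: ; Extra:",
    r"Attacked application: C:\Program Files\Adobe\Reader 10.0\Reader\AcroRd32.exe; "
    r"Parent process name: OUTLOOK.EXE;",
    r"Attacked application: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe; "
    r"Parent process name: OUTLOOK.EXE; Layer: Protection Against OS Security Bypass; "
    r"API ID: 450; Address: 0x0029D010; Module: ; AddressType: ; StackTop: 0x002A0000; "
    r"StackBottom: 0x0029C000; StackPointer: ; Extra:",
]

def parse_alert(line):
    """Return the 'Key: value' detail fields of one alert line, or None if absent."""
    start = line.find("Attacked application:")
    if start < 0:
        return None
    fields = {}
    for part in line[start:].split(";"):
        key, sep, value = part.partition(":")  # first colon only: paths keep "C:\"
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def address_in_stack(fields):
    """True/False if Address is in [StackBottom, StackTop); None if a field is missing."""
    try:
        addr, top, bottom = (int(fields[k], 16)
                             for k in ("Address", "StackTop", "StackBottom"))
    except (KeyError, ValueError):
        return None
    return bottom <= addr < top

def summarize(lines):
    """Count alerts per parent process and per stack-range check result."""
    parents, in_stack = Counter(), Counter()
    for fields in filter(None, map(parse_alert, lines)):
        parents[fields.get("Parent process name", "unknown")] += 1
        in_stack[address_in_stack(fields)] += 1
    return parents, in_stack

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Grouping by parent process and attacked application across endpoints shows whether the alerts share one pattern, which is the information a vendor support case or an internal triage note needs.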

Most of our alerts have been from Outlook and Adobe Reader. This morning I received notices like others have been seeing. It's triggered with iexplore.exe and AcroRd32.exe. I will be glad when we switch to the Malwarebytes Cloud version. That way I can call Malwarebytes support.

Mike

 

5/30/2018 8:19:46 AM                  Exploit code executing from stack blocked            BLOCK                                   Adobe Reader C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe               Attacked application: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe; Parent process name: iexplore.exe; Layer: Protection Against OS Security Bypass; API ID: 450; Address: 0x00BAE000; Module: ; AddressType: ; StackTop: 0x00BB0000; StackBottom: 0x00BAB000; StackPointer: ; Extra:

 

Total count: 1.

 


Hi,

Thanks for reporting. We have a fix for this issue in the standalone Anti-Exploit module and will start rolling this out in Malwarebytes soon after adequate testing. Will keep you posted.


So this is a false positive?  We're getting these alerts with certain users in our organization.

 

Edited by iambry


Hey Arthi,

Any update on how close you are getting to rolling out the update to Anti-Exploit?

 

Thank you,

 

Mike 

 


Hi All,

We are rolling out the fix in Malwarebytes Anti-Exploit (MBAE) starting next week and are planning to push it out into Malwarebytes at the end of this month. Will keep you posted. Thanks.


Hello there, any updates on the fix rollout?

We are getting these messages a few a day and are not sure if we should treat them as something serious or false positives...

 

thanks

