StroTech

Anti-Exploit Detection during Office 365 Update


Posted (edited)

Hello, I had two exploit notifications after I updated Office 365 and wanted to check and make sure they were false positives:

"2018-07-12T10:00:51.226-05:00";"usernameh";"11412";"C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE";"9948";"explorer.exe";"2";"502";"301";"0x18061784";"";"0x00020000";"0x18230000";"0x18134000";"0x1822F308";"";"";"";"";""

 

"2018-07-12T10:01:17.062-05:00";"username";"2300";"C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE";"9948";"explorer.exe";"2";"502";"301";"0x1B8B1784";"";"0x00020000";"0x1BA70000";"0x1B974000";"0x1BA6F1F8";"";"";"";"";""

 


We also had an exploit detection with adobe reader dc and pdfcreator:


7/11/2018 1:02:51 PM  Exploit code executing from stack blocked BLOCK username Adobe Reader C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Attacked application: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe; Parent process name: PDFCreator.exe; Layer: Protection Against OS Security Bypass; API ID: 450; Address: 0x00C6D000; Module: ; AddressType: ; StackTop: 0x00C70000; StackBottom: 0x00C6B000; StackPointer: ; Extra: 
Total count: 1.

 

Please let me know what else you need.

Edited by StroTech

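Before accepting any "false positive" verdict it is worth pulling the structured fields out of a record like the Adobe Reader one above and checking that they are internally consistent. The following Python is an added example, not code from the original post or from Malwarebytes: it parses the "Key: value;" section of that record (the sample is the post's own line, reproduced inline as constructed input), checks whether the reported Address really lies inside the StackBottom..StackTop range the engine claims, notes whether a backing Module was recorded, and compares the parent process against a caller-supplied list of launchers the admin considers normal (the list itself is an assumption, not something the page states).

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: the Adobe Reader detection quoted in the post above,
# joined onto one line so the parser has realistic input to work on.
SAMPLE_RECORD = (
    "7/11/2018 1:02:51 PM  Exploit code executing from stack blocked BLOCK username "
    "Adobe Reader C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd32.exe "
    "Attacked application: C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd32.exe; "
    "Parent process name: PDFCreator.exe; Layer: Protection Against OS Security Bypass; "
    "API ID: 450; Address: 0x00C6D000; Module: ; AddressType: ; "
    "StackTop: 0x00C70000; StackBottom: 0x00C6B000; StackPointer: ; Extra: "
)

TIMESTAMP_RE = re.compile(r"^(\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)")
# "Key: value;" pairs. Values may contain ':' (drive letters) but never ';'.
FIELD_RE = re.compile(r"([A-Za-z][A-Za-z ]*?): ([^;]*)(?:;|$)")


@dataclass
class Detection:
    timestamp: str
    attacked_app: str
    parent_process: str
    layer: str
    api_id: int
    address: Optional[int]
    stack_top: Optional[int]
    stack_bottom: Optional[int]
    module: str


def _hex_or_none(value: str) -> Optional[int]:
    """Empty fields (e.g. 'Module: ;') become None instead of raising."""
    value = value.strip()
    return int(value, 16) if value else None


def parse_detection(record: str) -> Detection:
    """Split one detection line into its timestamp and the named detail fields."""
    m = TIMESTAMP_RE.match(record)
    if not m:
        raise ValueError("record does not start with a timestamp")
    head, sep, tail = record.partition("Attacked application: ")
    if not sep:
        raise ValueError("record has no 'Attacked application' detail section")
    fields: Dict[str, str] = {k.strip(): v.strip() for k, v in FIELD_RE.findall(sep + tail)}
    return Detection(
        timestamp=m.group(1),
        attacked_app=fields.get("Attacked application", ""),
        parent_process=fields.get("Parent process name", ""),
        layer=fields.get("Layer", ""),
        api_id=int(fields.get("API ID", "0") or 0),
        address=_hex_or_none(fields.get("Address", "")),
        stack_top=_hex_or_none(fields.get("StackTop", "")),
        stack_bottom=_hex_or_none(fields.get("StackBottom", "")),
        module=fields.get("Module", ""),
    )


def address_in_stack(d: Detection) -> Optional[bool]:
    """True when the flagged address lies inside the stack region the engine reported."""
    if d.address is None or d.stack_top is None or d.stack_bottom is None:
        return None
    return d.stack_bottom <= d.address < d.stack_top


def triage(d: Detection, expected_parents: List[str]) -> List[str]:
    """Facts a responder checks before filing a detection as a false positive.
    expected_parents is an assumed, admin-maintained list of normal launchers."""
    notes: List[str] = []
    on_stack = address_in_stack(d)
    if on_stack:
        size_kib = (d.stack_top - d.stack_bottom) // 1024
        notes.append(f"address {d.address:#010x} lies in the reported stack region "
                     f"({size_kib} KiB): the 'executing from stack' classification is internally consistent")
    elif on_stack is False:
        notes.append("address is outside the reported stack region: engine classification looks wrong")
    else:
        notes.append("no address or stack bounds recorded")
    if not d.module:
        notes.append("no backing module: the code was not mapped from a file on disk")
    if d.parent_process.lower() in (p.lower() for p in expected_parents):
        notes.append(f"parent {d.parent_process} is an expected launcher for this application")
    else:
        notes.append(f"parent {d.parent_process} is NOT an expected launcher; investigate the parent first")
    return notes


if __name__ == "__main__":
    det = parse_detection(SAMPLE_RECORD)
    for line in triage(det, ["PDFCreator.exe", "explorer.exe"]):
        print("-", line)
```

Running this on the quoted record shows the address sitting inside a 20 KiB stack region with no backing module, and PDFCreator.exe as the parent. That tells you the engine's own data is coherent; it does not by itself decide benign versus malicious, which is why the vendor's release notes for the specific application and version still have to be checked.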

Greetings,

Until a member of the staff responds, I would like to offer the suggestion that you check the version of Anti-Exploit you have deployed, as I saw that false positives related to both Office 365 and Adobe Reader are mentioned as items addressed in the most recent release, version 1.12.2.90, as documented here.

The download link for the latest build is in that post as well and I've also included it here for your convenience.

Please let us know if that resolves the issues or not, and if not, I will advise a member of the staff to take a look and assist you further as I'm no expert when it comes to the Anti-Exploit component, but I do hope this information was helpful.


All of the computers are getting updated to that version, so will have to wait and see if the issue persists.

I do have another question. Should the Malwarebytes Management Server automatically update its Package Template folder? Currently it still has version 1.11.2.55 of Anti-Exploit. I know that after it is installed it will automatically update to the latest on the client, but is the package template folder version not supposed to get auto-updated for future installation packages?


Also, is it OK to take a recent version of the Anti-Exploit installer and put it into the package template folder on the Malwarebytes Management Server, then create an installation package?

3 hours ago, StroTech said:

Also, is it OK to take a recent version of the Anti-Exploit installer and put it into the package template folder on the Malwarebytes Management Server, then create an installation package?

Hi StroTech, the MBAE build that is within the MBMC package template will be out of date compared to the latest over-the-air update. We do not recommend changing the package out; if you try to do this to upgrade the MBAE build on the endpoints, it can break the push. It can work for new installs, though. The best way to do it without affecting your console is to install the MBAE standalone exe or msi (from the unmanaged folder of the MBMC package) over the top of the existing version using some other means: a local install, a script, or some other deployment tool like GPO or SCCM.


OK, how long should it usually take for a fresh install with an older version of Anti-Exploit to get updated to the current version of Anti-Exploit? Right now a computer we reinstalled Endpoint Security on has version 1.11.2.55. We just reinstalled it yesterday.


It should be instant after checking in, as long as the endpoint can access https://data-cdn.mbamupdates.com and https://sirius.mwbsys.com and is allowed to download an exe directly through firewalls. Some machines will need to restart for the new version to show in the client view. You can also avoid having to go through the MBAE downgrade/upgrade process on agent upgrade or reinstall: the agent can be deployed without including the MBAE portion of the install, and the existing newer MBAE will then reintegrate with the MBMC client software after it is reinstalled. The MBAE standalone installer can also upgrade the version on your machine if you do not wish to wait for the machine to pick it up itself.
