JeffIT

Anti Exploit Flagging Office 365 Programs

Hi,

Today I had a user have an issue with using Office 365 applications and accessing Windows Explorer. The issue was noticed when the end user was trying to insert an image into a Word document. As soon as the folder was selected from Windows Explorer the program would shut down and the Anti Exploit would pop up with a warning of an exploit attack. I ran a full scan on Malwarebytes AntiMalware 1.80.2.1012 and also on Microsoft Security Essentials. Both came up clean.

After looking for possible causes I noticed the computer updated to the new versions of .NET Framework while off the premises yesterday.

How do I confirm the computer is clean and also get the end user back operational? I know I can turn off Anti Exploit for particular programs, but is this safe to do in this situation?


Per Malwarebytes support:
We are currently getting reports of this block and our development is currently working on a resolution.
“Block”/Error Message: Protection against OS Security Bypass/Process hollowing protection. 

When I chatted w/ Malwarebytes support they indicated that a recent update to Anti-Exploit has been causing false positives, specifically w/ Office programs. 
The temporary workaround is to disable memory patch hijacking protection on the agent(s) (server-side).
I have not been updated on a resolution since. 

Hope it helps! 
 


We're also getting this with Excel 2013.  I haven't seen this mentioned anywhere else.  I felt that this would be resolved quickly, but it doesn't seem so.

11 hours ago, Rbuck117 said:

Per Malwarebytes support:
We are currently getting reports of this block and our development is currently working on a resolution.
“Block”/Error Message: Protection against OS Security Bypass/Process hollowing protection. 

When I chatted w/ Malwarebytes support they indicated that a recent update to Anti-Exploit has been causing false positives, specifically w/ Office programs. 
The temporary workaround is to disable memory patch hijacking protection on the agent(s) (server-side).
I have not been updated on a resolution since. 

Hope it helps! 
 

OK so only disabled the memory patch hijack selection. I better re-enable the others that I had disabled yesterday. Thanks Rbuck117. 

10 hours ago, HarleyHutchins said:

We also have this issue

Does anyone have an update on this issue?

I have been disabling memory patch hijacking protection on my endpoints on a per-case basis. As of this morning, I'm still receiving alerts. I e-mailed Malwarebytes support for an update this morning and will keep you guys posted if I hear anything back.


We are having the same issue, has there been any update? 

I know, it's only been an hour since the last post but just in case. (fingers crossed)

8 minutes ago, Harold_Finch said:

We are having the same issue, has there been any update? 

I know, it's only been an hour since the last post but just in case. (fingers crossed)

 

UPDATE:
Per Malwarebytes Support - We apologize for the inconvenience caused. You can disable the "Memory patch hijacking protection" from PDF Readers as you did for the MS Office from the management console. Policy-> Edit-> Anti-Exploit-> Advanced. See screenshot attached.
Also, ultimately, you can disable the shield for those applications completely from the Anti-Exploit tab within the Edit Policy window. You can uncheck the box for the appropriate Profile/Application Name. See screenshot attached.
Also, we appreciate you taking the time to collect the debug logs and request that you please provide us with FRST ( https://support.malwarebytes.com/docs/DOC-1318 ) logs as they are necessary to carry out the investigation to the root cause of this issue.  

Still no resolution at this time. Also, sounds like there are some issues w/ PDF readers in addition to MS Office.
I'll keep everyone posted as soon as I hear anything else. 
 

Edit Policy AE Shield.PNG

Memory patch hijacking protection.PNG


Thanks Rbuck117.

Quick question, are you looking for logs of this issue or was that text directly from support to you? 

2 minutes ago, JeffIT said:

Thanks Rbuck117.

Quick question, are you looking for logs of this issue or was that text directly from support to you? 

Directly from support to me. I've sent them over what I had already. If I had to take a guess I would say this isn't affecting a large number of Malwarebytes' customers as they usually have these types of issues resolved rather quickly. (We may be in for the long haul on this one)


We are seeing this too. It is affecting about 200 of our endpoints and we have been unsuccessful in pushing a new policy to our endpoints via the MBAM console to effect that change. We are having to manually touch each computer to work around this issue. We have 20+ man hours into dealing with this so far. I'm attempting to escalate this issue with support.


Hey guys,

I just wanted to let you know that I've documented this issue and will be submitting it to the team to attempt to escalate it so hopefully that will help to speed up the process of getting a fix out to you.


Any updates on this? We are also seeing this in our environment. It's not affecting all of our endpoints at this time, but the number of reports is growing.

 


The fix that Rbuck117 posted appears to be the official fix. Support reported back to us that the issue was resolved, but no details on what that resolution/fix was. On the new installs of Anti-Exploit that we have done, the Memory patch hijack protection setting for Microsoft Office is unchecked by default. So we have disabled that setting in our MBAM Console. Our issue with applying the policy to our endpoints via the MBAM Console appears to have been us making too many policy changes in a short period of time.
