Jump to content

Malwarebytes blocking Word.

eduardokbb
 Share

Recommended Posts

  • Staff
Malwarebytes

Malwarebytes

Posted
  • Staff
Posted

***This is an automated reply***

Hi,

Thanks for posting in the Malwarebytes 3 Help forum.

 

If you are having technical issues with our Windows product, please do the following: 

Spoiler

If you haven’t already done so, please run the Malwarebytes Support Tool and then attach the logs in your next reply:

NOTE: The tools and the information obtained is safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

  1. Download Malwarebytes Support Tool
  2. Once the file is downloaded, open your Downloads folder/location of the downloaded file
  3. Double-click mb-support-X.X.X.XXXX.exe to run the program
    • You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
  4. Place a checkmark next to Accept License Agreement and click Next
  5. You will be presented with a page stating, "Get Started!"
  6. Click the Advanced tab
    Repair menu_arrows.png
     
  7. Click the Gather Logs button
    Advanced_arrows.png
     
  8. A progress bar will appear and the program will proceed with getting logs from your computer
    Advanced Gather Logs_arrows.png
     
  9. Upon completion, click a file named mbst-grab-results.zip will be saved to your Desktop. Click OK
    Advanced Gather Logs completed_arrows.png
     
  10. Please attach the file in your next reply. Before submitting your reply, be sure to enable "Notify me of replies" like so:
     notify me.jpeg  

Click "Reveal Hidden Contents" below for details on how to attach a file:
 

Spoiler

To save attachments, please click the link as shown below. You can click and drag the files to this bar or you can click the choose files, then browse to where your files are located, select them and click the Open button.

mb_attach.jpg.220985d559e943927cbe3c078b
 

One of our experts will be able to assist you shortly.

 

If you are having licensing issues, please do the following: 

Spoiler

For any of these issues:

  • Renewals
  • Refunds (including double billing)
  • Cancellations
  • Update Billing Info
  • Multiple Transactions
  • Consumer Purchases
  • Transaction Receipt

Please contact our support team at https://support.malwarebytes.com/community/consumer/pages/contact-us to get help

If you need help looking up your license details, please head here: https://support.malwarebytes.com/docs/DOC-1264 

 

Thanks in advance for your patience.

-The Malwarebytes Forum Team

Link to post
Share on other sites
Porthos

Porthos

Posted
Posted
25 minutes ago, eduardokbb said:

Restarted computer and it stopped detecting the exploit. Although I don't know what triggered that, it's not happening anymore.

 

1 hour ago, eduardokbb said:

so I had to disable BottomUP ASLR Enforcement for MS Office programs

This is why it does not happen anymore.

Link to post
Share on other sites
LiquidTension

LiquidTension

Posted
Posted

Hi @eduardokbb,

Thanks for reporting the issue.

Please do the following:
 

MgeHyNE.png Collect Malwarebytes Anti-Exploit Debugging Logs

  • Please download mbae_debugging.zip using the link below.
    https://malwarebytes.box.com/shared/static/qemghbd9e5794dc7pdhvnq2xpku6wo5z.zip
  • Open your Downloads folder.
  • Right-click 3YDDDvL.png mbae_debugging.zip and click Extract All.... Ensure Show extracted files when complete is checked and click Extract.
  • Double-click CX41PDv.png start_debugging.bat.
  • Note: If you are prompted by Windows SmartScreen, click More info followed by Run anyway. If you are prompted by AVOiBNU.jpg User Account Control, click Yes.
  • A blue console window will appear. Please be patient.
  • When prompted to reproduce your issue, please perform the action(s) that trigger the exploit block/issue with your installed Malwarebytes product.
  • If you are successful, press Y on your keyboard.
  • Upon completion, a file named 3YDDDvL.png mbae-logs.zip will be saved to your Desktop. Please attach the file in your next reply.
Link to post
Share on other sites
LiquidTension

LiquidTension

Posted
Posted

Thanks for letting me know. This appears to have been caused by the system's language being set to something other than English. I'm looking into how to address this.

In the meantime, we can proceed with obtaining the debug logs.

The necessary changes were made by the script, so please do the following:

  • Reproduce the Exploit Protection block with Malwarebytes.
  • Afterwards, rerun the Malwarebytes Support Tool. Click Advanced followed by Gather Logs and attach the newly created mbst-grab-results.zip (saved to your Desktop).
  • Press the Windows Key + R on your keyboard at the same time. Type %programdata% and click OK.
  • A folder will open. Inside, look for a folder named MBAE_minidumps. If you see this folder, copy it to your Desktop. Right-click the copied folder and click Send to followed by Compressed (Zipped) folder. Attach the new Zip file as well.
Link to post
Share on other sites
LiquidTension

LiquidTension

Posted
Posted

Thanks a lot. We're taking a look at the data and will provide an update shortly.

In the meantime, please revert the debug changes that were made. This would have been done by the batch file, but due to the issues with your system language, it will need to be done manually. To do so:

  • Right-click the Malwarebytes icon in your notification area/system tray. Click Quit Malwarebytes.
  • Locate the C:\Users\srbar\Desktop\Backup folder. Copy the two files inside.
  • Open the C:\Program Files\Malwarebytes\Anti-Malware folder.
  • Paste the two copied files inside. When prompted, click Replace the file in the destination.
  • Relaunch Malwarebytes by double-clicking the Desktop shortcut.
Link to post
Share on other sites
eduardokbb

eduardokbb

Posted
  • Author
Posted

I could reproduce the error again. I just reinstalled MB and Office. When I opened Word the anti-exploit blocked it again. I tried to run the Anti-Exploit debugging but it closes itself before finishing (I changed Windows to english to avoid the problem I had earlier).

The Anti-Exploit debugging swapped the DLLs and backed up the non-debugging in my Desktop. After that I tried to open Word again (to reproduce the exploit) and Word got closed again. So I ran the support tools to gather logs and I'm uploading it here for you.

This time there's not a minidump at %programdata%, but inside %Programdata%/Malwarebytes theres an AeDetections containing 2 .json files I'm uploading too.

Hope this can help with something.

mbst-grab-results.zip

AeDetections.zip

Link to post
Share on other sites
LiquidTension

LiquidTension

Posted
Posted

Thanks for the update. The AeDetections folder contains the report files generated when an Exploit Protection block occurs.

We're still reviewing the data. I'll get back with an update shortly.
 

15 hours ago, eduardokbb said:

I tried to run the Anti-Exploit debugging but it closes itself before finishing (I changed Windows to english to avoid the problem I had earlier).

Which stage did it close at? Can you check the %temp% folder for a folder named mbae-debugging. Inside you should find a file named mbae-debugging.txt. Please attach this.

Link to post
Share on other sites
LiquidTension

LiquidTension

Posted
Posted

Hi @eduardokbb,

Thanks again for the data.

We're now in the process of working on a fix. In the meantime, you can do the following as a workaround:

  • Open Malwarebytes.
  • Click Settings.
  • Click Protection.
  • Click Advanced Settings under Exploit Protection.
  • Ensure the Application Hardening tab is selected.
  • For BottomUp ASLR Enforcement, uncheck MS Office.
  • Click Apply.
Link to post
Share on other sites
eduardokbb

eduardokbb

Posted
  • Author
Posted
5 hours ago, LiquidTension said:

Thanks for the update. The AeDetections folder contains the report files generated when an Exploit Protection block occurs.

We're still reviewing the data. I'll get back with an update shortly.
 

Which stage did it close at? Can you check the %temp% folder for a folder named mbae-debugging. Inside you should find a file named mbae-debugging.txt. Please attach this.

I figured the problem, debugging the batch I find that some system variables were missing. It's fixed now.

4 hours ago, LiquidTension said:

Hi @eduardokbb,

Thanks again for the data.

We're now in the process of working on a fix. In the meantime, you can do the following as a workaround:

  • Open Malwarebytes.
  • Click Settings.
  • Click Protection.
  • Click Advanced Settings under Exploit Protection.
  • Ensure the Application Hardening tab is selected.
  • For BottomUp ASLR Enforcement, uncheck MS Office.
  • Click Apply.

Thank you.

Link to post
Share on other sites
LiquidTension

LiquidTension

Posted
Posted

Thanks @eduardokbb. I'll provide an update once we have further information on the availability of a permanent fix.
 

On 3/1/2019 at 8:06 PM, eduardokbb said:

I figured the problem, debugging the batch I find that some system variables were missing. It's fixed now.

Thanks for letting me know. Out of interest, which system variables were missing?

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.