Jump to content

Recommended Posts

Near 4:00 est exploit detection began blocking a number of vbscript tools we use within Word as part of our document processing add-ins. Unfortunately we have had to disable exploit detection as it prevented Word from launching. I assume this was part of a definition update. Can anyone provides any details about the update that was released near this time? 

Share this post


Link to post
Share on other sites

Hi MSV,

Thanks for your post. Yes, it looks like this is due to the update we pushed out yesterday. Can you disable the following setting and see if that resolves your issue? 

Thanks.

image.png.01dd498403bfdc1ac6e711abc984e935.png

 

Edited by Arthi

Share this post


Link to post
Share on other sites

We appear to be getting these too, but from IE.

Exploit attempt blocked BLOCK   C:\WINDOWS\system32\VBScript.dll

We also do not have any of the boxes checked for VB scripting. So why is it still blocking it?

AntiExploit.jpg

Share this post


Link to post
Share on other sites

Hey Scoutt,

 

Can you please collect the logs further for this. We want to see what is happening since those two have been disabled for you:

 

 

Share this post


Link to post
Share on other sites

I just installed the program on a production server. We use vbscript.dll routines in our code and they are being blocked.

We have a trial version. Need to allow vbscript.dll to run.
Can you please address this issue.

Error was: 
 

-Log Details-
Protection Event Date: 4/24/20
Protection Event Time: 8:30 AM
Log File: 5eafa602-8627-11ea-b6eb-001cc0922661.json

-Software Information-
Version: 4.1.0.56
Components Version: 1.0.875
Update Package Version: 1.0.22872
License: Trial

-System Information-
OS: Windows 10 (Build 18362.778)
CPU: x86
File System: NTFS
User: System

-Exploit Details-
File: 0
(No malicious items detected)

Exploit: 1
Malware.Exploit.Agent.Generic, C:\Windows\System32\vbscript.dll, Blocked, 0, 392684, 0.0.0

-Exploit Data-
Affected Application: Microsoft Access
Protection Layer: Application Hardening
Protection Technique: Attempt to execute VBScript blocked
File Name: C:\Windows\System32\vbscript.dll
URL: 
 

Share this post


Link to post
Share on other sites

Hi JohnnieSko,

Can you please disable the setting marked in red. That should stop the blocks. Thanks.

image.png.01dd498403bfdc1ac6e711abc984e935.png

Share this post


Link to post
Share on other sites

I actually saw that info posted earlier in this thread, but I figured you would have fixed the issue by now so it wouldn't occur. The app is digitally signed. So, why are you still tagging this and blocking it?

I have a few hundred PC's out there using my program. I expect I will eventually have to deal with this as my product is deployed to more PC. This may become quite a problem for me.

Share this post


Link to post
Share on other sites

I suspect the block has more to do with blocking VBScript in general as it is a very common attack vector for exploits and a home to numerous past vulnerabilities.  Scripting behavior in document file types (MS Office documents, PDFs etc.) is unfortunately one of the most frequently used means of deploying malicious code, through exploits, to unsuspecting victims, usually through email attachments and the like and I believe it is due to this fact that they have chosen to just outright block certain scripting behaviors to harden the OS and Office applications, though unfortunately this also means that any legitimate document/plugin/application attempting to use any of those blocked scripting behaviors will trigger a block and a detection, thus the only workaround would be to disable that aspect of OS/application hardening (unless of course this is some sort of FP and the VB Script library is not being loaded).

Share this post


Link to post
Share on other sites

Oh well, will just have to add the fix to my support documentation. Thanks for the prompt follow up.

 

John

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.