VBscript.dll

[MSV]

Near 4:00 est exploit detection began blocking a number of vbscript tools we use within Word as part of our document processing add-ins. Unfortunately we have had to disable exploit detection as it prevented Word from launching. I assume this was part of a definition update. Can anyone provides any details about the update that was released near this time? 

[Arthi]

Hi MSV,

Thanks for your post. Yes, it looks like this is due to the update we pushed out yesterday. Can you disable the following setting and see if that resolves your issue? 

Thanks.

 

Edited August 27, 2019 by Arthi

[scoutt]

We appear to be getting these too, but from IE.

Exploit attempt blocked BLOCK   C:\WINDOWS\system32\VBScript.dll

We also do not have any of the boxes checked for VB scripting. So why is it still blocking it?

[Rsullinger]

Hey Scoutt,

 

Can you please collect the logs further for this. We want to see what is happening since those two have been disabled for you:

 

 

[scoutt]

Sure thing Ron, FYI: your post about collecting logs doesn't work anymore. The location is wrong and the link to current versions is broke :)

 

 

Malwarebytes Anti-Exploit.zip

[JohnnieSko]

I just installed the program on a production server. We use vbscript.dll routines in our code and they are being blocked.

We have a trial version. Need to allow vbscript.dll to run.
Can you please address this issue.

Error was: 
 

-Log Details-
Protection Event Date: 4/24/20
Protection Event Time: 8:30 AM
Log File: 5eafa602-8627-11ea-b6eb-001cc0922661.json

-Software Information-
Version: 4.1.0.56
Components Version: 1.0.875
Update Package Version: 1.0.22872
License: Trial

-System Information-
OS: Windows 10 (Build 18362.778)
CPU: x86
File System: NTFS
User: System

-Exploit Details-
File: 0
(No malicious items detected)

Exploit: 1
Malware.Exploit.Agent.Generic, C:\Windows\System32\vbscript.dll, Blocked, 0, 392684, 0.0.0

-Exploit Data-
Affected Application: Microsoft Access
Protection Layer: Application Hardening
Protection Technique: Attempt to execute VBScript blocked
File Name: C:\Windows\System32\vbscript.dll
URL: 
 

[Arthi]

Hi JohnnieSko,

Can you please disable the setting marked in red. That should stop the blocks. Thanks.

[JohnnieSko]

I actually saw that info posted earlier in this thread, but I figured you would have fixed the issue by now so it wouldn't occur. The app is digitally signed. So, why are you still tagging this and blocking it?

I have a few hundred PC's out there using my program. I expect I will eventually have to deal with this as my product is deployed to more PC. This may become quite a problem for me.

[exile360]

I suspect the block has more to do with blocking VBScript in general as it is a very common attack vector for exploits and a home to numerous past vulnerabilities.  Scripting behavior in document file types (MS Office documents, PDFs etc.) is unfortunately one of the most frequently used means of deploying malicious code, through exploits, to unsuspecting victims, usually through email attachments and the like and I believe it is due to this fact that they have chosen to just outright block certain scripting behaviors to harden the OS and Office applications, though unfortunately this also means that any legitimate document/plugin/application attempting to use any of those blocked scripting behaviors will trigger a block and a detection, thus the only workaround would be to disable that aspect of OS/application hardening (unless of course this is some sort of FP and the VB Script library is not being loaded).

[JohnnieSko]

Oh well, will just have to add the fix to my support documentation. Thanks for the prompt follow up.

 

John