
Exploit Blocking Office



Hi All, 

Over the last few days we have experienced several issues with exploit blocking Office from doing a multitude of safe activities. For example, clicking on an email in Excel, one made internally, would get caught as an exploit. Viewing/checking updates in Office gets caught as an exploit. Clicking the manage account button gets caught as an exploit. This doesn't appear on every PC and OS doesn't seem to matter (both Win7 and Win10 have this issue occur).

Has anyone else experienced this? I have a ticket open with Malwarebytes and am collecting logs.

 


Good to know I'm not the only one. Could you possibly open an Office application and try to view updates and see if that triggers the same issue? File > Account > Update Options > View Updates.

Thanks in advance to anyone who checks this out. 

Attached the entire exploit folder in ProgramData as requested in the first post.

Exploitdata.zip


Any update from MB Support? In the last 24hrs or so we too started seeing anti-exploit alerts for Word, Excel, PowerPoint, and even Acrobat. Haven't yet confirmed what the users were doing when it happened. Some have MBAE ver.1.13.2.99, and others 1.13.2.117. Thanks.


No fix so far. They responded twice. First they assumed I was using the cloud version of Malwarebytes, which I am not, and they should have known since they asked me for specific logs from my management console. Then they asked me to add an exception in the form of an MD5 hash to one of my policies, and that did not work. Haven't heard back since. =/

 


Tested, did not resolve the issue. Checked off both of those settings locally on my machine, opened an Excel document, went to view updates, and exploit immediately closed the program and sent out an alert.

The only positive from all of this is I know my Malwarebytes alert settings are on point.


  • Staff
9 minutes ago, Lesyk009 said:

Tested, did not resolve the issue. Checked off both of those settings locally on my machine, opened an Excel document, went to view updates, and exploit immediately closed the program and sent out an alert.

The only positive from all of this is I know my Malwarebytes alert settings are on point.

Thanks for testing this. Can I please request you to try this.

Turn off those settings -> restart your machine or Malwarebytes Anti-Exploit service, make sure those settings are still turned off, and try to reproduce the issue. If you can reproduce it, get us the logs, please.


  • Staff
9 minutes ago, JesseSunday said:

Here's what our settings are - would you tell the users what exactly "Protection for MessageBox Payload" does AND is it safe to turn those off?

 

Annotation 2019-10-11 144021.jpg

Yes, it is safe to turn them off. Our recommended default settings do not have these turned ON. There is a very thin line between protection and triggering false positives. 

We often keep looking out for exploit attacks "In the wild" and set our default protection settings to the optimum level considering false positives especially in our business customer environments. 

You can rest assured that we are always looking out for attack scenarios in the wild and tweak our protection settings all the time. If we do not see a certain attack vector "in the wild" for a few years, we typically turn that setting OFF by default.

In short, our default settings are what we recommend our customers to use to avoid false positives.

Thank you.


  • Staff

Thanks for confirming. Appreciate the quick response. 

Can everyone facing this issue please turn off the settings I mentioned above, restart machine/Malwarebytes Anti-Exploit service. This should resolve it. If not, please get back to us with logs. 

Thank you all for your patience.


  • 2 weeks later...
  • 1 year later...

Please inform me when this issue gets resolved. I have many people waiting to use Office in tandem with Malwarebytes, but we are having to turn off Malwarebytes completely to work with Office files now. If it goes on much longer I will have to request a refund on Malwarebytes.


Have you tried the fix above? You may want to start a new thread or contact support, as this was resolved for us over a year ago. Also, last I checked, I thought the on-prem solution was getting dropped. We've switched to the cloud platform and their most recent update broke a ton of stuff.

Good luck! 


I have tried the advice above, as it exists in the current product. However, even excluding the winword & excel exe's does not fix it. If files are saved while Malwarebytes is turned off, those files scan fine once Malwarebytes is turned back on.

 


18 minutes ago, FMC said:

Please inform me when this issue gets resolved. I have many people waiting to use Office in tandem with Malwarebytes, but we are having to turn off Malwarebytes completely to work with Office files now. If it goes on much longer I will have to request a refund on Malwarebytes.

A new build has just been released, so if you have not installed it already, please open Malwarebytes and check for updates and install it, then restart the system once it finishes and see if the issue has been resolved or not.

If it still persists, open Malwarebytes and navigate to settings by clicking the small gear icon in the upper right, then select the Security sub-tab and scroll down to the Exploit Protection section and make sure the option to block penetration testing attacks is set to Off (it should be by default, however it's a known issue that some defaults are not configured properly on some installations), then click the Advanced settings button and click on the Restore Defaults button at the bottom of the advanced settings window.  Once that's done, wait approximately 30 seconds to allow the protection to refresh itself, then test to see if the issue still occurs or not.

Please let us know how it goes.

Thanks

