Hi All, 

Over the last few days we have experienced several issues with exploit blocking Office from doing a multitude of safe activities. For example, clicking on an email in Excel, one made internally, would get caught as an exploit. Viewing/checking updates in Office gets caught as an exploit. Clicking the manage account button gets caught as an exploit. This doesn't appear on every PC and OS doesn't seem to matter (both Win7 and Win10 have this issue occur).

Has anyone else experienced this? I have a ticket open with Malwarebytes and am collecting logs.

 


Hi Lesyk009,

Thank you for reporting the issue. We will be able to further assist you after looking at the logs.

Here are the steps for taking logs. After you take them, kindly post them here.

Thanks.

 


Yes, having the same issue here.  This happens for us, multiple computers, when in Excel and clicking a link that opens in Chrome. 

image002.png


Good to know I'm not the only one. Could you possibly open an Office application and try to view updates and see if that triggers the same issue? File > Account > Update Options > View Updates.

Thanks in advance to anyone who checks this out. 

Attached the entire exploit folder in ProgramData as requested in the first post.

Exploitdata.zip


Yes, it blocks the "View Update" as well.  :(

 

ver=16&app=winword.exe&clid=1033&lidhelp=0409&liduser=0409&lidui=0409


Any update from MB Support? In the last 24hrs or so we too started seeing anti-exploit alerts for Word, Excel, PowerPoint, and even Acrobat. Haven't yet confirmed what the users were doing when it happened. Some have MBAE ver.1.13.2.99, and others 1.13.2.117. Thanks.


Sent them logs yesterday, haven't heard back yet. We got an alert from Acrobat this morning; exploit just outright blocked Acrobat's main process - AcroRd32.exe.


No fix so far. They responded twice: first they assumed I was using the cloud version of Malwarebytes, which I am not, and they should have known since they asked me for specific logs from my management console. Then they asked me to add an exception in the form of an MD5 hash to one of my policies, and that did not work. Haven't heard back since. =/

 


Response from support this morning:

"I am just following up with you to let you know that our team is working to fix this issue on our end. I will keep you updated as soon as I have any update from our development team."


 


As @Lesyk009 mentioned, we are still looking into the issue and should have an update soon. Apologies for the inconvenience, we'll update you all here as soon as we have more information.


Hi All,

Thanks for your patience with the issue. Can you please check if the following settings are turned ON on the affected machines? If so, please turn them off and let me know if that resolves it. Thanks again.

 

screenshot.png


Tested, did not resolve the issue. Checked off both of those settings locally on my machine, opened an Excel document, went to view updates, and exploit immediately closed the program and sent out an alert.

The only positive from all of this is I know my Malwarebytes alert settings are on point.


Here's what our settings are - would you tell the users what exactly "Protection for MessageBox Payload" does AND is it safe to turn those off?

 

Annotation 2019-10-11 144021.jpg

9 minutes ago, Lesyk009 said:

> Tested, did not resolve the issue. Checked off both of those settings locally on my machine, opened an Excel document, went to view updates, and exploit immediately closed the program and sent out an alert.
>
> The only positive from all of this is I know my Malwarebytes alert settings are on point.

Thanks for testing this. Can I please request you to try this?

Turn off those settings -> restart your machine or the Malwarebytes Anti-Exploit service, make sure those settings are still turned off, and try to reproduce the issue. If you can reproduce it, get us the logs, please.

9 minutes ago, JesseSunday said:

> Here's what our settings are - would you tell the users what exactly "Protection for MessageBox Payload" does AND is it safe to turn those off?
>
> Annotation 2019-10-11 144021.jpg

Yes, it is safe to turn them off. Our recommended default settings do not have these turned ON. There is a very thin line between protection and triggering false positives. 

We often keep looking out for exploit attacks "In the wild" and set our default protection settings to the optimum level considering false positives especially in our business customer environments. 

You can rest assured that we are always looking out for attack scenarios in the wild and tweak our protection settings all the time. If we do not see a certain attack vector "in the wild" for a few years, we typically turn that setting OFF by default.

In short, our default settings are what we recommend our customers to use to avoid false positives.

Thank you.


That has resolved the issue. After turning off those triggers, then restarting the exploit service and then testing with Excel, the issue did not occur.


Thanks for confirming. Appreciate the quick response. 

Can everyone facing this issue please turn off the settings I mentioned above and restart the machine/Malwarebytes Anti-Exploit service? This should resolve it. If not, please get back to us with logs.

Thank you all for your patience.


We are getting a rash of these today. It's all IE, Office and Adobe. Many users. I have those settings unchecked in Policy but users are still getting the block.

AntiExploitHeap.png
