Anti Exploit 1.13.2.164 MS Office Bug?


I'm starting to see a lot of Anti-Exploit blocks on Excel (and to a lesser degree Word). 

All clients are on the latest version of AntiExploit (that was JUST released today). 

The Security Logs don't indicate anything beyond 'exploit attempt blocked' - though I do see a stop/start for AntiExploit under System Logs.. 

  • Staff

Hi All,

Can you please post logs?

ZIP the entire contents (ALL the files, not just .LOG) of the following directory

C:\ProgramData\Malwarebytes Anti-Exploit

Thanks.

Edited by Arthi

I had one PC throw multiple alerts whereas several other PCs threw a single alert. 

It seemed to roughly correlate with the log entry of AntiExploit doing a stop/start for the most part - though ONE PC bucked the trend.

  • Staff

We do have a known unresolved issue of many (not all) machines throwing up a single alert during or shortly after an upgrade to a latest version.

But multiple alerts is the concern, the logs you sent as a PM are from this multiple alerts machine?


Yep.  That was the odd duck. 

I kinda figured the other PCs might have just crashed/triggered on the update - but since I did see a 'noisier' alert  - I decided to make a post. 

To be honest - I haven't seen a single alert since then.  So maybe that was just an anomaly...

4 minutes ago, Arthi said:

We do have a known unresolved issue of many (not all) machines throwing up a single alert during or shortly after an upgrade to a latest version.

But multiple alerts is the concern, the logs you sent as a PM are from this multiple alerts machine?

Multiple alerts, usually a machine will flag 2-3 programs (word, excel, acrobat, foxit) then after those 2-3 alerts nothing else. 

Application behavior protection: Unauthorized attempt to unload protection detected.

  • Staff

The alerts that you saw are one-time alerts from a known, unresolved bug. The blocks stop automatically once the upgrade process completes.

This is a known issue that we are taking a look at, but unfortunately, it is not reproducible, happens only on few machines and then goes away once the upgrade is done - all in all making it very difficult for us to debug internally. Hence the delay in fixing it.

I will keep you posted on its resolution.

Thanks for reporting, and apologies for the inconvenience caused.


Hi Arthi,

We had issues yesterday as well.  We had a flurry of anti-exploit popups from users who we saw were primarily remote.  The team is looking for more reassurance and specifics.  This happened even on machines that had not gone through an update in a long time.  Our guys pushed out another update.  Can you please tell us specifically what update this bug relates to?  Is it happening across the board with all of your recent update versions?

We had users on multiple different Anti-Exploit versions that were experiencing this.  What guidance would you recommend?  What are we looking for in the end user logs (or Malwarebytes server logs?) to determine if this is a false positive vs a real incident?  This is very important to organizations or we could become complacent when there is really an issue going on.  

Best Regards,

MultiThreadedEndlessLoop

  • Staff

Hi

The block related to the "known unresolved issue" that I mention above is when Malwarebytes Anti-Exploit updates from an older version to a newer version. Yesterday we released a newer version and machines that are set up to auto-upgrade, would have faced this block during/immediately after upgrade.

Again, not all the machines that upgraded get these blocks, only a few are affected. 

The new version that we released is 1.13.2.164. If you are still concerned, please zip the folder C:\ProgramData\Malwarebytes Anti-Exploit from an affected machine and send it. I will take a look and confirm if indeed it was this false positive block.

Thank you.
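
A triage sketch for the question raised in this thread (how to separate the upgrade-time false positive from a block that needs investigation), added here as an example and not part of the original posts or of any Malwarebytes tooling. It checks whether each block follows an Anti-Exploit service stop/start on the same host, as the thread describes; the record layout, host names, timestamps and 10-minute window are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (host, timestamp, kind, detail). This layout is an
# assumption for illustration, not the product's own log format.
EVENTS = [
    ("PC-01", "2024-01-15T09:00:10", "service_stop", "Anti-Exploit"),
    ("PC-01", "2024-01-15T09:00:40", "service_start", "Anti-Exploit"),
    ("PC-01", "2024-01-15T09:01:05", "block", "excel.exe"),
    ("PC-02", "2024-01-15T09:02:00", "service_stop", "Anti-Exploit"),
    ("PC-02", "2024-01-15T09:02:30", "service_start", "Anti-Exploit"),
    ("PC-02", "2024-01-15T09:03:00", "block", "winword.exe"),
    ("PC-02", "2024-01-15T09:03:20", "block", "excel.exe"),
    ("PC-02", "2024-01-15T09:04:00", "block", "acrord32.exe"),
    ("PC-03", "2024-01-15T14:30:00", "block", "excel.exe"),  # no restart on this host
]

def triage(events, window=timedelta(minutes=10)):
    """Label each host by whether its blocks follow a service stop/start."""
    restarts, blocks = defaultdict(list), defaultdict(list)
    for host, ts, kind, detail in events:
        when = datetime.fromisoformat(ts)
        if kind in ("service_stop", "service_start"):
            restarts[host].append(when)
        elif kind == "block":
            blocks[host].append((when, detail))
    verdicts = {}
    for host, hits in blocks.items():
        # A block is "explained" only if it falls at or after a restart, within the window.
        unexplained = [
            proc for when, proc in hits
            if not any(timedelta(0) <= when - r <= window for r in restarts[host])
        ]
        if unexplained:
            verdicts[host] = ("investigate", unexplained)
        elif len(hits) > 1:
            # Thread: multiple alerts on one machine is where staff asked for logs.
            verdicts[host] = ("upgrade-correlated, multiple", [p for _, p in hits])
        else:
            verdicts[host] = ("upgrade-correlated, single", [hits[0][1]])
    return verdicts

if __name__ == "__main__":
    for host, (label, procs) in sorted(triage(EVENTS).items()):
        print(host, label, procs)
```

A host labelled `investigate` has at least one block with no preceding service restart, which the upgrade issue described in the thread does not account for; the other labels only mean the timing is consistent with it.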

 
