Anti Exploit 1.13.2.164 MS Office Bug?

I'm starting to see a lot of Anti-Exploit blocks on Excel (and to a lesser degree Word). 

All clients are on the latest version of AntiExploit (that was JUST released today). 

The Security Logs don't indicate anything beyond 'exploit attempt blocked', though I do see a stop/start for AntiExploit under System Logs.
Seeing the same thing with Word, Excel and Adobe. Just started flooding in an hour ago.

Yes, we have started seeing the same thing in the past 2 hours, with about 40 alerts coming in, mainly for Office products; Word and Excel have been the main ones.

Hi All,

Can you please post logs?

ZIP the entire contents (ALL the files, not just .LOG) of the following directory

C:\ProgramData\Malwarebytes Anti-Exploit

Thanks.

Edited by Arthi


Do you mean from the console or from the Endpoints?


Hi JeffKitchens,

I meant from the endpoints that are seeing the blocks.


Sent logs from one endpoint as a PM.


Hi All,

Are you seeing these blocks just one time after the update, or repeatedly?

We have forced an update of the signature files to the ones released at 2:50 today.

I had one PC throw multiple alerts whereas several other PCs threw a single alert. 

It seemed to roughly correlate with the log entry of AntiExploit doing a stop/start for the most part, though ONE PC bucked the trend.

We do have a known unresolved issue of many (not all) machines throwing up a single alert during or shortly after an upgrade to a latest version.

But multiple alerts are the concern. Are the logs you sent as a PM from this multiple-alerts machine?

Yep. That was the odd duck.

I kinda figured the other PCs might have just crashed/triggered on the update, but since I did see a 'noisier' alert, I decided to make a post.

To be honest, I haven't seen a single alert since then. So maybe that was just an anomaly...
4 minutes ago, Arthi said:

We do have a known unresolved issue of many (not all) machines throwing up a single alert during or shortly after an upgrade to a latest version.

But multiple alerts is the concern, the logs you sent as a PM are from this multiple alerts machine?

Multiple alerts: usually a machine will flag 2-3 programs (Word, Excel, Acrobat, Foxit), then after those 2-3 alerts nothing else.

Application behavior protection: Unauthorized attempt to unload protection detected.

We had a bunch of our users affected as well, and then the alerts stopped after 3:45. Did Malwarebytes send out an update file again?

The alerts that you saw are one-time alerts from a known, unresolved bug. The blocks stop automatically once the upgrade process completes.

This is a known issue that we are taking a look at, but unfortunately it is not reproducible; it happens only on a few machines and then goes away once the upgrade is done, all in all making it very difficult for us to debug internally. Hence the delay in fixing it.

I will keep you posted on its resolution.

Thanks for reporting, and apologies for the inconvenience caused.

Hi Arthi,

We had issues yesterday as well. We had a flurry of anti-exploit popups from users who we saw were primarily remote. The team is looking for more reassurance and specifics. This happened even on machines that had not gone through an update in a long time. Our guys pushed out another update. Can you please tell us specifically what update this bug relates to? Is it happening across the board with all of your recent update versions?

We had users on multiple different Anti-Exploit versions that were experiencing this. What guidance would you recommend? What are we looking for in the end user logs (or Malwarebytes server logs?) to determine if this is a false positive vs a real incident? This is very important to organizations, or we could become complacent when there is really an issue going on.

Best Regards,

MultiThreadedEndlessLoop

Hi

The block related to the "known unresolved issue" that I mention above occurs when Malwarebytes Anti-Exploit updates from an older version to a newer version. Yesterday we released a newer version, and machines that are set up to auto-upgrade would have faced this block during/immediately after the upgrade.

Again, not all the machines that upgraded get these blocks; only a few are affected.

The new version that we released is 1.13.2.164. If you are still concerned, please zip the folder C:\ProgramData\Malwarebytes Anti-Exploit from an affected machine and send it. I will take a look and confirm if indeed it was this false positive block.

Thank you.

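As an added example (not from Malwarebytes or from anyone in this thread), a small Python triage script that applies the rule given above: a block logged inside the window around the Anti-Exploit service stop/start that accompanies an upgrade is tagged as a likely upgrade artifact, and any block outside that window is left for investigation. The event records, their timestamps and their message formats are constructed for illustration; a real export from the Security and System logs would need its own parser.

```python
from datetime import datetime, timedelta

# Constructed sample events (timestamp, log, message); not real MBAE output.
SAMPLE_EVENTS = [
    ("2017-05-10 14:31:02", "System",   "Malwarebytes Anti-Exploit service stopped"),
    ("2017-05-10 14:31:40", "System",   "Malwarebytes Anti-Exploit service started"),
    ("2017-05-10 14:32:05", "Security", "Exploit attempt blocked: EXCEL.EXE"),
    ("2017-05-10 14:32:09", "Security", "Exploit attempt blocked: WINWORD.EXE"),
    ("2017-05-10 14:33:14", "Security", "Exploit attempt blocked: AcroRd32.exe"),
    ("2017-05-10 17:05:44", "Security", "Exploit attempt blocked: EXCEL.EXE"),
]


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def restart_windows(events, grace=timedelta(minutes=5)):
    """Return [(start, end)] windows: each service stop/start pair plus a grace period."""
    windows, stop_at = [], None
    for ts, log, msg in events:
        if log != "System":
            continue
        t = parse(ts)
        if "service stopped" in msg:
            stop_at = t
        elif "service started" in msg:
            # An unpaired start (no stop seen) still opens a window from the start time.
            windows.append((stop_at or t, t + grace))
            stop_at = None
    return windows


def triage(events, grace=timedelta(minutes=5)):
    """Tag each block 'upgrade-window' if it falls inside a restart window, else 'investigate'."""
    windows = restart_windows(events, grace)
    result = []
    for ts, log, msg in events:
        if log != "Security" or "Exploit attempt blocked" not in msg:
            continue
        t = parse(ts)
        tag = "upgrade-window" if any(s <= t <= e for s, e in windows) else "investigate"
        result.append((ts, msg.split(": ", 1)[1], tag))
    return result


if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(*row, sep="  ")
```

A machine whose blocks all land in the upgrade window matches the single-alert behaviour described in the thread; a block hours after the restart, as in the last sample record, is the one worth pulling the C:\ProgramData\Malwarebytes Anti-Exploit folder for.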
