Jump to content
Darkdirk

EXCEL.EXE blocked / Excel broken now

Recommended Posts

 Like many others in the last few days apparently, I too have been slapped with Excel being detected as Malware.Random.Agent.Generic and swiftly blocked.  Also like several others, my Excel program is now broken.

 Malwarebytes did not quarantine the file, so there was nothing for me to restore.  When I went to the MS Office program location, EXCEL.EXE was where it belonged, only it was 0kB in size.  I could not move or delete it. I suspect Malwarebytes was locking it up somehow.

 Following the advice I had seen on a few other recent posts, I rebooted the computer, disabled ransomware protection, And then rebooted again.  Supposedly this should have fixed Excel, However it did not. The file was still 0 kB.  Only this time I could move it to the recycle bin if I want, but I am kind of hesitant to do that since I don’t exactly know what’s happening.

 Could someone at Malwarebytes please respond and let me know exactly what Malwarebytes is doing with my files here?  Did Malwarebytes intentionally modify or overwrite my EXCEL.EXE with an empty file as part of how the ransom protection module works?

 Also, could someone please verify that this is indeed a false positive. I’m assuming *probably*, since there have been so many similar recent reports, but that could also mean multiple people are all getting the same malware that’s affecting Excel.  So please, let us all know for sure.

 I hope to hear back from someone very soon, because as of right now I’ve got the computer disconnected and shut down until I get verification that Malwarebytes is erroneously detecting perfectly healthy EXCEL executables.  Thanks in advance.

Share this post


Link to post
Share on other sites

@Darkdirk - we're sorry you've experienced this issue. Without seeing log files it would be imprudent to say definitively that this was a false positive, but it seems quite likely.

The Ransomware Protection component should not permanently affect your Excel.exe in that manner. Ensure that it is still disabled.

Can you please collect and upload as an attachment the diagnostic data using our MBST?

  • Download and run the Malwarebytes Support Tool
  • Accept the EULA and click Advanced tab on the left (not Start Repair)
  • Click the Gather Logs button, and once it completes, attach the zip file it creates on your desktop to your next reply

In addition, can you please copy, zip and attach the following folder?

C:\ProgramData\Malwarebytes\MBAMService\ARW

Share this post


Link to post
Share on other sites
3 hours ago, Darkdirk said:

I rebooted the computer, disabled ransomware protection, And then rebooted again.  Supposedly this should have fixed Excel, However it did not. The file was still 0 kB.  Only this time I could move it to the recycle bin if I want, but I am kind of hesitant to do that since I don’t exactly know what’s happening.

To fix excel and other office apps, Go to programs and features and choose Modify and then do a repair. The example below is 2010 but they all have that feature.

 

2020-06-29_16h42_20.png

2020-06-29_16h43_04.png

Share this post


Link to post
Share on other sites
59 minutes ago, Porthos said:

To fix excel and other office apps, Go to programs and features and choose Modify and then do a repair. The example below is 2010 but they all have that feature.

 

2020-06-29_16h42_20.png

2020-06-29_16h43_04.png

Thank you for the reply, Porthos.  I was able to repaired, and get excel working again.  But I would still like if someone could explain to me what Malwarebytes did to my EXCEL.EXE file.  Could someone please verify whether or not Malwarebytes turns it into a 0 kB file, and if so, why? 

Share this post


Link to post
Share on other sites
1 hour ago, Darkdirk said:

But I would still like if someone could explain to me what Malwarebytes did to my EXCEL.EXE file.  Could someone please verify whether or not Malwarebytes turns it into a 0 kB file, and if so, why? 

I am sure they are working on it. The requested info from each user with the issue will make the search for the issue go quicker.

Share this post


Link to post
Share on other sites
Quote

Could someone please verify whether or not Malwarebytes turns it into a 0 kB file, and if so, why? 

Now that it's been repaired already, that may be difficult to assess. That being said, gathering and sending the logs I requested earlier may provide some insight.

Thank you.

Share this post


Link to post
Share on other sites
8 hours ago, tetonbob said:

Now that it's been repaired already, that may be difficult to assess. That being said, gathering and sending the logs I requested earlier may provide some insight.

Thank you.

I apologize but I was not able to run the support tool on this machine as I had already remotely shut it off for paranoia that it might be an actual ransomware, and not just a false positive. Although based on the number of recent posts involving Excel being detected, I strongly suspect an FP.

I very specifically want to know about that 0 kB file, and whether I should be concerned about it, or if that’s just the normal way Ransomware Protection was designed to function. I’m going to create a new post about it since I’m not sure if it qualifies as a different question and might be more helpful to others in a new post.  Please read it when you have a chance and let me know your thoughts. Thank you.

Share this post


Link to post
Share on other sites
Posted (edited)

Hi. I did address that question in my first reply.
 

Quote

The Ransomware Protection component should not permanently affect your Excel.exe in that manner.

If the Ransomware Protection component blocks (not quarantines) a process and terminates it, it places a hold on that executable for that session (period of time where either the protection remains running, or Malwarebytes is running, or Windows is up and logged in). It should never, and I have never seen a file, become 0bytes.

Edited by tetonbob

Share this post


Link to post
Share on other sites

 OK, thank you for the clarification. When you said that it shouldn’t “permanently” affect the Excel file, I wasn’t sure if you meant that as in, Malwarebytes would *temporarily* do something to the file with the expectation that it would eventually be set back to its original state. Thank you.

Share this post


Link to post
Share on other sites

You're quite welcome, and we apologize for the trouble this caused you, and our other affected customers. We are working to address this issue in the code base of the Ransomware Protection component.

Share this post


Link to post
Share on other sites

No biggie.  Thank you for all the info.  So in the meantime while you guys are working on the fix, can you enlighten us all a bit as to what triggers this to happen on only some machines, or is it just completely random? Because I have a lot of customers with MBW Premium and Excel, but no one else has had this issue except for one single computer (which also gave me paranoia that it might be a legit threat).  Any thoughts why that is?

Share this post


Link to post
Share on other sites

Can you provide more details about what was being performed in Excel at the time of detection?

Share this post


Link to post
Share on other sites
21 minutes ago, SolveMyProblemUK said:

I had closed excel when it locked it

Spreadsheet with local macros that create PDF's from the active sheet.

Thanks for that additional detail, I'd seen the mention of macros in your earlier reply, which I'd split to it's own topic. The additional detail is useful for us, for additional reproduction/test steps when verifying the planned fix.

Share this post


Link to post
Share on other sites

This same issue happened to me today (Monday, July 1) and my Excel was rendered completely broken.

My spreadsheets use Microsoft's own built-in Stocks functions to pull data down from Bing.com. Once again, the functionality is BUILT INTO Excel and should NEVER be blocked or permanently damaged by MalwareBytes.

I'm very disappointed to see this issue has been going on for 72 hours without a fix. This is devastatingly serious to my business which uses Excel all-day every day to function.

Share this post


Link to post
Share on other sites

Same issue, happened more than once today on different versions of Excel (2013 and a completely current Office365).

Occurred in the midst of saving a file that was a data export from our UPC provider (that is to say, nothing special).

Following the instructions from above:

Download and run the Malwarebytes Support Tool

  • Accept the EULA and click Advanced tab on the left (not Start Repair)
  • Click the Gather Logs button, and once it completes, attach the zip file it creates on your desktop to this reply

In addition, can you please copy, zip and attach the following folder?

C:\ProgramData\Malwarebytes\MBAMService\ARW

 

 

mbst-grab-results.zip ARW.zip

Share this post


Link to post
Share on other sites

More info:

Office 365 ProPlus 16.0.11929.20838

Excel.exe is not 0k.

When I try to run it, i get this error message:
"Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item."

 

Share this post


Link to post
Share on other sites

Attempting to fix Excel using the Settings>Apps & Features

- Doing a Modify and Quick Repair appears to complete, but does not fix the issue

- Doing an Online Repair gives the error 30088-4

Note that I am running all this as a secondary user on this computer, with a different Microsoft account. Switching to the other user does not help (Excel is still broken.)

Share this post


Link to post
Share on other sites

Hi @nickyr,

Have you restarted the computer or used the "Quit Malwarebytes" option and relaunched the program since experiencing the last block on Excel.exe? If not, please perform one of these actions and verify Excel opens correctly.

Share this post


Link to post
Share on other sites

Hi again, Malwarebytes,

First, let me kick this note off by letting you know that I was the CEO of a computer services company in a past life, so I have some experience with what I'm talking about.

In forensics analysis, we were able to determine that Malwarebytes completely corrupted the EXCEL.EXE file after identifying it as general malware on my main system. My system uses an Office 365 subscription with hardware (although this shouldn't be relevant) including an Intel Core i9 9900K, 32GB of RAM, a Samsung 970 Pro 512GB as the boot drive, and a variety of three SSDs and two HDDs as data.

Initially, the Malwarebytes misidentification corrupted all of Office 365 including Word and PowerPoint. The Online Repair (the full repair) function of Office 365 was able to repair Word and PowerPoint, however EXCEL.EXE remained corrupted after running the FULL repair option (not the Quick Repair).

At this point, we utilized Acronis TrueImage to restore a previous snapshot of the drive. While uninstalling and reinstalling Office 365 may have solved the problem, I didn't have the time to waste any further as this is my primary system for daily work.

In order to remedy the situation, the Office folders and files were added as exceptions in the Malwarebytes software.

Share this post


Link to post
Share on other sites

@LiquidTension Rebooting initially did not help. However, Quick Repair followed by full reboots did restore Excel, but disconnected Excel from .xlsx files (now repaired).

So at least we are functioning again.

Observations:
- Version of Excel seems relatively immaterial (happened on Excel 2013 and Office 365 on the same day)
- Happened while Excel was saving both times
- The excel file itself has straightforward data - no formulas or pulling down outside data as another user reported
 

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.