Exploit payload process blocked WHY???


bethieskulls


I am using Malwarebytes Premium 4.2.1. Never had a problem until today. Receiving the message "Exploit payload process blocked". I received this message when attempting to print using Microsoft Publisher. WHY?? I use Publisher ALL THE TIME with no issues or problems. How can this be fixed? I NEED TO PRINT PUBLISHER DOCUMENTS NOW! : ) Can the latest update to Malwarebytes be rolled back?


33 minutes ago, bethieskulls said:

I NEED TO PRINT PUBLISHER DOCUMENTS NOW! :

Seen this with Excel yesterday. To print your document, turn off exploit protection temporarily.

After you get it printed,

Please do the following: uninstall and reinstall using the Malwarebytes Support Tool.

Please have lots of patience with the tool. The first phase is a cleanup and does require a Windows Restart.
After the Restart, it may take 2 - 3 - 4 minutes till the Support tool screen shows up. Please be patient and have faith. Wait for it, whatever it takes.
The 2nd phase is where it offers to do a new Install.

Let me know if that clears up the issue or not.


20 minutes ago, Porthos said:

Seen this with Excel yesterday. To print your document, turn off exploit protection temporarily.

No, it didn't work. I used the Support Tool and it cleaned out the files, told me to reboot, asked to reinstall Malwarebytes, and after installation said it was done. Went back into Publisher to print. Got the same message and Publisher got closed down. Should I try the same process again ... or would you have another suggestion?


40 minutes ago, bethieskulls said:

or would you have another suggestion?

I will have your topic moved to the exploit section of the forums. While we wait,

Can you please collect and upload as an attachment the diagnostic data using our MBST?

  • Download and run the Malwarebytes Support Tool
  • Accept the EULA and click Advanced tab on the left (not Start Repair)
  • Click the Gather Logs button, and once it completes, attach the zip file it creates on your desktop to your next reply


23 hours ago, bethieskulls said:

Log files attached.

Just a solution given to another user. Might fix your issue.

Can you please disable the setting marked in red in the screenshot below? You should find it in Exploit Settings -> Advanced settings.

This is not one of the recommended default settings that is turned ON. It can result in false detections like in this case.

Thanks.

[Screenshot: Exploit Settings -> Advanced settings, with the option to disable marked in red]


Here's the record of the actual detection from the logs you posted, in case it is helpful to Research/the Devs in checking the FP:

{
   "threats" : [
      {
         "ddsSigFileVersion" : "",
         "linkedTraces" : [],
         "mainTrace" : {
            "archiveMember" : "",
            "archiveMemberMD5" : "",
            "cleanAction" : "block",
            "cleanResult" : "successful",
            "cleanResultErrorCode" : 0,
            "cleanTime" : "2020-09-18T15:41:09Z",
            "exploitData" : {
               "appDisplayName" : "Microsoft Office Publisher",
               "blockedFileName" : "C:\\Windows\\System32\\rundll32.exe C:\\WINDOWS\\system32\\spool\\DRIVERS\\x64\\3\\hpmsn140.DLL,MonitorPrintJobStatus \\pjob=2 \\pnameHP LaserJet 400 M401 PCL 6",
               "documentFileName" : "",
               "layerText" : "Application Behavior Protection",
               "protectionTechnique" : "Exploit payload process blocked",
               "url" : ""
            },
            "generatedByPostCleanupAction" : false,
            "id" : "5fc0de0a-f9c5-11ea-bd75-00d861beeaae",
            "isPEFile" : false,
            "isPEFileValid" : false,
            "linkType" : "none",
            "objectMD5" : "",
            "objectPath" : "",
            "objectSha256" : "",
            "objectSize" : -1,
            "objectType" : "exploit",
            "resolvedPath" : ""
         },
         "ruleID" : 392684,
         "ruleString" : "",
         "rulesVersion" : "0.0.0",
         "srcEngineComponent" : "unknown",
         "srcEngineThreatNames" : [],
         "threatID" : 0,
         "threatName" : "Malware.Exploit.Agent.Generic"
      }
   ],
   "threatsDetected" : 1
}

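The record above already says what was blocked: Publisher started rundll32.exe, which was loading an HP print driver DLL out of the spool driver store and calling its MonitorPrintJobStatus export, and the Application Behavior Protection layer blocked that child process. As an added example (not from this thread and not Malwarebytes code), the Python below pulls the exploitData fields out of a detection record like the one posted and splits the blocked command line, so a triager can see at a glance which DLL and export rundll32 was given and whether the DLL sits in the printer driver store or in a user-writable path, which is where rundll32 abuse normally loads from. The sample record is constructed from the fields quoted above; SPOOL_DRIVER_DIR assumes the default Print Spooler driver location, and the user-writable path hints are an assumed heuristic, not a Malwarebytes rule.

```python
import json
from pathlib import PureWindowsPath

# Constructed sample: the detection record posted above, trimmed to the
# fields this triage reads. A real MBST log carries more fields.
SAMPLE_LOG = r'''
{
  "threats": [
    {
      "mainTrace": {
        "cleanAction": "block",
        "cleanTime": "2020-09-18T15:41:09Z",
        "exploitData": {
          "appDisplayName": "Microsoft Office Publisher",
          "blockedFileName": "C:\\Windows\\System32\\rundll32.exe C:\\WINDOWS\\system32\\spool\\DRIVERS\\x64\\3\\hpmsn140.DLL,MonitorPrintJobStatus \\pjob=2 \\pnameHP LaserJet 400 M401 PCL 6",
          "layerText": "Application Behavior Protection",
          "protectionTechnique": "Exploit payload process blocked"
        },
        "objectType": "exploit"
      },
      "ruleID": 392684,
      "threatName": "Malware.Exploit.Agent.Generic"
    }
  ],
  "threatsDetected": 1
}
'''

# Assumption: default location where the Print Spooler stores installed
# printer driver files. PureWindowsPath compares case-insensitively, so the
# mixed case in the log ("C:\WINDOWS\system32\spool\DRIVERS") still matches.
SPOOL_DRIVER_DIR = PureWindowsPath(r"C:\Windows\System32\spool\drivers")

# Assumed heuristic: path fragments that point at user-writable locations,
# the usual source of a DLL when rundll32 is abused as a payload launcher.
USER_WRITABLE_HINTS = ("\\users\\", "\\temp\\", "\\appdata\\")


def parse_rundll32(cmd: str):
    """Split 'rundll32.exe <dll>,<export> <args>' into (exe, dll, export, args).

    Handles the unquoted form seen in the log. A quoted DLL path containing
    spaces is not handled and yields None rather than a wrong split."""
    parts = cmd.split(None, 2)
    if len(parts) < 2:
        return None
    exe, target = parts[0], parts[1]
    if PureWindowsPath(exe).name.lower() != "rundll32.exe":
        return None
    if '"' in target:
        return None
    dll, sep, export = target.rpartition(",")
    if not sep or not dll or not export:
        return None
    args = parts[2] if len(parts) > 2 else ""
    return exe, dll, export, args


def classify_dll_location(dll: str) -> str:
    """Say where the loaded DLL lives: driver store, user-writable, or other."""
    p = PureWindowsPath(dll)
    if p.is_relative_to(SPOOL_DRIVER_DIR):
        return "printer driver store"
    low = str(p).lower()
    if any(hint in low for hint in USER_WRITABLE_HINTS):
        return "user-writable location"
    return "other"


def triage(detection: dict) -> dict:
    """Reduce one MBST threat record to the facts a triager needs."""
    ed = detection["mainTrace"]["exploitData"]
    parsed = parse_rundll32(ed["blockedFileName"])
    result = {
        "app": ed["appDisplayName"],
        "technique": ed["protectionTechnique"],
        "threat": detection["threatName"],
        "rundll32": parsed is not None,
        "dll": None,
        "export": None,
        "dll_location": None,
    }
    if parsed:
        _, dll, export, _ = parsed
        result.update(dll=dll, export=export,
                      dll_location=classify_dll_location(dll))
    return result


def triage_log(text: str) -> list:
    """Parse a log's JSON text and triage every threat record in it."""
    data = json.loads(text)
    return [triage(t) for t in data.get("threats", [])]


if __name__ == "__main__":
    for record in triage_log(SAMPLE_LOG):
        print(json.dumps(record, indent=2))
```

What the script cannot do offline is the check that actually settles a false-positive question on the affected machine: confirm that the DLL at the printed path is the vendor's signed driver file (Get-AuthenticodeSignature in PowerShell on that path) rather than something dropped into the driver store. A rundll32 target in the driver store with a valid HP signature and a print-job-status export is consistent with a driver's status monitor; the same command line with the DLL under a user profile would deserve the block.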

20 minutes ago, bethieskulls said:

Thanks, but I have no idea what this is telling me ... or what I need to do to correct the situation.

That is for staff to help with tracking down the issue. You need to wait for staff to research it. In the meantime you can turn off exploit protection to use Publisher.

It is also the weekend so support will be limited.


You can try disabling the various options under the tabs for Office under the Advanced Exploit Protection settings, clicking Apply after making each change to test and see which one specifically allows the application to launch without any detections; however, the generic identifier and lack of other details in the log indicate that it is probably some rule-based protection that might not be covered by any of the options there. If not, then disabling the option listed below for Publisher under Manage protected applications should eliminate the detection for now so you may continue printing without the blocks until a member of the staff can address the issue with you:

[Screenshot: Manage protected applications list, with the Microsoft Publisher entry highlighted]

Toggle the above highlighted option via the switch on the left then click Done and you should no longer see the blocks.
