Jump to content

Exploit payload process blocked WHY???


Recommended Posts

I am using Malwarebytes Premium 4.2.1.  Never had a problem until today. Receiving the message: Exploit payload process blocked  I received this message when attempting to print using Microsoft Publisher. WHY?? I use Publisher ALL THE TIME with no issue or problems. How can this be fixed. I NEED TO PRINT PUBLISHER DOCUMENTS NOW! : ) Can the latest update to Malwarebytes be rolled back?

Edited by AdvancedSetup
corrected font issue
Link to post
Share on other sites
33 minutes ago, bethieskulls said:

I NEED TO PRINT PUBLISHER DOCUMENTS NOW! :

Seen this with Excel yesterday. to print your document, Turn off exploit protection temporarily.

After you get printed,

Please do the following Uninstall and reinstall using the Malwarebytes Support Tool

Please have lots of patience with the tool.  The first phase is a cleanup and does require a Windows Restart.
After the Restart, it may take 2 - 3 - 4 minutes till the Support tool screen shows up.   Please be patient and have faith.  Wait for it, whatever it takes.
The 2nd phase is where it offers to do a new Install.

 Let me know if that clears up the issue or not.

 

Link to post
Share on other sites
20 minutes ago, Porthos said:

Seen this with Excel yesterday. to print your document, Turn off exploit protection temporarily.

After you get printed,

Please do the following Uninstall and reinstall using the Malwarebytes Support Tool

 

Please have lots of patience with the tool.  The first phase is a cleanup and does require a Windows Restart.
After the Restart, it may take 2 - 3 - 4 minutes till the Support tool screen shows up.   Please be patient and have faith.  Wait for it, whatever it takes.
The 2nd phase is where it offers to do a new Install.

 

 Let me know if that clears up the issue or not.

 

 

 

No, it didn't work. I used the Support Tool and it cleaned out the files, told me to reboot, asked to reinstall Malwarebyes, and after installation, said it was done. Went back into Publisher to print. Got the same message and Publisher got closed down. Should I try the same process again ... or would you have another suggestion?

Link to post
Share on other sites

No, it didn't work. I used the Support Tool and it cleaned out the files, told me to reboot, asked to reinstall Malwarebyes, and after installation, said it was done. Went back into Publisher to print. Got the same message and Publisher got closed down. Should I try the same process again ... or would you have another suggestion?

Link to post
Share on other sites
40 minutes ago, bethieskulls said:

or would you have another suggestion?

I will have you topic moved to the exploit section of the forums. While we wait,

Can you please collect and upload as an attachment the diagnostic data using our MBST?

  • Download and run the Malwarebytes Support Tool
  • Accept the EULA and click Advanced tab on the left (not Start Repair)
  • Click the Gather Logs button, and once it completes, attach the zip file it creates on your desktop to your next reply

 

Link to post
Share on other sites
23 hours ago, bethieskulls said:

Log files attached.

Just a solution given to another user. Might fix your issue.

Can you please disable this setting marked in red. You should find it in Exploit Settings->Advanced settings.

This is not one of the recommended default settings that is turned ON. It can result in false detection's like in this case.

Thanks.

image.png.0f4f62d10cdbfa233b196030e1b4ea0e.png

 

Link to post
Share on other sites

Here's a log of the actual detection from the logs you posted in case they are helpful to Research/the Devs in checking the FP:

	 "threats" : [
      {
         "ddsSigFileVersion" : "",
         "linkedTraces" : [
	         ],
         "mainTrace" : {
            "archiveMember" : "",
            "archiveMemberMD5" : "",
            "cleanAction" : "block",
            "cleanResult" : "successful",
            "cleanResultErrorCode" : 0,
            "cleanTime" : "2020-09-18T15:41:09Z",
            "exploitData" : {
               "appDisplayName" : "Microsoft Office Publisher",
               "blockedFileName" : "C:\\Windows\\System32\\rundll32.exe C:\\WINDOWS\\system32\\spool\\DRIVERS\\x64\\3\\hpmsn140.DLL,MonitorPrintJobStatus \\pjob=2 \\pnameHP LaserJet 400 M401 PCL 6",
               "documentFileName" : "",
               "layerText" : "Application Behavior Protection",
               "protectionTechnique" : "Exploit payload process blocked",
               "url" : ""
            },
            "generatedByPostCleanupAction" : false,
            "id" : "5fc0de0a-f9c5-11ea-bd75-00d861beeaae",
            "isPEFile" : false,
            "isPEFileValid" : false,
            "linkType" : "none",
            "objectMD5" : "",
            "objectPath" : "",
            "objectSha256" : "",
            "objectSize" : -1,
            "objectType" : "exploit",
            "resolvedPath" : ""
         },
         "ruleID" : 392684,
         "ruleString" : "",
         "rulesVersion" : "0.0.0",
         "srcEngineComponent" : "unknown",
         "srcEngineThreatNames" : [
	         ],
         "threatID" : 0,
         "threatName" : "Malware.Exploit.Agent.Generic"
      }
   ],
   "threatsDetected" : 1
}

Link to post
Share on other sites

Thanks, but I have no idea what this is telling me ... or what I need to do to correct the situation. I have been using Publisher for years ... I have been using Malwarebytes for years ... this just started happening with the latest download from Malwarebytes.  How do I fix the problem???? 

Link to post
Share on other sites
20 minutes ago, bethieskulls said:

Thanks, but I have no idea what this is telling me ... or what I need to do to correct the situation.

That is for staff to help with tracking down the issue. You need to wait for staff to research, In the mean time you can turn off exploit protection to use Publisher.

It is also the weekend so support will be limited.

Edited by Porthos
Link to post
Share on other sites

You can try disabling the various options under the tabs for Office under the Advanced Exploit Protection settings, clicking Apply after making each change to test and see which one specifically allows the application to launch without any detections, however the generic identifier and lack of other details in the log indicates that it is probably some rule based protection that might not be covered by any of the options there.  If not, then disabling the option listed below for Publisher under Manage protected applications should eliminate the detection for now so you may continue printing without the blocks until a member of the staff can address the issue with you:

ProtectedApps.png.f0e5a58012da54b08a3dce050fe6693a.png

Toggle the above highlighted option via the switch on the left then click Done and you should no longer see the blocks.

Link to post
Share on other sites
  • 3 weeks later...
  • 2 weeks later...
2 minutes ago, BrendaGrates said:

I can't print to one printer out of publisher sending it to port WSD-9951f828-976d-4db2-8b9f-3ddec11f74cf.

What happens when you just disable Web Protection?

Edited by Porthos
Link to post
Share on other sites
1 minute ago, BrendaGrates said:

I was able to print to it.

There is your workaround until it is fixed. This cropped up in CU 1070 and is known. The issue affects network printers and scanners and NAS storage.

Edited by Porthos
Link to post
Share on other sites
1 minute ago, BrendaGrates said:

  I turned off exploit protection and it worked.

In that case,

Do 2 things,

Be sure penetration setting is off. And in the second screenshot reset each section to default.

 

2020-10-08_15h05_03.png

2020-10-06_07h45_29.png

 
Link to post
Share on other sites

Hi All,

The fix to this Exploit block issue has been rolled out to our Beta community earlier today. If you wish to use this, please refer to the below post. The official release will be in a week from now. Thank you all for your patience and understanding.

 

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    No registered users viewing this page.

Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.