
Anti-Exploit blocking Word Documents



In Malwarebytes 4.2.1, CU, 1.0.1053, trying to open a Word document (synced to OneDrive, my whole computer has OneDrive enabled) causes Malwarebytes to incorrectly block it with "Exploit blocked:Malware.Exploit.Agent.Generic, exploit payload macro process blocked".

Popular Posts


I try to apply all updates regularly but don't remember when the last program update was. Yesterday, I began having the same problem with all my excel spreadsheets in my OneDrive folder on my computer

Not only that, but penetration testing is a specialized activity utilizing specific types of applications and procedures; detecting pen testing attacks is not a function for protecting the system from


  • Staff

Thanks.

Can you please collect and upload as an attachment the diagnostic data using our MBST?

  • Download and run the Malwarebytes Support Tool
  • Accept the EULA and click Advanced tab on the left (not Start Repair)
  • Click the Gather Logs button, and once it completes, attach the zip file it creates on your desktop to your next reply
  • Staff

Thanks. Please toggle off the 'Block penetration testing attacks' setting. Then right-click on the Malwarebytes tray icon, and select Quit. Wait a minute or so, then relaunch Malwarebytes.

Does that alleviate the issue?

  • Staff

Hi DarthVitrial,

Thanks for your post.

There is a very fine line between offering customers optimum security against threats while keeping the false detections as low as possible. Often as the threat landscape moves, this line needs to move as well to adapt. We have a Research team that looks out for threats and tries to be proactive with our protection in our products before the malicious actors have a chance to exploit our customers.

I understand what you are saying; there is no doubt this was a false detection. However, this block is not to say that OneDrive is causing a pen-testing attack, but the technique that we block here is something we have found in exploit penetration testing attacks before. We typically introduce new protection techniques in a non-default setting and closely monitor it and tweak it and then when we feel it has matured enough to be made default, we do so. Until then, we advise customers to turn it OFF if they run into issues.

Please do get back if you have any questions/concerns.

Thank you.

 


Glad to know I am not the only one.   ALL of my data is on my drive, NOT on OneDrive.

I have the current version, and tried to open an existing WORD document on my hard drive. Got the notice Exploit blocked. Tried opening WORD itself, got 3 notices.

The 3 Exploit X are WORD itself, and the Word Exploit is the document.

Decided to try EXCEL, got the same result; see attached.

I am turning off the Real Time Exploit protection as that enables me to open WORD and EXCEL.

 

 

Exploit 1.txt Exploit2.txt Exploit3.txt Word Exploit Download.txt Excel1.txt Excel2.txt Excel3.txt


Greetings,

Please see if the following instructions correct the issue:

  • Open Malwarebytes and Click on the small gear icon in the upper right of the main UI
  • Select the Security tab
  • Scroll to the bottom and click on the Advanced settings button
  • Select the Application behavior protection tab
  • Click on the Restore Defaults button

Please let us know how it goes.

Thanks


So, when I opened the Security/Advanced Settings button it refused to let me continue until I turned back on Real Time Exploits, which I did.  I then clicked on the Advanced Settings button and then Application Behavior/Restore Defaults button -- and I should add I NEVER played in those settings. The Restore Defaults did absolutely zip, and I clicked on Apply, which appeared to be live.  I have no idea what occurred, the settings on the screen DID NOT change, however WORD and EXCEL now open correctly.  I also was able to open the WORD document that was originally blocked.

Thank you


It's possible that the configuration file that controls the settings had been modified or corrupted somehow, possibly due to an issue during an update or during the upgrade to the latest version.  I've seen a lot of similar reports lately and I suspect that this is precisely why it keeps being reported because I don't believe that so many users have deliberately dug into Malwarebytes' settings to modify it from its defaults, and your report about nothing appearing to change in the UI and that you never messed with it would seem to confirm my suspicions.

Thank you for the confirmation; I will be sure to report your experiences to the Product team for analysis.


I have had the same issue. Turning off the 'Block penetration testing attacks' setting and restarting Malwarebytes for Teams 4.2.1 seems to provide a workaround for me, too.

QUSO


I highly doubt that is related. I don't use IE, my only browser is Pale Moon which does not have any office plugins installed (I explicitly disabled them), and besides I didn't have anything open at the time the issue occurred. No programs at all.

  • 2 weeks later...
23 minutes ago, MaxWeinstein1 said:

I have the same problem with spreadsheets. As soon as I place a URL in the file, the file is blocked by the software.

Try the following.

 

2020-10-06_07h45_29.png


I tried that solution previously, as I saw it advised in the other thread I mentioned. BUT... I noted that when I clicked the Restore Defaults option there were NO changes to my settings - which is really not surprising as I have NEVER made any changes myself to the software's default settings. So it seems to me that this still points to a bug in a recent update.

