Anti-Exploit blocking Word Documents


DarthVitrial

I know of at least 2 cases where the user had made no changes to their settings, they appeared to be correct/default, yet clicking Restore Defaults did indeed fix their issues.  I suspect that either an update or one of the recent version's installers is corrupting/altering the configuration file(s) where the settings for Exploit Protection are stored, modifying some of the settings from their default values, but failing to update the UI so that everything still appears normal even though it is not.

Just to make certain, once you've clicked 'Restore Defaults', please wait around 30 seconds or so, then try launching an MS Office document that was previously detected/blocked to see whether it still is or not and let us know how it goes.

Thanks


12 hours ago, Porthos said:

Try the following.

 


You may well be right. As I said I DID use the Restore Defaults option. I did not try opening my spreadsheet right away after that, but instead closed and restarted Malwarebytes - and after that it allowed my spreadsheet to open OK. So perhaps the Restore option was what fixed it. Either way it seems clear that a recent update introduced a bug, so it's disappointing that nobody from Malwarebytes has so far acknowledged this.


They are aware of the issue.  In fact, I just sent a report this week to the Product team with a list of recent topics about this issue.  My guess is that whatever is causing it, it's likely to be fixed in a future version.  My personal suspicion is that it's a problem in the installer and the default config files it ships with, but I don't know for certain as that's just based on my observations and the reports I've seen from users such as yourself who experienced it.


28 minutes ago, exile360 said:

They are aware of the issue.  In fact, I just sent a report this week to the Product team with a list of recent topics about this issue.  My guess is that whatever is causing it, it's likely to be fixed in a future version.  My personal suspicion is that it's a problem in the installer and the default config files it ships with, but I don't know for certain as that's just based on my observations and the reports I've seen from users such as yourself who experienced it.

Good to know. Thanks very much for your input and advice on this matter.


I have the same problem with MS Word when opening documents on hard drive or on OneDrive.

On 9/26/2020 at 2:37 PM, exile360 said:

Greetings,

Please see if the following instructions correct the issue:

  • Open Malwarebytes and Click on the small gear icon in the upper right of the main UI
  • Select the Security tab
  • Scroll to the bottom and click on the Advanced settings button
  • Select the Application behavior protection tab
  • Click on the Restore Defaults button

Please let us know how it goes.

Thanks

This worked for me. Thanks!

 


On 9/26/2020 at 11:37 PM, exile360 said:

Greetings,

Please see if the following instructions correct the issue:

  • Open Malwarebytes and Click on the small gear icon in the upper right of the main UI
  • Select the Security tab
  • Scroll to the bottom and click on the Advanced settings button
  • Select the Application behavior protection tab
  • Click on the Restore Defaults button

Please let us know how it goes.

Thanks

I had the same problem. This is the solution. Thanks.


I try to apply all updates regularly but don't remember when the last program update was. Yesterday, I began having the same problem with all my Excel spreadsheets in my OneDrive folder on my computer. The folder is synced to OneDrive, so I can use it offline. I encountered the same problem when not connected to the internet. Last week I used these spreadsheets and had no issues. I devised a workaround by copying the spreadsheets to another folder on the computer not inside the OneDrive folder. I can then access the copied spreadsheet normally without problems.

Today I followed up on this, accessing the forums and found this thread and the one about Excel (topic 264962) referencing this topic. When I applied the workaround (actually clicking on the "restore defaults" tab) the workaround seems to be working for me as well. I also had not made any changes to the advanced settings, but I did notice that applying the "restore defaults" tab turns off the "block penetration testing attacks" tab on the first page of the Settings - Security section. Later, I will see if turning this back on creates the problem again.

Also, some of my spreadsheets may have URLs in them but not all of them. I didn't notice any problems with Word documents but I do not access them often and this problem only began yesterday. I will check with Word also if my test with the "block penetration testing attacks" tab actually recreates the problem. I am attaching screenshot of my version information.


4 hours ago, DT_br said:

<snip>

Today I followed up on this, accessing the forums and found this thread and the one about Excel (topic 264962) referencing this topic. When I applied the workaround (actually clicking on the "restore defaults" tab) the workaround seems to be working for me as well. I also had not made any changes to the advanced settings, but I did notice that applying the "restore defaults" tab turns off the "block penetration testing attacks" tab on the first page of the Settings - Security section. Later, I will see if turning this back on creates the problem again.

<snip>

Thanks for this.  I also didn't change anything in advanced settings but I *had* enabled pen testing setting when this error started occurring with all my PowerPoint slides stored in OneDrive.

I've gone back and verified - simply enabling that Penetration testing setting immediately causes a recurrence of the issue with my PowerPoints, and disabling that setting causes the issue to regress back to normal.

Thanks for paying careful attention to that - I didn't think that there would be a link and did not notice the change after attempting to reset advanced setting would change anything outside of the advanced settings area.


  • 2 weeks later...
10 minutes ago, DarthVitrial said:

Having "block penetration testing attacks" still breaks Office in 4.2.2.95, CU 1.0.1091.

Word is not a pen testing attack. This is a bug that should be fixed.

It is not supposed to be on anyway at this time. It is still under testing and the current default should be off.


12 minutes ago, Porthos said:

It is not supposed to be on anyway at this time. It is still under testing and the current default should be off.

Not only that, but penetration testing is a specialized activity utilizing specific types of applications and procedures; detecting pen testing attacks is not a function for protecting the system from any actual threats and it is likely deliberately more aggressive (and therefore more prone to FPs) than actual shields/protections.


I have the same problem.  MWB won't allow me to save Word docs that contain a URL.

I applied the changes suggested earlier to do a Restore Defaults in Advanced Exploit Protection Settings, and this fixed the problem, strangely.  I have never been into these settings.  Because previous posters noted that Restore Defaults changed nothing to be seen, I did a screen capture of each tab for later comparison, and true enough, nothing was changed, but the problem was fixed.  Perhaps the Restore Defaults rewrites some file that has been corrupted?

My current version is:

Version Information
Malwarebytes version: 4.2.1.89
Update package version: 1.0.32024
Component package version: 1.0.1070
Last updated: 26/10/2020 16:58 (equivalent to abt 08:00 UTC)

The problem was first noted Sunday 25th Oct 04:00 UTC

 

Please Malwarebytes, you have known about this problem for a month or more.  A warning to your paying subscribers would have saved me a bl**dy lot of time.

 

Regards,

Doug Price


15 minutes ago, rickinAZ said:

FYI, the "restore defaults" process works, but update 1.0.32062 (installed today) does not.

Greetings,

Update 1.0.32062 is just a database/signature update; it has no bearing on what is and is not detected by the behavior based Exploit Protection component.  The new beta being referenced in this and other topics is program version 4.2.2.95 and component package version 1.0.1096.

If you want to install the new beta, assuming you haven't done so already, visit the General tab under settings and scroll down to the Beta updates section and enable the option there, then return to the top of the General tab and click the Check for updates button and it should download and install the new beta, likely prompting for a reboot to finish the install process.  Once the system has been restarted the issue should hopefully be resolved for good.


I assumed the fact that the changelog for it mentioned a Word exploit fix and the fact that the post by Exile360 above referred to "the issue should be fixed for good in the new beta" meant "the pentesting setting will no longer have the false positive that makes it think Microsoft Word is a pentesting tool", rather than "Malwarebytes now properly turns off pentesting blocking by default". I misunderstood.


(the changelog entry I'm referring to is "Fixed: rundll32 AE block in Word". I can't edit my post for some reason.)

I will still argue that

A: Microsoft Office is not a pentesting tool and blocking it is a false positive even in the context of only working on penetration tests, and
B: The UI as it stands now simply saying "block pentesting attacks" with no warning that it is explicitly not intended for use will confuse average users that will look at the settings and just go "attacks are bad and should be blocked".
