
Hi,

I had a user with Anti-Exploit blocking Excel files pulled from our network shared drive.

Exploit attempt blocked BLOCK......................Microsoft Office Excel    C:\Program Files\Microsoft Office\Office16\EXCEL.EXE   Attacked application: C:\Program Files\Microsoft Office\Office16\EXCEL.EXE; Parent process name: explorer.exe; Layer: Application Behavior Protection; API ID: 301; Address: ; Module: ; AddressType: ; StackTop: ; StackBottom: ; StackPointer: ; Extra:

This behavior started happening yesterday and the user was not able to work. Is there a reason why Anti-Exploit suddenly blocked all these files?

Thank you

 


  • Staff

Hi leobando,

Can you restore the default settings by following the instructions in the screenshots below? Thank you.

image.png.483e41f69b6df5317d5d55ae36ffb3b3.png

Apart from this, please also ensure that the following setting is unchecked:

image.png

After the above 2 steps, if the block still occurs, please uncheck the following setting:

image.png.433e3319b16a88e1b9fd9b0897ed4b8f.png

 

 


Hi Arthi,

I've just changed the settings as you described:

image.png.eba616e8aadeda6bb413092f7074300e.png

Do you have an idea what was triggering the blocking? How bad is it to have that setting turned off?

I also see my Protection for MessageBox payload is turned off by default. Should I turn it on?

Thank you
