Jump to content

Blocking Window's vbscript.dll


DonWiss
 Share

Recommended Posts

  • Staff

This is a block due to Malwarebytes system-hardening technique. The block should only happen when a page is visited that tries to load the vbscript.dll component. VBScript has been deprecated by Microsoft years ago. It is a gaping security hole and actively abused by web-based exploits and drive-by downloads.

If you would like to take the risk (not recommended!) you can disable this hardening technique under the Advanced settings of Anti-Exploit, Application Hardening, "Prevent loading of VBScript Library".

Link to post
Share on other sites

This is in my VBA code that I am trying to run. I'll take the risk. This all worked on Windows 7. But not when I switched to Windows 10.

I followed this:

Settings -> Security -> Exploit Protection -> Advanced Settings -> Application Hardening -> Disable loading of VBScript libraries -> ??

I found that MS Office was already checked. Unchecking it didn't change anything. The problem is in both Excel 2002 and Excel-365.

Link to post
Share on other sites

  • 3 months later...

Unfortunately, because of the way this particular behavioral protection component works, I do not believe there is any way to create an exception to avoid this detection so you will likely need to disable the option under the Advanced Settings for Exploit Protection called Internet Explorer VBScripting protection under Application Behavior Protection.

If you are using Nebula, the cloud managed version, you will find a description of each section and setting for Exploit Protection in this support article.  The setting I mentioned above is called Protection for Internet Explorer VB Scripting in the Nebula client and is the second item listed under Application Behavior Protection.

I hope this helps and if there is anything else we might be of assistance with please let us know.

Thanks

  • Like 1
Link to post
Share on other sites

  • Staff
12 hours ago, Nicone2 said:

Hi @pbust,

How can I add an exception on OneView? I have this issue with IE and it's on a very specific url that only send labels to print. I could not find a way to create an exception more than deactivate the exploit protection on the policy.

Thanks.

Completely disabling anti-exploit is not a good idea as this is our main and most effective infection prevention layer that's not based on signatures. Please replicate the problem on an endpoint and post the anti-exploit logs (mbae-default.log and mbae-default.xpe) from the ProgramData folder. We'll look at the logs and let you know how to best tweak anti-exploit to prevent the issue without disabling too many protections.

Link to post
Share on other sites

5 hours ago, pbust said:

Completely disabling anti-exploit is not a good idea as this is our main and most effective infection prevention layer that's not based on signatures. Please replicate the problem on an endpoint and post the anti-exploit logs (mbae-default.log and mbae-default.xpe) from the ProgramData folder. We'll look at the logs and let you know how to best tweak anti-exploit to prevent the issue without disabling too many protections.

Hi @pbust, I did what @exile360 said and it worked. IE is only used to run a web based system and nothing else. Do you still think I should send you the logs?.

Thanks.

Link to post
Share on other sites

  • 3 months later...

Some changes have been made to the anti-exploit. It is now shutting down my Excel 2002 when I'm trying to run a line of code in the command processor

ShellAndThenWait "cmd.exe /c dir """ & d & "\*.*"" >c:\temp.prn"

With ShellAndThenWait from:

https://web.archive.org/web/20090201012636/http://puremis.net/excel/code/084.shtml

Under Application behavior protection I tried unchecking for MS Office the boxes for Office scripting abuse prevention and Office spawning batch command prevention. That didn't work.

What new was added that I have to uncheck?

Link to post
Share on other sites

I guess this is the relevant part:

-Exploit Data-
Affected Application: Microsoft Office Excel
Protection Layer: Application Behavior Protection
Protection Technique: Exploit Office spawning batch command blocked
File Name: C:\WINDOWS\SYSTEM32\cmd.exe \c dir C:\Music\0_Rips\*.* >c:\temp.prn

For MS Office I had unchecked it, but I guess I didn't test properly. I can now run the macro.

Thanks for getting me to figure out how to get more details on entries in the Detection History. What is displayed is pretty minimal.

Link to post
Share on other sites

  • Root Admin

Hello @DonWiss

Can we please get the following logs to review further?

 

Please do the following so that we may take a closer look at your installation for troubleshooting:

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

  • Download the Malwarebytes Support Tool
  • In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
  • In the User Account Control pop-up window, click Yes to continue the installation
  • Run the MBST Support Tool
  • In the left navigation pane of the Malwarebytes Support Tool, click Advanced
  • In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine
  • A zip file named mbst-grab-results.zip will be saved to your desktop, please upload that file on your next reply

Thank you

 

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.