Blocking Windows' vbscript.dll


vbscript.dll lives in SysWOW64 and System32. It is blocking both as Malware.Exploit.Agent.Generic. I put both in the allow list, but it was blocked again.

The one in System32 is 622,592 bytes.

The one in SysWOW64 is 547,840 bytes.

  • Staff

Hi DonWiss,

Thanks for posting.

Please attach the following file here, so we can check what's going on and provide a resolution.

C:\ProgramData\Malwarebytes\MBAMService\logs\mbae-default.log

  • Staff

This is a block due to a Malwarebytes system-hardening technique. The block should only happen when a page is visited that tries to load the vbscript.dll component. VBScript was deprecated by Microsoft years ago. It is a gaping security hole and actively abused by web-based exploits and drive-by downloads.

If you would like to take the risk (not recommended!) you can disable this hardening technique under the Advanced settings of Anti-Exploit, Application Hardening, "Prevent loading of VBScript Library".
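Added example, not part of the thread and not Malwarebytes' own tooling: the detection described above fires when a process loads vbscript.dll, not because the files are malicious, so checking that both on-disk copies are validly signed Windows binaries separates the two questions. It assumes 64-bit Windows PowerShell 5.1 (for the `IsOSBinary` property) and changes no settings.

```powershell
# Added example: read-only check of the two vbscript.dll copies named in the thread.
# Run from a 64-bit PowerShell; a 32-bit host silently redirects System32 to SysWOW64,
# which would make both rows describe the same file.
if (-not [Environment]::Is64BitProcess) {
    Write-Warning 'Running as a 32-bit process: System32 is redirected to SysWOW64.'
}

$copies = @(
    (Join-Path $env:SystemRoot 'System32\vbscript.dll'),
    (Join-Path $env:SystemRoot 'SysWOW64\vbscript.dll')
)

$report = foreach ($path in $copies) {
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Warning "Not found: $path"
        continue
    }

    $item = Get-Item -LiteralPath $path
    $sig  = Get-AuthenticodeSignature -LiteralPath $path   # also honours catalog signatures

    [pscustomobject]@{
        Path        = $path
        SizeBytes   = $item.Length
        FileVersion = $item.VersionInfo.FileVersion
        SigStatus   = $sig.Status                     # 'Valid' is expected for a genuine copy
        Signer      = $sig.SignerCertificate.Subject  # empty if the file is unsigned
        IsOSBinary  = $sig.IsOSBinary                 # True for Windows system binaries
        SHA256      = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    }
}

$report | Format-List

# Flag anything that is not a validly signed OS binary for closer inspection.
$suspect = @($report | Where-Object { $_.SigStatus -ne 'Valid' -or -not $_.IsOSBinary })
if ($suspect.Count -gt 0) {
    Write-Warning ('Review these copies: ' + ($suspect.Path -join ', '))
}
```

The two copies are expected to differ in size and hash because one is the 64-bit build and the other the 32-bit build.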


This is in my VBA code that I am trying to run. I'll take the risk. This all worked on Windows 7. But not when I switched to Windows 10.

I followed this:

Settings -> Security -> Exploit Protection -> Advanced Settings -> Application Hardening -> Disable loading of VBScript libraries -> ??

I found that MS Office was already checked. Unchecking it didn't change anything. The problem is in both Excel 2002 and Excel-365.

  • Staff

Try unchecking it for browsers.

Also, check under Advanced Settings -> App Behavior Protection and uncheck for Office VBA7 to see if that makes a difference.

WARNING: You will be unchecking core protections which are actively abused by malware gangs.

  • 3 months later...

Hi @pbust,

How can I add an exception on OneView? I have this issue with IE and it's on a very specific URL that only sends labels to print. I could not find a way to create an exception other than deactivating the exploit protection on the policy.

Thanks.

  • Staff

Unfortunately, because of the way this particular behavioral protection component works, I do not believe there is any way to create an exception to avoid this detection, so you will likely need to disable the option under the Advanced Settings for Exploit Protection called Internet Explorer VBScripting protection under Application Behavior Protection.

If you are using Nebula, the cloud managed version, you will find a description of each section and setting for Exploit Protection in this support article. The setting I mentioned above is called Protection for Internet Explorer VB Scripting in the Nebula client and is the second item listed under Application Behavior Protection.

I hope this helps and if there is anything else we might be of assistance with please let us know.

Thanks

  • Like 1
  • Staff
12 hours ago, Nicone2 said:

Hi @pbust,

How can I add an exception on OneView? I have this issue with IE and it's on a very specific URL that only sends labels to print. I could not find a way to create an exception other than deactivating the exploit protection on the policy.

Thanks.

Completely disabling anti-exploit is not a good idea as this is our main and most effective infection prevention layer that's not based on signatures. Please replicate the problem on an endpoint and post the anti-exploit logs (mbae-default.log and mbae-default.xpe) from the ProgramData folder. We'll look at the logs and let you know how to best tweak anti-exploit to prevent the issue without disabling too many protections.

5 hours ago, pbust said:

Completely disabling anti-exploit is not a good idea as this is our main and most effective infection prevention layer that's not based on signatures. Please replicate the problem on an endpoint and post the anti-exploit logs (mbae-default.log and mbae-default.xpe) from the ProgramData folder. We'll look at the logs and let you know how to best tweak anti-exploit to prevent the issue without disabling too many protections.

Hi @pbust, I did what @exile360 said and it worked. IE is only used to run a web-based system and nothing else. Do you still think I should send you the logs?

Thanks.
