
This issue has just started with the new version of MalwareBytes install yesterday.

I often use VBA in MS Access to open a folder (or file). 

' Open strFolder in Windows Explorer; the path has to be wrapped in quotes ("" inside a VBA literal is one quote character)
Shell "C:\WINDOWS\explorer.exe """ & strFolder & """", vbNormalFocus

I can't see how to allow this. I've tried adding C:\Windows\explorer.exe and the specified folder to the Allow list but the call is still being blocked.

See attached Report.

MalwareBytes Access Block.txt

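A defensive version of the folder-opening call from the post above, added here as an example and not the poster's own code: it confirms the path is an existing directory before handing it to explorer.exe, builds the Explorer path from %SystemRoot% rather than hard-coding it, and quotes the argument so a folder name containing spaces reaches explorer.exe as a single argument. The helper name OpenFolderInExplorer is an assumption.

```vba
' Added example (not from the original post). OpenFolderInExplorer is a
' hypothetical helper that opens a folder in Windows Explorer from VBA.
Option Explicit

Public Function OpenFolderInExplorer(ByVal strFolder As String) As Boolean
    Dim fso As Object
    Dim strExplorer As String
    Dim strCommand As String

    ' Resolve explorer.exe from the Windows directory instead of a fixed path.
    strExplorer = Environ$("SystemRoot") & "\explorer.exe"

    ' Only an existing directory is ever passed to a child process; anything
    ' else (empty string, file path, typo, injected text) is rejected here.
    Set fso = CreateObject("Scripting.FileSystemObject")
    If Len(strFolder) = 0 Or Not fso.FolderExists(strFolder) Then
        OpenFolderInExplorer = False
        Exit Function
    End If

    ' Wrap the folder in quotes so it is one argument even with spaces;
    ' """" in VBA is a string literal consisting of a single quote character.
    strCommand = strExplorer & " " & """" & strFolder & """"

    ' Shell raises a runtime error if the executable cannot be started,
    ' so report that as a failure rather than letting it propagate.
    On Error GoTo ShellFailed
    OpenFolderInExplorer = (Shell(strCommand, vbNormalFocus) <> 0)
    Exit Function

ShellFailed:
    OpenFolderInExplorer = False
End Function

' Usage from Access VBA, e.g. in a button's Click handler:
'   If Not OpenFolderInExplorer("C:\Reports\2020 Q1") Then
'       MsgBox "Folder could not be opened."
'   End If
```

Note that this does not change what the anti-exploit layer sees: an Office process launching explorer.exe is exactly the behaviour the "Office scripting abuse prevention" setting discussed later in the thread targets, so the block has to be handled through that setting rather than through the VBA. The validation and quoting here only make sure the Shell call does what the author intends when it is allowed to run.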

  • Root Admin

Sorry to hear you're having detection issues @kentgorrell

It's quite late in the evening, but hopefully one of the Research team members can assist soon or by tomorrow.

In the meantime, can you please also get us the following logs to help them verify the issue?

 

To begin, please do the following so that we may take a closer look at your installation for troubleshooting:

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

  • Download the Malwarebytes Support Tool
  • In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
  • In the User Account Control pop-up window, click Yes to continue the installation
  • Run the MBST Support Tool
  • In the left navigation pane of the Malwarebytes Support Tool, click Advanced
  • In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine
  • A zip file named mbst-grab-results.zip will be saved to your desktop, please upload that file on your next reply

Thank you

 


  • Root Admin

Has this previously worked well without a block? Has anything recently changed?

Have you tried resetting the Exploit settings back to default?

Click the small gear on the top right of the program. Then click on the Security tab and scroll to the bottom, then click on Advanced settings; from there you can click Restore Defaults.

Try that and let us know if that corrects the issue or not.

Thanks

 


This has been working OK for years; the problem only arose after installing the new version of MalwareBytes.

Why would I set Exploit settings back to default?

What other things would this affect?

Can you be specific on which settings may be causing this issue?

Under MS Office - we have options checked for

Malicious LoadLibrary prevention

Office WMI abuse prevention

Office VBA7 abuse prevention

Office VBD7 abuse prevention

Office scripting abuse prevention

etc.

Could it be one of these?

Note: in the attached file, the exclusions shown were added after this issue arose.

 

mbst-grab-results.zip


Well, there are two possibilities, either:

  • installing the new version changed this option from false to true
  • or there is a change to how the new version implements this option

Do you have any detailed documentation on this option, or indeed all options?

Some option names are not very descriptive, and it would be good if you could click on an option and be taken to a page that explained its effect.

Maybe even a list of default settings and an explanation of why each is either set to true or false. Even just a "Recommended" next to settings to identify them as default to true.


  • Root Admin

Hello @kentgorrell

I've heard back from the team, and yes, it appears we have updated the AE engine; it has detection enhancements and more granular control of Office blocks.

 

Protection:

  • New protection technique to block exploits from abusing MS Office and scripting applications
  • New technique to protect MS Office applications from loading points abuse attacks
  • New technique to protect MS Office applications from batch command abuse attacks
  • New granular protection against VBA7 process and VBE7 object abuse
  • New protection for email clients against scripting applications abuse attacks
  • New protection to protect MS Office applications from macro 4.0 abuse attacks 

Stability/issues fixed:

  • Fixed slowdown issues with MS Excel application
  • Disabled Java shield by default
  • Improved Logging capabilities
  • Internal Product Improvements

 

 

It looks like you found the correct options to change for this behavior block.

 

Security settings in Malwarebytes for Windows
https://support.malwarebytes.com/hc/en-us/articles/360038984953-Security-settings-in-Malwarebytes-for-Windows

Exclude detections in Malwarebytes for Windows
https://support.malwarebytes.com/hc/en-us/articles/360038479234-Exclude-detections-in-Malwarebytes-for-Windows


We do not have documentation on all the specific settings, but we do have a general FAQ on the Anti-Exploit.

 

Thank you

 

 

Edited by AdvancedSetup
updated information

I don't suppose there were release notes to inform users of these changes, but you would at least think that they might inform support staff.

May I suggest an email, to at least premium users, just before a new version is unleashed on the unsuspecting.

In this case a headline in the email or release notes like "If you use Office Automation (VBA or Macros in Office Applications), please note the following..."

I can see why you might want to block VBA from opening a file but...

I'm not entirely sure that there is a business case for blocking a VBA script from simply opening a folder. Maybe they need to get a bit more granular on what they block. Preferably before they implement a new technique.

Just think about how much time it takes each user to work out what's happened then multiply that by the number of users affected.

Otherwise, I'm pretty happy with MalwareBytes and recommend it to my clients.


  • Root Admin

I understand, but as a business owner I'm sure you can also understand the repercussions of sending out millions of emails when the change so far appears to have affected less than a couple dozen users such as yourself.

There were release notes and I apologize for not knowing them, my brother passed away recently and I was out for a while.

Thank you again for your understanding

 


  • 2 weeks later...

Came to the forums to report basically the same issue. We have an Access file that uses a batch script to aggregate some text files and it's being blocked by Malwarebytes. I tried to add the .accdb file and the .bat file to the allow list which didn't appear to help at all. I ended up disabling the Exploit Protection whenever we need to run the file now. It was working fine until the recent update.

office-spawn-batch.txt


  • Root Admin

@gmariani405

You cannot exclude CMD.EXE, which is what a batch is running. You'd need to disable the following entry.

  • Open Malwarebytes, click the small gear on the top right and go to the Security tab.
  • Scroll down to the bottom and click the Advanced settings button
  • Uncheck "Office spawning batch command prevention"

 

image.png

image.png

 


Could your dev team think about providing a bit more feedback on exploit blocks?

In this case the Report tells us the application and Location and Technique: Exploit payload process blocked; Layer: Application Behavior Protection; Exploit: Malware.Exploit.Agent.Generic

but no mention of the security option involved, in this case: Office scripting abuse prevention.

Could they add a section to the Exploit Block Report that had something like

- If you do not want to block this potent exploit in future go to Exploit Protection > Advanced settings where you can change your setting for "Office scripting abuse prevention"

 

Edited by AdvancedSetup
corrected font issue

  • Root Admin

Part of the issue is that we've made the blocks more granular so that one wouldn't have to turn off entire features, if possible, as was done in older versions.

Knowing which one to disable isn't always a quick, easy answer. In some cases we need the enhanced logging enabled, then duplicate the process that initiated the block and provide those logs so that we can assist further.

Thank you for the feedback

 

Edited by AdvancedSetup
updated information