GregSevior Posted September 14, 2021 ID:1479713

Hi

I am an Access database developer. As of the update yesterday, my databases (1000s of them out there in the wild) are being detected as exploits. The detection appears to be on a call to create an object: 'CreateObject("wscript.shell")'. MWB throws up an exploit message and terminates (crashes) the database and the Access program. The report from MWB is below.

After reading your forum I note you have an advanced setting for VB Script libraries, which I have disabled for some time, but none for the WScript library that I can find.

I can resolve it on my development machine by disabling MWB and/or turning off protection for MS Access in advanced settings. I don't consider either of these options as alternatives for my clients using our databases locally. What alternative solutions are there?

Cheers

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 14/09/2021
Protection Event Time: 13:19
Log File: 8eef8968-150a-11ec-84c9-00155d5d833c.json

-Software Information-
Version: 4.4.6.132
Components Version: 1.0.1453
Update Package Version: 1.0.44954
Licence: Premium

-System Information-
OS: Windows 10 (Build 19042.1165)
CPU: x64
File System: NTFS
User: System

-Exploit Details-
File: 0
(No malicious items detected)

Exploit: 1
Malware.Exploit.Agent.Generic, C:\Users\gsevi\Documents\wscript.shell, Blocked, 0, 392684, 0.0.0, ,

-Exploit Data-
Affected Application: Microsoft Access
Protection Layer: Application Behavior Protection
Protection Technique: Exploit Office VBE7 object abuse blocked
File Name: C:\Users\gsevi\Documents\wscript.shell
URL:

(end)
AdvancedSetup (Root Admin) Posted September 14, 2021 ID:1479715 (edited)

Hello @GregSevior

Open Malwarebytes, click the small gear on the top right and go to the Security tab.
Scroll down to the bottom and click the Advanced Settings button.
Click on the Application behavior protection tab.
Scroll down to "Office VBE7 abuse prevention" and uncheck it.

Let us know if that corrects the issue for you.

Thank you

Edited September 14, 2021 by AdvancedSetup: updated information
GregSevior (Author) Posted September 14, 2021 ID:1479723 (edited)

Hi

Unchecking the "Office VBE7 abuse prevention" option under Application behavior protection has resolved the immediate problem, but what a headache. We have literally 1000s of users out there whose software contains this script, as it checks their License key in the registry. This last update will now prevent any of them (using Malwarebytes) from opening and running the software. Obviously this will be a support nightmare for a while.

Have you any objection to me using the images you posted in a FAQ I can point them to, to let them know how to resolve the issue, whilst we work through a solution to the script call?

Cheers

Edited September 14, 2021 by AdvancedSetup: corrected font issue
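For a developer in the position described above who first needs to find every place a code base creates the WScript.Shell object, a scanner over exported VBA module text can build that inventory. This is an added example, not part of the thread and not Malwarebytes code; the sample module, the function names and the early-bound pattern are assumptions.

```python
import re

# Late-bound creation, the form quoted in the thread: CreateObject("wscript.shell")
LATE_BOUND = re.compile(r'\bCreateObject\s*\(\s*"\s*wscript\.shell\s*"', re.I)
# Early-bound creation (assumption: inventory only; the thread discusses CreateObject).
EARLY_BOUND = re.compile(r'\bNew\s+(?:IWshRuntimeLibrary\.)?WshShell\b', re.I)

# Constructed sample module; the registry path is a placeholder.
SAMPLE = r'''Function ReadKey() As String
    ' old note: CreateObject("wscript.shell")
    Set sh = CreateObject( _
        "WScript.Shell")
    ReadKey = sh.RegRead("HKCU\Software\ExampleVendor\LicenseKey")
    MsgBox "Don't flag this CreateObject text"
End Function
'''

def strip_comment(line):
    """Drop a Rem line or trailing ' comment, ignoring apostrophes in strings."""
    if re.match(r"\s*Rem\b", line, re.I): return ""
    in_string = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_string = not in_string  # a doubled "" toggles twice, net unchanged
        elif ch == "'" and not in_string:
            return line[:i]
    return line

def logical_lines(source):
    """Yield (first_line_no, code) with ' _' line continuations joined."""
    buf, start, in_comment = "", None, False
    for no, raw in enumerate(source.splitlines(), 1):
        code = "" if in_comment else strip_comment(raw)
        # A comment that ends in " _" runs on into the next physical line.
        in_comment = len(code) < len(raw) and raw.rstrip().endswith(" _")
        code = code.rstrip()
        start = start or no
        if code.endswith(" _"):
            buf += code[:-1]
            continue
        yield start, buf + code
        buf, start = "", None
    if buf:
        yield start, buf

def find_shell_creation(source):
    """Return [(line_no, kind)] for each statement that creates WScript.Shell."""
    rules = (("late-bound", LATE_BOUND), ("early-bound", EARLY_BOUND))
    return [(no, k) for no, t in logical_lines(source) for k, rx in rules if rx.search(t)]
```

`find_shell_creation(SAMPLE)` reports the statement starting on line 3 and ignores the commented-out call and the string literal.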
AdvancedSetup (Root Admin) Posted September 14, 2021 ID:1479813

We have added more granular control which has caused some issues for some people. We're continuing to investigate.

Thank you
GregSevior (Author) Posted September 16, 2021 ID:1480004 (edited)

Hi

On further investigating today, I find that MWB is no longer detecting calls in VBA/VBE to create a Wscript.Shell object (i.e. 'CreateObject("wscript.shell")') as an Exploit (and terminating the software), even when the 'Office VBE abuse preventions' switch is active (on).

I assume this is due to some change or update at your end. Can you please confirm?

Cheers
Greg Sevior

Edited September 16, 2021 by AdvancedSetup: corrected font issue
GregSevior (Author) Posted September 16, 2021 ID:1480005

Hi again

Apologies. I spoke too soon. The behaviour still occurs when the software is operated in a folder which is not a designated Office Trusted Folder location. Obviously this will never be the case for newly installed software.

Can you confirm this is the intended behaviour of MWB, and will continue going forward?

Cheers
Greg Sevior
AdvancedSetup (Root Admin) Posted September 16, 2021 ID:1480025

If you're still having issues and can replicate or duplicate the issue then please do the following.

Open Malwarebytes and go to Settings, General and enable Enhanced data logging. Then duplicate the issue. Then gather logs as shown below and go back and disable the Enhanced logging.

To begin, please do the following so that we may take a closer look at your installation for troubleshooting:

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

Download the Malwarebytes Support Tool
In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
In the User Account Control pop-up window, click Yes to continue the installation
Run the MBST Support Tool
In the left navigation pane of the Malwarebytes Support Tool, click Advanced
In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine
A zip file named mbst-grab-results.zip will be saved to your desktop, please upload that file on your next reply

Thank you
GregSevior (Author) Posted September 16, 2021 ID:1480223

Hi

Okay, perhaps you did not read all of the question I asked. There is likely no need for further logs. What is occurring is very clear by stepping through the code and seeing at what point MWB interjects. It is explained above.

The 'issue' that I am seeking clarity on is as follows:

1. In the VBA / VBE code of any Office product, making a call to create a WScript.Shell object (i.e. createobject WScript.Shell) causes MWB to identify that transaction as an exploit (regardless of the reason for creating the WScript object). When this occurs an Exploit message is displayed to the user, and the Office product (i.e. Access, Outlook, PowerPoint etc.) is instantly terminated, not correctly shut down.
2. Your recommended solution for this is that users disable 'Office VBE abuse protection' so it does not occur?

Questions:

1. Is the shutting down of Office products that employ code to create a WScript.Shell object the intended and expected behaviour of MWB?
2. Is it your solution that users of Office products, because of this behaviour, should disable 'Office VBE abuse protection' and thereby open themselves up to any number of other exploits?

This does not sound like a sane or logical solution to an issue which should not be occurring in the first place.

Can you please confirm that MWB, in this case, is acting as intended, and your solution is to disable protection for any VBE abuse to resolve it.

Cheers
AdvancedSetup (Root Admin) Posted September 17, 2021 ID:1480269

It is a temporary workaround while we continue to investigate and correct. We have millions of users and perhaps about a hundred experiencing the issue. We will probably have a beta out next week and if that goes well then about a week or so after that it will go to general release.

Thank you
GregSevior (Author) Posted October 5, 2021 ID:1482694

It's been over 2 weeks since you proposed a temporary fix. Any idea on how long until there is a permanent correction?
Porthos Posted October 5, 2021 ID:1482696

40 minutes ago, GregSevior said:
> It's been over 2 weeks since you proposed a temporary fix. Any idea on how long until there is a permanent correction.

You can watch the release notes for each beta for a fix when ready for testing. It should mention a fix for the Office/exploit issue.
GregSevior (Author) Posted October 5, 2021 ID:1482697

Hi

As suggested I went to the page. Search for Office on the entire page not just the last update notes. 1 hit for Office and it had nothing to do with this topic?

If you have posted a response or fix for this issue, can you paste the URL to that page please.

Cheers
Porthos Posted October 5, 2021 ID:1482698

Just now, GregSevior said:
> Search for Office on the entire page not just the last update notes

There is no fix yet, I just referred you to the beta page where new betas are announced. That is the best way to find out when a fixed version is made available as a Beta.