Hi 

I am an Access database developer. As of the update yesterday, my databases (1000s of them out there in the wild) are being detected as exploits. The detection appears to be on a call to create an object, 'CreateObject("wscript.shell")'. MWB throws up an exploit message and terminates (crashes) the database and the Access program. The report from MWB is below.

After reading your forum I note you have an advanced setting for VB Script libraries, which I have had disabled for some time, but none for the WScript library that I can find. I can resolve it on my development machine by disabling MWB and/or turning off protection for MS Access in advanced settings. I don't consider either of these options as alternatives for my clients using our databases locally.

What alternative solutions are there?

Cheers

 

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 14/09/2021
Protection Event Time: 13:19
Log File: 8eef8968-150a-11ec-84c9-00155d5d833c.json

-Software Information-
Version: 4.4.6.132
Components Version: 1.0.1453
Update Package Version: 1.0.44954
Licence: Premium

-System Information-
OS: Windows 10 (Build 19042.1165)
CPU: x64
File System: NTFS
User: System

-Exploit Details-
File: 0
(No malicious items detected)

Exploit: 1
Malware.Exploit.Agent.Generic, C:\Users\gsevi\Documents\wscript.shell, Blocked, 0, 392684, 0.0.0, , 

-Exploit Data-
Affected Application: Microsoft Access
Protection Layer: Application Behavior Protection
Protection Technique: Exploit Office VBE7 object abuse blocked
File Name: C:\Users\gsevi\Documents\wscript.shell
URL: 

(end)

 

 

 

 


  • Root Admin

Hello @GregSevior and welcome.

Open Malwarebytes, click the small gear on the top right and go to the Security tab.
Scroll down to the bottom and click the Advanced Settings button
Click on the Application behavior protection tab
Scroll down to "Office VBE7 abuse prevention" and uncheck it


 

Let us know if that corrects the issue for you

Thank you

 

 

Edited by AdvancedSetup
updated information

Hi

Unchecking the "Office VBE7 abuse prevention" option under Application behavior protection has resolved the immediate problem, but what a headache. We have literally 1000s of users out there which contains this script, as it checks their License key in the registry.

This last update will now prevent any of them (using Malwarebytes) from opening and running the software. Obviously this will be a support nightmare for a while. Have you any objection to me using the images you posted in a FAQ I can point them to, to let them know how to resolve the issue, whilst we work through a solution to the script call?

Cheers

 

Edited by AdvancedSetup
corrected font issue

Hi

On further investigating today, I find that MWB is no longer detecting calls in VBA/VBE to create a Wscript.Shell object (i.e. 'CreateObject("wscript.shell")') as an Exploit (and terminating the software), even when the 'Office VBE abuse preventions' switch is active (on).

I assume this is due to some change or update at your end. Can you please confirm?

Cheers

Greg Sevior

Edited by AdvancedSetup
corrected font issue

Hi again

Apologies. I spoke too soon. The behaviour still occurs when the software is operated in a folder which is not a designated Office Trusted Folder location. Obviously this will never be the case for newly installed software.

Can you confirm this is the intended behaviour of MWB, and will continue going forward?

Cheers

Greg Sevior
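
To reproduce the condition described in the post above (the block only occurs when the database runs outside an Office Trusted Location), the current user's Access Trusted Locations can be listed and compared with the database folder. This is an added example, not part of the thread and not Malwarebytes or Microsoft code. It assumes the standard per-user registry layout for Access Trusted Locations and ignores locations set by Group Policy; the function names and the sample path are hypothetical.

```powershell
# Added example (not from the thread). Read-only: lists the per-user Access
# Trusted Locations and reports whether a database file lies inside one.

function Get-AccessTrustedLocation {
    # One subkey (Location0, Location1, ...) per trusted folder, per Office version.
    $pattern = 'HKCU:\Software\Microsoft\Office\*\Access\Security\Trusted Locations\*'
    Get-Item -Path $pattern -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -LiteralPath $_.PSPath
        if ($props.Path) {
            # Stored paths may contain variables such as %APPDATA%.
            $expanded = [Environment]::ExpandEnvironmentVariables($props.Path)
            [pscustomobject]@{
                OfficeVersion   = ($_.Name -split '\\')[4]
                Path            = $expanded.TrimEnd('\') + '\'
                AllowSubfolders = ($props.AllowSubfolders -eq 1)
            }
        }
    }
}

function Test-InAccessTrustedLocation {
    param([Parameter(Mandatory)][string]$DatabasePath)

    # Compare folders with a trailing backslash so C:\Apps does not match C:\AppsOld.
    $full = [IO.Path]::GetFullPath($DatabasePath)
    $dir  = [IO.Path]::GetDirectoryName($full).TrimEnd('\') + '\'

    foreach ($loc in Get-AccessTrustedLocation) {
        $exact  = $dir.Equals($loc.Path, [StringComparison]::OrdinalIgnoreCase)
        $nested = $loc.AllowSubfolders -and
                  $dir.StartsWith($loc.Path, [StringComparison]::OrdinalIgnoreCase)
        if ($exact -or $nested) { return $loc }   # the location that covers the file
    }
    return $null                                  # not in any trusted location
}

# Placeholder path: replace with the database being tested.
$hit = Test-InAccessTrustedLocation -DatabasePath 'C:\Path\To\YourDatabase.accdb'
if ($hit) { "Trusted via $($hit.Path) (Office $($hit.OfficeVersion))" }
else      { 'Not inside a per-user Access Trusted Location' }
```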

 

 

 

 


  • Root Admin

If you're still having issues and can replicate or duplicate the issue then please do the following.

Open Malwarebytes and go to Settings, General and enable Enhanced data logging.

Then duplicate the issue. Then gather logs as shown below and go back and disable the Enhanced logging.

 

 

To begin, please do the following so that we may take a closer look at your installation for troubleshooting:

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

  • Download the Malwarebytes Support Tool
  • In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
  • In the User Account Control pop-up window, click Yes to continue the installation
  • Run the MBST Support Tool
  • In the left navigation pane of the Malwarebytes Support Tool, click Advanced
  • In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine
  • A zip file named mbst-grab-results.zip will be saved to your desktop, please upload that file on your next reply

Thank you

 


Hi

Okay, perhaps you did not read all the question I asked.   There is likely no need for further logs. What is occurring is very clear by stepping through the code and seeing at what point MWB interjects.  It is explained above.

The 'Issue' that I am seeking clarity on is as follows:   

1. In the VBA / VBE code of any Office product, making a call to create a WScript.Shell object (i.e. createobject WScript.Shell) causes MWB to identify that transaction as an exploit (regardless of the reason for creating the WScript object). When this occurs an Exploit message is displayed to the user, and the Office product (i.e. Access, Outlook, PowerPoint etc.) is instantly terminated, not correctly shut down.

2. Your recommended solution for this is that users disable 'Office VBE abuse protection' so it does not occur ?????

Question:

1. Is the shutting down of Office products that employ code to create a WScript.Shell object the intended and expected behaviour of MWB?

2. Is it your solution that users of Office products, because of this behaviour, should disable 'Office VBE abuse protection' and thereby open themselves up to any number of other exploits? This does not sound like a sane or logical solution to an issue which should not be occurring in the first place.

Can you please confirm that MWB, in this case, is acting as intended, and your solution is to disable protection for any VBE abuse to resolve it.

Cheers


  • Root Admin

It is a temporary workaround while we continue to investigate and correct. We have millions of users and perhaps about a hundred experiencing the issue. We will probably have a beta out next week and if that goes well then about a week or so after that it will go to general release.

Thank you

 


  • 3 weeks later...
40 minutes ago, GregSevior said:

It's been over 2 weeks since you proposed a temporary fix. Any idea on how long until there is a permanent correction?

You can watch the release notes for each beta for a fix when ready for testing. It should mention a fix for the Office/exploit issue.

 


Hi

As suggested I went to the page. Search for Office on the entire page not just the last update notes. 1 hit for Office and it had nothing to do with this topic?

If you have posted a response, fix for this issue, can you paste the URL to that page please. Cheers


Just now, GregSevior said:

Search for Office on the entire page not just the last update notes

There is no fix yet, I just referred you to the beta page where new betas are announced. That is the best way to find out when a fixed version is made available as a Beta.
