MS Word and Excel 2019 - Exploit Office WMI Abuse Blocked (cmd.exe)


lmacri

I tried to open MS Word 2019 today (i.e., starting with a blank document with the default template, was not opening a saved .docx file) and Malwarebytes Premium v4.4.6.132-1.0.1453 prevented the launch with the following Malware.Exploit.Agent.Generic detection for cmd.exe.  I tried to re-create the block by re-launching MS Word 2019 again and was shown a prompt asking if I wanted to start Word in Safe Mode due to an unexpected shutdown (which I declined) and can't seem to reproduce the problem - for now, Word seems to be launching again as expected without any changes to my Exploit Protection settings (see image below).
---------------------------------------

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 9/16/21
Protection Event Time: 6:12 PM
Log File: 904ace9b-1743-11ec-bfdf-e454e81e1efc.json

-Software Information-
Version: 4.4.6.132
Components Version: 1.0.1453
Update Package Version: 1.0.45000
License: Premium

-System Information-
OS: Windows 10 (Build 19043.1237)
CPU: x64
File System: NTFS
User: System

-Exploit Details-
File: 0
(No malicious items detected)

Exploit: 1
Malware.Exploit.Agent.Generic, ComSpec=C:\WINDOWS\system32\cmd.exe, Blocked, 0, 392684, 0.0.0, ,

-Exploit Data-
Affected Application: Microsoft Office Word
Protection Layer: Application Behavior Protection
Protection Technique: Exploit Office WMI abuse blocked
File Name: ComSpec=C:\WINDOWS\system32\cmd.exe
URL:

(end)

---------------------------------------

I am currently using default settings for Exploit Protection - namely Settings | Security | Exploit Protection | Advanced Settings | Application Behaviour Protection | Office WMI Abuse Prevention is ENABLED.

[image: Malwarebytes v4.4.6 Exploit Protection advanced settings, Application Behaviour Protection tab, 16-Sep-2021]
---------------
64-bit Win 10 Pro v21H1 build 19043.1237 * Firefox v92.0.0 * Microsoft Defender v4.18.2108.7 * Malwarebytes Premium v4.4.6.132-1.0.1453 * MS Office Home and Business 2019 C2R v2108 (build 14326.20238)
Dell Inspiron 15 5584, Intel i5-8265U CPU, 8 GB RAM, Toshiba KBG40ZNS256G 256 GB NVMe SSD, Intel UHD Graphics 620

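The two exports in this thread (the Word one above and the Excel one further down) share one plain-text layout: dash-delimited section headers, `Key: Value` lines, and a single comma-separated detection line under "Exploit Details". The script below is an added example, not code from the original poster or from Malwarebytes: it parses that layout, strips the `ComSpec=` prefix the log puts in front of the blocked interpreter path, and reduces the export to the fields a responder actually needs (which Office application, what it tried to launch, which rule fired, and which database version was loaded). The sample log is constructed to match the Word export, and the list of "shell" binaries in `is_office_shell_spawn` is my choice, not anything the page states.

```python
"""Parse a Malwarebytes anti-exploit log export and summarize the block.

Added example; the layout is taken from the two exports in this thread.
"""
import re

# Constructed sample: same layout and values as the Word export above.
SAMPLE_LOG = r"""
Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 9/16/21
Protection Event Time: 6:12 PM
Log File: 904ace9b-1743-11ec-bfdf-e454e81e1efc.json

-Software Information-
Version: 4.4.6.132
Components Version: 1.0.1453
Update Package Version: 1.0.45000
License: Premium

-Exploit Details-
File: 0
(No malicious items detected)

Exploit: 1
Malware.Exploit.Agent.Generic, ComSpec=C:\WINDOWS\system32\cmd.exe, Blocked, 0, 392684, 0.0.0, ,

-Exploit Data-
Affected Application: Microsoft Office Word
Protection Layer: Application Behavior Protection
Protection Technique: Exploit Office WMI abuse blocked
File Name: ComSpec=C:\WINDOWS\system32\cmd.exe
URL:

(end)
"""

SECTION_RE = re.compile(r"^-(.+)-$")
# Field names for the comma-separated detection line; the names after
# "action" are assumptions, the export does not label those columns.
DETECTION_FIELDS = ("name", "file", "action", "unused", "detection_id", "version")


def parse_mb_exploit_log(text):
    """Return {section: {key: value}} plus a 'detections' list of dicts."""
    sections = {"detections": []}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(end)":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = {}
            continue
        if current is None:
            continue  # banner lines above the first section header
        # Detection lines are comma lists; split on "," (not ": ") because
        # the file path itself contains a colon ("C:\...").
        fields = [f.strip() for f in line.split(",")]
        if len(fields) >= len(DETECTION_FIELDS):
            sections["detections"].append(dict(zip(DETECTION_FIELDS, fields)))
            continue
        key, sep, value = line.partition(":")
        if sep:
            sections[current][key.strip()] = value.strip()
    return sections


def summarize_block(parsed):
    """Reduce the export to the fields worth triaging."""
    data = parsed.get("Exploit Data", {})
    sw = parsed.get("Software Information", {})
    target = data.get("File Name", "")
    # The export reports the launched interpreter as "ComSpec=<path>";
    # keep only the path.
    if "=" in target:
        target = target.split("=", 1)[1]
    detections = parsed.get("detections", [])
    return {
        "application": data.get("Affected Application", ""),
        "technique": data.get("Protection Technique", ""),
        "target": target,
        "target_basename": target.rsplit("\\", 1)[-1].lower(),
        "action": detections[0]["action"] if detections else "",
        "detection_id": detections[0]["detection_id"] if detections else "",
        "database": sw.get("Update Package Version", ""),
    }


def is_office_shell_spawn(summary):
    """True when an Office application was stopped launching a command shell.

    Both exports in the thread satisfy this. The shell list is an assumption
    of this example; extend it to match your own telemetry.
    """
    shells = {"cmd.exe", "powershell.exe"}
    return (summary["application"].startswith("Microsoft Office")
            and summary["target_basename"] in shells)


if __name__ == "__main__":
    result = summarize_block(parse_mb_exploit_log(SAMPLE_LOG))
    print(result, is_office_shell_spawn(result))
```

Run it against a saved export instead of `SAMPLE_LOG` to get the same summary for any block. Because the rule is named for exactly this behaviour (an Office process reaching a command interpreter), a hit is worth correlating with process-creation telemetry from the same minute before it is written off as a false positive, and the `database` field tells you which detection package was loaded when it fired, which is the first thing a vendor will ask for.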

6 minutes ago, lmacri said:

I am currently using default settings for Exploit Protection - namely Settings | Security | Exploit Protection | Advanced Settings | Application Behaviour Protection | Office WMI Abuse Prevention is ENABLED.

Uncheck that box if you still have issues.


  • lmacri changed the title to MS Word and Excel 2019 - Exploit Office WMI Abuse Blocked (cmd.exe)
On 9/16/2021 at 7:00 PM, lmacri said:

I tried to open MS Word 2019 today (i.e., starting with a blank document with the default template, was not opening a saved .docx file) and Malwarebytes Premium v4.4.6.132-1.0.1453 prevented the launch with the following Malware.Exploit.Agent.Generic detection for cmd.exe.  I tried to re-create the block by re-launching MS Word 2019 again and was shown a prompt asking if I wanted to start Word in Safe Mode due to an unexpected shutdown (which I declined) and can't seem to reproduce the problem - for now, Word seems to be launching again as expected without any changes to my Exploit Protection settings...

Just an FYI that I had a similar Exploit Office WMI Abuse Blocked (cmd.exe) detection today, but this time it was for MS Excel 2019, not MS Word 2019.  As before, the next time I tried to launch Excel I was shown a prompt asking if I wanted to start Excel in Safe Mode (which I declined - see image below) and can't seem to reproduce the problem - for now, Excel seems to be launching again as expected after that initial exploit block without any changes to my default Exploit Protection settings.

[image: MS Excel 2019 "Start in Safe Mode" prompt shown after the Malwarebytes v4.4.6 exploit block]

I have no idea why this exploit block suddenly appeared this afternoon, since I was using MS Excel 2019 as early as this morning and didn't encounter a problem.  I don't know if it's relevant but my MS Office Home and Business 2019 C2R updated to v2108 (build 14326.20404) yesterday, and the malware database for my Malwarebytes Premium v4.4.6 is now at v1.0.45134.

---------------------------------------------------------

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 9/19/21
Protection Event Time: 6:04 PM
Log File: eb5123bf-199d-11ec-88dc-e454e81e1efc.json

-Software Information-
Version: 4.4.6.132
Components Version: 1.0.1453
Update Package Version: 1.0.45134
License: Premium

-System Information-
OS: Windows 10 (Build 19043.1237)
CPU: x64
File System: NTFS
User: System

-Exploit Details-
File: 0
(No malicious items detected)

Exploit: 1
Malware.Exploit.Agent.Generic, ComSpec=C:\WINDOWS\system32\cmd.exe, Blocked, 0, 392684, 0.0.0, ,

-Exploit Data-
Affected Application: Microsoft Office Excel
Protection Layer: Application Behavior Protection
Protection Technique: Exploit Office WMI abuse blocked
File Name: ComSpec=C:\WINDOWS\system32\cmd.exe
URL:

(end)

---------------------------------------------------------
64-bit Win 10 Pro v21H1 build 19043.1237 * Firefox v92.0.0 * Microsoft Defender v4.18.2108.7 * Malwarebytes Premium v4.4.6.132-1.0.1453 * MS Office Home and Business 2019 C2R v2108 (build 14326.20404)
Dell Inspiron 15 5584, Intel i5-8265U CPU, 8 GB RAM, Toshiba KBG40ZNS256G 256 GB NVMe SSD, Intel UHD Graphics 620

Edited by lmacri

54 minutes ago, Nicone2 said:

Yes, it lets me make these kinds of changes that you propose but I would like to think that they are going to fix it. This didn't happen before and I wouldn't want to leave that protection disabled.

Hi Nicone2:

Malwarebytes employee AdvancedSetup posted <above> on 16-Sep-2021 that "We are working on an update. Hopefully a beta will be out soon with a possible solution."  Unfortunately, the release notes <here> for Malwarebytes v4.4.7.134-1.0.1464 (released yesterday on 23-Sep-2021) don't mention a permanent fix for this particular Exploit Office WMI Abuse block so we'll have to wait a bit longer.
-------------
64-bit Win 10 Pro v21H1 build 19043.1237 * Firefox v92.01 * Microsoft Defender v4.18.2108.7 * Malwarebytes Premium v4.4.6.132-1.0.1453 * MS Office Home and Business 2019 C2R v2108 (build 14326.20404)
Dell Inspiron 15 5584, Intel i5-8265U CPU, 8 GB RAM, Toshiba KBG40ZNS256G 256 GB NVMe SSD, Intel UHD Graphics 620


  • 1 month later...
On 9/16/2021 at 9:30 PM, AdvancedSetup said:

We are working on an update. Hopefully a beta will be out soon with a possible solution.

Is there any update on the status of this fix? The release notes <here> for the latest Malwarebytes v4.4.10.144-1.0.1499 (rel. 04-Nov-2021) state in part ...

Some Issues now addressed:

  • AE winword.exe test sample detection only occurs with pen testing ON

... but I'm not clear if that fix is related in any way to the anti-exploit false positive (Office WMI Abuse Prevention) for MS Excel 2019 that I reported in my original 16-Sep-2021 post <above>.

-----------
64-bit Win 10 Pro v21H1 build 19043.1288 * Firefox v94.0.1 * Microsoft Defender v.4.18.2110.6-1.1.18700.4 * Malwarebytes Premium v4.4.9.142-1.0.1486 * MS Office Home and Business 2019 C2R v2110 (build 14527.20234)
Dell Inspiron 15 5584, Intel i5-8265U CPU, 8 GB RAM, 256 GB Toshiba KBG40ZNS256G NVMe SSD, Intel UHD Graphics 620

Edited by lmacri
