
Unblock clipboard exploit


LydiaS


I use MS Access to program small applications for private use in a small business. I updated to the latest version of MalwareBytes about half an hour ago and have been experiencing a few issues since then. The latest update seems to take issue with a utility I created to improve the functionality of some of our databases. In this utility, I execute a WShellScript (I already found the fix to stop MalwareBytes from blocking that) that uses the clipboard to grab some information on a process. MalwareBytes is blocking the utility from doing this. Disabling Exploit Protection resolves the problem, but I do not want to disable Exploit Protection entirely. Please, help. TIA.

The report details on the blocked exploit are as follows:
 

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 9/19/21
Protection Event Time: 9:01 AM
Log File: 16e51a54-1952-11ec-99a0-4cebbd66fe46.json

-Software Information-
Version: 4.4.6.132
Components Version: 1.0.1453
Update Package Version: 1.0.45114
License: Premium

-System Information-
OS: Windows 10 (Build 19042.1237)
CPU: x64
File System: NTFS
User: System

-Exploit Details-
File: 0
(No malicious items detected)

Exploit: 1
Malware.Exploit.Agent.Generic, C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (Get-Process MSACCESS).id | clip, Blocked, 0, 392684, 0.0.0, , 

-Exploit Data-
Affected Application: Microsoft Access
Protection Layer: Application Behavior Protection
Protection Technique: Exploit payload process blocked
File Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (Get-Process MSACCESS).id | clip
URL: 

(end)


  • Root Admin

Hello @LydiaS

Please try the following and let me know if it helps or not

Open Malwarebytes, click the small gear on the top right and go to the Security tab.
Scroll down to the bottom and click the Advanced Settings button
Click on the Application behavior protection tab
Scroll down to "Office scripting abuse prevention" under MS Office and uncheck it

 


  • Root Admin

Okay let's do the following then @LydiaS

Open the Advanced Settings again. Reset to Defaults.

Then open the General tab and enable Event log data - then restart the computer.

Next, run the task that triggers this block, alert, and afterward go ahead and grab me the following logs.

 

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

  • Download the Malwarebytes Support Tool
  • In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
  • In the User Account Control pop-up window, click Yes to continue the installation
  • Run the MBST Support Tool
  • In the left navigation pane of the Malwarebytes Support Tool, click Advanced
  • In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine
  • A zip file named mbst-grab-results.zip will be saved to your desktop, please upload that file on your next reply

Thank you

 


@AdvancedSetup

The zip you requested is attached.

Incidentally, I discovered another conflict with MalwareBytes during the course of events yesterday. A VB script very common to our databases that we use to compact/repair/restart MS Access is also being blocked as an exploit. But one problem at a time. I am hopeful that a solution for this clipboard problem will be a solution for that problem as well. As a temporary solution, I disable exploit protection only for MS Access in the "Manage protected applications" menu whenever I need to work on these databases (I made sure to reenable it when I followed your instructions to get the event logs).

Thanks again. Looking forward to your next reply.

mbst-grab-results.zip


@AdvancedSetup

I just realized that the zip I sent you earlier might not have information on the blocked clipboard exploit, but rather on a problem I had previous to that one that I had already resolved by disabling "Office VBE7 abuse prevention" under the "Application abuse prevention" tab in advanced settings. 

I have attached another zip. This one was run with "Office VBE7 abuse prevention" disabled so that the clipboard problem would be caught instead of the WShellScript that runs prior to the clipboard call.

mbst-grab-results.zip


  • Root Admin

Thank you @LydiaS

The first zip file does not show any AE blocked

The second one does show it was blocked but still shows it is due to the Office VBE7 abuse prevention setting

 

Let's try doing a complete clean removal and reinstall of Malwarebytes. If the block still happens then let's try to isolate out each instance in a more methodical way.

 

 

Can you please do the following?

  • Download the Malwarebytes Support Tool
  • In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
  • In the User Account Control pop-up window, click Yes to continue the installation
  • Run the MBST Support Tool
  • In the left navigation pane of the Malwarebytes Support Tool, click Advanced
  • In the Advanced Options, click the CLEAN button and follow the onscreen instructions to reinstall Malwarebytes
  • NOTE: Please have patience as it can take a while to remove and reinstall. The computer will restart to complete

After the restart please do the following

  • Run the MBST Support Tool
  • In the left navigation pane of the Malwarebytes Support Tool, click Advanced
  • In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine
  • A zip file named mbst-grab-results.zip will be saved to your desktop, please upload that file on your next reply

Thank you

 


Thank you for your continued assistance @AdvancedSetup. Apologies for the delayed response.

I am still having the issues previously discussed. I had a minor point of confusion with your most recent instructions, so here is what I did.

1) Performed the Clean reinstall of MalwareBytes using the Malwarebytes Support Tool. I was not prompted to restart the machine, but I did so anyway. A text file called "mbst-clean-results" was generated after the reinstall.

2) Gathered logs right after the machine restarted. This zip is attached and named "mbst-grab-results_afterRestart".

3) Gathered logs with default settings after launching the program that is having problems. This zip is attached and named "mbst-grab-results_defaultSettings".

4) Gathered logs after launching the program with Office VBE7 abuse prevention disabled. This zip is attached and named "mbst-grab-results_VBE7disabled".

I hope what I did was sufficient to gather the information that you need. Thanks, again.

mbst-grab-results_afterRestart.zip mbst-grab-results_defaultSettings.zip mbst-grab-results_VBE7disabled.zip


  • Root Admin

Thank you, my mistake. You will need to uncheck the MS Access protection. @LydiaS

Open Malwarebytes, click the small gear on the top right and go to the Security tab.
Scroll down to the bottom and click the Manage protected applications button
Scroll down to "Microsoft Access" and disable it.


 

Then restart the computer and let me know if you're still getting a block

 

 

 

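The report in the first post names Microsoft Access as the affected application and a powershell.exe command line as the blocked payload process. As an added example (not part of the thread and not Malwarebytes code), this Python sketch parses that report layout and flags the Office-parent, script-interpreter-child pattern; the `OFFICE_APPS` and `INTERPRETERS` lists and the no-spaces-in-image-path rule are assumptions of the example.

```python
import ntpath
import re

# Copied from the "-Exploit Data-" section of the report in the first post.
REPORT = r"""
-Exploit Data-
Affected Application: Microsoft Access
Protection Layer: Application Behavior Protection
Protection Technique: Exploit payload process blocked
File Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (Get-Process MSACCESS).id | clip
URL:
"""

# Assumed lists for this sketch, not taken from Malwarebytes.
OFFICE_APPS = {"Microsoft Access"}
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

def parse_report(text):
    """Return {section: {key: value}} for the '-Section-' / 'Key: value' layout."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        header = re.fullmatch(r"-(.+)-", line)
        # Keys are letters and spaces only, so lines that merely contain "C:\" are skipped.
        field = re.fullmatch(r"([A-Za-z ]+):\s*(.*)", line)
        if header:
            current = sections.setdefault(header.group(1), {})
        elif field and current is not None:
            current[field.group(1)] = field.group(2)
    return sections

def split_payload(file_name):
    """Split 'image [image] args' into (image, args); assumes no spaces in the image path."""
    m = re.match(r"(\S+\.exe)(?:\s+\1)?\s*(.*)$", file_name, re.IGNORECASE)
    return (m.group(1), m.group(2)) if m else (file_name, "")

def triage(text):
    """Summarise who spawned what, and whether it is Office launching an interpreter."""
    data = parse_report(text)["Exploit Data"]
    image, args = split_payload(data["File Name"])
    child = ntpath.basename(image).lower()
    parent = data["Affected Application"]
    return {
        "parent": parent,
        "technique": data["Protection Technique"],
        "child": child,
        "args": args,
        "office_spawned_interpreter": parent in OFFICE_APPS and child in INTERPRETERS,
    }
```
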
