Jump to content

Exploit protection blocking certain excel spreadsheets from opening

Roj9

By Roj9
in Exploit

 Share

Recommended Posts

Roj9

Roj9

Posted
Posted

Currently have a client who cannot open certain excel spreadsheets. I have disabled exploit protection as a temporary fix. Their colleagues can all open the documents and I cannot find any difference in settings between them. 

Can send logs etc if you can let me know which?

thanks

Link to post
Share on other sites
lmacri

lmacri

Posted
Posted (edited)

Hi Roj9:

If you can Export the detection log found at Detection History | History to a .txt file (see the first image below) and then paste the contents in your next reply someone should be able to confirm if your client's Exploit Protection detection is a false positive, and if so, how to temporarily change their Exploit Protection settings to prevent these false positive warnings.

 

Many users have recently reported Exploit Protection blocks for MS Office in the False Positives | Exploit board.  See my 16-Sep-2021 thread MS Word and Excel 2019 - Exploit Office WMI Abuse Blocked (cmd.exe) for one example.  When I view the detailed detection log at Detection History | History the Protection Technique says "Exploit Office WMI Abuse Blocked" (your client's Protection Technique might be slightly different)...

1216436931_MBv4_4_7DetectionHistoryExploitOfficeWMIAbuseBlocked04Oct2021.png.27a737c65f1221d6c9498bdc3185edd7.png

... and if I wish, I can temporarily DISABLE the Exploit Protection settings at Settings | Security | Exploit Protection | Advanced Settings | Application Behaviour Protection | Office WMI Abuse Prevention (enabled by default) to prevent these false positive detections until Malwarebytes releases a bug fix.

637536404_MBv4_4_6Word2019FPAdvancedExploitApplicationProtection16Sep2021.png.827ab20eefe5d0d9d39243c252778f68.png

-------------
64-bit Win 10 Pro v21H1 build 19043.1237 * Firefox v92.0.1 * Microsoft Defender v4.18.2108.7 * Malwarebytes Premium v4.4.7.134-1.0.1464 * MS Office Home and Business 2019 C2R v2108 (build 14326.20404)
Dell Inspiron 15 5584, Intel i5-8265U CPU, 8 GB RAM, Toshiba KBG40ZNS256G 256 GB NVMe SSD, Intel UHD Graphics 620

Edited by lmacri
Link to post
Share on other sites
lmacri

lmacri

Posted
Posted

Hi Roj9:

Sorry, only Malwarebytes employees and a small group of users with advanced permissions are allowed to open attached files, so you'll have to wait for @AdvancedSetup or one of the other senior members of this forum to review your detection log.

If the Protection Technique that triggered the block for your client was something other than Office WMI Abuse Prevention (I only used that as a example) then disabling Settings | Security | Exploit Protection | Advanced Settings | Application Behaviour Protection | Office WMI Abuse Prevention isn't going to stop the block.
-------------
64-bit Win 10 Pro v21H1 build 19043.1237 * Firefox v92.0.1 * Microsoft Defender v4.18.2108.7 * Malwarebytes Premium v4.4.7.134-1.0.1464 * MS Office Home and Business 2019 C2R v2108 (build 14326.20404)
Dell Inspiron 15 5584, Intel i5-8265U CPU, 8 GB RAM, Toshiba KBG40ZNS256G 256 GB NVMe SSD, Intel UHD Graphics 620

Link to post
Share on other sites
Porthos

Porthos

Posted
Posted
22 minutes ago, Roj9 said:

Thanks

Thanks. Here is the TXT file log. 

The following did not help...

DISABLE the Exploit Protection settings at Settings | Security | Exploit Protection | Advanced Settings | Application Behaviour Protection | Office WMI Abuse Prevention

scan.txt 878 B · 0 downloads

Uncheck the following and click apply.

image.png.d32e7dd7fb1628428fe1132c50280af0.png

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.