Jump to content

Malware.Exploit.Agent.Generic message when opening doc in Word or Excel


Go to solution Solved by knguyen1,

Recommended Posts

Recently migrated over to Malwarebytes Nebula and there are multiple endpoints that get the malware.exploit.agent.generic message when opening a document via Word or Excel but the document still opens and they can work on it. Is this a false positive?

Link to post
Share on other sites

13 minutes ago, FOIT_Team said:

Is this a false positive?

Without logs showing the detection, it is most likely due to an issue with exploit protection and Office currently.

15 minutes ago, FOIT_Team said:

multiple endpoints

Each one could have a different workaround.

Link to post
Share on other sites

7 minutes ago, Porthos said:

Without logs showing the detection, it is most likely due to an issue with exploit protection and Office currently.

Where can we locate the exploit protection part in Nebula, if there is one? Or where do you suggest we look?

Link to post
Share on other sites

  • Staff
  • Solution

Hi @FOIT_Team, looking at your portal, I mostly see ComSpec=C:\Windows\system32\cmd.exe detections, which are a bug from a recent update at the beginning of last month. We are actually releasing another update shortly which should resolve this issue. That's good to hear it is not affecting any users from actually using their office applications and just an annoyance. There is technically a setting you could turn off to prevent these, but with the update coming out so soon, we may just want to hold off and then it should resolve on it's own. Until then, these can safely be ignored.

  • Thanks 2
Link to post
Share on other sites

  • Staff

No problem! I was looking and you currently have "Install software updates automatically" disabled. You could enable this just to make the update process and resolving this issue more seamless.

Otherwise, once the update does release, it will have to first check for updates (we meter this slowly out to endpoints, but it can be expedited by selecting endpoints and clicking on Actions -> Check for Software Updates), and then you will have to manually click install software updates. Either way works, the manual way just gives you more control over when it updates, as a reboot may be required to complete the update. 

If you do want to turn automatic updates on, go to Settings -> Policies -> Default Policy -> Endpoint Agent -> Software Updates & check the checkbox under Windows for "Automatically download and install Malwarebytes application updates"

I can provide more information once the update releases.

  • Like 1
Link to post
Share on other sites

  • Staff

This update is currently being metered out, however, you can bypass the metering to make sure your clients get the build earlier.
 
To do this, select the computers you would like to update in Nebula and click the actions option in the upper right. From here, select Check for Software Updates. This will allow you to bypass the metering. After the machines get the update, select the machines again and select Install Software updates from the action menu to force the endpoints to install the update. If you have the Automatically download and install Malwarebytes application updates option enabled in the policy, then you can skip this step.
 
This should update the version of the product to:

  • Protection Service (MBAMService) - 4.4.7.134
  • Component Package (ctlr) - 1.0.1464

 
After you do this, you can move your machines back to a policy with WMI enabled. You can also enable WMI in the policy again by going to the Policy > Protection settings. From there, click on Advanced settings > Anti-Exploit Settings > Application Behavior protection >  and enable Office WMI abuse protection. Please let us know if you run into any issues with this!

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.