Malware.Exploit.Agent.Generic message when opening doc in Word or Excel

[FOIT_Team]

Recently migrated over to Malwarebytes Nebula and there are multiple endpoints that get the malware.exploit.agent.generic message when opening a document via Word or Excel but the document still opens and they can work on it. Is this a false positive?

[Porthos]

13 minutes ago, FOIT_Team said:

Is this a false positive?

Without logs showing the detection, it is most likely due to an issue with exploit protection and Office currently.

15 minutes ago, FOIT_Team said:

multiple endpoints

Each one could have a different workaround.

[FOIT_Team]

7 minutes ago, Porthos said:

Without logs showing the detection, it is most likely due to an issue with exploit protection and Office currently.

Where can we locate the exploit protection part in Nebula, if there is one? Or where do you suggest we look?

[Porthos]

I will ask @knguyen1 to assist.

[knguyen1]

Hi @FOIT_Team, looking at your portal, I mostly see ComSpec=C:\Windows\system32\cmd.exe detections, which are a bug from a recent update at the beginning of last month. We are actually releasing another update shortly which should resolve this issue. That's good to hear it is not affecting any users from actually using their office applications and just an annoyance. There is technically a setting you could turn off to prevent these, but with the update coming out so soon, we may just want to hold off and then it should resolve on it's own. Until then, these can safely be ignored.

[FOIT_Team]

Thank you very much for the clarification @knguyen1!

[knguyen1]

No problem! I was looking and you currently have "Install software updates automatically" disabled. You could enable this just to make the update process and resolving this issue more seamless.

Otherwise, once the update does release, it will have to first check for updates (we meter this slowly out to endpoints, but it can be expedited by selecting endpoints and clicking on Actions -> Check for Software Updates), and then you will have to manually click install software updates. Either way works, the manual way just gives you more control over when it updates, as a reboot may be required to complete the update. 

If you do want to turn automatic updates on, go to Settings -> Policies -> Default Policy -> Endpoint Agent -> Software Updates & check the checkbox under Windows for "Automatically download and install Malwarebytes application updates"

I can provide more information once the update releases.

[WestM]

Good to know. Thank you for the update regarding this issue.

[knguyen1]

This update is currently being metered out, however, you can bypass the metering to make sure your clients get the build earlier.
 
To do this, select the computers you would like to update in Nebula and click the actions option in the upper right. From here, select Check for Software Updates. This will allow you to bypass the metering. After the machines get the update, select the machines again and select Install Software updates from the action menu to force the endpoints to install the update. If you have the Automatically download and install Malwarebytes application updates option enabled in the policy, then you can skip this step.
 
This should update the version of the product to:

• Protection Service (MBAMService) - 4.4.7.134
• Component Package (ctlr) - 1.0.1464

 
After you do this, you can move your machines back to a policy with WMI enabled. You can also enable WMI in the policy again by going to the Policy > Protection settings. From there, click on Advanced settings > Anti-Exploit Settings > Application Behavior protection >  and enable Office WMI abuse protection. Please let us know if you run into any issues with this!

Edited October 6, 2022 by AdvancedSetup
Corrected font issue