False positive - AddinTools Classic Menu for Office / Office 365


tsmith

I recently updated Office 2019 to Office 365. My addins work fine except for Classic Menu. Every time I try to use any part of the menu, the Office application freezes and Malwarebytes pops up "Exploit blocked" and says it blocked this:

Affected Application: Microsoft Office {insert program name such as Excel, Word, etc}
Protection Layer: Malicious Memory Protection
Protection Technique: Exploit code executing from Heap memory blocked

The notification history for MWB says, "Exploit blocked" "Exploit attempt detected and blocked. It is no longer a threat. Open quarantine to learn more."

When I go to quarantine, nothing is there. ???

I added the entire Office directory to the exclude list. I added the Classic Menu directory to the exclude list. The issue remains. What's the next step?

Details from the last detection:
Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 11/7/21
Protection Event Time: 9:30 PM
Log File: 4345696e-4044-11ec-b8fd-9c5c8ebc0d92.json

-Software Information-
Version: 4.4.10.144
Components Version: 1.0.1499
Update Package Version: 1.0.46948
License: Premium

-System Information-
OS: Windows 10 (Build 19043.1320)
CPU: x64
File System: NTFS
User: System

-Exploit Details-
File: 0
(No malicious items detected)

Exploit: 1
Malware.Exploit.Agent.Generic, , Blocked, 0, 392684, 0.0.0, , 

-Exploit Data-
Affected Application: Microsoft Office Excel
Protection Layer: Malicious Memory Protection
Protection Technique: Exploit code executing from Heap memory blocked
File Name: 
URL: 

(end)

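The report layout pasted in the post above, parsed into fields so that events gathered from several Office applications can be grouped by protection layer and technique. This is an added example, not part of the thread and not Malwarebytes tooling; `parse_report`, `summarize` and the second sample event are constructed for illustration.

```python
from collections import Counter

# Constructed sample in the report layout pasted in the post above
# (field names from the post; the second event's values are made up).
REPORT_EXCEL = """\
-Log Details-
Protection Event Date: 11/7/21
Protection Event Time: 9:30 PM
-Exploit Details-
File: 0
(No malicious items detected)
Exploit: 1
Malware.Exploit.Agent.Generic, , Blocked, 0, 392684, 0.0.0, ,
-Exploit Data-
Affected Application: Microsoft Office Excel
Protection Layer: Malicious Memory Protection
Protection Technique: Exploit code executing from Heap memory blocked
File Name:
URL:
(end)
"""
REPORT_WORD = REPORT_EXCEL.replace("Office Excel", "Office Word").replace("9:30", "9:41")


def parse_report(text):
    """Parse one report into {section: {field: value}}; detection rows go under 'items'."""
    report, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if len(line) > 2 and line.startswith("-") and line.endswith("-"):
            current = report.setdefault(line.strip("-"), {})
        elif current is None or not line or line.startswith("("):
            continue  # preamble, blanks, "(No malicious items detected)", "(end)"
        elif line.count(",") >= 3:  # comma-separated detection row
            current.setdefault("items", []).append([f.strip() for f in line.split(",")])
        elif ":" in line:
            key, _, value = line.partition(":")  # first colon only, so "9:30 PM" survives
            current[key.strip()] = value.strip()
    return report


def summarize(reports):
    """Count events per (application, layer, technique) and how many name no file or URL."""
    counts, no_artifact = Counter(), 0
    for r in map(parse_report, reports):
        data = r.get("Exploit Data", {})
        counts[(data.get("Affected Application"), data.get("Protection Layer"),
                data.get("Protection Technique"))] += 1
        no_artifact += not (data.get("File Name") or data.get("URL"))
    return counts, no_artifact
```

Events that name no file and no URL, as in the report above, leave nothing to quarantine, which matches the empty quarantine the poster describes.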

I disabled Exploit Detection and can now run Office 365 applications normally, but I can't help but wonder what the correct solution to this would be.

I see a number of options in Advanced Exploit Protection settings, but I'm not sure which ones to turn off in what categories. I see these categories:

Application hardening
Advanced memory protection
Application behavior protection
Java protection
Penetration Testing

Columns within Application hardening, Advanced memory protection and Application behavior protection are:

Non-Chromium browsers
Chromium browsers
PDF readers
MS Office
Media players
Other

Rows within Application hardening are:

DEP enforcement
Anti-heap spraying environment
Dynamic anti-heap spraying enforcement
BottomUp ASLR enforcement
Disable loading of VBScript libraries
Anti-Exploit fingerprint attempt detection

Rows within Advanced memory protection are:

Malicious return address detection
DEP bypass protection
Memory patch hijack protection
Stack pivoting protection
CALL ROP gadget detection (32 bit)
RET ROP gadget detection (32 bit)
CALL ROP gadget detection (64 bit)
RET ROP gadget detection (64 bit)

Rows within Application behavior protection are:

Malicious LoadLibrary prevention
Internet Explorer VBScripting protection
MessageBox payload protection
Office WMI abuse prevention
Office VBA7 abuse prevention
Office VBE7 abuse prevention
Office scripting abuse prevention
Office loading points abuse prevention
Office spawning batch command prevention
Excel macro 4.0 abuse prevention
Email client scripting abuse prevention

There's also the Java protection category with these items:

Prevent web-based Java command line operations
Prevent malicious inbound shell attacks
Use Metasploit/Meterpreter generic protection
Use Metasploit/Meterpreter command execution protection
Allow insecure Java operation in internal IP Ranges

Penetration testing only has one item:

Block penetration testing attacks

I'm attaching the current settings from the five categories. Thanks.

1.png

2.png

3.png

4.png

5.png


So I'm answering my own question. I was kind of hoping someone at Malwarebytes would chime in, but oh well.

I turned off "Malicious return address detection" for "MS Office" in "Advanced memory protection" and now I'm able to leave MBAM Exploit Protection on without my Office 365 applications crashing.

Hope it helps anyone in the same situation.

Tom


  • Root Admin

Sorry for the delay, @tsmith.

Can we please get the logs so that we can review in more detail?

 

To begin, please do the following so that we may take a closer look at your installation for troubleshooting:

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer. Please allow the programs to run if blocked by your system.

  • Download the Malwarebytes Support Tool
  • In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
  • In the User Account Control pop-up window, click Yes to continue the installation
  • Run the MBST Support Tool
  • In the left navigation pane of the Malwarebytes Support Tool, click Advanced
  • In the Advanced Options, click Gather Logs. A status diagram shows that the tool is getting logs from your machine
  • A zip file named mbst-grab-results.zip will be saved to your desktop; please upload that file in your next reply

Thank you

 
