Excel macro 4.0 abuse protection prevents opening password protected files

[Adam2022]

Hi,

I've got Malwarebytes Premium Trial 4.5.9 installed for 11 days and 3 days remaining before I have to purchase it to continue using the full version.  So far, I am happy with the way it's been protecting my system with one caveat.  The program is preventing me from opening any password protected Microsoft Excel files with the xlsx extension.  The scary part of this is that I initially had no idea that it was Malwarebytes causing the problem.  There was no warning or notification from Malwarebytes nor anything in the quarantine or detection history.  Instead, Excel just tells me the files are corrupted and are unable to be repaired, causing panic because they contain important information and backed up versions exhibit the same behavior.  Since Malwarebytes is the only program I've installed on my computer recently, I tried disabling it and opening the files and voila they opened without any problem.  Of course, I don't want to be using my system without any protection, so I started troubleshooting.   

I was able to narrow it down to the specific setting of excel macro 4.0 abuse protection in the behavior section of exploit protection advanced settings.   I am using Windows 10 version 10.0.19044 and Excel 2010 version 14.0.7268.5000 by the way and the problem only happens when trying to open a password protected excel file saved in the default Excel 2010 format with the extension xlsx.  It does not happen with files saved in legacy excel format with xls extension.  

I can reproduce the problem by simply creating a brand new excel file with and then saving it with password protection. If I try to open the file while the macro 4.0 abuse protection is enabled, Excel tells me that the file is corrupted and cannot be repaired.   It doesn't even ask me for the password. The first 2 attachments show what is happening in this scenario.  It is scary AF to get those messages let me tell you.   If I turn off the macro 4.0 abuse protection, Excel asks me for the password and opens the file without complaint.  If I create a file without password protection, it opens fine even with macro abuse protection enabled.  It's only password protected files that are affected by this problem.  

If I rename the file extension of an Excel 2010 file to .xls, Excel allows me to enter the password and open the file after complaining that the extension is wrong and prompting me if I trust the source.  The third attachment shows the prompt from Excel in this scenario. 

If I create a new excel file and save it in an old excel 93-97 format with password protection, I am able to open it with the macro protection enabled in Malwarebytes no problem, but obviously I don't want to save all my files in a legacy format. 

Ideally I would prefer to have the macro abuse protection enabled in case there really is malicious code in an excel file that I am opening.  However, just having password protection is not malicious code.   Can you fix it?

[Malwarebytes]

***This is an automated reply***

Hi,

Thanks for posting in the Malwarebytes for Windows Help forum.

If you are having technical issues with our Windows product, please do the following:

Malwarebytes Support Tool - Advanced Options

This feature is designed for the following reasons:

• For use when you are on the forums and need to provide logs for assistance
• For use when you don't need or want to create a ticket with Malwarebytes
• For use when you want to perform local troubleshooting on your own

How to use the Advanced Options:

Spoiler

1. Download Malwarebytes Support Tool
2. Double-click mb-support-X.X.X.XXXX.exe to run the program
   • You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
3. Place a checkmark next to Accept License Agreement and click Next
4. Navigate to the Advanced tab
5. The Advanced menu page contains four categories:
   • Gather Logs: Collects troubleshooting information from the computer. As part of this process, Farbar Recovery Scan Tool (FRST) is run to perform a complete diagnosis. The information is saved to a file on the Desktop named mbst-grab-results.zip and can be added as an email attachment or uploaded to a forum post to assist with troubleshooting the issue at hand.
   • Clean: Performs an automated uninstallation of all Malwarebytes products installed to the computer and prompts to install the latest version of Malwarebytes for Windows afterwards. The Premium license key is backed up and reinstated. All user configurations and other data are removed. This process requires a reboot.
   •  Repair System: Includes various system-related repairs in case a Windows service is not functioning correctly that Malwarebytes for Windows is dependent on. It is not recommended to use any Repair System options unless instructed by a Malwarebytes Support agent.
   • Anonymously help the community by providing usage and threat statistics: Unchecking this option will prevent Malwarebytes Support Tool from sending anonymous telemetry data on usage of the program.
6. To provide logs for review click the Gather Logs button
7. Upon completion, click OK
8. A file named mbst-grab-results.zip will be saved to your Desktop
9. Please attach the file in your next reply.
10. To uninstall all Malwarebytes Products, click the Clean button.
11. Click the Yes button to proceed. 
12. Save all your work and click OK when you are ready to reboot.
13. After the reboot, you will have the option to re-install the latest version of Malwarebytes for Windows.
14. Select Yes to install Malwarebytes.
15. Malwarebytes for Windows will open once the installation completes successfully.

Screenshots:

Spoiler

 

 

 

 

Spoiler

 

 

 

 

If you are having licensing issues, please do the following: 

Spoiler

For any of these issues:

• Renewals
• Refunds (including double billing)
• Cancellations
• Update Billing Info
• Multiple Transactions
• Consumer Purchases
• Transaction Receipt

Please contact our support team at https://support.malwarebytes.com/hc/en-us/requests/new to get help

If you need help looking up your license details, please head here: Find my premium license key

 

 

Thanks in advance for your patience.

-The Malwarebytes Forum Team

[Firefox]

Hello and Welcome @Adam2022

Sorry the program is not working for you correctly. Have you made any changes to the default settings?

Please restore defaults in the advanced section of exploit protections and click apply. Restart the computer.

If the above does not work, please do the following so that we may take a closer look at your installation for troubleshooting:

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

• Download the Malwarebytes Support Tool
• In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
• In the User Account Control pop-up window, click Yes to continue the installation
• Run the MBST Support Tool
• In the left navigation pane of the Malwarebytes Support Tool, click Advanced
• In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine
• A zip file named mbst-grab-results.zip will be saved to your desktop, please upload that file on your next reply

Thank you

Edited June 10, 2022 by Firefox

[Adam2022]

I've restored the default settings, but by default that setting is enabled, and the problem persists. The only way I can open password protected Excel files is by disabling excel macro 4.0 abuse protection.  It should also be worth noting that adding the password protected excel files into the "allow list" does not rectify the behavior either.

 

I've run the support tool and attached the log here.

mbst-grab-results.zip

[AdvancedSetup]

Please see the following

https://techcommunity.microsoft.com/t5/excel-blog/excel-4-0-xlm-macros-now-restricted-by-default-for-customer/ba-p/3057905

https://blog.malwarebytes.com/reports/2021/10/at-long-last-microsoft-is-disabling-excel-4-0-macros-by-default/

 

 

 

[Adam2022]

I did take a look at those posts.  I understand macros can be dangerous and should not be allowed to run without asking the user for permission.  My Excel has macros disabled in the trust center (see attached), and the files do not need to have macros in them in order for Malwarebytes to block them from opening.  They just have to be password protected. 

An important observation is that Malwarebytes will allow me to open a password protected Excel file that is saved as a legacy Excel 93-97 compatible file.  It will just not allow me to open one saved in the native Excel 2010 format.

 

If Malwarebytes is believing there is a macro in a file, why wouldn't it notify the end user instead of holding the file hostage in memory while Excel is trying to open it, causing Excel to incorrectly believe it is a corrupted file that cannot be repaired?  Again, the file cannot even be added to the allow/exception list.  This seems to be a problem within the macro abuse protection code of Malwarebytes.

[Adam2022]

Even with macros disabled in Excel this problem is not happening because of macros. It's happening because the worksheet is password protected and for no other reason. So there is a flaw in the macro abuse protection code in Malwarebytes. Can you check?

[AdvancedSetup]

Please open Malwarebytes, go to Settings, General and enable the Event log data

Then restart the computer. Then test with Excel again and try to reproduce the issue. Then run the MBST tool again and gather new logs.

Make sure you go back and turn off the Event log data option when done.

Thank you

 

[Adam2022]

Here you go. 

mbst-grab-results.zip

[AdvancedSetup]

Are you sure there was a block from Malwarebytes? I don't see a block in the logs from the Anti Exploit module.

Let me have you do the following clean removal and reinstall and let me know if you're still having an issue.

 

Can you please do the following?

• Download the Malwarebytes Support Tool
• In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
• In the User Account Control pop-up window, click Yes to continue the installation
• Run the MBST Support Tool
• In the left navigation pane of the Malwarebytes Support Tool, click Advanced
• In the Advanced Options, click the CLEAN button and follow the onscreen instructions to reinstall Malwarebytes
• NOTE: Please have patience as it can take a while to remove and reinstall. The computer will restart to complete

 

NOTE: You can ignore and close out the installer for Malwarebytes Privacy. There is also a known issue where it may say the install was canceled, you can ignore that too.

 

 

[Adam2022]

I did the clean removal and install and there is no change.  As long as macro 4.0 abuse prevention is enabled, I cannot open any password protected Excel *.xlsx file, even if it is a brand new file I just created.  There can't possibly be macros in a brand new Excel file.  Once password encryption is enabled in the Excel file, it will not open while that setting is enabled.   Excel complains about the file being corrupted and claims it is not repairable.  As soon as I turn off macro 4.0 abuse prevention, the file opens normally and asks for the password.  The problem can reproduced over and over 100% without fail.    If the file is saved as a legacy Excel 97-2003 Workbok (*.xls), the problem does not occur. 

 

 

[AdvancedSetup]

Yes, you will need to uncheck the Excel macro 4.0 abuse prevention setting. That should allow you to open the file without an issue.

 

[Remko]

Same problem here, after the latest update from Malwarebytes i am unable to use my password protected excel files!
Only  unchecking the Excel macro 4.0 abuse prevention setting solves this problem!

[Remko]

To be clear, this problem started after Malwarebytes updated to version:  4.5.9.198 - 1.0.1699
Before that never had an issue.

[AdvancedSetup]

I understand. The issue has been reported. It may take days for a fix or weeks or months. There is no guarantee how long it will take for the Dev team to address this, that's why I say the exclusion is your best option at this time.

 

[Remko]

Ok, thank you!
Is it possible to give an update when this is fixed?

[AdvancedSetup]

When the fix makes it to beta it should be listed here
https://forums.malwarebytes.com/forum/251-malwarebytes-4x-beta/

When the fix makes it to release it should be listed here
https://forums.malwarebytes.com/topic/281762-malwarebytes-45/

 

[WogerB]

I have exactly the same problem. Password protected xlsx files, with no marcos, will not open unless I disable 'Excel macro 4.0 abuse prevention. Malwarebytes Premium, Version 4.5.9.198, Update package version 1.0.56051, Component package version 1.0.1699. As per Remko post, this problem started after Malwarebytes updated to version:  4.5.9.198 - 1.0.1699.

Edited June 11, 2022 by AdvancedSetup
Corrected font issue

[AdvancedSetup]

Please see the above answers @WogerB

Thank you

 

[Adam2022]

Thank you for acknowledging that this is a problem within Malwarebytes. I will leave macro abuse prevention disabled.  To be honest, I'm not really worried about it on my own computer because I have macros disabled within the Excel program itself.  But it is probably something that should be hot fixed quickly so that people don't start panicking and believing that their files are truly corrupted and unrecoverable.  

[lmacri]

Hi Adam2022:

Thanks for posting about this.  I just discovered the same problem today where I was unable to open a password-protected Excel .XLSX spreadsheet after updating yesterday to Malwarebytes v4.5.9.198-1.0.1699.

It's probably not a coincidence that one of my other Excel .XLSX files that is not password protected would only open in read-only mode this morning.  I solved that particular problem by opening in read-only mode and then saving under a new file name.  If this happens again I'll try to remember to grab a screenshot of the warning message.

Just out of curiosity, do you use Microsoft Defender as your primary antivirus, and if so have you made and recent changes to your Attack Surface Reduction (ASR) settings to mitigate the recently discovered "Follina" zero-day vulnerability (CVE-2022-30190)? I recently added the “Block Office application from creating child processes” rule to the Microsoft Defender ASR settings using the Group Policy Editor (gpedit.msc) in my Win 10 Pro OS (see my 03-Jun-2022 post # 2450624 in Susan Bradley's Zero Day in Office – But Don’t Panic in the AskWoody forum) and I'm now wondering if this has somehow exacerbated my problems with  Malwarebytes v4.5.9.198-1.0.1699's Exploit Protection (specifically, the Application Behavior Protection | Excel Macro 4.0 Abuse Prevention) that goes beyond being unable to open my password-protected Excel files.
--------------
64-bit Win 10 Pro v21H2 build 19044.1706 * Firefox v101.0.1 * Microsoft Defender v4.18.2203.5-1.1.19200.5 * Malwarebytes Premium v4.5.9.198-1.0.1699 * Macrium Reflect Free v8.0.6758 * Dell SupportAssist v3.10.4.18 * Inspiron 5583/5584 BIOS v1.18.0
Dell Inspiron 15 5584, Intel i5-8265U CPU, 8 GB RAM, 256 GB Toshiba KBG40ZNS256G NVMe SSD, Intel UHD Graphics 620

Edited June 11, 2022 by lmacri

[Adam2022]

I do use Microsoft Defender but I have not made any changes to ASR settings. My computer is on a home network and I don't typically open documents from unknown sources so I'm not too worried about that vulnerability for myself.  Wouldn't Bottomup ASLR enforcement for Office in Malwarebytes catch it?   The funny thing is that when I used process monitor to see if I could narrow down what is locking the file and preventing Excel from opening it, it seemed like it was Microsoft Defender and not Malwarebytes. So it is very possible that the macro prevention within Malwarebytes is somehow causing Microsoft Defender to lock the Excel file.  

[Adam2022]

I should add that the problem persists even if I turn off Microsoft Defender real time protection.  Process monitor still shows Microsoft Anti-Malware (smartscreen.exe) accessing the Excel file.  It doesn't ever show any Malwarebytes processes accessing the Excel file, whether enabled or disabled. 

[lmacri]

5 hours ago, lmacri said:

....Just out of curiosity, do you use Microsoft Defender as your primary antivirus, and if so have you made and recent changes to your Attack Surface Reduction (ASR) settings to mitigate the recently discovered "Follina" zero-day vulnerability (CVE-2022-30190)? I recently added the “Block Office application from creating child processes” rule to the Microsoft Defender ASR settings using the Group Policy Editor...

5 hours ago, Adam2022 said:

I do use Microsoft Defender but I have not made any changes to ASR settings. My computer is on a home network and I don't typically open documents from unknown sources so I'm not too worried about that vulnerability for myself.  Wouldn't Bottomup ASLR enforcement for Office in Malwarebytes catch it?...

Hi Adam2022:

I honestly have no idea how Application Hardening | BottomUp ASLR Enforcement or any of the other Advanced Exploit Protection settings work in Malwarebytes Premium, so hopefully someone from Malwarebytes will be able to provide some insight. 

The last time I had an issue opening my MS Office 2019 files it was caused by the Application Behavior Protection | Office WMI Abuse Prevention technique of Malwarebytes' Exploit Protection.  In that case the exploit block was actually logged as a Malware.Exploit.Agent.Generic detection in my Malwarebytes v4.4.6 detection history so it was easy to trace the exact exploit protection technique causing the problem.  See my 16-Sep-2021 thread MS Word 2019 - Exploit Office WMI Abuse Blocked (cmd.exe) that was posted in the Malwarebytes for Home Support | Exploit | False Positives board that included a sample detection log identifying "Protection Technique: Exploit Office WMI Abuse Blocked" as the cause of the exploit block.
--------------
64-bit Win 10 Pro v21H2 build 19044.1706 * Firefox v101.0.1 * Microsoft Defender v4.18.2203.5-1.1.19200.5 * Malwarebytes Premium v4.5.9.198-1.0.1699 * Macrium Reflect Free v8.0.6758 * Dell SupportAssist v3.10.4.18 * Inspiron 5583/5584 BIOS v1.18.0
Dell Inspiron 15 5584, Intel i5-8265U CPU, 8 GB RAM, 256 GB Toshiba KBG40ZNS256G NVMe SSD, Intel UHD Graphics 620

[Adam2022]

I will say though that if the customer service I received on this issue is any indication of what it will be like as a paying user, I'm not likely to buy it.

 

I initially called on the phone to report this problem and the support person I spoke to refused to help me unless I allowed him to remote into my computer, which I did not, and insisted there was no other way to help me.  That turned out to be wrong.  

 

At least the forum support had me run the support tool to gather information.  But after reporting the exact setting which is causing the issue and even providing step by step instructions on how to reproduce it, I feel like the replies were dismissive.    

 

It seemed like we were going to be talking in circles until other folks popped in to report they were having the same issue.  Now it's acknowledged but "It may take days for a fix or weeks or months".  How about a quick Hot Fix that disables that feature in the interim before more people freak out after being told their files are gone forever?