Greybeard1, posted July 7, 2022, ID:1523807

Malwarebytes is flagging an exploit when attempting to run a macro in LibreOffice. Invoking the menu command Tools > Macro > Run Macro on a newly created blank text document or spreadsheet with only the built-in macros will cause the application to close and the exploit to be flagged. This happens before selection of a macro to run.

This occurs on two separate new installations of LibreOffice 7.3.4, downloaded from https://www.libreoffice.org/download/download/?type=win-x86_64&version=7.3.4&lang=en-GB. The SHA256 string of the downloaded file matches the target.

Macro protection settings in the application do not affect the outcome. Saving a blank file and adding it to the Allow List in Malwarebytes does not prevent the behavior.

I attach a typical log and zipped .odt file - the issue may be in the application itself, which I have not attached but can be downloaded as above.

I have turned off LibreOffice in the Protection Applications list but see that as a temporary workaround.

Thanks.

Attachments: mwb libre.txt, LibreOfficeblank.zip

Porthos, posted July 7, 2022, ID:1523839

3 hours ago, Greybeard1 said:
> Malwarebytes is flagging an exploit

Please open Malwarebytes and go to security and exploit settings and click advanced. Click Restore defaults and then click apply. Chose Malwarebytes and restart the computer for good measure. Then see if it fixes the issue.

Greybeard1 (Author), posted July 7, 2022, ID:1523844

Thanks Porthos. Apologies for posting in the wrong section.

I've done that and tested it (having put LibreOffice back on the Protected list) and it flags an exploit as before. I didn't see any control ticks change when I restored the defaults.

However, I haven't explored that area of Settings previously, and I notice the 3rd tab is "Application behavior protection" and includes a control in the "MS Office" column for "Office Spawning Batch Command Prevention". I turned off that control and that does prevent an exploit being flagged. So it appears that control applies to other Office suites, not just MS Office. I assume it's a narrower exemption than taking protection off LibreOffice completely, which I think is better.

Do you know if that's the way Malwarebytes is intended to work, or should it be possible to respond to the nature of the macro rather than react to it as a Spawning Batch Command? I can see from the log that cmd.exe was called, so I understand that it literally is a spawned batch command.

Porthos, posted July 7, 2022 (Solution), ID:1523846

I was hoping this setting was not on and was causing this. It should be off.

8 minutes ago, Greybeard1 said:
> However, I haven't explored that area of Settings previously, and I notice the 3rd tab is "Application behavior protection" and includes a control in the "MS Office" column for "Office Spawning Batch Command Prevention". I turned off that control and that does prevent an exploit being flagged.

This was my next step.

8 minutes ago, Greybeard1 said:
> Apologies for posting in the wrong section.

You posted in the correct section.

Greybeard1 (Author), posted July 7, 2022, ID:1523856

Thank you. Block Penetration Testing attacks is off. I'll take turning off Spawning Batch Command Prevention as the solution.