Legitimate Excel Macro identified as exploit and can't bypass /w allow list


Ippster32

Hello, I have an Excel sheet that runs an important business process which uses a Microsoft VBA macro to access Outlook.

As soon as this line runs:

 Dim OutApp As Outlook.Application

Malwarebytes identifies it as an exploit and terminates Excel. Below is the log.  

I tried using the "allow list" and "exclude from all detections" (on both the file and folder). But Malwarebytes keeps identifying it as an exploit and terminating it.

The only way to stop it is to turn off the exploit detection (which, of course, isn't a good idea).

How do I get by this to be able to run the Excel sheet?

Thanks.

-------------------

 

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 8/3/22
Protection Event Time: 5:11 PM
Log File: c7a5875c-1370-11ed-bef8-60a5e21bee2c.json

-Software Information-
Version: 4.5.12.204
Components Version: 1.0.1725
Update Package Version: 1.0.58137
License: Premium

-System Information-
OS: Windows 11 (Build 22000.795)
CPU: x64
File System: NTFS
User: System

-Exploit Details-
File: 0
(No malicious items detected)

Exploit: 1
Malware.Exploit.Agent.Generic, C:\Users\ianip\OneDrive\Documents\Outlook.Application, Blocked, 0, 392684, 0.0.0, , 

-Exploit Data-
Affected Application: Microsoft Office Excel
Protection Layer: Application Behavior Protection
Protection Technique: Exploit Office VBE7 object abuse blocked
File Name: C:\Users\ianip\OneDrive\Documents\Outlook.Application
URL: 

(end)


1 hour ago, Ippster32 said:

How do I get by this to be able to run the Excel sheet?

Please open Malwarebytes and go to security and exploit settings and click advanced.

Click Restore defaults and then click apply. Close Malwarebytes and restart the computer for good measure.

Then see if it fixes the issue.


Thanks for the responses. 

Porthos, I tried that and it still exhibited the same problem.

Arthi, that didn't quite work but it was very helpful because it led me to the right path (and thanks). I had to disable "office scripting abuse protection" to allow it to work. At least this is a much better workaround than disabling the entire Malwarebytes. Is there any way to be more granular with this, or is that as good as it gets at this time? Thanks again.


  • Staff

We introduced these settings so customers can turn them off as appropriate if they are executing a legit action which we flag as exploit-like (based on our research into the threat landscape), instead of having to turn off the protection completely. Unfortunately this is as granular as we can get.

Thanks.


4 hours ago, Arthi said:

We introduced these settings so customers can turn them off as appropriate if they are executing a legit action which we flag as exploit-like (based on our research into the threat landscape), instead of having to turn off the protection completely. Unfortunately this is as granular as we can get.

Thanks.

I understand. No problem and thanks Arthi for the help.
