Legitimate Excel Macro identified as exploit and can't bypass /w allow list

[Ippster32]

Hello, I have an Excel sheet that runs an important business process which uses a Microsoft VBA macro to access Outlook.

As soon as this line runs:

 Dim OutApp As Outlook.Application

Malwarebytes identifies it as an exploit and terminates Excel. Below is the log.  

I tried using the "allow list" and "exclude from all detections"(on both the file and folder). But Malware bytes keeps identifying it as an exploit and terminating it.

The only way to stop it is to turn off the exploit detection (which, of course, isn't a good idea).

How do I get by this to be able to run the Excel sheet?

Thanks.

-------------------

 

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 8/3/22
Protection Event Time: 5:11 PM
Log File: c7a5875c-1370-11ed-bef8-60a5e21bee2c.json

-Software Information-
Version: 4.5.12.204
Components Version: 1.0.1725
Update Package Version: 1.0.58137
License: Premium

-System Information-
OS: Windows 11 (Build 22000.795)
CPU: x64
File System: NTFS
User: System

-Exploit Details-
File: 0
(No malicious items detected)

Exploit: 1
Malware.Exploit.Agent.Generic, C:\Users\ianip\OneDrive\Documents\Outlook.Application, Blocked, 0, 392684, 0.0.0, , 

-Exploit Data-
Affected Application: Microsoft Office Excel
Protection Layer: Application Behavior Protection
Protection Technique: Exploit Office VBE7 object abuse blocked
File Name: C:\Users\ianip\OneDrive\Documents\Outlook.Application
URL: 

(end)

[Porthos]

1 hour ago, Ippster32 said:

How do I get by this to be able to run the Excel sheet?

Please open Malwarebytes and go to security and exploit settings and click advanced.

Click Restore defaults and then click apply. Chose Malwarebytes and restart the computer for good measure.

Then see if it fixes the issue.

 

[Arthi]

Hi Ippster32, 

Please turn off this setting "Office VBE7 object abuse protection" under Advanced exploit settings->Application behavior protection tab

Thanks.

[Ippster32]

Thanks for the responses. 

Porthos, I tried that and it still exhibited same problem.

Arthi, that didn't quite work but it was very helpful because it led me to the right path (and thanks). I had to disable "office scripting abuse protection" to allow it to work. At least this is a much better workaround than disabling the entire Malware bytes.  Is there any way to be more granular with this, or is that as good as it gets at this time? Thanks again.

[Arthi]

We introduced these settings so customers can turn them off as appropriate if they are executing a legit action which we flag as exploit-like (based on our research into the threat landscape), instead of having to turn off the protection completely. Unfortunately this is as granular as we can get.

Thanks.

[Ippster32]

4 hours ago, Arthi said:

We introduced these settings so customers can turn them off as appropriate if they are executing a legit action which we flag as exploit-like (based on our research into the threat landscape), instead of having to turn off the protection completely. Unfortunately this is as granular as we can get.

Thanks.

I understand. No problem and thanks Arthi for the help.

[DanFlak]

I have this same issue. I used to get an error message and I now have the Application Hardening settings exactly like the ones set above. Now when I try to mail I no longer get an error message. Excel just closes silently. When I open up Excel again it offers to open the previously crashed version in the left window. The only way I can get this to work is to remove Excel entirely from the protection. Is this a safe thing to do?

[Porthos]

7 minutes ago, DanFlak said:

I have this same issue.

Please create your own topic even if your issue is the same or similar to other posted topics.