False positive AI.exe (Microsoft Office)


mkelleycprw
Solved by Porthos

This morning, I adjusted the advanced security settings in Malwarebytes to take full advantage of its protection. Unfortunately, this caused it to block a valid file in Microsoft Office. As a result, every time I opened a Word document, it force-closed the file. Here is one of the logs from this behavior:

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 2/22/23
Protection Event Time: 4:15 PM
Log File: b969b2b8-b306-11ed-929a-6c24087e0e58.json

-Software Information-
Version: 4.5.21.231
Components Version: 1.0.1890
Update Package Version: 1.0.66011
License: Premium

-System Information-
OS: Windows 11 (Build 22000.1574)
CPU: x64
File System: NTFS
User: System

-Exploit Details-
File: 0
(No malicious items detected)

Exploit: 1
Exploit.PayloadProcessBlock, C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe 148E169B-F376-445A-8CE7-C5FCC2FE4E89 77A2E1F6-ED05-4414-9532-100D0CECD0EF 13360, Blocked, 0, 392684, 0.0.0, , 

-Exploit Data-
Affected Application: Microsoft Office Word
Protection Layer: Application Behavior Protection
Protection Technique: Exploit payload process blocked
File Name: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe 148E169B-F376-445A-8CE7-C5FCC2FE4E89 77A2E1F6-ED05-4414-9532-100D0CECD0EF 13360
URL: 

(end)

 

I had to set everything back to defaults (for now). Thanks in advance for your help.


  • Solution

I am going to make an assumption: one of the settings you enabled was Penetration testing.

That setting is specific to penetration testing (i.e. not actual threats), so enabling it won't really do anything unless the system is tested using third-party testing tools/test exploits. It is purely for testing purposes to verify that protection is working properly; however, it is not needed for protecting your system from actual malware, which is why it is turned off by default.

I hope that helps to clarify things, and if there is anything else we might help with, please let us know.


18 minutes ago, Porthos said:

I am going to make an assumption: one of the settings you enabled was Penetration testing.

That setting is specific to penetration testing (i.e. not actual threats), so enabling it won't really do anything unless the system is tested using third-party testing tools/test exploits. It is purely for testing purposes to verify that protection is working properly; however, it is not needed for protecting your system from actual malware, which is why it is turned off by default.

I hope that helps to clarify things, and if there is anything else we might help with, please let us know.

Ahhhh. I thought it was to prevent penetration attempts by bad actors. Thanks for explaining!


It is best, for many reasons, to not change any default settings anywhere in the software. The only exception is the following to re-enable Windows security if you are using Win 10 or 11.

Malwarebytes does extensive testing to give you the most protection (defaults) with the least issues and false positives.

image.png.45027bc3845dcaec725e7de1c5a58803.png

Edited by Porthos
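A triage sketch for the log in the first post, added here as an example (not code from Malwarebytes or from the posters): it parses the exported text, separates the blocked child image from its arguments in the File Name field, and records whether that image sits in a directory that normally requires administrator rights to write. The directory list and its use as a false-positive review hint are assumptions, not Malwarebytes logic.

```python
import re
from pathlib import PureWindowsPath

# Sample input: the "-Exploit Data-" section copied from the log in the first post.
SAMPLE_LOG = r"""-Exploit Data-
Affected Application: Microsoft Office Word
Protection Layer: Application Behavior Protection
Protection Technique: Exploit payload process blocked
File Name: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe 148E169B-F376-445A-8CE7-C5FCC2FE4E89 77A2E1F6-ED05-4414-9532-100D0CECD0EF 13360
URL:

(end)
"""

# Assumption: directories a standard user cannot write to on a default install.
ADMIN_ONLY_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")


def parse_sections(text):
    """Split the export into {section: {key: value}} using its '-Name-' headers."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        header = re.fullmatch(r"-(.+)-", line)
        field = re.fullmatch(r"([A-Za-z ]+):\s*(.*)", line)
        if header:
            current = sections.setdefault(header.group(1), {})
        elif field and current is not None:
            current[field.group(1).strip()] = field.group(2).strip()
    return sections


def split_command(file_name):
    """The File Name field holds image path plus arguments; separate them."""
    m = re.match(r"(?i)(.+?\.exe)(?:\s+(.*))?$", file_name)
    return (m.group(1), (m.group(2) or "").split()) if m else (file_name, [])


def triage(text):
    """Summarise one blocked-payload event for false-positive review."""
    data = parse_sections(text).get("Exploit Data", {})
    image, args = split_command(data.get("File Name", ""))
    path = PureWindowsPath(image)
    return {
        "parent_app": data.get("Affected Application"),
        "technique": data.get("Protection Technique"),
        "child_image": path.name,
        "child_dir": str(path.parent),
        "child_args": args,
        # A hint only: confirm the file's signature before excluding anything.
        "child_in_admin_only_dir": str(path).lower().startswith(ADMIN_ONLY_ROOTS),
    }
```

A child image under an admin-only directory, spawned by the application that ships it, is a candidate for a false-positive report; the same technique firing on a child under a user-writable path deserves a closer look.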