Jump to content

False Positive for LibreOffice_7.5.3_Win_x86-64.msi ?

ChantelleCameronFan
 Share
Go to solution Solved by Porthos,

Recommended Posts

ChantelleCameronFan

ChantelleCameronFan

Posted
Posted

Hi, people. I downloaded days ago the file LibreOffice_7.5.3_Win_x86-64.msi and I have problems as follows:
If I open it fresh, i.e. without opening any other created document, it opens OK.

But if I open an old file then Malwarebytes says the following: "Exploit payload process blocked". 

And that happens opening any file created by Libreoffice, Draw, etc. Weird and the first time I see this.

I tried to upload the LibreOffice_7.5.3_Win_x86-64.msi but its size does not allow me to do so.

I don't know how to check the sum but it is false positive or not?

 

 

 

 

 

opening also with Base.jpg

with Libreoffice.jpg

Exploit payload process (Libre Office file created, later downloaded by me) blocked .jpg

Link to post
Share on other sites
Porthos

Porthos

Posted
Posted

Please provide the log for the detection.

You can find Scan and Protection logs within the Malwarebytes 4 program in the following location

 

image.png

 

RTP stands for Real-Time Protection and is where automatic protection operations would normally be logged

 

image.png

 

If you click on the View option you should get something similar to the following with other options available.

 

image.png

 

 

 

Thank you

Link to post
Share on other sites
ChantelleCameronFan

ChantelleCameronFan

Posted
  • Author
Posted
7 minutes ago, Porthos said:

Please provide the log for the detection.

You can find Scan and Protection logs within the Malwarebytes 4 program in the following location

 

image.png

 

RTP stands for Real-Time Protection and is where automatic protection operations would normally be logged

 

image.png

 

If you click on the View option you should get something similar to the following with other options available.

 

image.png

 

 

 

Thank you

Ok, thank you for the info.

I am attaching the screenshots below.

Let me know your opinion

 

 

 

 

 

 

1- malwarebytes + Exploit payload process.jpg

2- malwarebytes + Exploit payload process.jpg

Link to post
Share on other sites
ChantelleCameronFan

ChantelleCameronFan

Posted
  • Author
Posted

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 5/25/23
Protection Event Time: 5:12 AM
Log File: 4ce53cb6-fadc-11ed-99f2-8019346d28e1.json

-Software Information-
Version: 4.5.29.268
Components Version: 1.0.2022
Update Package Version: 1.0.69969
License: Premium

-System Information-
OS: Windows 10 (Build 19045.3031)
CPU: x64
File System: NTFS
User: System

-Exploit Details-
File: 0
(No malicious items detected)

Exploit: 1
Exploit.PayloadProcessBlock, C:\Program Files\LibreOffice\program\gpgme-w32spawn.exe C:\Program Files\LibreOffice\program\gpgme-w32spawn.exe C:\Users\pc\AppData\Local\Temp\gpgme-VCxuUM C:\Program Files (x86)\GnuPG\bin\gpgconf.exe --list-dirs, Blocked, 0, 392684, 0.0.0, , 

-Exploit Data-
Affected Application: LibreOffice
Protection Layer: Application Behavior Protection
Protection Technique: Exploit payload process blocked
File Name: C:\Program Files\LibreOffice\program\gpgme-w32spawn.exe C:\Program Files\LibreOffice\program\gpgme-w32spawn.exe C:\Users\pc\AppData\Local\Temp\gpgme-VCxuUM C:\Program Files (x86)\GnuPG\bin\gpgconf.exe --list-dirs
URL: 

(end)

Link to post
Share on other sites
  • Staff
Arthi

Arthi

Posted
  • Staff
Posted

Hi ChantelleCameronFan,

Thanks for reaching out. I will need a couple of log files to analyze this further. 

1. Please enable “Event Log Data” under MB4->Settings->General tab

2. Reproduce the block
3. Grab logs-
Please get the following two files

  • C:\ProgramData\Malwarebytes\MBAMService\logs\mbae-default.log
  • C:\ProgramData\Malwarebytes\MBAMService\logs\MBAMSERVICE.log

Thank you.

Link to post
Share on other sites
ChantelleCameronFan

ChantelleCameronFan

Posted
  • Author
Posted
3 hours ago, Arthi said:

Hi ChantelleCameronFan,

Thanks for reaching out. I will need a couple of log files to analyze this further. 

1. Please enable “Event Log Data” under MB4->Settings->General tab

I did.

image.png.82e7d2a651316c8df8ea09f9134bb768.png

 

 

3 hours ago, Arthi said:

2. Reproduce the block
3. Grab logs-

and How I do this?

 

 


Please get the following two files

  • C:\ProgramData\Malwarebytes\MBAMService\logs\mbae-default.log
  • C:\ProgramData\Malwarebytes\MBAMService\logs\MBAMSERVICE.log

Thank you.

 

Link to post
Share on other sites
Porthos

Porthos

Posted
Posted

Also to get logs you can do the following.

Please do the following so that we may take a closer look at your installation for troubleshooting:

NOTE: The tools and the information obtained is safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

 

  • Download the Malwarebytes Support Tool
  • In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
  • In the User Account Control pop-up window, click Yes to continue the installation
  • Run the MBST Support Tool
  • In the left navigation pane of the Malwarebytes Support Tool, click Advanced
  • In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine
  • A zip file named mbst-grab-results.zip will be saved to your desktop, please upload that file on your next reply

Thanks

Link to post
Share on other sites
ChantelleCameronFan

ChantelleCameronFan

Posted
  • Author
Posted
3 hours ago, Arthi said:


Please get the following two files

  • C:\ProgramData\Malwarebytes\MBAMService\logs\mbae-default.log
  • C:\ProgramData\Malwarebytes\MBAMService\logs\MBAMSERVICE.log

Okay, I have logged into the PC, not into the Malwarebytes application:

Thank you Arthi. Here are them as attachments :

 

mbae-default.log MBAMSERVICE.LOG

  • Like 1
Link to post
Share on other sites
ChantelleCameronFan

ChantelleCameronFan

Posted
  • Author
Posted
13 hours ago, Arthi said:

Hi,

Your upload was successful. I am able to see the logs.

However, I don't think the block was reproduced the issue after debug log was turned on as I do not see them in the latest log files.

Can you please reproduce the block and then grab the logs, please. Thanks.

Hi Arthi

re-producing the logs using directly Libreoffice and opening files already created or doc files I just created. Every time I open them the same thing happens: the libreoffice application disappears and the Malwarebytes window appears with the same description: "Exploit payload process blocked". Note: if I open Libreoffice again and write something and save it nothing happens; the problem is when I open again the same document (or another already created) and then Malwarebytes closes it with the same payload exploit warning. 

What I have noticed very strange is (even though the doc was already closed, I can visually see ODT# File (.odt#) with 0 bytes present in the folder where I created/opened the original doc, why?

Screenshots are coming in before I send you back everything you and Portos asked for.

Please wait for the files you need..

 

 

1.jpg

2.jpg

5.jpg

6.jpg

Screenshot of ODT# File (.odt#).jpg

test 3.jpg

Link to post
Share on other sites
ChantelleCameronFan

ChantelleCameronFan

Posted
  • Author
Posted

Thanks to AdvancedSetup for removing block.

--------------------------------

 

Again uploading the 3 files for Arthi and Portos:

1- C:\ProgramData\Malwarebytes\MBAMService\logs\mbae-default.log

2- C:\ProgramData\Malwarebytes\MBAMService\logs\MBAMSERVICE.log

3- "mbst-grab-results.zip"

LibreOffice continues with the problem in Writer, etc

 

mbst-grab-results.zip MBAMSERVICE.LOG mbae-default.log

Link to post
Share on other sites
ChantelleCameronFan

ChantelleCameronFan

Posted
  • Author
Posted
8 hours ago, Arthi said:

Hi,

Can you turn off "Penetration Testing" toggle. You should find it in the Advanced settings.

Click on Advanced settings->Turn off Penetration testing toggle and restart Libreoffice.

Please let us know if that resolved the issue. Thanks.

image.png.1ee52d8cdcba43634b87124365f1793f.png

Hi Arthi:

I did, but I point out that for months and months (with the toggle on for not allowing penetration testing attacks) Libreoffice and every other program on my PC were running at 100% perfection. 

The problem only started a week ago when I downloaded the latest version of Libreoffice "LibreOffice_7.5.3_Win_x86-64.msi".

Ok, I removed the toggle on and now it is off. 
Now it opens all docs in (libreoffice) .

My question is, what will happen now if at some point someone comes with a genuine 'penetration testing' attempt on my PC? For months and months I am a target of such action and I can explain it to you in a PM here. How can I defend myself from them now?

Thanks for your help, Arthi and Porthos.

Link to post
Share on other sites
  • Solution
Porthos

Porthos

Posted
  • Solution
Posted (edited)
4 hours ago, ChantelleCameronFan said:

My question is, what will happen now if at some point someone comes with a genuine 'penetration testing' attempt on my PC? For months and months I am a target of such action and I can explain it to you in a PM here. How can I defend myself from them now?

That setting is specific to penetration testing (i.e. not actual threats) so enabling won't really do anything unless the system is tested using third-party testing tools/test exploits.  It is purely for testing purposes to verify that protection is working properly, however, it is not needed for protecting your system from actual malware which is why it is turned off by default. 

There is also a warning there to not change those settings.

image.png.0a124c5da919e2401826322306f82b75.png

I hope that helps to clarify things and if there is anything else we might help with please let us know.

Edited by Porthos
Link to post
Share on other sites
ChantelleCameronFan

ChantelleCameronFan

Posted
  • Author
Posted
6 hours ago, Porthos said:

That setting is specific to penetration testing (i.e. not actual threats) so enabling won't really do anything unless the system is tested using third-party testing tools/test exploits.  It is purely for testing purposes to verify that protection is working properly, however, it is not needed for protecting your system from actual malware which is why it is turned off by default. 

There is also a warning there to not change those settings.

image.png.0a124c5da919e2401826322306f82b75.png

I hope that helps to clarify things and if there is anything else we might help with please let us know.

Hi, Porthos

You and Arthi (both) has solved this situation. 

I thank you both for the help.

I will follow your suggestions too.

Thank you 

Link to post
Share on other sites
ChantelleCameronFan

ChantelleCameronFan

Posted
  • Author
Posted
19 hours ago, Arthi said:

Hi,

Can you turn off "Penetration Testing" toggle. You should find it in the Advanced settings.

Click on Advanced settings->Turn off Penetration testing toggle and restart Libreoffice.

Please let us know if that resolved the issue. Thanks.

image.png.1ee52d8cdcba43634b87124365f1793f.png

Thank you Arthi for all your awesome help.

You and Phortos solved this,

 

  • Like 1
  • Thanks 1
Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.

  I accept