MBAM crashes Excel – exploit code executing from heap memory

Topic

New Reply

I think this is a Malwarebytes issue rather than an Excel issue.

Attempting to open an Excel file, one that I created myself not more than a month ago, a simple little spreadsheet, it hasn’t been anywhere off my system, Excel froze and crashed.  MBAM returned this report: “exploit code executing from heap memory”

This feels like some kind of false positive by MBAM.  Can I repair the file to the point where MBAM will not flag it?  I have not posted this on Malwarebytes forum.

MBAM is version 4.4.5.130 (latest version, lifetime licence); Excel is version 2010.

Dell E5570 Latitude, Intel Core i5 6440@2.60 GHz, 8.00 GB - Win 10 Pro

Reply | Quote

Replies

Does it happen with other spreadsheets?
Do you have any macros in the sheet?
Try turning off macros in Excel and then loading the spreadsheet.

cheers, Paul

Reply | Quote

Paul – thanks.

No macros, and they were turned off anyway.

The only expression of any complexity was this, to insert the day-of-the-week from the column to the left.

=IF(D4<>0,TEXT(D4,” ddd”),””)

I think that may be the source of the problem, as Excel crashes when I use this expression in another sheet.  This post may belong in the Excel section rather in security.

Dell E5570 Latitude, Intel Core i5 6440@2.60 GHz, 8.00 GB - Win 10 Pro

Reply | Quote

Time to head to the MBAM forum methinks!
Let us know what you find?

cheers, Paul

Reply | Quote

Certainly, thanks

Dell E5570 Latitude, Intel Core i5 6440@2.60 GHz, 8.00 GB - Win 10 Pro

Reply | Quote

In case what follows contains any useful clues: I have both the latest Malwarebytes: v4.12.9 and Office 2016 in a Mac, and have no problems when opening my existing Excel spreadsheets, both xls and xlsx, whether received from others, or created by me (I just tried.)

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

Reply | Quote

Oscar – thanks.

I’ve posted this on the MBAM forum, and uploaded some grab results from their support tool.  I’ll post back what i hear from them.

Dell E5570 Latitude, Intel Core i5 6440@2.60 GHz, 8.00 GB - Win 10 Pro

1 user thanked author for this post.

OscarCP

Reply | Quote

ScotchJohn wrote:

Oscar – thanks.

I’ve posted this on the MBAM forum, and uploaded some grab results from their support tool.  I’ll post back what i hear from them.

by any chance, did you change the default settings of MalwareBytes Premium 4.4.5.130  [1.0.44430 ,  1.0.1430] ‘anti-heap’ settings?
see picture

* _ ... _ *

Reply | Quote

Fred – thanks.  No, I have not done a thing to any of the MBAM settings.

I have a reply on the MBAM forum that this may follow from the latest update of MBAM and that I should turn off Exploit Protection and try that.

Here goes.

Dell E5570 Latitude, Intel Core i5 6440@2.60 GHz, 8.00 GB - Win 10 Pro

1 user thanked author for this post.

Fred

Reply | Quote

I ought to have mentioned this before: I have the Malwarebytes Free version, that can only be used to do scans on demand and I have antivirus that scans the computer for malware both in real time (most of the time), or on demand (just before I end the day’s last session, or when something happens that prompts me to do so right away). I prefer no to have two antimalware software scanning in real time independently of each other, maybe each with its own firewall, as there can be conflicts between the two with undesirable side effects.

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

Reply | Quote

Oscar – this has not yet been solved.

I’m not going to post all my discussion on the MBAM forum here, but you’ll find that I also post there as ScotchJohn.

Dell E5570 Latitude, Intel Core i5 6440@2.60 GHz, 8.00 GB - Win 10 Pro

1 user thanked author for this post.

OscarCP

Reply | Quote

Have you added the the application to the “Allowed” list? If not, go to settings (the gear icon on the top right) click on the Allow  and add the application that’s at issue.

Peace, CAS

Reply | Quote

> Have you added the the application to the “Allowed” list?

With respect, as the purpose of anti-exploit protection is to, well, protect your system from real malicious exploits, maybe not wise to implement an app-level bypass?

Hmmmm. Yes, problem appears to be MBAM false positive. So maybe just try to modify offending formula to attempt to bypass specific problem?

Just for giggles, ScotchJohn, maybe try testing something like this:

=IF(D4<>0,CHOOSE(WEEKDAY(D4,2),”Mon”,”Tue”,”Wed”,”Thu”,”Fri”,”Sat”,”Sun”),””)

Hope this helps.

Reply | Quote

Hi, me again.

Above formula should end as follows:  …  ,”Sun”),””)

For some reason displayed formula appears truncated when I view page in browser (Firefox ESR), although copying & pasting formula seems to work properly if I drag past end of line, so right-most characters seem to be hidden but still present at end of line.

Hope this helps too.

Reply | Quote

MBAM support seems to think the issue relates to a recent update and how it interacts with Office 2010.  I am still supplying various logs over the MBAM forum, but the problem remains.

I can always uncheck “Exploit Protection” if I need to make Office 2010 function as designed.

I’ll post back when I have a final outcome from MBAM.

Dell E5570 Latitude, Intel Core i5 6440@2.60 GHz, 8.00 GB - Win 10 Pro

2 users thanked author for this post.

OscarCP, Fred

Reply | Quote

MBAM support forum has finished up by suggesting that I disable one of the security settings.

Open Malwarebytes > Settings (gear wheel) > Security > Advanced settings > Advanced memory protection > uncheck Malicious return address detection in the Office 2010 column.

My Office 2010 applications, Excel (where I noticed this first) and Word, now behave as designed.

This is for licenced Malwarebytes; I have no idea whether these options exist to be configured in the free version.

MBAM support has closed the thread.  I believe they are working on this issue for a future update of Malwarebytes.

Dell E5570 Latitude, Intel Core i5 6440@2.60 GHz, 8.00 GB - Win 10 Pro

Reply | Quote

Right on the money. Thank you ScotchJohn, I did exactly as you suggested to do, and the problem is now gone. I was about to reinstall both, my office 2019 and my kutools for excels, thinking that was the problem, thanks God I have just found this site. Thank you again.

Open Malwarebytes > Settings (gear wheel) > Security > Advanced settings > Advanced memory protection > uncheck Malicious return address detection in the Office 2010 column.

Reply | Quote

Hey Y’all,

I also have a Ticket in with MB about a similar issue. I have an Excel file with VBA that calls a PowerShell program. It’s been working for years until the latest MB update. Now it will only work if I turn Exploit Protection off. Not a biggy for one program as I can turn it off run the program then turn it back on and I only run it every 2 weeks. None of my other Excel-VBA programs are affected.

I sent MB the logs and other things their support tool grabs last evening. Awaiting their reply. I’ll post here.

Note: Malwarebytes Premium (Lifetime License) running in tandem with Defender (Primary). Been running it that way for years.

HTH

May the Forces of good computing be with you!

RG

PowerShell & VBA Rule!
Computer Specs

1 user thanked author for this post.

ScotchJohn

Reply | Quote