topic Re: Secure Endpoint Closing Excel in Endpoint Security

Secure Endpoint Closing Excel

johnmac — Wed, 16 Mar 2022 16:20:50 GMT

Hi all,

A user is reporting that every time they try to work on a specific CSV file Secure Endpoint is shutting excel down.

In the device trajectory i am getting the below info:

An attack was prevented in Script Control:wbemdisp.dll at base address 0x00007FF7EC730000 inside the EXCEL.EXE process.

I think perhaps, the office version needs to be updated? has anyone else seen somthing similar?

TIA

Re: Secure Endpoint Closing Excel

David Janulik — Thu, 17 Mar 2022 08:52:06 GMT

So, You have Exprev Script control with enabled Quarantine - in the policy. This is the reason of shutting down the MS Excel. You might want to check details of the malicious dll, which was prevented from loading with the Excel launch. This could put you on the right track, to find the root cause. You better look up the events:

in the Secure Console for details or
the Windows event viewer>Applications and Services logs > Cisco Secure Client, filter current log and in the keywords field just insert the

filter current log and in the keywords field just insert the "Script Control:wbemdisp.dll" or "Script Control"

Re: Secure Endpoint Closing Excel

Troja007 — Thu, 24 Mar 2022 13:47:26 GMT

Hello @johnmac ,
have you checked the policy and being able so solve the issue?
Greetings, Thorsten

Re: Secure Endpoint Closing Excel

johnmac — Thu, 31 Mar 2022 08:31:48 GMT

Hi @David Janulik, thanks for the response. The details of the event when i try to open the CSV file myself are below...

PID 18388
TimeStamp 1648552388
ProcessName C:\Program Files\Microsoft Office\Office16\EXCEL.EXE
AttackInfo {"afps":"C:\\Program Files\\Microsoft Office\\Office16\\EXCEL.EXE","ams":"Script Control:wbemdisp.dll","at":"2022-03-29 11:13:03","bas":"0x00007FF623E80000","edvs":"4.1.10.65","sfs":["C:\\Users\\johnwmcnamara\\Downloads\\Model 4000 Data Capture WMI 32+64Bit Trial.xls","7ddd900311d2865ff2664a80c079c81302d8f5184cf9d4e0369c94920b98334f"],"sus":[""],"u":"johnwmcnamara@RCSI"}
SuspiciousFiles C:\Users\johnwmcnamara\Downloads\Model 4000 Data Capture WMI 32+64Bit Trial.xls
ParentProcessName C:\Windows\explorer.exe
ParentProcessPID 15756
ScriptControlBadDll wbemdisp.dll

I know there was a notice sent out recently regarding false positives with explorer.exe, could this be related to that?

Re: Secure Endpoint Closing Excel

David Janulik — Thu, 31 Mar 2022 08:50:58 GMT

What I can see is a clear message to you from the Event:
wbemdisp.dll (Common Excel DLL) is used-injected by this file, most probably for WMI script
SuspiciousFiles C:\Users\johnwmcnamara\Downloads\Model 4000 Data Capture WMI 32+64Bit Trial.xls

You need to investigate this particular file for malicious activity. This is job e.g. for Secure Malware Analytics, or investigate the event in the Secure Console via event - is there any Mitre ATT&CK link? This has nothing to do with explorer.exe, because to open the file you always use Explorer.

Re: Secure Endpoint Closing Excel

johnmac — Thu, 31 Mar 2022 12:57:33 GMT

Thanks for your help @David Janulik