Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2348
Views
15
Helpful
5
Replies

Secure Endpoint Closing Excel

johnmac
Level 1
Level 1

‎03-16-2022 09:20 AM

Hi all,

 

A user is reporting that every time they try to work on a specific CSV file Secure Endpoint is shutting excel down.

 

In the device trajectory i am getting the below info:

An attack was prevented in Script Control:wbemdisp.dll at base address 0x00007FF7EC730000 inside the EXCEL.EXE process.

 

I think perhaps, the office version needs to be updated? has anyone else seen somthing similar?

 

TIA

 

Labels:
0 Helpful
5 Replies 5

David Janulik
Cisco Employee
Cisco Employee

‎03-17-2022 01:37 AM - edited ‎03-17-2022 01:52 AM

So, You have Exprev Script control with enabled Quarantine - in the policy. This is the reason of shutting down the MS Excel. You might want to check details of the malicious dll, which was prevented from loading with the Excel launch. This could put you on the right track, to find the root cause. You better look up the events:

  • in the Secure Console for details or
  • the Windows event viewer>Applications and Services logs > Cisco Secure Client, filter current log and in the keywords field just insert the 

filter current log and in the keywords field just insert the "Script Control:wbemdisp.dll" or "Script Control"

Cyber security escalation engineer

johnmac
Level 1
Level 1
In response to David Janulik

‎03-31-2022 01:31 AM

Hi @David Janulik, thanks for the response.  The details of the event when i try to open the CSV file myself are below...

 

PID 18388
TimeStamp 1648552388
ProcessName C:\Program Files\Microsoft Office\Office16\EXCEL.EXE
AttackInfo {"afps":"C:\\Program Files\\Microsoft Office\\Office16\\EXCEL.EXE","ams":"Script Control:wbemdisp.dll","at":"2022-03-29 11:13:03","bas":"0x00007FF623E80000","edvs":"4.1.10.65","sfs":["C:\\Users\\johnwmcnamara\\Downloads\\Model 4000 Data Capture WMI 32+64Bit Trial.xls","7ddd900311d2865ff2664a80c079c81302d8f5184cf9d4e0369c94920b98334f"],"sus":[""],"u":"johnwmcnamara@RCSI"}
SuspiciousFiles C:\Users\johnwmcnamara\Downloads\Model 4000 Data Capture WMI 32+64Bit Trial.xls
ParentProcessName C:\Windows\explorer.exe
ParentProcessPID 15756
ScriptControlBadDll wbemdisp.dll
 
I know there was a notice sent out recently regarding false positives with explorer.exe, could this be related to that?
0 Helpful

Troja007
Cisco Employee
Cisco Employee

‎03-24-2022 06:47 AM

Hello @johnmac ,
have you checked the policy and being able so solve the issue?
Greetings, Thorsten

0 Helpful

David Janulik
Cisco Employee
Cisco Employee

‎03-31-2022 01:50 AM

What I can see is a clear message to you from the Event:
wbemdisp.dll (Common Excel DLL) is used-injected by this file, most probably for WMI script
SuspiciousFiles C:\Users\johnwmcnamara\Downloads\Model 4000 Data Capture WMI 32+64Bit Trial.xls

 

You need to investigate this particular file for malicious activity. This is job e.g. for Secure Malware Analytics, or investigate the event in the Secure Console via event - is there any Mitre ATT&CK link? This has nothing to do with explorer.exe, because to open the file you always use Explorer.

Cyber security escalation engineer

johnmac
Level 1
Level 1
In response to David Janulik

‎03-31-2022 05:57 AM

Thanks for your help @David Janulik

0 Helpful
Customers Also Viewed These Support Documents