03-16-2022 09:20 AM
Hi all,
A user is reporting that every time they try to work on a specific CSV file, Secure Endpoint shuts Excel down.
In the Device Trajectory I am getting the info below:
An attack was prevented in Script Control:wbemdisp.dll at base address 0x00007FF7EC730000 inside the EXCEL.EXE process.
I think perhaps the Office version needs to be updated? Has anyone else seen something similar?
TIA
03-17-2022 01:37 AM - edited 03-17-2022 01:52 AM
So, you have Exprev Script Control with Quarantine enabled in the policy. This is the reason MS Excel is being shut down. You might want to check the details of the malicious DLL, which was prevented from loading at the Excel launch. This could put you on the right track to find the root cause. You'd better look up the events:
Filter the current log, and in the keywords field just insert "Script Control:wbemdisp.dll" or "Script Control".
03-31-2022 01:31 AM
Hi @David Janulik, thanks for the response. The details of the event when I try to open the CSV file myself are below...
03-24-2022 06:47 AM
Hello @johnmac ,
Have you checked the policy and been able to solve the issue?
Greetings, Thorsten
03-31-2022 01:50 AM
What I can see is a clear message to you from the event:
wbemdisp.dll (a common Excel DLL) is used/injected by this file, most probably for a WMI script
SuspiciousFiles C:\Users\johnwmcnamara\Downloads\Model 4000 Data Capture WMI 32+64Bit Trial.xls
You need to investigate this particular file for malicious activity. This is a job e.g. for Secure Malware Analytics, or investigate the event in the Secure Console via the event: is there any MITRE ATT&CK link? This has nothing to do with explorer.exe, because to open the file you always use Explorer.
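The investigation suggested above, checking whether the .xls carries a macro that drives WMI through WbemScripting (the COM automation layer that loads wbemdisp.dll), as an added example that is not part of this thread and not Cisco's or Secure Endpoint's code. In a legacy .xls the VBA source sits inside the OLE file in an MS-OVBA compressed stream, so a plain string search over the file can miss the indicators; the block decodes that container format and then scans the recovered source for WMI and auto-execution markers. The macro text, the compressor used to build the sample blob, the hand-assembled copy-token chunk and the indicator list are all constructed for illustration (assumptions, not taken from the post); pulling the VBA stream out of the OLE container itself is left to a tool such as olevba.

```python
import re

# Constructed sample: a macro of the kind the thread suspects (WMI process creation via
# WbemScripting). Illustrative only; it is not the file named in the Secure Endpoint event.
SAMPLE_MACRO = b"""Sub Auto_Open()
    Dim loc As Object, svc As Object, proc As Object
    Set loc = CreateObject("WbemScripting.SWbemLocator")
    Set svc = loc.ConnectServer(".", "root\\cimv2")
    Set proc = svc.Get("Win32_Process")
    proc.Create "cmd.exe /c whoami", Null, Null, Null
End Sub
"""

# Hand-assembled MS-OVBA container (assumption, built for the test): one compressed chunk,
# 9 literal bytes "winmgmts:" followed by a copy token (offset 9, length 9) that repeats them.
HANDCRAFTED_CHUNK = b"\x01\x0c\xb0\x00winmgmts\x02:\x06\x80"

# Indicator set is an assumption for this example; extend it for your own triage.
INDICATORS = {
    "auto-exec": rb"\b(?:Auto_Open|Workbook_Open|Auto_Close|Document_Open)\b",
    "wmi-locator": rb"WbemScripting\.SWbemLocator|winmgmts:",
    "wmi-process": rb"\bWin32_Process\b",
    "shell-exec": rb"\b(?:cmd\.exe|powershell|WScript\.Shell)\b",
}


def decompress(container: bytes) -> bytes:
    """Decode an MS-OVBA CompressedContainer: 0x01 signature, then 2-byte-header chunks."""
    if not container or container[0] != 0x01:
        raise ValueError("not a VBA compressed container (missing 0x01 signature)")
    out = bytearray()
    pos = 1
    while pos + 2 <= len(container):
        header = int.from_bytes(container[pos:pos + 2], "little")
        chunk_size = (header & 0x0FFF) + 3          # whole chunk, including the header
        compressed = bool(header & 0x8000)
        pos += 2
        chunk_end = pos + chunk_size - 2
        chunk_start = len(out)
        if not compressed:                          # raw chunk: 4096 literal bytes
            out += container[pos:pos + 4096]
            pos += 4096
            continue
        while pos < chunk_end:
            flags = container[pos]                  # one flag bit per following token
            pos += 1
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if not (flags >> bit) & 1:          # literal token: one byte
                    out.append(container[pos])
                    pos += 1
                    continue
                token = int.from_bytes(container[pos:pos + 2], "little")
                pos += 2
                # The offset/length split widens as more of this chunk has been decoded.
                decoded = len(out) - chunk_start
                bitcount = max(4, (decoded - 1).bit_length())
                length = (token & (0xFFFF >> bitcount)) + 3
                offset = (token >> (16 - bitcount)) + 1
                for _ in range(length):             # byte-wise copy: source may overlap
                    out.append(out[-offset])
    return bytes(out)


def compress(data: bytes) -> bytes:
    """Encode data as an MS-OVBA container with greedy LZ77 matching (used to build samples)."""
    out = bytearray([0x01])
    for start in range(0, len(data), 4096):
        chunk = data[start:start + 4096]
        body, pos = bytearray(), 0
        while pos < len(chunk):
            flag_index, flags = len(body), 0
            body.append(0)
            for bit in range(8):
                if pos >= len(chunk):
                    break
                bitcount = max(4, (pos - 1).bit_length())
                max_len = min((0xFFFF >> bitcount) + 3, len(chunk) - pos)
                best_len, best_off = 0, 0
                for off in range(1, min(1 << bitcount, pos) + 1):
                    n = 0
                    while n < max_len and chunk[pos - off + n] == chunk[pos + n]:
                        n += 1
                    if n > best_len:
                        best_len, best_off = n, off
                if best_len >= 3:
                    body += (((best_off - 1) << (16 - bitcount)) | (best_len - 3)).to_bytes(2, "little")
                    flags |= 1 << bit
                    pos += best_len
                else:
                    body.append(chunk[pos])
                    pos += 1
            body[flag_index] = flags
        if len(body) > 4096:                        # incompressible: store raw, padded as the spec requires
            out += (0x3000 | 0x0FFF).to_bytes(2, "little") + chunk.ljust(4096, b"\x00")
        else:
            out += (0xB000 | (len(body) - 1)).to_bytes(2, "little") + body
    return bytes(out)


def find_indicators(vba_source: bytes) -> list:
    """Return the sorted names of INDICATORS that match the decoded macro source."""
    return sorted(name for name, pattern in INDICATORS.items()
                  if re.search(pattern, vba_source, re.IGNORECASE))


if __name__ == "__main__":
    blob = compress(SAMPLE_MACRO)
    print("indicators:", find_indicators(decompress(blob)))
```

Running it against the constructed macro reports auto-exec, shell-exec, wmi-locator and wmi-process. Any of the WMI hits alone explains why Exploit Prevention reports wbemdisp.dll inside EXCEL.EXE; the auto-exec hit is what makes the behaviour fire on every open rather than on a button click.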
03-31-2022 05:57 AM
Thanks for your help @David Janulik