Secure Endpoint Closing Excel
03-16-2022 09:20 AM
Hi all,
A user is reporting that every time they try to work on a specific CSV file, Secure Endpoint is shutting Excel down.
In the device trajectory I am getting the below info:
An attack was prevented in Script Control:wbemdisp.dll at base address 0x00007FF7EC730000 inside the EXCEL.EXE process.
I think perhaps the Office version needs to be updated? Has anyone else seen something similar?
TIA
Labels: AMP for Endpoints
03-17-2022 01:37 AM - edited 03-17-2022 01:52 AM
So, you have Exprev Script Control with Quarantine enabled in the policy. This is the reason for shutting down MS Excel. You might want to check the details of the malicious DLL, which was prevented from loading with the Excel launch. This could put you on the right track to find the root cause. You'd better look up the events:
- in the Secure Console for details, or
- in the Windows Event Viewer > Applications and Services Logs > Cisco Secure Client: filter the current log and in the keywords field just insert "Script Control:wbemdisp.dll" or "Script Control"
03-31-2022 01:31 AM
Hi @David Janulik, thanks for the response. The details of the event when I try to open the CSV file myself are below...
TimeStamp 1648552388
ProcessName C:\Program Files\Microsoft Office\Office16\EXCEL.EXE
AttackInfo {"afps":"C:\\Program Files\\Microsoft Office\\Office16\\EXCEL.EXE","ams":"Script Control:wbemdisp.dll","at":"2022-03-29 11:13:03","bas":"0x00007FF623E80000","edvs":"4.1.10.65","sfs":["C:\\Users\\johnwmcnamara\\Downloads\\Model 4000 Data Capture WMI 32+64Bit Trial.xls","7ddd900311d2865ff2664a80c079c81302d8f5184cf9d4e0369c94920b98334f"],"sus":[""],"u":"johnwmcnamara@RCSI"}
SuspiciousFiles C:\Users\johnwmcnamara\Downloads\Model 4000 Data Capture WMI 32+64Bit Trial.xls
ParentProcessName C:\Windows\explorer.exe
ParentProcessPID 15756
ScriptControlBadDll wbemdisp.dll
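A small triage helper, added here and not taken from the thread or from Cisco, that parses the event record pasted above (the Secure Endpoint key/value lines with the JSON AttackInfo payload) and pulls out the fields a defender would carry into a Secure Console or Secure Malware Analytics lookup. It assumes, from this single record, that the `sfs` list alternates file path and SHA-256; the sample event is a constructed copy of the one in the post.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample: the event from the post, one "Key Value" pair per line.
# Raw string keeps the backslashes exactly as they appear in the console export.
SAMPLE_EVENT = r"""
TimeStamp 1648552388
ProcessName C:\Program Files\Microsoft Office\Office16\EXCEL.EXE
AttackInfo {"afps":"C:\\Program Files\\Microsoft Office\\Office16\\EXCEL.EXE","ams":"Script Control:wbemdisp.dll","at":"2022-03-29 11:13:03","bas":"0x00007FF623E80000","edvs":"4.1.10.65","sfs":["C:\\Users\\johnwmcnamara\\Downloads\\Model 4000 Data Capture WMI 32+64Bit Trial.xls","7ddd900311d2865ff2664a80c079c81302d8f5184cf9d4e0369c94920b98334f"],"sus":[""],"u":"johnwmcnamara@RCSI"}
SuspiciousFiles C:\Users\johnwmcnamara\Downloads\Model 4000 Data Capture WMI 32+64Bit Trial.xls
ParentProcessName C:\Windows\explorer.exe
ParentProcessPID 15756
ScriptControlBadDll wbemdisp.dll
"""


def parse_event(text):
    """Split each line at the first space; AttackInfo is JSON and gets decoded."""
    fields = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition(" ")
        fields[key] = json.loads(value) if key == "AttackInfo" else value
    return fields


def suspicious_files(fields):
    """Pair up 'sfs' as (path, sha256); assumption: the list alternates path, hash.
    Entries whose hash is not a well-formed SHA-256 are dropped."""
    sfs = fields["AttackInfo"].get("sfs", [])
    return [(path, digest) for path, digest in zip(sfs[0::2], sfs[1::2])
            if re.fullmatch(r"[0-9a-f]{64}", digest)]


def triage_summary(text):
    """Reduce the record to what is needed for a console / sandbox lookup."""
    f = parse_event(text)
    info = f["AttackInfo"]
    files = suspicious_files(f)
    return {
        "when_utc": datetime.fromtimestamp(int(f["TimeStamp"]), tz=timezone.utc).isoformat(),
        "process": f["ProcessName"],
        "parent": f["ParentProcessName"],
        "blocked_dll": f["ScriptControlBadDll"],
        # Cross-check: the 'ams' module name should end with the blocked DLL.
        "dll_consistent": info["ams"].endswith(f["ScriptControlBadDll"]),
        "base_address": info["bas"],
        "user": info["u"],
        "connector_version": info["edvs"],
        "files": files,
        "opened_from_downloads": any("\\Downloads\\" in p for p, _ in files),
    }
```

The `files` list gives the SHA-256 to search for in the console or submit to Secure Malware Analytics, and `opened_from_downloads` flags that the document came in from outside rather than from a managed share.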
03-24-2022 06:47 AM
Hello @johnmac,
have you checked the policy and been able to solve the issue?
Greetings, Thorsten
03-31-2022 01:50 AM
What I can see is a clear message to you from the event:
wbemdisp.dll (Common Excel DLL) is used/injected by this file, most probably for a WMI script:
SuspiciousFiles C:\Users\johnwmcnamara\Downloads\Model 4000 Data Capture WMI 32+64Bit Trial.xls
You need to investigate this particular file for malicious activity. This is a job e.g. for Secure Malware Analytics, or investigate the event in the Secure Console via the event: is there any MITRE ATT&CK link? This has nothing to do with explorer.exe, because to open the file you always use Explorer.
03-31-2022 05:57 AM
Thanks for your help @David Janulik
