A few of our users use a piece of dictation software that somehow runs through Microsoft Word, which doesn't cause issues with small dictations but fails with larger ones. We have found this is due to McAfee Exploit Prevention flagging it up as trying to exploit WINWORD.EXE:
Module Name: Threat Prevention
Analyzer Content Creation Date: 29/08/18 03:46:52 BST
Analyzer Content Version: 10.6.0.8623
Analyzer Rule ID: 9990
Analyzer Rule Name: Microsoft DEP integration and monitoring by Endpoint Security
Target Hash: 27b21667293d38646083a94fcb3ae190
Target Signed: Yes
Target Signer: C=US, S=WASHINGTON, L=REDMOND, O=MICROSOFT CORPORATION, OU=MOPR, CN=MICROSOFT CORPORATION
Target Parent Process Signed: Yes
Target Parent Process Signer: C=US, S=WASHINGTON, L=REDMOND, O=MICROSOFT CORPORATION, OU=MOPR, CN=MICROSOFT WINDOWS
Target Parent Process Name: SVCHOST.EXE
Target Parent Process Hash: c78655bc80301d76ed4fef1c1ea40a7d
Target Name: WINWORD.EXE
Target Path: C:\PROGRAM FILES (X86)\MICROSOFT OFFICE\OFFICE14
Target File Size (Bytes): 1432232
Target Modify Time: 26/06/18 19:05:12 BST
Target Access Time: 09/08/18 13:06:26 BST
Target Create Time: 26/06/18 19:05:12 BST
First Action Status: Not available
Second Action Status: Not available
Description: ExP:DEP Stack Blocked an attempt to exploit C:\PROGRAM FILES (X86)\MICROSOFT OFFICE\OFFICE14\WINWORD.EXE.
Attack Vector Type: Local System
What is the best way of resolving the issue for these users? We only have several, so I could create a separate policy for the affected machines, but don't quite know the best way to resolve it!
Thanks 🙂