cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Highlighted
jround
jround
Level 9
Report Inappropriate Content
Message 1 of 2
‎10-04-2018 04:51 AM

Exploit Prevention WINWORD.EXE (Dictation addon)

A few of our users use a piece of dictation software that somehow runs through Microsoft Word, which doesn't cause issues with small dictations but fails with larger ones.  We have found this is due to McAfee Exploit Prevention flagging it up as trying to exploit WINWORD.EXE

Module Name: Threat Prevention
Analyzer Content Creation Date: 29/08/18 03:46:52 BST
Analyzer Content Version: 10.6.0.8623
Analyzer Rule ID: 9990
Analyzer Rule Name: Microsoft DEP integration and monitoring by Endpoint Security
Target Hash: 27b21667293d38646083a94fcb3ae190
Target Signed: Yes
Target Signer: C=US, S=WASHINGTON, L=REDMOND, O=MICROSOFT CORPORATION, OU=MOPR, CN=MICROSOFT CORPORATION
Target Parent Process Signed: Yes
Target Parent Process Signer: C=US, S=WASHINGTON, L=REDMOND, O=MICROSOFT CORPORATION, OU=MOPR, CN=MICROSOFT WINDOWS
Target Parent Process Name: SVCHOST.EXE
Target Parent Process Hash: c78655bc80301d76ed4fef1c1ea40a7d
Target Name: WINWORD.EXE
Target Path: C:\PROGRAM FILES (X86)\MICROSOFT OFFICE\OFFICE14
Target File Size (Bytes): 1432232
Target Modify Time: 26/06/18 19:05:12 BST
Target Access Time: 09/08/18 13:06:26 BST
Target Create Time: 26/06/18 19:05:12 BST
First Action Status: Not available
Second Action Status: Not available
Description: ExP:DEP Stack Blocked an attempt to exploit C:\PROGRAM FILES (X86)\MICROSOFT OFFICE\OFFICE14\WINWORD.EXE.
Attack Vector Type: Local System

What is the best way of resolving the issue for these users?  We only have several so I could create a seperate policy for the affected machines but don't quite know the best way to resolve it!

Thanks 🙂

0 Kudos
Reply
1 Reply
johma
McAfee Employee johma
McAfee Employee
Report Inappropriate Content
Message 2 of 2
‎10-04-2018 09:34 AM

Re: Exploit Prevention WINWORD.EXE (Dictation addon)

Hi, jround.

I dont belive this rule is enabled by default, you can create a seperate policy and uncheck the "block" option. to prevent interruption to the user, however leave the Report box checked then you will be alerted if this behaviour continues. 

 

 
Endpoint Security Threat Prevention : Policy Category > Exploit Prevention > My Default  <or policy>
 

This should get you working and provide some time to troubleshoot further if required. 

Most likely this is a false detection caused by a dll that has overwritten more ram than it has reserved. Maybe an office update will resolve?

 




Was my reply helpful?


If this information was helpful in any way, or answered your question, will you please select "Accept as Solution" in my reply, or give kudos as appropriate, so together we can help other members?
0 Kudos
Reply
More McAfee Tools to Help You
  • Subscription Service Notification (SNS)
  • How-to: Endpoint Removal Tool
  • Support: Endpoint Security
  • eSupport: Policy Orchestrator

    • Community Help Hub

      New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

    • Find Forum FAQs
    • Learn How to Earn Badges
    • Ask for Help
    Go to Community Help

    Join the Community

      Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

    • Get helpful solutions from McAfee experts.
    • Stay connected to product conversations that matter to you.
    • Participate in product groups led by McAfee employees.
    Join the Community
    Join the Community


    Corporate Headquarters
    2821 Mission College Blvd.
    Santa Clara, CA 95054 USA

    Consumer Support   |   Enterprise Support   |   McAfee.com

    Legal   |   Privacy   |   Copyright © 2019 McAfee, LLC