A few of our users use a piece of dictation software that somehow runs through Microsoft Word, which doesn't cause issues with small dictations but fails with larger ones. We have found this is due to McAfee Exploit Prevention flagging it up as trying to exploit WINWORD.EXE:
Module Name: Threat Prevention
Analyzer Content Creation Date: 29/08/18 03:46:52 BST
Analyzer Content Version: 10.6.0.8623
Analyzer Rule ID: 9990
Analyzer Rule Name: Microsoft DEP integration and monitoring by Endpoint Security
Target Hash: 27b21667293d38646083a94fcb3ae190
Target Signed: Yes
Target Signer: C=US, S=WASHINGTON, L=REDMOND, O=MICROSOFT CORPORATION, OU=MOPR, CN=MICROSOFT CORPORATION
Target Parent Process Signed: Yes
Target Parent Process Signer: C=US, S=WASHINGTON, L=REDMOND, O=MICROSOFT CORPORATION, OU=MOPR, CN=MICROSOFT WINDOWS
Target Parent Process Name: SVCHOST.EXE
Target Parent Process Hash: c78655bc80301d76ed4fef1c1ea40a7d
Target Name: WINWORD.EXE
Target Path: C:\PROGRAM FILES (X86)\MICROSOFT OFFICE\OFFICE14
Target File Size (Bytes): 1432232
Target Modify Time: 26/06/18 19:05:12 BST
Target Access Time: 09/08/18 13:06:26 BST
Target Create Time: 26/06/18 19:05:12 BST
First Action Status: Not available
Second Action Status: Not available
Description: ExP:DEP Stack Blocked an attempt to exploit C:\PROGRAM FILES (X86)\MICROSOFT OFFICE\OFFICE14\WINWORD.EXE.
Attack Vector Type: Local System
What is the best way of resolving the issue for these users? We only have several so I could create a separate policy for the affected machines but don't quite know the best way to resolve it!
I don't believe this rule is enabled by default. You can create a separate policy and uncheck the "Block" option to prevent interruption to the user; however, leave the Report box checked, then you will be alerted if this behaviour continues.
This should get you working and provide some time to troubleshoot further if required.
Most likely this is a false detection caused by a DLL that has overwritten more RAM than it has reserved. Maybe an Office update will resolve?