jround
Level 9

Exploit Prevention WINWORD.EXE (Dictation addon)

A few of our users use a piece of dictation software that somehow runs through Microsoft Word, which doesn't cause issues with small dictations but fails with larger ones. We have found this is due to McAfee Exploit Prevention flagging it up as trying to exploit WINWORD.EXE.

Module Name: Threat Prevention
Analyzer Content Creation Date: 29/08/18 03:46:52 BST
Analyzer Content Version: 10.6.0.8623
Analyzer Rule ID: 9990
Analyzer Rule Name: Microsoft DEP integration and monitoring by Endpoint Security
Target Hash: 27b21667293d38646083a94fcb3ae190
Target Signed: Yes
Target Signer: C=US, S=WASHINGTON, L=REDMOND, O=MICROSOFT CORPORATION, OU=MOPR, CN=MICROSOFT CORPORATION
Target Parent Process Signed: Yes
Target Parent Process Signer: C=US, S=WASHINGTON, L=REDMOND, O=MICROSOFT CORPORATION, OU=MOPR, CN=MICROSOFT WINDOWS
Target Parent Process Name: SVCHOST.EXE
Target Parent Process Hash: c78655bc80301d76ed4fef1c1ea40a7d
Target Name: WINWORD.EXE
Target Path: C:\PROGRAM FILES (X86)\MICROSOFT OFFICE\OFFICE14
Target File Size (Bytes): 1432232
Target Modify Time: 26/06/18 19:05:12 BST
Target Access Time: 09/08/18 13:06:26 BST
Target Create Time: 26/06/18 19:05:12 BST
First Action Status: Not available
Second Action Status: Not available
Description: ExP:DEP Stack Blocked an attempt to exploit C:\PROGRAM FILES (X86)\MICROSOFT OFFICE\OFFICE14\WINWORD.EXE.
Attack Vector Type: Local System

What is the best way of resolving the issue for these users? We only have several so I could create a separate policy for the affected machines but don't quite know the best way to resolve it!

Thanks 🙂

McAfee Employee johma

Re: Exploit Prevention WINWORD.EXE (Dictation addon)

Hi, jround.

I don't believe this rule is enabled by default. You can create a separate policy and uncheck the "block" option to prevent interruption to the user; however, leave the Report box checked, then you will be alerted if this behaviour continues.

Endpoint Security Threat Prevention : Policy Category > Exploit Prevention > My Default <or policy>

This should get you working and provide some time to troubleshoot further if required. 

Most likely this is a false detection caused by a DLL that has overwritten more RAM than it has reserved. Maybe an Office update will resolve?

 




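Added example, not part of the original posts and not McAfee tooling: once the rule is set to report-only as the reply suggests, each new report can be compared with the event posted in the question, so that only reports that differ from the known false positive are escalated. The function names and the baseline-matching approach are assumptions; the baseline values are copied from the event above.

```python
# Added example: triage Exploit Prevention event details while a rule is report-only.
# BASELINE holds the field values from the event posted in this thread.
BASELINE = {
    "Analyzer Rule ID": "9990",
    "Target Name": "WINWORD.EXE",
    "Target Hash": "27b21667293d38646083a94fcb3ae190",
    "Target Signed": "Yes",
    "Target Path": r"C:\PROGRAM FILES (X86)\MICROSOFT OFFICE\OFFICE14",
}

def parse_event(text):
    """Parse 'Field: value' lines; split on the first ': ' only, because
    values (timestamps, Windows paths, descriptions) contain colons too."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(": ")
        if sep and key:
            fields[key] = value.strip()
    return fields

def deviations(event, baseline=BASELINE):
    """Return the baseline fields whose value differs or is missing."""
    return {k: event.get(k) for k, want in baseline.items()
            if (event.get(k) or "").upper() != want.upper()}

def triage(text):
    """'known-false-positive' if the event matches the baseline, else 'review'."""
    diff = deviations(parse_event(text))
    return ("review", diff) if diff else ("known-false-positive", diff)

# Constructed sample 1: the relevant lines of the event from the thread.
KNOWN = """Analyzer Rule ID: 9990
Target Hash: 27b21667293d38646083a94fcb3ae190
Target Signed: Yes
Target Name: WINWORD.EXE
Target Path: C:\\PROGRAM FILES (X86)\\MICROSOFT OFFICE\\OFFICE14
Target Modify Time: 26/06/18 19:05:12 BST"""

# Constructed sample 2: same rule, but a placeholder hash and an unsigned target.
CHANGED = KNOWN.replace("27b21667293d38646083a94fcb3ae190",
                        "00000000000000000000000000000000").replace(
                        "Target Signed: Yes", "Target Signed: No")

if __name__ == "__main__":
    for sample in (KNOWN, CHANGED):
        print(triage(sample))
```

A legitimate Office update also changes the target hash, so a "review" result after patching means the baseline needs refreshing rather than that the report is malicious.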