Host Intrusion Buffer Overflow - Illegal Execution in Microsoft Excel

I'm receiving these alerts in my McAfee for Excel.exe. I want to understand these alerts and know what analysis is required or what action needs to be taken: what is the reason they are being triggered, or are they false positives?

Threat Target Process Name: EXCEL.EXE
Threat Target File Path: C:\PROGRAM FILES (X86)\MICROSOFT OFFICE\ROOT\OFFICE16\EXCEL.EXE
Event Category: Host intrusion buffer overflow
Event ID: 18052
Threat Severity: Critical
Threat Name: ExP:Write
Threat Type: Exploit Prevention
Action Taken: Would block
Threat Handled: True
Analyzer Detection Method: Exploit Prevention
Events received from managed systems
Event Description: Buffer Overflow detected and blocked (GBOP)
Endpoint Security Module Name: Threat Prevention
Analyzer Content Creation Date: 7/20/20 12:29:32 AM CEST
Analyzer Content Version: 10.6.0.10342
Analyzer Rule ID: 3922
Analyzer Rule Name: Illegal Execution in Microsoft Excel
Source Description: "C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE"
Target Hash: 31d14533640dc0e58a54bd2407d7f323
Target Signed: Yes
Target Signer: CN=MICROSOFT CORPORATION, O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US
Target Parent Process Signed: Yes
Target Parent Process Signer: C=US, S=WASHINGTON, L=REDMOND, O=MICROSOFT CORPORATION, CN=MICROSOFT WINDOWS
Target Parent Process Name: EXPLORER.EXE
Target Parent Process Hash: 8a1944e0d90c4fd44b59e07a8ab6e2c3
Target Name: EXCEL.EXE
Target Path: C:\PROGRAM FILES (X86)\MICROSOFT OFFICE\ROOT\OFFICE16
Target File Size (Bytes): 43447488
Target Modify Time: 12/11/19 4:02:58 PM CET
Target Access Time: 12/11/19 4:02:58 PM CET
Target Create Time: 12/11/19 4:02:38 PM CET
API Name: LoadLibraryW
First Action Status: Not available
Second Action Status: Not available
Description: ExP:Write was detected as an attempt to exploit C:\PROGRAM FILES (X86)\MICROSOFT OFFICE\ROOT\OFFICE16\EXCEL.EXE, which targeted the LoadLibraryW API. It wasn't blocked because Exploit Prevention was set to Report Only. Attack
1 Solution

Accepted Solutions
ktankink
McAfee Employee
Message 3 of 3

Re: Host Intrusion Buffer Overflow - Illegal Execution in Microsoft Excel


Hi @User57094076 This is a Signature 3922 violation that occurred within Excel.exe. If you review this signature number in your ENS Exploit Prevention policy on the ePO server (or ENS client), you will see details of what this signature covers. By its description, it covers this http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0081 vulnerability. Based on the CVE details provided by Microsoft at https://docs.microsoft.com/en-us/security-updates/securitybulletins/2008/ms08-014, this signature is only applicable for older Office versions; see the "Affected Software" section on Microsoft's website.

  • If you are running that older software, and haven't patched the systems, then the signature event is valid.
  • If you are not running that older software, or have patched your systems, then it's a false positive.
    • To resolve this, either create an exception or disable the signature.


The HIPS KB article linked here can also be used for most ENS Exploit Prevention signatures, since most of them are similar; it covers how to investigate and manage IPS/Exploit Prevention signature events in general.

https://kc.mcafee.com/corporate/index?page=content&id=KB73399
Section: "Client IPS and IPS events".


Summarized:


Use the following general method when you assess IPS signature events:
  1. Identify the signature number that is being triggered.
  2. Review the IPS Signature number description information from the IPS Rules policy in ePolicy Orchestrator (ePO).
  3. Review the reference CVE description links, if any are included in the description information for that signature.
  4. Identify whether any Microsoft TechNet Security Bulletins are linked for the applicable vulnerability, and identify whether there are Microsoft security updates available that resolve the vulnerability.
  5. Verify whether systems reporting the IPS event have any applicable Microsoft Security Updates applied, as noted above:
    • If so, the applicable IPS Signature might be disabled on the systems that have the associated Microsoft Security Updates applied.
    • If not, McAfee recommends that you apply the applicable Microsoft Security Updates to the affected systems at your earliest convenience.
  6. If no CVE description links are noted for the triggering IPS signature, review all advanced details for the received IPS event.
  7. Identify whether the event triggers correlate to normal business use or process.
  8. Identify whether the systems experiencing the event have the latest Microsoft Security Updates applied.
  9. Identify whether the IPS event is specific for a third-party process such as Adobe, a process, or another tool. If so, review all applicable security updates from the vendor and make sure they are applied on the systems.
  10. If the signature still triggers after an applicable vendor security update has been applied, consider the event a false positive. Either disable the signature on the updated systems, or create an IPS exception for the updated systems to stop all further signature detections.
  11. If there is no applicable vendor security update available, determine whether the affected systems have current antivirus and antimalware definitions for VirusScan or other installed endpoint protection application. Perform a full scan on the affected systems.
  12. Determine whether the affected systems are protected by other perimeter security measures, such as Network Intrusion Detection.

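One way to turn the triage method above into a repeatable check, as an added example that is not part of the original thread or of McAfee's tooling: a small Python script that parses the event fields the question quotes and applies the accepted answer's decision rule. The signature-to-CVE table and the two host facts passed to triage() are assumptions the analyst fills in from the ENS policy and from the host's installed Office build and update status.

```python
# Constructed sample: the ENS Exploit Prevention event fields quoted in the question,
# one "Key: Value" pair per line, the way an ePO threat event export shows them.
SAMPLE_EVENT = r"""
Event ID: 18052
Threat Name: ExP:Write
Action Taken: Would block
Analyzer Rule ID: 3922
Analyzer Rule Name: Illegal Execution in Microsoft Excel
API Name: LoadLibraryW
Target Name: EXCEL.EXE
Target Path: C:\PROGRAM FILES (X86)\MICROSOFT OFFICE\ROOT\OFFICE16
Target Signed: Yes
Target Parent Process Name: EXPLORER.EXE
"""

# Signature ID -> CVE references, copied from the signature description in the ENS
# Exploit Prevention policy. Only 3922 comes from this thread (assumed table; extend it).
SIGNATURE_CVES = {"3922": ["CVE-2008-0081"]}


def parse_event(text):
    """Split an event export into a dict. Split on the first ': ' only, because
    values such as 'ExP:Write' or timestamps contain further colons."""
    fields = {}
    for line in text.splitlines():
        if ": " in line:
            key, value = line.split(": ", 1)
            fields[key.strip()] = value.strip()
    return fields


def triage(event, runs_affected_software, patched):
    """Steps 1-5 and 10 of the KB method. The two booleans describe the reporting
    host and are established by the analyst; they are not derivable from the event."""
    sig = event.get("Analyzer Rule ID")
    notes = []
    if event.get("Action Taken") == "Would block":
        # As in the quoted event: Report Only mode logs the call but does not block it.
        notes.append("Exploit Prevention is in Report Only mode: logged, not blocked")
    cves = SIGNATURE_CVES.get(sig)
    if not cves:
        notes.append(f"signature {sig} lists no CVE: review the advanced event details")
        return "review", notes
    notes.append(f"signature {sig} covers {', '.join(cves)}")
    if runs_affected_software and not patched:
        notes.append("host runs the affected software without the vendor update: apply it")
        return "valid", notes
    notes.append("host is not affected or is patched: add an exception or disable the signature")
    return "false_positive", notes
```

For the event in the question, an Office16 install that is current on Microsoft updates yields "false_positive", matching the answer's second bullet.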

2 Replies
Dayananda
McAfee Employee
Message 2 of 3

Re: Host Intrusion Buffer Overflow - Illegal Execution in Microsoft Excel


Hello,

Host IPS: For complete information about the Windows class Buffer Overflow IPS directives, see the "Windows class Buffer Overflow" section of the Host Intrusion Prevention 8.0 Product Guide.
https://docs.mcafee.com/bundle/host-intrusion-prevention-v8-0-0-product/resource/PD22894.pdf

I hope this helps.

Regards,
Daya
