
Word Macro Vulnerability

We are receiving the below alerts for Word Macro Vulnerability in McAfee. Need some help with the analysis of these and if these alerts are relevant.

Threat Source Process Name: WINWORD.EXE
Threat Source URL:
Threat Target Host Name: CPHLX8646
Threat Target IPv4 Address:
Threat Target IP address:
Threat Target File Path: C:\Users\25461\AppData\Local\Packages\oice_16_974fa576_32c1d314_a4a\AC\Temp\26C4CF75.docm
Event Category: 'File' class or access
Event ID: 18060
Threat Severity: Critical
Threat Name: Vulnerability in Microsoft Word Macro Security
Threat Type: Exploit Prevention
Action Taken: Blocked
Threat Handled: True
Analyzer Detection Method: Exploit Prevention
Events received from managed systems
Event Description: Exploit Prevention Files/Process/Registry violation detected
Endpoint Security Module Name: Threat Prevention
Analyzer Content Version:
Analyzer Rule ID: 3821
Analyzer Rule Name: Vulnerability in Microsoft Word Macro Security
Source Process Hash: eca05a8e751065d43b5f3f789cd15dc2
Source Process Signed: Yes
Source Process Signer: C=US, S=WASHINGTON, L=REDMOND, O=MICROSOFT CORPORATION, CN=MICROSOFT CORPORATION
Source File Path: C:\Program Files (x86)\Microsoft Office\root\Office16
Source File Size (Bytes): 1972152
Source Modify Time: 10/17/19 11:13:25 AM CEST
Source Access Time: 10/17/19 11:13:25 AM CEST
Source Create Time: 1/8/18 10:26:22 PM CET
Source Description: "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /Embedding
Target Hash: 9ee54b5ddfb9b4fe9c4a8324712083bb
Target Signed: No
Target Name: 26C4CF75.docm
Target Path: C:\Users\25461\AppData\Local\Packages\oice_16_974fa576_32c1d314_a4a\AC\Temp
Target File Size (Bytes): 41367
Target Modify Time: 1/5/15 3:10:26 PM CET
Target Access Time: 9/24/20 1:57:55 PM CEST
Target Create Time: 9/24/20 1:57:55 PM CEST
First Action Status: Not available
Second Action Status: Not available
Description: SAS\25461 ran C:\Program Files (x86)\Microsoft Off
2 Replies
McAfee Employee

Re: Word Macro Vulnerability

Hello,

I see that Rule ID 3821 is enabled in ENS Exploit Prevention and is thus triggering these alerts.

Kindly disable this rule. By default McAfee offers to disable this Rule. Is there any specific reason this Rule is enabled? These would not be of any security risk, as we have a wide range of coverage of these vulnerabilities in our EP contents.



Re: Word Macro Vulnerability

Hi, this rule has not been specifically enabled; however, it is related to macros, and macros can cause execution of some suspicious tasks. Will disabling the rule reduce the security? Do we have all the related required coverage in current EP signatures?

Is it also related to applicability of MS Office versions, as some similar rules are related to older versions of MS Office as well? We are currently using Office 16.
