We are receiving the below alerts for Word Macro Vulnerability in McAfee. Need some help with the analysis of these and whether these alerts are relevant.
Threat Source Process Name: WINWORD.EXE
Threat Source URL:
Threat Target Host Name: CPHLX8646
Threat Target IPv4 Address: 10.34.144.35
Threat Target IP address: 10.34.144.35
Threat Target File Path: C:\Users\25461\AppData\Local\Packages\oice_16_974fa576_32c1d314_a4a\AC\Temp\26C4CF75.docm
Event Category: 'File' class or access
Event ID: 18060
Threat Severity: Critical
Threat Name: Vulnerability in Microsoft Word Macro Security
Threat Type: Exploit Prevention
Action Taken: Blocked
Threat Handled: True
Analyzer Detection Method: Exploit Prevention
Events received from managed systems
Event Description: Exploit Prevention Files/Process/Registry violation detected
Module Name: Threat Prevention
Analyzer Content Version: 10.6.0.10549
Analyzer Rule ID: 3821
Analyzer Rule Name: Vulnerability in Microsoft Word Macro Security
Source Process Hash: eca05a8e751065d43b5f3f789cd15dc2
Source Process Signed: Yes
Source Process Signer: C=US, S=WASHINGTON, L=REDMOND, O=MICROSOFT CORPORATION, CN=MICROSOFT CORPORATION
Source File Path: C:\Program Files (x86)\Microsoft Office\root\Office16
Source File Size (Bytes): 1972152
Source Modify Time: 10/17/19 11:13:25 AM CEST
Source Access Time: 10/17/19 11:13:25 AM CEST
Source Create Time: 1/8/18 10:26:22 PM CET
Source Description: "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /Embedding
Target Hash: 9ee54b5ddfb9b4fe9c4a8324712083bb
Target Signed: No
Target Name: 26C4CF75.docm
Target Path: C:\Users\25461\AppData\Local\Packages\oice_16_974fa576_32c1d314_a4a\AC\Temp
Target File Size (Bytes): 41367
Target Modify Time: 1/5/15 3:10:26 PM CET
Target Access Time: 9/24/20 1:57:55 PM CEST
Target Create Time: 9/24/20 1:57:55 PM CEST
First Action Status: Not available
Second Action Status: Not available
Description: SAS\25461 ran C:\Program Files (x86)\Microsoft Off
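One way to triage records like the one above, as an added example that is not McAfee's code or part of the thread: parse the flat "Field: value" export into a dictionary and derive the handful of facts an analyst needs first (was the access blocked, is the source process genuinely Microsoft-signed Word, is the target a macro-enabled document, was it opened in the Office sandbox, was Word launched non-interactively). The sample record is copied from the fields posted in the thread; the interpretation of the `oice_16_...` package folder as the Office 2016 Protected View / preview AppContainer temp location is an assumption the script encodes, and the summary text is the example's own wording.

```python
"""Triage helper for McAfee ENS Exploit Prevention event records (added example)."""
import re

# Sample input: field lines copied from the event posted in this thread.
SAMPLE_EVENT = r"""
Threat Source Process Name: WINWORD.EXE
Threat Source URL:
Threat Target File Path: C:\Users\25461\AppData\Local\Packages\oice_16_974fa576_32c1d314_a4a\AC\Temp\26C4CF75.docm
Threat Severity: Critical
Threat Name: Vulnerability in Microsoft Word Macro Security
Action Taken: Blocked
Threat Handled: True
Analyzer Rule ID: 3821
Source Process Signed: Yes
Source Process Signer: C=US, S=WASHINGTON, L=REDMOND, O=MICROSOFT CORPORATION, CN=MICROSOFT CORPORATION
Source Description: "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /Embedding
Target Signed: No
Target Name: 26C4CF75.docm
"""

# Assumption: Office 2016 opens untrusted documents (Protected View, Outlook
# preview) inside an AppContainer whose package folder starts with "oice_16_";
# a target under that sandbox's AC\Temp therefore came from an untrusted source.
PROTECTED_VIEW_TEMP = re.compile(
    r"\\AppData\\Local\\Packages\\oice_16_[0-9a-f_]+\\AC\\Temp\\", re.IGNORECASE
)
MACRO_ENABLED_EXT = (".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".potm")


def parse_event(text: str) -> dict:
    """Split 'Field: value' lines into a dict; a missing value becomes ''."""
    event = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")  # first colon ends the field name
        event[key.strip()] = value.strip()
    return event


def triage(event: dict) -> dict:
    """Reduce the record to the facts that decide how to handle it."""
    path = event.get("Threat Target File Path", "")
    signer = event.get("Source Process Signer", "").upper()
    return {
        "rule_id": event.get("Analyzer Rule ID", ""),
        "blocked": event.get("Action Taken", "").lower() == "blocked"
        and event.get("Threat Handled", "").lower() == "true",
        "microsoft_signed_source": event.get("Source Process Signed", "") == "Yes"
        and "O=MICROSOFT CORPORATION" in signer,
        "macro_enabled_target": path.lower().endswith(MACRO_ENABLED_EXT),
        "in_protected_view_sandbox": bool(PROTECTED_VIEW_TEMP.search(path)),
        "embedded_launch": "/Embedding" in event.get("Source Description", ""),
    }


def summarize(result: dict) -> list:
    """Turn the triage facts into analyst notes (example wording, not McAfee's)."""
    notes = []
    if result["blocked"]:
        notes.append("ENS blocked the access; confirm host health, no immediate containment needed.")
    else:
        notes.append("Access was NOT blocked: treat as a live incident and isolate the host.")
    if result["macro_enabled_target"]:
        notes.append("Target is a macro-enabled document: retrieve it from mail/download history for sandbox analysis.")
    if result["in_protected_view_sandbox"]:
        notes.append("Path is the Office Protected View/preview AppContainer temp folder: untrusted-source document opened sandboxed.")
    if result["embedded_launch"]:
        notes.append("WINWORD.EXE ran with /Embedding: started by another process (preview/OLE), not by the user.")
    if result["microsoft_signed_source"]:
        notes.append("Source process is Microsoft-signed Word; the document, not the binary, is the object of interest.")
    return notes


if __name__ == "__main__":
    for note in summarize(triage(parse_event(SAMPLE_EVENT))):
        print("-", note)
```

For the posted record this yields: blocked, Microsoft-signed source, `.docm` target, Protected View sandbox path, `/Embedding` launch. Read together, that is a macro-enabled attachment or download that Word opened in its sandbox and that ENS rule 3821 stopped, so the alert is relevant as a signal about what users are receiving, even though the event itself was handled; the next step is to obtain the document and determine who sent it and to whom.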
I see the Rule ID 3821 is enabled in ENS Exploit Prevention and is thus triggering these alerts.
Kindly disable this rule. By default McAfee offers to disable this rule. Is there any specific reason this rule is enabled? These would not be of any security risk as we have a wide range of coverage of these vulnerabilities in our EP content.
Hi, this rule has not been specifically enabled; however, it is related to macros, and macros can cause execution of some suspicious tasks. Will disabling the rule reduce security? Do we have all the related required coverage in the current EP signatures?
Is it also related to the applicability of MS Office versions, as some similar rules are related to older versions of MS Office as well? We are currently using Office 16.