Blocked by Malwarebytes

Add-in Express™ Support Service
That's what is more important than anything else

Blocked by Malwarebytes
 
Abdullah Alharbi




Posts: 4
Joined: 2020-02-05
Hello,

We have an Excel add-in and one of our users reported that their protection software (Malwarebytes) is blocking Excel when having our add-in loaded. Could you please guide us as to how to fix this?

Abdullah Alharbi (Excelguru.ca)
Posted 28 Oct, 2020 03:10:00 Top
Andrei Smolin


Add-in Express team


Posts: 17502
Joined: 2006-05-11
Hello Abdullah,

I assume the antivirus produces some records related to this issue. Do these records suggest anything? What are the records?

In case you use Add-in Express panes (ADXExcelTaskPane), try to deploy {Add-in Express installation folder}\Redistributables\{IntResource.dll and IntResource64.dll} along with other files of your add-in.

Regards from Belarus (GMT+3),

Andrei Smolin
Add-in Express Team Leader
Posted 28 Oct, 2020 03:28:57 Top
Abdullah Alharbi




Posts: 4
Joined: 2020-02-05
Hello Andrei,

Thank you for your response. Our user provided the following log.

Log from end user:

-Log Details-

Protection Event Date: 10/16/20

Protection Event Time: 7:00 PM

Log File: 61d48cb0-1003-11eb-b636-4845206bb6f5.json

 

-Software Information-

Version: 4.2.1.89

Components Version: 1.0.1070

Update Package Version: 1.0.31468

License: Premium

 

-System Information-

OS: Windows 10 (Build 18362.1139)

CPU: x64

File System: NTFS

User: System

 

-Exploit Details-

File: 0

(No malicious items detected)

 

Exploit: 1

Malware.Exploit.Agent.Generic, C:WindowsSysWOW64
undll32.exe C:WindowsSysWOW64
undll32.exe C:WindowsSystem32dfshim.dll,ShOpenVerbShortcut C:UsersmitchAppDataLocalApps.0QY16ZPAH.GYPVR6REKBX.AYGmonk..ools_4dc9f9b35674fc44_0001.0000_5b219144505ba773Monkey Tools.appref-ms|, Blocked, 0, 392684, 0.0.0, , 

 

-Exploit Data-

Affected Application: Microsoft Office Excel

Protection Layer: Application Behavior Protection

Protection Technique: Exploit payload process blocked

File Name: C:WindowsSysWOW64
undll32.exe C:WindowsSysWOW64
undll32.exe C:WindowsSystem32dfshim.dll,ShOpenVerbShortcut C:UsersmitchAppDataLocalApps.0QY16ZPAH.GYPVR6REKBX.AYGmonk..ools_4dc9f9b35674fc44_0001.0000_5b219144505ba773Monkey Tools.appref-ms|

URL: 


I'm not sure if this is what we're looking for

Abdullah Alharbi (Excelguru.ca)
Posted 18 Nov, 2020 05:52:49 Top
Andrei Smolin


Add-in Express team


Posts: 17502
Joined: 2006-05-11
Hello Abdullah,

Thank you. It looks like your ClickOnce installer creates a shortcut (desktop icon) and the antivirus doesn't like it. I think you have two ways: 1) avoid creating it or 2) contact the antivirus vendor.

Regards from Belarus (GMT+3),

Andrei Smolin
Add-in Express Team Leader
Posted 19 Nov, 2020 01:27:59 Top