URLDownloadtoFile library causing Malwarebytes Malware.Exploit.Agent.Generic Error

inxlsplot

New Member
Joined
Mar 8, 2021
Messages
3
Office Version
  1. 365
Platform
  1. Windows
Hello,
I've researched this and I was wondering if I'm the only one going through this error. Eveyrone seems to have success with this library but me because I've been searching for anyone else having the problem to no avail.


I posted on Malwarebytes forum. I haven't had an answer back from MBAM support.

Here's the problem:

I'm using the library:

VBA Code:
  Private Declare PtrSafe Function URLDownloadToFile Lib "urlmon" _
    Alias "URLDownloadToFileA" (ByVal pCaller As Long, ByVal szURL As String, _
    ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long

And I'll be looping through a range in an Excel sheet, but thought I might try it with just one to make sure it works:

VBA Code:
Sub DownloadFilefromWeb()
    Dim strSavePath As String
    Dim URL As String, ext As String
    Dim buf, ret As Long
    URL = Worksheets("SheetName").Range("H3").Value 'Getting the URL from here at this point
    buf = Split(URL, ".")
    ext = buf(UBound(buf))
    strSavePath = "C:\loremipsumfilepath" & "DownloadedFile." & ext
    ret = URLDownloadToFile(0, URL, strSavePath, 0, 0)

End Sub

And EACH and everytime it opens the window to the directory to save the file in the designated directory, MalwareBytes blocks an Exploit:


-Log Details-
Protection Event Date: 3/8/21
Protection Event Time: 3:59 PM
Log File: 172cc7b8-8051-11eb-b2c6-841b7727a569.json

-Software Information-
Version: 4.3.0.98
Components Version: 1.0.1173
Update Package Version: 1.0.37885
License: Trial

-System Information-
OS: Windows 10 (Build 19041.610)
CPU: x64
File System: NTFS
User: System

-Exploit Details-
File: 0
(No malicious items detected)

Exploit: 1
Malware.Exploit.Agent.Generic, , Blocked, 0, 392684, 0.0.0, ,

-Exploit Data-
Affected Application: Microsoft Office Excel
Protection Layer: Malicious Memory Protection
Protection Technique: Exploit code executing from Heap memory blocked
File Name:
URL: - URL - (I took it out for privacy purposes)


And Excel closes. (no crash indicated by Windows 64 Pro)
  • Yes, file name is blank as listed by the MBAM error.
  • The URL DOES have '?' and '&' in it. It is an aspx page that refers to a PDF document. looks something like: list.aspx/GetSomeFile?derpy_id=546516565484844848441&year=2020. Unsure if that's tripping up MBAM.
  • This machine is new as of yesterday (03.07.21)

I want the user to be able to use their default browser. I'm using Chrome right now.

Please advise.

Much appreciated, community.
 

Excel Facts

Workdays for a market open Mon, Wed, Friday?
Yes! Use "0101011" for the weekend argument in NETWORKDAYS.INTL or WORKDAY.INTL. The 7 digits start on Monday. 1 means it is a weekend.
Hi also I am a programmer in VBA. I see no one is responding to you, so I don't know if this will console you but yesterday I had the same experience of error with exploits. I have installed the same version of Malwerbytes on my PC. I assume it is a false positive but it is rather annoying and you do not understand why since it is a very normal automation function. It also aborts the entire understood Excel process in a brutal way (with possible data loss). To solve this problem I am looking for workarounds in VBA but so far I have not found any. In the meantime if you have solved it please let me know how. Thanks and greetings
 
Upvote 0
Hi - I also get dinged by my antivirus software - all the time. It's very annoying, but to be fair, a lot of malware is circulated by way of Office Documents, and they're coded in VBA, so it's not an unreasonable assumption that an Excel spreadsheet that is downloading something from the web could be suspicious. As the output states, no malicious code found, so I expect that it is a false positive.

As an alternative, the following code also downloads files from the web - this version below can download and write binary data (pictures, etc.) I've adapted it to your code above. Hope this helps, but let me know if you have any problems:

VBA Code:
Sub DownloadFileFromWeb()

    Dim strSavePath As String
    Dim URL As String, ext As String
    Dim buf, ret As Long
    URL = Worksheets("SheetName").Range("H3").value 'Getting the URL from here at this point
    buf = Split(URL, ".")
    ext = buf(UBound(buf))
    strSavePath = "F:\loremipsumfilepath" & "DownloadedFile." & ext

    Dim objXMLHTTP As Object
    Set objXMLHTTP = CreateObject("Microsoft.XMLHTTP")
    objXMLHTTP.Open "GET", URL, False
    objXMLHTTP.send

    If objXMLHTTP.Status = 200 Then
        Set oStream = CreateObject("ADODB.Stream")
        oStream.Open
        oStream.Type = 1
        oStream.Write objXMLHTTP.responseBody
        oStream.SaveToFile strSavePath, 2 ' 1 = no overwrite, 2 = overwrite
        oStream.Close
    End If

End Sub
 
Upvote 0
Apologies, I forgot to Dim the oStream variable. Revised code below, along with two other options for modes to download files - MSXML2.serverXMLHTTP and MSXML2.XMLHTTP. It is just a matter of uncommenting the relevant line and replace it with the current line.


VBA Code:
Sub DownloadFileFromWeb()

    Dim strSavePath As String
    Dim URL As String, ext As String
    Dim buf, ret As Long
    URL = Worksheets("SheetName").Range("H3").value 'Getting the URL from here at this point
    buf = Split(URL, ".")
    ext = buf(UBound(buf))
    strSavePath = "F:\loremipsumfilepath" & "DownloadedFile." & ext

    Dim objXMLHTTP As Object, oStream As Object
    Set objXMLHTTP = CreateObject("Microsoft.XMLHTTP")
    'Set objXMLHTTP = CreateObject("MSXML2.ServerXMLHTTP")
    'Set objXMLHTTP = CreateObject("MSXML2.XMLHTTP")
    objXMLHTTP.Open "GET", URL, False
    objXMLHTTP.send

    If objXMLHTTP.Status = 200 Then
        Set oStream = CreateObject("ADODB.Stream")
        oStream.Open
        oStream.Type = 1
        oStream.Write objXMLHTTP.responseBody
        oStream.SaveToFile strSavePath, 2 ' 1 = no overwrite, 2 = overwrite
        oStream.Close
    End If

End Sub
 
Upvote 0

Forum statistics

Threads
1,224,815
Messages
6,181,136
Members
453,021
Latest member
Justyna P

We've detected that you are using an adblocker.

We have a great community of people providing Excel help here, but the hosting costs are enormous. You can help keep this site running by allowing ads on MrExcel.com.
Allow Ads at MrExcel

Which adblocker are you using?

Disable AdBlock

Follow these easy steps to disable AdBlock

1)Click on the icon in the browser’s toolbar.
2)Click on the icon in the browser’s toolbar.
2)Click on the "Pause on this site" option.
Go back

Disable AdBlock Plus

Follow these easy steps to disable AdBlock Plus

1)Click on the icon in the browser’s toolbar.
2)Click on the toggle to disable it for "mrexcel.com".
Go back

Disable uBlock Origin

Follow these easy steps to disable uBlock Origin

1)Click on the icon in the browser’s toolbar.
2)Click on the "Power" button.
3)Click on the "Refresh" button.
Go back

Disable uBlock

Follow these easy steps to disable uBlock

1)Click on the icon in the browser’s toolbar.
2)Click on the "Power" button.
3)Click on the "Refresh" button.
Go back
Back
Top