Thursday, November 19, 2020

Another service to block VBA

Got it from a friend of mine; be aware of this CylancePROTECT Script Control...

Hi Everyone

I spent a frustrating five hours yesterday tracking down a problem on some (but not all) of one of my clients’ workstations, and I hope I might save some of you from a similar waste of time.

Attempts to open their Access application (an ACCDR) with the /runtime switch gave:

               Execution of this application has stopped due to a run-time error.

               The application can’t continue and will shut down.

Further investigation, running it as an ACCDB, showed that any attempt to touch the ErrEx class (Wayne Philips’ vbWatchdog) gave:

               Run-time error '453':

               Can't find DLL entry point VirtualAlloc in kernel32

This was from a call to VirtualAlloc from the Class_Initialize event procedure of ErrEx.

My initial thought was that a Microsoft update over the weekend had installed something that was interfering with vbWatchdog, so I was composing an email to Wayne when I thought to try some other calls to Kernel32 functions.  They all failed with Error 453, as did calls to User32 procedures.

I then spent considerable time uninstalling updates and reverting to restore points, without any success.  While googling for ideas, I found this:

https://stackoverflow.com/questions/56201309/need-to-fix-this-error-cant-find-dll-entry-point-getsysteminfo-in-kernel32

Note the final comment by the OP.

Sure enough, I checked and there was a service named “CylancePROTECT” running on the workstation I was looking at.

I called their IT “support” company and finally found somebody who knew that they were trialling new “security software” on some of their customers’ workstations.  I googled it, and it includes a “script control” feature which blocks certain functions in “scripts”, which apparently include VBA code:

https://www.blackberry.com/content/dam/cylance/documents/pdf/pdf-feature-focus-protect-script-control.pdf

In this document, it recommends “that administrators initially enable CylancePROTECT Script Control in Alert Mode to monitor and observe all scripts running in their environment.”  Then later, “Once administrators have a good understanding of all scripts running in their environment, they can change their settings to block mode and only allow scripts to run out of specified folders.”  Of course, these idiots had not followed these recommendations.

Anyway, I hope this is useful knowledge to put in the toolbox if ever you are diagnosing Error 453.

Cheers,

Graham


2 comments:

  1. OmarASLAOUI 3:42 PM

    thanks

    good to know

  2. Anonymous 2:53 AM

    Please send me a return label I do not want these testers
