Thread Info
  • State Not Answered
  • +1 person also asked this people also asked this
  • Locked Locked
  • Replies 4 replies
  • Subscribers 16 subscribers
  • Views 24763 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

False Positive? CryptoGuard detected ransomware in WINWORD.EXE

Solomon Horn

We just received an alert for one of our machines: CryptoGuard detected ransomware in C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

However, we can find no evidence of ransomware and believe this is a false positive. Has anyone else had issues with WINWORD.EXE? 



This thread was automatically locked due to age.
  • 0

    Hi,

    Can you provide the details in the event log? You're looking at event id 911 in the application event log.

    Regards,

    Jak

  • 0 in reply to jak

    Mitigation CryptoGuard

    Platform 6.1.7601/x64 v593 06_3f
    PID 6484
    Application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    Description Microsoft Word 14

    Filename C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

    \Device\Mup\domain.local\Shares\folder\~$filename.docx
    \Device\Mup\domain.local\Shares\folder\~$filename.docx
    \Device\Mup\domain.local\Shares\folder\~$filename.docx


    Process Trace
    1 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE [6484]
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "\\domain.local\Shares\folder\filename.docx"
    2 C:\Windows\explorer.exe [6736]
    3 C:\Windows\System32\userinit.exe [9012]
    4 C:\Windows\System32\winlogon.exe [6180]
    winlogon.exe
    5 C:\Windows\System32\smss.exe [6360]
    \SystemRoot\System32\smss.exe 00000000 00000048
    6 C:\Windows\System32\smss.exe [356]
    \SystemRoot\System32\smss.exe
    7 [4]

    Thumbprint
    caeb57822b00e79db13bf82c0dfe9ea02a3b138d02d953058cf89a29da7077c2

  • 0

    We just had the same thing happen, opening a PDF in word 2010 triggers it.

  • 0

    Had the same issue for Excel for  the pass two weeks.

Unfiltered HTML