Making iSBEM and Jet Reports work in Windows 10

This may be quite a niche post, but if it helps just one person overcome a “run-time error 5” whenever they try to run one of the iSBEM databases or an “Access Denied”1 error when trying to run a report powered by Jet Reports then it’s worth it!

In Windows 10 the built-in antimalware solution, Windows Defender, has a feature known as Windows Defender Exploit Guard. You can read up about this feature in more detail here, but one of its features in particular, the attack surface reduction rules, can sometimes prevent certain behaviour working in Microsoft Office applications.

Looking more closely at the attack surface reduction rules, you can see that a few of them are tailored specifically at Microsoft Office applications. In my experience the rule “Block all Office applications from creating child processes” can prevent the external processes needed by iSBEM and Jet Reports from running, which causes the errors mentioned above. You can quite easily check if this is the case by attempting to run an iSBEM database or Jet Report and getting the error, then open the Event Viewer and navigate to Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational and looking for any warning or error level events that indicate that Windows Defender blocked the process from running.

If you do find the block event in the Event Viewer, you can create an exclusion to prevent it from being blocked. This can either be done in Group Policy or PowerShell. Open Group Policy editor and navigate to Computer Configuration > Administrative Templates > Windows Components > Windows Defender Antivirus > Windows Defender Exploit Guard > Attack Surface Reduction. In here, one of the policies that can be configured is “Exclude files and paths from Attack Surface Reduction rules”, and you can use this to add your exclusions. You can use wildcards and environment variables to ensure the exclusions you add will work regardless of where they apply (for more details on that see this article). Try to make your exclusions as specific as possible so that you still get as much protection from Windows Defender Exploit Guard as possible!

If you wish to add exclusions using PowerShell, you should use the following command:

Add-MpPreference -AttackSurfaceReductionOnlyExclusions "Path to exclude"

For example, to unblock the iSBEM database you may use the following exclusion:

Add-MpPreference -AttackSurfaceReductionOnlyExclusions "%SYSTEMDRIVE%\NCM\iSBEM_v5.6.a\iSBEM_v5.6.a.mdb"

With that in place, test running the database again and continue to monitor the logs in  Event Viewer until all blocks have been identified and exclusions created.

1Of course an error like Access Denied isn’t necessarily being caused by Windows Defender, it could actually be a permission issue.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s