Thanks for reaching out to Community.
It looks like this issue is happening with On access scan.
Can you kindly share the On-Access Scan logs with us so that we can look into this in detail?
This is all the information I see in the log. Is there something specific I need to provide as the OnAccessScan log doesn't give any information that I can see? The other log gives some more information I didn't provide before.
OnAccessScan_Activity log
2020-12-01 10:00:45.460Z|Activity|oasbl |mfetp | 2512| 3064|OAS |oasbl.cpp(2594) | AMCore content version = 4273.0
ExploitPrevention_Activity log
2020-11-20 13:02:51.668Z|Activity|ApBl |mfeesp | 2576| 11620|BOPAP |XModuleEvents.cpp(844) | first user ran C:\Program Files\Microsoft Office\Office15\WINWORD.EXE, which accessed the process wmiutils.dll, violating the rule "T1047 - Weaponized OLE object infection via WMI". Access was allowed because the rule wasn't configured to block.
2020-11-24 13:03:35.643Z|Activity|ApBl |mfeesp | 2184| 6092|BOPAP |XModuleEvents.cpp(844) | First User ran C:\Program Files\Microsoft Office\Office15\WINWORD.EXE, which accessed the process wmiutils.dll, violating the rule "T1047 - Weaponized OLE object infection via WMI". Access was allowed because the rule wasn't configured to block.
2020-12-01 13:08:24.145Z|Activity|ApBl |mfeesp | 2168| 4660|BOPAP |XModuleEvents.cpp(844) | the first user ran C:\Program Files\Microsoft Office\Office15\WINWORD.EXE, which accessed the process wmiutils.dll, violating the rule "T1047 - Weaponized OLE object infection via WMI". Access was allowed because the rule wasn't configured to block.
2020-12-02 14:25:33.932Z|Activity|ApBl |mfeesp | 6168| 14164|BOPAP |XModuleEvents.cpp(844) | Second user ran C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, which accessed the process wmiutils.dll, violating the rule "T1047 - Weaponized OLE object infection via WMI". Access was allowed because the rule wasn't configured to block.
2020-12-02 14:25:33.934Z|Activity|ApBl |mfeesp | 6168| 4428|BOPAP |XModuleEvents.cpp(844) | The second user ran C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, which accessed the process WMIUTILS.DLL, violating the rule "T1047 - Weaponized OLE object infection via WMI". Access was allowed because the rule wasn't configured to block.
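As an added example (not code from this thread, and not McAfee's or Trellix's own tooling), the following Python parses ExploitPrevention_Activity lines like the ones quoted above, pulls out the process, the accessed module, the rule ID and whether access was allowed or blocked, and reports which rules are still only reporting rather than blocking. The field layout is inferred solely from the lines in this thread; the sample lines are those lines (with user names as the thread shows them), plus one constructed "blocked" line whose wording is an assumption for illustration.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Sample input: the ExploitPrevention_Activity lines quoted in this thread.
# (The two entries that were split across lines in the post are joined here.)
SAMPLE_LOG = r"""2020-11-20 13:02:51.668Z|Activity|ApBl |mfeesp | 2576| 11620|BOPAP |XModuleEvents.cpp(844) | first user ran C:\Program Files\Microsoft Office\Office15\WINWORD.EXE, which accessed the process wmiutils.dll, violating the rule "T1047 - Weaponized OLE object infection via WMI". Access was allowed because the rule wasn't configured to block.
2020-11-24 13:03:35.643Z|Activity|ApBl |mfeesp | 2184| 6092|BOPAP |XModuleEvents.cpp(844) | First User ran C:\Program Files\Microsoft Office\Office15\WINWORD.EXE, which accessed the process wmiutils.dll, violating the rule "T1047 - Weaponized OLE object infection via WMI". Access was allowed because the rule wasn't configured to block.
2020-12-01 13:08:24.145Z|Activity|ApBl |mfeesp | 2168| 4660|BOPAP |XModuleEvents.cpp(844) | the first user ran C:\Program Files\Microsoft Office\Office15\WINWORD.EXE, which accessed the process wmiutils.dll, violating the rule "T1047 - Weaponized OLE object infection via WMI". Access was allowed because the rule wasn't configured to block.
2020-12-02 14:25:33.932Z|Activity|ApBl |mfeesp | 6168| 14164|BOPAP |XModuleEvents.cpp(844) | Second user ran C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, which accessed the process wmiutils.dll, violating the rule "T1047 - Weaponized OLE object infection via WMI". Access was allowed because the rule wasn't configured to block.
2020-12-02 14:25:33.934Z|Activity|ApBl |mfeesp | 6168| 4428|BOPAP |XModuleEvents.cpp(844) | The second user ran C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, which accessed the process WMIUTILS.DLL, violating the rule "T1047 - Weaponized OLE object infection via WMI". Access was allowed because the rule wasn't configured to block.
"""

# The OnAccessScan_Activity line from the thread: not an Exploit Prevention event,
# so the parser must skip it rather than mis-parse it.
OAS_LINE = "2020-12-01 10:00:45.460Z|Activity|oasbl |mfetp | 2512| 3064|OAS |oasbl.cpp(2594) | AMCore content version = 4273.0"

# Constructed line (NOT from the thread): assumes the product phrases a blocking
# hit as "Access was blocked ..."; only the word after "Access was" is parsed.
CONSTRUCTED_BLOCKED_LINE = r"""2020-12-03 09:00:00.000Z|Activity|ApBl |mfeesp | 4100| 4120|BOPAP |XModuleEvents.cpp(844) | example user ran C:\Program Files\Microsoft Office\Office15\WINWORD.EXE, which accessed the process wmiutils.dll, violating the rule "T1047 - Weaponized OLE object infection via WMI". Access was blocked because the rule was configured to block."""


@dataclass
class ExploitPreventionEvent:
    timestamp: str
    component: str   # e.g. "BOPAP" in the quoted lines
    process: str     # full path of the process that triggered the rule
    accessed: str    # module it accessed, normalised to lower case
    rule_id: str     # e.g. "T1047"
    rule_name: str   # e.g. "Weaponized OLE object infection via WMI"
    action: str      # "allowed" or "blocked"


# Message grammar inferred from the quoted lines; case-insensitive because the
# "first user ran" / "First User ran" prefix varies between entries.
MSG_RE = re.compile(
    r"ran (?P<process>.+?), which accessed the process (?P<accessed>\S+), "
    r'violating the rule "(?P<rule_id>[^"]+?) - (?P<rule_name>[^"]+)"\. '
    r"Access was (?P<action>\w+)",
    re.IGNORECASE,
)


def parse_line(line: str) -> Optional[ExploitPreventionEvent]:
    """Parse one pipe-delimited Activity line; return None for non-EP lines."""
    parts = [p.strip() for p in line.split("|", 8)]
    if len(parts) < 9 or parts[1] != "Activity":
        return None
    match = MSG_RE.search(parts[8])
    if not match:
        return None
    return ExploitPreventionEvent(
        timestamp=parts[0],
        component=parts[6],
        process=match["process"],
        accessed=match["accessed"].lower(),
        rule_id=match["rule_id"].upper(),
        rule_name=match["rule_name"],
        action=match["action"].lower(),
    )


def parse_events(log_text: str) -> List[ExploitPreventionEvent]:
    """Parse every line, silently dropping lines that are not EP events."""
    return [e for e in (parse_line(l) for l in log_text.splitlines()) if e]


def audit_only_rules(events: List[ExploitPreventionEvent]) -> List[str]:
    """Rule IDs that fired but never blocked: candidates for the 'report only' review in this thread."""
    blocked = {e.rule_id for e in events if e.action == "blocked"}
    fired = {e.rule_id for e in events}
    return sorted(fired - blocked)


def summarize(log_text: str) -> dict:
    """Counts per (rule, action) plus the distinct triggering process paths."""
    events = parse_events(log_text)
    return {
        "events": len(events),
        "by_rule_action": dict(Counter((e.rule_id, e.action) for e in events)),
        "processes": sorted({e.process for e in events}),
        "audit_only_rules": audit_only_rules(events),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the thread's lines this reports five T1047 hits, all "allowed", from two distinct WINWORD.EXE paths (Office15 and the Click-to-Run Office16 install), which is exactly the signal the support reply below relies on: the rule is firing in report-only mode rather than blocking. Feeding it a line where access was blocked removes T1047 from the audit-only list.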
Thanks for providing us with details.
I understand the issue is happening with Exploit Prevention and not On-Access Scan.
This rule is marked medium and is not blocked by default.
Hence you see this report.
Please refer to the screenshot attached.
You can decide on your environment if this needs to be blocked or allowed.
This does not look like a false positive, but you can block it by following the screenshot.
Kindly let me know if I have answered your query.
If yes, kindly mark it as the solution so that together we can help other community members.
If no, please post your queries and we can assist you again.
Hello,
There was no screenshot provided for me to follow. I would like to block this for my environment.
Unfortunately, it looks like the screenshot is not coming through. I am not too sure exactly why.
However, you can go to the Exploit prevention policies and search for this rule.
You can set it to block and report accordingly and send a wake-up call to the agent.
Was my reply helpful?
If yes, please give me a Kudo. If this resolves your issue, then kindly mark this as the solution so that together we can help other community members.
Kindly find the attached screenshot now.
I believe this gives you more input on blocking this rule.
Hello,
I found the subject alert on 4 different user laptops. I am wondering whether, during the last 6 months, McAfee has found any more info about this alert, or whether it still marks it as medium risk and recommends blocking it?
Thanks for your help
Curious after two years was there any answer on this?
I am not a security expert and would like guidance on how to handle these without crippling operations.