Imperator
-
Posts
17 -
Joined
-
Last visited
Recent Profile Visitors
2,454 profile views
-
I heard back from Malwarebytes Support. The Malwarebytes engineering team is aware of this issue and are working on "deprecating the TLS 1.0 dependencies" of the product that are causing these event errors to be logged. They emphasize that TLS 1.0/1.1 is not needed for the product to "work as intended". There's no ETA on when this will be completed. However, I'm confident they will be ultimately successful in resolving this issue.
-
Good idea and I have done so. I will post any relevant info here once I hear back from support.
-
We're experiencing this issue as well. Through process of elimination and many different configuration scenarios, I determined the Malwarebytes agent is attempting a TLS 1.0 connection to one of your backend servers. When Schannel client support for TLS 1.0 is disabled and the MBAM agent is installed (and all other software/services are stopped or disabled) the event log is flooded with the Schannel error the OP indicated. The errors are generated every 30 seconds, like clockwork. After enabling TLS 1.0 these errors cease entirely. The specific error appears in the "System" log: Schannel, Event 36871 A fatal error occurred while creating a TLS client credential. The internal error state is 10013. This issue occurs across all of our Windows 10 systems - v1809 LTSC through v21H1 (2009). Each system is properly configured for TLS 1.2 in regards to Schannel and .NET (v2.x & v4.x) following Microsoft's published guides and aided by IISCrypto by Nartac. I'm ready to provide whatever further information you require to find a resolution to this issue - that doesn't involve enabling TLS 1.0 for the Schannel client or disabling Schannel logging or ignoring the log.
-
That seems to have worked. No block occurs with either gsyncit version when running v1.10 of AE. Thanks for the help. -
When I open Outlook 2013 with the gsyncit add-in enabled an AE block occurs. Running Outlook in safe mode or disabling the add-in produces no block. This occurs on the version of gsyncit that I had installed (v.4.2.292) and the latest (v.5.0.72). Logs attached. Win10 Pro x64, fully updated as of 9/18 PS - Not sure if this is related but it appears to be: mbae-userdata.zip
-
Exclude specific PUM object type: NoSMHelp
Imperator replied to Imperator's topic in Malwarebytes Anti-Malware for Business
As an update, this is working as intended; no issues to report. Thanks again! -
Exclude specific PUM object type: NoSMHelp
Imperator replied to Imperator's topic in Malwarebytes Anti-Malware for Business
Hello Rsullinger, Thank you for taking the time to address my question. We are running MBMC version 1.6.0.2816. I will upgrade to 1.6.1 as you suggested and will report back my findings. -
Is it possible to exclude the PUM object type 'NoSMHelp' from being flagged and removed? Our current policies have the scanner action for PUMs set to 'Show in results and check for removal'. I of course understand that changing the action to 'Show in results list and do not check for removal' or 'Do not show in results list' will exclude it, but this is undesired as we do want PUMs to be logged and flagged for removal; just not 'PUM.Optional.NoSMHelp'. I also understand that we could find the object in the threat list and right-click the object and select 'exclude this object' or manually add it to the ignore list. However, the object itself is going to be for the specific user account, with a unique SID, under which the scanner detected the setting. With this scenario, the exclusion would only apply to that specific user account on that specific machine. The exclusion would not apply to other machines or accounts as the SID in the registry entry would be different for every user on every machine. This is simply unsustainable over time. Even though I am fairly certain this wouldn't work... could editing the ignore list entry to replace the SID with an asterisk work? e.g. HKEY_USERS\*\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER|NoSMHelp Or would simply adding 'PUM.Optional.NoSMHelp' to the ignore list accomplish it? Any assistance will be greatly appreciated.
-
After upgrading to 1.07 and changing the profile to 'browser' there are no longer any issues with opening/using spotify. Thank you very much for your assistance, it is much appreciated!
-
Hi pbust, I've sent you a PM with an archive of the mbae data directory. As for the profile, I had set it to use the 'mediaplayer' profile. When looking through the profile list I only see a profile for 'browser' and not 'ChromeBrowser'... I assume that profile doesn't exist in the 1.05 version of MBAE (which is what I am currently running). I will upgrade to the newer 1.07 release of MBAE and recreate the custom shield with the profile you indicated. After which I will provide an update on the situation.
-
As the title states, MBAE for Business is detecting and blocking exploit code in Spotify. I just installed MBAE on the test system so this is the first run of the program. I have the latest version of both MBAE and Spotify. I've had no issues with Spotify in the past and MBAM and Symantec Endpoint Protection have not found anything malicious on the system or with Spotify. Would this be a false positive? I'd rather not make an exception for Spotify so it can be protected in the event of a real threat. Furthermore, Spotify is installed on many machines in the company so it could prove to be a likely vector for exploitation. I've attached the alert log for the event. Note: I did remove the username information. archived-1892-mbae-alert.log
-
What a shame. Here is my +1 vote in favor of this feature to be added in a future release. All I can do I guess. Thank you for the clarification!
-
Hello, I am wondering if there is a way to adjust the duration of inactivity before the logged in user's session expires. I have not been able to find this in the documentation or on the forums. Any help will be appreciated.
-
Registration failed: WSE910
Imperator replied to Imperator's topic in Malwarebytes Anti-Malware for Business
Hello Lazz, Your first inclination was "right on the money". The client clock was 6 minutes fast, as compared to the server. When I read that last snippet of the log the time issue didn't stand out to me but once you brought it up, it was a "duh" moment for me. I synced the client clock to match the server and presto! No error message & the client appears in the console now. I can certainly still send you the sccomm.log file if wish, but the I believe the issue has been resolved. Thank you very much for the quick response/resolution! -
Hello, I am trying to remotely deploy the client to a machine (through the management console) but I receive the follow message after the deployment "completes": I am deploying the client to a W7 Pro, fully updated, fresh install, no odd configurations, etc. I re-imaged the PC a 2nd time, but I still get this error. I have tried a local manual install, using an msi package created by the management console. but I still end up with the same error. I imaged a different workstation (same base image) before attempting this deployment and that first deployment had no issues. So the client appears to be installed but it fails to register with the server and doesn't show up in the console. I'm not sure what log file would be needed to help resolve this issue, but point me in the right direction and I can get it. Here is another snippet from the mee-log.txt file that may be relevant:
