Everything posted by Imperator

  1. I heard back from Malwarebytes Support. The Malwarebytes engineering team is aware of this issue and is working on "deprecating the TLS 1.0 dependencies" of the product that are causing these event errors to be logged. They emphasize that TLS 1.0/1.1 is not needed for the product to "work as intended". There's no ETA on when this will be completed. However, I'm confident they will ultimately be successful in resolving this issue.
  2. Good idea and I have done so. I will post any relevant info here once I hear back from support.
  3. We're experiencing this issue as well. Through process of elimination and many different configuration scenarios, I determined the Malwarebytes agent is attempting a TLS 1.0 connection to one of your backend servers. When Schannel client support for TLS 1.0 is disabled and the MBAM agent is installed (and all other software/services are stopped or disabled) the event log is flooded with the Schannel error the OP indicated. The errors are generated every 30 seconds, like clockwork. After enabling TLS 1.0 these errors cease entirely. The specific error appears in the "System" log: Schannel, Event 36871 A fatal error occurred while creating a TLS client credential. The internal error state is 10013. This issue occurs across all of our Windows 10 systems - v1809 LTSC through v21H1 (2009). Each system is properly configured for TLS 1.2 in regards to Schannel and .NET (v2.x & v4.x) following Microsoft's published guides and aided by IISCrypto by Nartac. I'm ready to provide whatever further information you require to find a resolution to this issue - that doesn't involve enabling TLS 1.0 for the Schannel client or disabling Schannel logging or ignoring the log.
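The diagnosis in the post above (Schannel Event 36871 with internal error state 10013, repeating roughly every 30 seconds whenever TLS 1.0 client support is disabled) can be reproduced on another machine before enabling a legacy protocol or escalating to the vendor. The following PowerShell script is an added example, not code from the forum post or from Malwarebytes; it reads the Schannel TLS 1.0 client registry values, pulls the matching events from the System log, measures the cadence between them, and lists which processes currently hold outbound HTTPS connections. The 24-hour lookback, the 10013 filter and the port-443 filter are assumptions of the example, and the script needs Windows PowerShell 5.1 or later with the NetTCPIP module (Windows 8 / Server 2012 and newer).

```powershell
# Added example, not from the original post. Correlates Schannel 36871 / 10013 events
# with the TLS 1.0 client setting and shows which processes have HTTPS connections open.

# 1. Schannel client-side TLS 1.0 configuration (same keys the Microsoft guides document)
$clientKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client'
$tls10 = Get-ItemProperty -Path $clientKey -ErrorAction SilentlyContinue
$enabled = if ($null -ne $tls10 -and $null -ne $tls10.Enabled) { $tls10.Enabled } else { 'not set (OS default)' }
$disabledByDefault = if ($null -ne $tls10 -and $null -ne $tls10.DisabledByDefault) { $tls10.DisabledByDefault } else { 'not set (OS default)' }
Write-Host "TLS 1.0 client: Enabled=$enabled  DisabledByDefault=$disabledByDefault"

# 2. Schannel Event 36871 from the System log; 24-hour window is an assumption of this example
$filter = @{ LogName = 'System'; ProviderName = 'Schannel'; Id = 36871; StartTime = (Get-Date).AddHours(-24) }
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
if ($events.Count -eq 0) {
    Write-Host 'No Schannel Event 36871 in the last 24 hours.'
    return
}

# Keep only the internal error state the post describes (10013 = client credential creation failed)
$hits = @($events | Where-Object { $_.Message -match 'internal error state is 10013' } | Sort-Object TimeCreated)
Write-Host ("{0} of {1} events carry error state 10013" -f $hits.Count, $events.Count)
if ($hits.Count -eq 0) { return }
Write-Host ("First: {0}   Last: {1}" -f $hits[0].TimeCreated, $hits[-1].TimeCreated)

# 3. Cadence between consecutive events; a steady ~30 s median matches the pattern in the post
if ($hits.Count -gt 1) {
    $gaps = for ($i = 1; $i -lt $hits.Count; $i++) {
        ($hits[$i].TimeCreated - $hits[$i - 1].TimeCreated).TotalSeconds
    }
    $sorted = @($gaps | Sort-Object)
    $median = $sorted[[int][math]::Floor($sorted.Count / 2)]
    Write-Host ("Median interval between 10013 events: {0:N1} s" -f $median)
}

# 4. Event 36871 does not name the calling process, so list processes with established
#    outbound HTTPS connections right now to narrow down the candidate client.
#    Restricting to remote port 443 is an assumption of this example.
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $_.RemotePort -eq 443 } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Process       = if ($proc) { $proc.ProcessName } else { "pid $($_.OwningProcess)" }
            RemoteAddress = $_.RemoteAddress
            RemotePort    = $_.RemotePort
        }
    } | Sort-Object Process -Unique | Format-Table -AutoSize
```

Run the script in an elevated session once with TLS 1.0 client disabled and once with it enabled; if the 10013 events appear only in the first run and the median interval is close to 30 seconds, the host shows the same behaviour the post describes and the process list narrows down which client is still negotiating TLS 1.0.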
  4. That seems to have worked. No block occurs with either gsyncit version when running v1.10 of AE. Thanks for the help.
  5. When I open Outlook 2013 with the gsyncit add-in enabled an AE block occurs. Running Outlook in safe mode or disabling the add-in produces no block. This occurs on the version of gsyncit that I had installed (v.4.2.292) and the latest (v.5.0.72). Logs attached. Win10 Pro x64, fully updated as of 9/18. PS - Not sure if this is related but it appears to be: mbae-userdata.zip
  6. Hello Rsullinger, Thank you for taking the time to address my question. We are running MBMC version I will upgrade to 1.6.1 as you suggested and will report back my findings.
  7. Is it possible to exclude the PUM object type 'NoSMHelp' from being flagged and removed? Our current policies have the scanner action for PUMs set to 'Show in results and check for removal'. I of course understand that changing the action to 'Show in results list and do not check for removal' or 'Do not show in results list' will exclude it, but this is undesired as we do want PUMs to be logged and flagged for removal; just not 'PUM.Optional.NoSMHelp'. I also understand that we could find the object in the threat list and right-click the object and select 'exclude this object' or manually add it to the ignore list. However, the object itself is going to be for the specific user account, with a unique SID, under which the scanner detected the setting. With this scenario, the exclusion would only apply to that specific user account on that specific machine. The exclusion would not apply to other machines or accounts as the SID in the registry entry would be different for every user on every machine. This is simply unsustainable over time. Even though I am fairly certain this wouldn't work... could editing the ignore list entry to replace the SID with an asterisk work? e.g. HKEY_USERS\*\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER|NoSMHelp Or would simply adding 'PUM.Optional.NoSMHelp' to the ignore list accomplish it? Any assistance will be greatly appreciated.
  8. After upgrading to 1.07 and changing the profile to 'browser' there are no longer any issues with opening/using spotify. Thank you very much for your assistance, it is much appreciated!
  9. Hi pbust, I've sent you a PM with an archive of the mbae data directory. As for the profile, I had set it to use the 'mediaplayer' profile. When looking through the profile list I only see a profile for 'browser' and not 'ChromeBrowser'... I assume that profile doesn't exist in the 1.05 version of MBAE (which is what I am currently running). I will upgrade to the newer 1.07 release of MBAE and recreate the custom shield with the profile you indicated. After which I will provide an update on the situation.
  10. As the title states, MBAE for Business is detecting and blocking exploit code in Spotify. I just installed MBAE on the test system so this is the first run of the program. I have the latest version of both MBAE and Spotify. I've had no issues with Spotify in the past and MBAM and Symantec Endpoint Protection have not found anything malicious on the system or with Spotify. Would this be a false positive? I'd rather not make an exception for Spotify so it can be protected in the event of a real threat. Furthermore, Spotify is installed on many machines in the company so it could prove to be a likely vector for exploitation. I've attached the alert log for the event. Note: I did remove the username information. archived-1892-mbae-alert.log
  11. What a shame. Here is my +1 vote in favor of this feature to be added in a future release. All I can do I guess. Thank you for the clarification!
  12. Hello, I am wondering if there is a way to adjust the duration of inactivity before the logged in user's session expires. I have not been able to find this in the documentation or on the forums. Any help will be appreciated.
  13. Hello Lazz, Your first inclination was "right on the money". The client clock was 6 minutes fast, as compared to the server. When I read that last snippet of the log the time issue didn't stand out to me, but once you brought it up, it was a "duh" moment for me. I synced the client clock to match the server and presto! No error message & the client appears in the console now. I can certainly still send you the sccomm.log file if you wish, but I believe the issue has been resolved. Thank you very much for the quick response/resolution!
  14. Hello, I am trying to remotely deploy the client to a machine (through the management console) but I receive the following message after the deployment "completes": I am deploying the client to a W7 Pro, fully updated, fresh install, no odd configurations, etc. I re-imaged the PC a 2nd time, but I still get this error. I have tried a local manual install, using an msi package created by the management console, but I still end up with the same error. I imaged a different workstation (same base image) before attempting this deployment and that first deployment had no issues. So the client appears to be installed but it fails to register with the server and doesn't show up in the console. I'm not sure what log file would be needed to help resolve this issue, but point me in the right direction and I can get it. Here is another snippet from the mee-log.txt file that may be relevant:
  15. Hello! A colleague of mine uses a toolbar in Firefox called SEO Toolbar by SEOmoz which when enabled is producing IP block messages from Malwarebytes for the IP: independent of the actual web page he is on. When the toolbar is disabled, no block messages are produced. I believe this is a false positive as I am under the impression this IP is an "authorization" server for the toolbar or something along those lines. Any help would be appreciated. Thank you! protection-log-2012-10-10.zip
  16. Imperator: I too have begun to receive warnings from Malwarebytes for PuTTY 0.62 beta across our network. A fresh copy of PuTTY still gets flagged. Every time the alert is warning that PuTTY.exe is infected with Trojan.Swrort. Malwarebytes Anti-Malware (PRO), Malwarebytes Anti-Malware (Corporate). Database version: v2012.05.01.05. Windows 7 SP1 x64 & x32.