Posts posted by Imperator

  1. I heard back from Malwarebytes Support. The Malwarebytes engineering team is aware of this issue and are working on "deprecating the TLS 1.0 dependencies" of the product that are causing these event errors to be logged. They emphasize that TLS 1.0/1.1 is not needed for the product to "work as intended".

    There's no ETA on when this will be completed. However, I'm confident they will be ultimately successful in resolving this issue.

  2. We're experiencing this issue as well. Through process of elimination and many different configuration scenarios, I determined the Malwarebytes agent is attempting a TLS 1.0 connection to one of your backend servers. When Schannel client support for TLS 1.0 is disabled and the MBAM agent is installed (and all other software/services are stopped or disabled) the event log is flooded with the Schannel error the OP indicated. The errors are generated every 30 seconds, like clockwork. After enabling TLS 1.0 these errors cease entirely.

    The specific error appears in the "System" log:

    Schannel, Event 36871
    A fatal error occurred while creating a TLS client credential. The internal error state is 10013.

    This issue occurs across all of our Windows 10 systems - v1809 LTSC through v21H1 (2009). Each system is properly configured for TLS 1.2 in regards to Schannel and .NET (v2.x & v4.x) following Microsoft's published guides and aided by IISCrypto by Nartac.

    I'm ready to provide whatever further information you require to find a resolution to this issue - that doesn't involve enabling TLS 1.0 for the Schannel client or disabling Schannel logging or ignoring the log.
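An added diagnostic (not part of the post above) that ties the two observations together on one host: it reads the Schannel TLS 1.0 client policy from the registry and measures the cadence of Event 36871 entries carrying internal error state 10013, so a steady interval (the post reports about 30 seconds) can be confirmed from the log rather than by eye. It assumes an elevated PowerShell session on the affected Windows 10 machine.

```powershell
# Added example, not from the original post: correlate Schannel 36871 events
# with the TLS 1.0 client setting. Assumes an elevated session on the affected host.

$tls10Client = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client'

# Read the Schannel client policy for TLS 1.0; absent values mean the OS default applies.
$props = Get-ItemProperty -Path $tls10Client -ErrorAction SilentlyContinue
$enabled = if ($null -ne $props.Enabled) { $props.Enabled } else { 'not set' }
$disabledByDefault = if ($null -ne $props.DisabledByDefault) { $props.DisabledByDefault } else { 'not set' }
"TLS 1.0 client policy: Enabled=$enabled  DisabledByDefault=$disabledByDefault"

# Pull recent Schannel 36871 events from the System log, oldest first.
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Schannel'
    Id           = 36871
} -MaxEvents 200 -ErrorAction SilentlyContinue | Sort-Object TimeCreated

if (-not $events) { 'No Schannel 36871 events found.'; return }

# Keep only the "internal error state is 10013" variant quoted in the post.
$state10013 = @($events | Where-Object { $_.Message -match 'internal error state is 10013' })
if ($state10013.Count -eq 0) { 'Event 36871 present, but none with state 10013.'; return }

# Gap between consecutive events; a near-constant interval points at a polling client.
$gaps = for ($i = 1; $i -lt $state10013.Count; $i++) {
    ($state10013[$i].TimeCreated - $state10013[$i - 1].TimeCreated).TotalSeconds
}
$avg = if ($gaps) { [math]::Round(($gaps | Measure-Object -Average).Average, 1) } else { 'n/a' }

"{0} events with state 10013; first {1}, last {2}, average interval {3} s" -f `
    $state10013.Count, $state10013[0].TimeCreated, $state10013[-1].TimeCreated, $avg
```

Run it once with the TLS 1.0 client disabled and once with it re-enabled; the event count and interval should change exactly as the post describes if the same client is responsible.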

  3. Is it possible to exclude the PUM object type 'NoSMHelp' from being flagged and removed?

     

    Our current policies have the scanner action for PUMs set to 'Show in results and check for removal'. I of course understand that changing the action to 'Show in results list and do not check for removal' or 'Do not show in results list' will exclude it, but this is undesired as we do want PUMs to be logged and flagged for removal; just not 'PUM.Optional.NoSMHelp'.

     

    I also understand that we could find the object in the threat list and right-click the object and select 'exclude this object' or manually add it to the ignore list. However, the object itself is going to be for the specific user account, with a unique SID, under which the scanner detected the setting. With this scenario, the exclusion would only apply to that specific user account on that specific machine. The exclusion would not apply to other machines or accounts as the SID in the registry entry would be different for every user on every machine. This is simply unsustainable over time.

     

    Even though I am fairly certain this wouldn't work... could editing the ignore list entry to replace the SID with an asterisk work? e.g.

    HKEY_USERS\*\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER|NoSMHelp

    Or would simply adding 'PUM.Optional.NoSMHelp' to the ignore list accomplish it?

     

    Any assistance will be greatly appreciated.
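An added audit script (not from the post above, and not a Malwarebytes feature) that illustrates why a per-SID exclusion does not scale: it walks every user hive loaded under HKEY_USERS, reports the Explorer policy value behind PUM.Optional.NoSMHelp for each account, and prints the ignore-list style entry each user would need. It assumes an elevated session; hives of users who are not logged on are not loaded and so are not listed.

```powershell
# Added example, not from the original post: audit the NoSMHelp Explorer policy value
# across all user hives currently loaded under HKEY_USERS. Assumes an elevated session.

$subKey = 'SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER'

# Resolve a SID string to an account name so the per-user rows are readable.
function Resolve-Sid([string]$sid) {
    try {
        $id = New-Object System.Security.Principal.SecurityIdentifier($sid)
        $id.Translate([System.Security.Principal.NTAccount]).Value
    }
    catch { '(unresolved)' }   # .DEFAULT, orphaned SIDs, or no domain reachable
}

$results = foreach ($hive in Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue) {
    $sid = $hive.PSChildName

    # *_Classes hives hold per-user COM registrations, not policy; skip them.
    if ($sid -like '*_Classes') { continue }

    $path  = "Registry::HKEY_USERS\$sid\$subKey"
    $value = (Get-ItemProperty -Path $path -Name NoSMHelp -ErrorAction SilentlyContinue).NoSMHelp
    $shown = if ($null -eq $value) { 'not set' } else { $value }

    [pscustomobject]@{
        SID         = $sid
        Account     = Resolve-Sid $sid
        NoSMHelp    = $shown
        # The exclusion entry from the post, with this user's real SID in place of '*'.
        IgnoreEntry = "HKEY_USERS\$sid\$subKey|NoSMHelp"
    }
}

$results | Format-Table -AutoSize
```

Each row's IgnoreEntry differs only by SID, which is the maintenance burden the post describes; the output also shows whether the value is actually set for accounts the scanner has not yet flagged.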

  4. Hi pbust,

     

    I've sent you a PM with an archive of the mbae data directory. As for the profile, I had set it to use the 'mediaplayer' profile.

     

    When looking through the profile list I only see a profile for 'browser' and not 'ChromeBrowser'... I assume that profile doesn't exist in the 1.05 version of MBAE (which is what I am currently running). I will upgrade to the newer 1.07 release of MBAE and recreate the custom shield with the profile you indicated. After which I will provide an update on the situation.

  5. As the title states, MBAE for Business is detecting and blocking exploit code in Spotify. I just installed MBAE on the test system so this is the first run of the program. I have the latest version of both MBAE and Spotify. I've had no issues with Spotify in the past and MBAM and Symantec Endpoint Protection have not found anything malicious on the system or with Spotify.

     

    Would this be a false positive? I'd rather not make an exception for Spotify so it can be protected in the event of a real threat. Furthermore, Spotify is installed on many machines in the company so it could prove to be a likely vector for exploitation.

     

    I've attached the alert log for the event. Note: I did remove the username information.

    archived-1892-mbae-alert.log

  6. Hello Lazz,

     

    Your first inclination was "right on the money". The client clock was 6 minutes fast, as compared to the server. When I read that last snippet of the log the time issue didn't stand out to me but once you brought it up, it was a "duh" moment for me.

     

    I synced the client clock to match the server and presto! No error message & the client appears in the console now. I can certainly still send you the sccomm.log file if you wish, but I believe the issue has been resolved.

     

    Thank you very much for the quick response/resolution!

  7. Hello,

     

    I am trying to remotely deploy the client to a machine (through the management console) but I receive the following message after the deployment "completes":

     

     

    Computer Name: pc-name
    Domain/Workgroup: workgroup
    IP Address: ipaddress
    Execution Result: Installed successfully, but registration failed. WSE910: An error happened during the processing of a response message, and you can find the error in the inner exception. You can also find the response message in the Response property.
    Client Version: 1.75.0.1300
    Last Detection Time: 6/3/2014 12:08:31 PM

     

    I am deploying the client to a W7 Pro, fully updated, fresh install, no odd configurations, etc. I re-imaged the PC a 2nd time, but I still get this error. I have tried a local manual install, using an msi package created by the management console, but I still end up with the same error. I imaged a different workstation (same base image) before attempting this deployment and that first deployment had no issues. So the client appears to be installed but it fails to register with the server and doesn't show up in the console.

     

    I'm not sure what log file would be needed to help resolve this issue, but point me in the right direction and I can get it.

     

    Here is another snippet from the mee-log.txt file that may be relevant:

     

     

    2014-06-28 12:19:06.780: ****ERROR*****: Failed to register client.

    2014-06-28 12:19:06.795: ****ERROR*****: Microsoft.Web.Services3.ResponseProcessingException: WSE910: An error happened during the processing of a response message, and you can find the error in the inner exception.  You can also find the response message in the Response property. ---> Microsoft.Web.Services3.Security.SecurityFault: Message Expired ---> System.Exception: WSE066: Timestamp is expired. This indicates a stale message but may also be caused by lack of synchronization between sender and receiver clocks. Make sure the clocks are synchronized or use the timeToleranceInSeconds element in the microsoft.web.services3 configuration section to adjust tolerance for lack of clock synchronization. 
       --- End of inner exception stack trace ---
       at Microsoft.Web.Services3.Security.Utility.Timestamp.CheckValid()
       at Microsoft.Web.Services3.Security.Utility.Timestamp.LoadXml(XmlElement element)
       at Microsoft.Web.Services3.Security.Utility.Timestamp..ctor(XmlElement element)
       at Microsoft.Web.Services3.Security.Security.LoadXml(XmlElement element)
       at Microsoft.Web.Services3.Security.SecurityInputFilter.ProcessMessage(SoapEnvelope envelope)
       at Microsoft.Web.Services3.Security.Wse2PipelinePolicy.LegacyFilterWrapper.ProcessMessage(SoapEnvelope envelope)
       at Microsoft.Web.Services3.Pipeline.ProcessInputMessage(SoapEnvelope envelope)
       at Microsoft.Web.Services3.Xml.SoapEnvelopeReaderWrapper..ctor(SoapClientMessage message, String messageContentType)
       --- End of inner exception stack trace ---
       at Microsoft.Web.Services3.Xml.SoapEnvelopeReaderWrapper..ctor(SoapClientMessage message, String messageContentType)
       at Microsoft.Web.Services3.WebServicesClientProtocol.GetReaderForMessage(SoapClientMessage message, Int32 bufferSize)
       at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
       at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
       at SC.Client.SCComm.SCClientService.RegisterClientEx(ClientInfo clientInfo, Nullable`1 recommendedPolicyID, String ouFullPath)
       at SC.Client.SCComm.ClientCommunicator.RegisterClient(ClientInfo clientInfo, Nullable`1 recommendedPolicyID, String ouFullPath, Boolean useIEProxy)
       at SC.Client.SCComm.ClientCommService.RegisterClient(Guid& clientID)

     

  8. Hello! A colleague of mine uses a toolbar in Firefox called SEO Toolbar by SEOmoz which when enabled is producing IP block messages from Malwarebytes for the IP: 199.15.234.7 independent of the actual web page he is on. When the toolbar is disabled, no block messages are produced. I believe this is a false positive as I am under the impression this IP is an "authorization" server for the toolbar or something along those lines.

    Any help would be appreciated.

    Thank you!

    protection-log-2012-10-10.zip

  9. I too have begun to receive warnings from Malwarebytes for PuTTY 0.62 beta across our network. A fresh copy of PuTTY still gets flagged. Every time the alert is warning that PuTTY.exe is infected with Trojan.Swrort.

    Malwarebytes Anti-Malware (PRO) 1.61.0.1400

    Malwarebytes Anti-Malware (Corporate) 1.61.0.1400

    Database version: v2012.05.01.05

    Windows 7 SP1 x64 & x32
