pbust

March 5, 2018

Thanks Noctsol.

Unfortunately there is no way to exclude individual scripts like these. Allowing Excel or Excel macros to execute a scripting program is a very large security hole which is currently abused by malware writers as an infection vector. The only other way is to create a new Policy with the anti-exploit shield disabled for Excel, and add only the machines that need to execute this script to that particular Policy.

March 2, 2018

Re: MBAM and Defender, they are 100% compatible. We are using the interfaces available only to AV to manage the registrations and status updates of MBAM in the Windows Security Center. Only Microsoft approved antivirus providers can do this. The difference is that by default we install side-by-side with Defender (even though this behavior can be changed under Settings) as we've always believed that a layered approach is always preferable to relying on a single product.

Re: testing methodologies, we've also always been up front about our disagreement with third party testing vendors (and AMTSO). We disagree with the fact they don't test vector blocking defenses (i.e. not full product), we disagree with their selection of samples (most of the times older than 1 month, no real focus on 0-day effectiveness), we disagree with the "pay to see misses" business model, and we disagree with the use of simulators which do not behave like real malware does nor does it simulate the infection vector. These are typical practices found in most if not all of the 3rd party testing companies, where each testing company incorporates at least two of the above practices. AMTSO, since its inception, hasn't been able to influence any significant change in AV testing in its entire lifespan. AMTSO doesn't have teeth and has failed on its original mission of improving and evolving AV testing.

None of the above should be news to anybody. We've been pretty open and upfront about our views all along. We don't expect everybody to agree with us, but this has been the position since the beginning of Malwarebytes and, even though we will be participating shortly in 3rd party testing, our views about their business model still remain the same.

In summary, if you're a troll, move on and stop spreading FUD. You're not welcomed here. To everybody else, if you have questions or concerns about how Malwarebytes replaces and improves your AV, or our views on AV testing, we have been and remain open to having an honest and transparent conversation. Feel free to PM me and I will gladly try to answer any and all concerns you might have about our technologies or our views on testing.

March 1, 2018

18 minutes ago, TempLost said:

For myself, I'd be disappointed if Malwarebytes felt they had to go down that route - it would be a retrograde step.

Thank you, I feel the same way. We're being extra careful of not just adding blot to meet the test demands. In most cases, the samples tested by 3rd party labs are samples which have long been dead. We'll play the game, but without adding unnecessary bloat.

March 1, 2018

Ahh, sorry, I thought you were also called Sveta (I've spoken to Sveta @ MRG few times before).

March 1, 2018

Hi Sveta,

as we've said many times, we don't agree with most testing methodologies out there as they consistently don't test any of the vector blocking capabilities of security products. MB3 relies heavily on vector blocking for early detecting and blocking of modern threats. Yet most labs, including MRG, grab the last stage payload and funk around with it and just test it against the on-access and post-execution protection layers, completely bypassing the vector blocking capabilities which could have stopped the threat in the real world. Malware spreads using certain techniques which are blocked by MB3, and neither MRG nor any of the other labs replicate those real-world environments, and ergo do not test the full product, only portions thereof.

We will be participating in more lab tests shortly and biting the bullet of adding unnecessary bloat to the product to entertain these unrealistic tests and test fanboys, but that doesn't mean that we agree with them. Their testing methodologies are all ~10 years old.

March 1, 2018

Just send everything within C:\ProgramData\Malwarebytes\MBAMService\Logs\

(path may vary depending on the product version)

February 25, 2018

Hi. Please attach your endpoint detection logs. There are two advanced settings that can be tweaked to allow these type of actions. But we'll need the logs to figure out which one it is.

January 29, 2018

Glad to hear about the offline updater fixing it.

As for deleting *.ref(s), the machine will need a reboot to recover after that. Simply deleting it won't solve the problem in most cases.

January 29, 2018

29 minutes ago, TheMSBob said:

I had to modify the mbes-fixer.bat for corporate use to use C$ and not C% in the line, "net use Z: "\\%%a\C$" /user:"%%a\%LOCALADMIN%" "%PASSWORD%""

Good catch, I fixed it already.

Are you seeing the script delete the *.ref file successfully or is it failing in that step?

January 29, 2018

17 minutes ago, AJaxStudy said:

I've opened a ticket - but is there anyway of removing all the threats identified and logged within the MalwareBytes Management Console?

In the documentation you can find this. http://downloads.malwarebytes.com/file/mbes_for_business

Go to \Managed\Documentation\Managing MWB in Large Networks Best Practices.pdf

Read Section 5

January 29, 2018

Updated guidance, tools, and processes have been posted in the following post:

Please refer to the new guidance for any and all situations where the previous guidance was failing.

Thanks and again, sorry for all the troubles this is causing people. We are deeply sorry and continue to work throughout the weekend and night to make things right. If you are still affected, please feel free to reach out to me directly at pbustamante@malwarebytes.com.

Posted January 29, 2018 · January 29, 2018

In the early morning of Saturday, January 27, 2018, a faulty Web Protection update was released which caused a connection issue for many of our customers. As a side effect of the web protection blocks, the product also spiked memory usage and possibly caused a crash. We triaged the issue quickly and pushed a protection update on Saturday, January 27, 2018 at 10:48a PST.

The affected products were Malwarebytes 3 Premium, Malwarebytes Management Console (MBMC), and Malwarebytes Endpoint Protection (aka Malwarebytes Cloud Console). Malwarebytes for Mac, Android, AdwCleaner, Incident Response and Breach Remediation were not and are not affected. For a complete description and root cause analysis please click here.

Please note endpoints were not affected if they were turned off before Saturday, Jan 27, 2018 and then were not turned back on until after Saturday, Jan 27, 2018 at 11am PST. For affected endpoints, this thread is intended as recovery guidance.

Guidance below applies to corporate customers using the on-premise Malwarebytes Management Console (MBMC) as well as corporate customers using the cloud-based Malwarebytes Endpoint Protection (aka Malwarebytes Cloud Console). If you're a home user and/or Malwarebytes 3 Premium user, click here for details on how to recover your systems.

For corporate customers running the on-premise Malwarebytes Management Console (MBMC)

In the Malwarebytes Management Console, edit the Policy and disable real-time protection
Once real-time is protection is disabled and your clients can communicate, highlight the endpoints on the Client tab and click the Update Database button at the top. This should fix it for most endpoints.
If any endpoints fail to get the update, you will have to force an update. This can be done locally on the endpoint or remotely over the network.
- Locally on the endpoint (logged in to the machine). You can point your endpoint users to do this themselves:
  1. Download and execute MBAM Rules Offline Updater
  2. Reboot the computer
- Remotely over the network
  1. Make sure your machine is on a non-blocked IP (i.e. 10.x.x.x or 192.x.x.x). Blocked IP ranges are from 128.x.x.x to 191.x.x.x.
    *NOTE* It is recommended to not use your MBMC server for this task
  2. Download the following script and extract it to a folder on your computer
  3. Create a file named hostnames.txt in the same folder, adding one IP per line for each of your endpoint IPs. You can export a list of IPs with the faulty update from the Management Console (sort by update version, select affected ones, copy, and paste into notepad).
  4. If your internal DNS is not on a blocked IP range, you can feed hostnames.txt with hostnames instead of IPs
  5. Edit the script and type in the *LOCAL* admin username and password for endpoints (i.e. NOT the domain admin) in the first 2 lines
  6. Run the batch file, which will delete the faulty database file and schedule a reboot in 30 seconds
Once all the machines are updated, turn on real-time protection in the Management Console Policy settings.
If the Management Server SQL database grows heavily and takes up too much space, feel free to truncate the contents of the TBL_ClientSecurityLog and TBL_ClientSystemLog SQL tables. Detailed instructions can be found in this document. IMPORTANT: this will remove ALL detection history and is irreversible.

For corporate customers running the cloud-based Malwarebytes Endpoint Protection (aka Malwarebytes Cloud Console)

In the Malwarebytes Cloud Console, go to Settings -> Policy and disable Web Protection and Self-Protection (if enabled). Do this for all the Policies
On the Endpoints section, choose "select all" and choose "Check for Protection Updates" from the Actions button. This should fix it for most endpoints.
If any endpoints fail to get the protection updates, you will have to force an update. This can be done locally on the endpoint or remotely over the network.
- Locally on the endpoint (logged in to the machine). You can point your endpoint users to do this themselves:
  1. Login to the machine and start a scan by right-clicking on the Malwarebytes traybar icon. This will force an update and fix the issue.
  2. Cancel the scan and reboot the machine. This should fix the problem in most cases.
  3. If the above doesn't work or the machine is unresponsive, download mbep-fixer.exe to your Desktop.
    1. If you want to deploy this over the network using SCCM or other similar platforms, you can use instead use mbep-fixer.msi.
  4. Execute mbep-fixer.exe. You will need to execute this as admin.
  5. Reboot.
- Remotely over the network
  1. Make sure your machine is on a non-blocked IP (i.e. 10.x.x.x or 192.x.x.x). Blocked IP ranges are from 128.x.x.x to 191.x.x.x.
  2. Download the following script and extract it to a folder on your computer
  3. Create a file named hostnames.txt in the same folder, adding one IP per line for each of your endpoint IPs
  4. If your internal DNS is not on a blocked IP range, you can feed hostnames.txt with hostnames instead of IPs
  5. Edit the script and type in the *LOCAL* admin username and password for endpoints (i.e. NOT the domain admin) in the first 2 lines
  6. Run the batch file, which will delete the faulty database file and schedule a reboot in 30 seconds
Once all machines are updated and connecting correctly, go to the Cloud Console, Settings, Policy, and enable Web Protection and Self-Protection again.

If the above guidance does not help and you are a corporate customer, please contact corporate-support@malwarebytes.com for further support.

January 17, 2018

MBAE does prevent script-based drive-by downloads. If that's the method of distribution of the Meltdown/Spectre payloads, then MBAE should block it.

January 12, 2018

Try creating a separate policy and assign just this server to the new policy. In the policy set the check-in interval to something like an hour or two. Does that alleviate the problem?

January 11, 2018

Hi BRAM.

The MBAE CLI are the configuration commands being executed from the Management Server. Those should only show up momentarily and then disappear by themselves. Try changing the check-in internal in the Management Console policy to something greater. That should ease up on the amount of commands being sent to the machine.

December 31, 2017

This is probably due to anti-cheat protection system of Zula.

If you added a custom shield for Zula, you can configure the shield to use the "Other" family, and turn off the ROP techniques for that shield family.

November 3, 2017

What's the pop-up you are seeing? Is it a balloon notification from the system tray saying that "XYZ application is protected" or something to that effect? If this is the popup you are referring you, please check the Anti-Exploit settings, specifically the "Show system tray notification tooltips" checkbox.

image.png.c0191e08c31683fe237281e547825026.png

October 31, 2017

From here: https://forums.malwarebytes.com/topic/191650-malwarebytes-3-frequently-asked-questions/#comment-1077438

Quote

What is an antivirus replacement, and how can Malwarebytes 3.0 replace my antivirus?
Antivirus replacements utilize signature-less and behavior-based detection technologies to catch the latest and most relevant threats, as opposed to anti-virus programs that rely on large databases of signatures that can quickly become outdated and are typically ineffective against many modern threats. In combination, all of our technologies can replace antivirus if a customer wishes to do so. Over 50% of our home user customers have already replaced their Symantec, McAfee, etc. with Malwarebytes Anti-Malware Premium. We believe in layered defense and built Malwarebytes 3.0 Premium to provide the right mix of proactive and signature-less technologies to combat modern threats and zero-day malware. The combination of our Anti-Malware, Anti-Exploit, Anti-Ransomware, Website Protection, and Remediation technologies provides better coverage against modern and zero-day threats than the traditional antivirus companies that charge more for less effective protection.

Traditional antivirus vendors have struggled to keep pace with rapidly-changing malware, especially ransomware and data breaches where 0-hour protection has become the only meaningfully-relevant protection. In today’s modern threat world, where professional malware writers make their living engineering new ways to bypass protection, it is more important than ever to utilize signature-less technology and layered security to provide the greatest possible chance of defense. It is just as important to provide comprehensive remediation capabilities to clean up active malware when all else fails.

Prior to Malwarebytes 3.0, our software was intended to be layered together with a traditional antivirus. Malwarebytes 1.x and 2.x contained only two primary layers of defense (Malware Protection and Website Protection) plus remediation, none of which is fully signature-less. But in Malwarebytes 3.0, with the addition of the three signature-less anti-exploit layers and the signature-less anti-ransomware layer, Malwarebytes defense against real-world threats has finally surpassed that of the traditional AVs.

We didn’t originally expect to draw this conclusion. But after we developed the anti-exploit, anti-ransomware, and other Application Behavioral Protection technology in Malwarebytes 3.0, our researchers tested our performance against the full landscape of real-world threats and found we offered our users more comprehensive protection at a better price with Malwarebytes 3.0 than by recommending you buy a separate traditional AV. So we did it.

For our users who do prefer to continue using a traditional antivirus alongside Malwarebytes, by all means please continue to do so. Malwarebytes will always maintain compatibility with all major security software on the market, both free and paid. In particular, Microsoft’s traditional antivirus Windows Defender is included by default and for free with Windows 8 and 10, and is a useful additional layer alongside Malwarebytes 3.0.

So in summary, our recommendations are:

If you would prefer to use only one security product, choose Malwarebytes 3.0 Premium. Based on our testing, Malwarebytes 3.0 alone provides excellent protection against today’s threat landscape.

If you would prefer to pay for only one security product, choose Malwarebytes 3.0 Premium and add a free traditional antivirus like Windows Defender (pre-installed for free in Windows 8 and 10). Malwarebytes installs alongside Windows Defender by default, so this is the default configuration in Windows 8 and 10.

If you would prefer to pay for two security products, by all means feel free to do so. Malwarebytes is compatible with all major security products on the market.

October 19, 2017

You don't have to change the server executable or its execution method through UNC.

All you have to change is the anti-exploit settings. Go to MBAE advanced settings, Application Behavior Protect, and disable the LoadLibrary Protection for Browsers.

October 14, 2017

Unfortunately, you cannot exclude by MD5 for files executed through UNC.

The workaround is to go to MB3 Protection settings, advanced anti-exploit settings, and disable the UNC LoadLibrary technique. This technique is disabled by default in our corporate products, so this problem should only appear in the consumer builds of Malwarebytes.

October 3, 2017

The latest is 1.10.

Go to the Management Console -> Policies -> Anti-Exploit -> enable the checkbox "automatically upgrade MBAE agents". The agents will then upgrade themselves from the Internet to the latest version.

October 3, 2017

This should have been fixed a while back. Please update your MBAE version to the latest available to verify the fix.

September 19, 2017

Try upgrading to 1.10 to see if the problem persists:

https://forums.malwarebytes.com/topic/208007-betapreview-malwarebytes-anti-exploit-110-build-24/

August 31, 2017

Yes, I know. All efforts lately by the bad guys are focusing on malspam tricks. Make sure anti-exploit is turned on.

Profiles

Forums

Posts posted by pbust

Important Information