Rsullinger (Staff)

Posts posted by Rsullinger

  1. Hello Brainerdmobil,

    I asked for the e-mail so I could take it into a private message since it dealt with AD information of that customer. I didn't want to post anything public facing about their AD if that was a cause for the issue. While I understand you were looking for a quick answer for it, I wanted to keep privacy concerns a top priority on this.

    As for a fix, if you do not have AD groups added, please right click and remove the client from the client pane. That will clear it from the console and free up the license. If it is in an added AD/OU group, you will need to wait for the server to remove obsolete clients. You can change how often this is done by going to the admin pane > database settings tab and clicking on the 'change...' button under the clean up settings area. From there, you should see the delete obsolete clients option and the time frame it waits before it deletes them.

    To cleanly remove the client in the future, it is best that you uninstall it first from the management console. That will remove it from the client and free up the license from the server instantly.

  2. Hey Aroberge,

     

    It should only exclude the script that CMD was calling at that time. However, if it still gets prevented, I want to see the logs for that. Can you reproduce the issue again and when you do, collect these logs for me:

     

    C:\ProgramData\Malwarebytes\MBAMService\mbae-default.log

    C:\ProgramData\Malwarebytes\MBAMService\logs\MBAMSERVICE.log

    The directory is hidden by default so you might have to click on "View -> Hidden items" in Explorer to see it. There is also a post here from Microsoft on how to do this for the more recent OS: https://support.microsoft.com/en-us/help/14201/windows-show-hidden-files

  3. Hey Trevoralf,

     

    There is not, unfortunately. The anti-exploit automatic update can only be pulled through our CDNs. So the only other option would be taking the install package and deploying it through SCCM/GPO to the clients if that is an option for you.

    The .exe and .msi can be found here for it:

    1.09.2.1291 exe:

    https://malwarebytes.box.com/s/7gbe30azrsfof7v2poithvvda2huu1w9

    1.09.2.1291 msi:

    https://malwarebytes.box.com/s/6m519c2yvtlkioeryzsbu1t8ueons8mf

  4. Hello Fred,

     

    That was my mistake. The log file type is different in the standalone version compared to MB3. However, thank you for those logs. I am getting this sent over to our development team to look into this further. Just as additional information from another thread, can you find what build of PowerPoint you are on currently? We have been seeing reports of this happening on the latest version so I want to confirm that information from you.

  5. 20 hours ago, John L. Galt said:

    @Rsullinger - Just finished installing Office 365 Home & Family (had a spare install left) on a VM with the following details:

    1. Host: Windows 10 x64 Pro Insider Preview build 14986
    2. Guest: Windows 10 x64 Pro Insider Preview build 14986
    3. MB3: licensed Premium version (all protections enabled)

    Here is what I found. (I'll update this post as I install other versions and keep testing).

    • Installing Office365 x64 version 1610 [PowerPoint Version 1610 (build 7466.2038)] Causes 0 issues
    • Updating to PowerPoint x64 version 1611 (build 7571.2075) Causes PowerPoint to not load unless AE protection for PP is disabled.
    • Updating to PowerPoint x64 Version 1612 (build 7628.1000) Causes PowerPoint to not load unless AE protection for PP is disabled.
    • Installing Office365 x86 version 1610 [PowerPoint Version 1610 (build 7466.2038)] Causes 0 issues
    • Updating to PowerPoint x86 version 1611 (build 7571.2075) Causes PowerPoint to not load unless AE protection for PP is disabled.
    • Updating to PowerPoint x86 Version 1612 (build 7628.1000) Causes PowerPoint to not load unless AE protection for PP is disabled.

    Attached is the service log.

    MBAMSERVICE_VM.zip

    Hey John,

     

    Do you mind getting the C:\ProgramData\Malwarebytes\MBAMService\mbae-default.log file as well after you reproduced the issue? I am having our development team looking into this with the information you provided and they will need that log as well.

  6. Hello Preyash,

     

    Thank you for those. Do you mind grabbing me the Event Viewer logs as well? If it is due to Windows Update, that should have a bit more information on it. While FRST does show some Event Viewer information, it doesn't show all of it and I want to see all the events that occurred on that startup. This will give a bit of information on how to do this:

     

    https://technet.microsoft.com/en-us/library/cc749339(v=ws.11).aspx

     

    I will want to see the system, application, and security logs. Go ahead and send those to me in a PM if you do not want them posted publicly. 

  7. Hello FredGreco,

     

    We have been seeing a few reports of this. Do you mind collecting some logs for our developers to take a closer look into this? 

    I want to have you collect two logs from these directories after you trigger the alert again:

    C:\ProgramData\Malwarebytes\MBAMService\mbae-default.txt

    C:\ProgramData\Malwarebytes\MBAMService\logs\MBAMSERVICE.txt

    The directory is hidden by default so you might have to click on "View -> Hidden items" in Explorer to see it. There is also a post here from Microsoft on how to do this for the more recent OS: https://support.microsoft.com/en-us/help/14201/windows-show-hidden-files

    Along with that we want to collect some more information from the computer to see what else is installed. We want to rule out any conflicts. To do this:

    1: Please download FRST from the link below and save it to your desktop:

    http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/

    2: Double-click the purple FRST icon to run the program. Click Yes when the disclaimer appears.

    3: Click the Scan button

    4: When the scan has finished, it will make 2 log files in the same directory the tool is run, FRST.txt and Addition.txt. Please attach both files in your reply.

  8. Hello Everyone,

    I want to have you collect a few logs for me. First I want to have you collect two logs from these directories:

    C:\ProgramData\Malwarebytes\MBAMService\mbae-default.txt

    C:\ProgramData\Malwarebytes\MBAMService\logs\MBAMSERVICE.txt

    The directory is hidden by default so you might have to click on "View -> Hidden items" in Explorer to see it. There is also a post here from Microsoft on how to do this for the more recent OS: https://support.microsoft.com/en-us/help/14201/windows-show-hidden-files

    Along with that we want to collect some more information from the computer to see what else is installed. We want to rule out any conflicts. To do this:

    1: Please download FRST from the link below and save it to your desktop:

    http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/

    2: Double-click the purple FRST icon to run the program. Click Yes when the disclaimer appears.

    3: Click the Scan button

    4: When the scan has finished, it will make 2 log files in the same directory the tool is run, FRST.txt and Addition.txt. Please attach both files in your reply.

  9. Hello All,

     

    I want to have you collect a few logs for me. First I want to have you collect two logs from these directories:

    C:\ProgramData\Malwarebytes\MBAMService\mbae-default.txt

    C:\ProgramData\Malwarebytes\MBAMService\logs\MBAMSERVICE.txt

    The directory is hidden by default so you might have to click on "View -> Hidden items" in Explorer to see it. There is also a post here from Microsoft on how to do this for the more recent OS: https://support.microsoft.com/en-us/help/14201/windows-show-hidden-files

    Along with that we want to collect some more information from the computer to see what else is installed. We want to rule out any conflicts much like what Aura was asking for the Kaspersky conflict. To do this:

     

    1: Please download FRST from the link below and save it to your desktop:

    http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/

    2: Double-click the purple FRST icon to run the program. Click Yes when the disclaimer appears.

    3: Click the Scan button

    4: When the scan has finished, it will make 2 log files in the same directory the tool is run, FRST.txt and Addition.txt. Please attach both files in your reply.

    Thank you,

  10. Hello Alex,

     

    Thank you for that. It is the log I was looking for and it is encrypted. So it looks like it may be coming from this file:

     

    C:\Program Files\Managed Antivirus\Managed Antivirus Master Service\powershell.exe 

    Is that something you have on the computer? It seems the way it is calling the PowerShell script may be the reason it is being blocked. If you do know what that script is, do you know what it is attempting to do?

  11. Hello AlexLeadingEdge,

     

    I want to have you collect another log for me that has a bit more information on that block, as I want to see what protection layer it is hitting. The log is called mbae-default.txt and it is found under the C:\ProgramData\Malwarebytes\MBAMService directory. I would replicate the block again before you grab that log so it is at the bottom. Once you do that, get it over to me and I should be able to see what is happening in this instance.

  12. Hello Mikolajek,

     

    In addition to the information that Lisa wanted, we want to have you collect some logs for us. We want to get more information on what anti-exploit is doing when this is occurring. 

    You can find the logs in the following locations:

    c:\programdata\Malwarebytes\MBAMService\logs\MBAMService.log
    c:\programdata\Malwarebytes\MBAMService\mbae-default.log

    The directory is hidden by default so you might have to click on "View -> Hidden items" in Explorer to see it.

    Along with this, we want to get a diagnostic log of the system to rule out any conflicts. To do this:

    1: Please download FRST from the link below and save it to your desktop:

    http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/

    2: Double-click the purple FRST icon to run the program. Click Yes when the disclaimer appears.

    3: Click the Scan button

    4: When the scan has finished, it will make 2 log files in the same directory the tool is run, FRST.txt and Addition.txt. Please attach both files in your reply.

    Thank you,

    Ron S

  13. Hello EdAinWestOC,

    Unfortunately anti-exploit's exclusions are only able to take the MD5 of the program that we are blocking to allow it through our program. So if anti-exploit is the root cause of this, you would not be able to exclude the wireless drivers like that. Just for more information, have you tried uninstalling anti-exploit to see if the issue stopped? You mentioned you loaded both programs on to both laptops when this issue occurred, so I want to eliminate whether it is anti-exploit, anti-malware, or both.

  14. Hello Bumskull,

    Since this alert has occurred, has it happened more than once?

    This is what is happening with the alert:

     

    "2016-12-02T09:54:33.494-06:00";"tboehm";"6276";"C:\Windows\system32\cmd.exe";"3200";"C:\Windows\system32\cmd.exe";"3";"701";"207";"";"";"";"";"";"";"C:\Windows\system32\cscript.exe cscript.exe \nologo \(blocking out the name).local\SysVol\(blocking out the name).local\Policies\{52D9B9E8-9131-4138-A8EA-C597B562796F}\User\Scripts\Logon\gpo.vbs";"";"";"";""

    Just based on that, it seems like it may be something we block due to the nature of it opening up cmd to launch vbs via cscript. But if this is the only computer having the issue then it may be something else that we need to look into.
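Post 14 reads the blocked-process record by eye. As an added example (not Malwarebytes' own code or log parser), here is a small Python reader for semicolon-delimited, quoted lines in that layout that pulls out the user, the protected application, and the script host and script file named in the blocked command line, which is the "cmd launching a .vbs via cscript" pattern the post describes. The field positions and the sample lines are assumptions read off the entry quoted above, with the domain and GPO GUID replaced by placeholders.

```python
import csv
import io
import ntpath
import shlex

# Constructed sample entries in the semicolon-delimited, quoted layout of the
# mbae-default line quoted in the post; domain and GPO GUID are placeholders.
SAMPLE_LOG = (
    r'"2016-12-02T09:54:33.494-06:00";"tboehm";"6276";"C:\Windows\system32\cmd.exe";'
    r'"3200";"C:\Windows\system32\cmd.exe";"3";"701";"207";"";"";"";"";"";"";'
    r'"C:\Windows\system32\cscript.exe cscript.exe \nologo '
    r'\\CORP.local\SysVol\CORP.local\Policies\{GUID-PLACEHOLDER}\User\Scripts\Logon\gpo.vbs";'
    r'"";"";"";""' "\n"
    r'"2016-12-02T09:55:10.120-06:00";"tboehm";"6276";"C:\Windows\system32\cmd.exe";'
    r'"4100";"C:\Windows\system32\cmd.exe";"3";"701";"207";"";"";"";"";"";"";'
    r'"C:\Tools\helper.exe /quiet";"";"";"";""' "\n"
    r'"2016-12-02T09:55:11.000-06:00";"tboehm";"line with too few fields"' "\n"
)
# Windows script hosts: one of these as the blocked child is the pattern the post describes.
SCRIPT_HOSTS = {"cscript.exe", "wscript.exe", "powershell.exe"}
SCRIPT_EXTENSIONS = (".vbs", ".js", ".ps1", ".bat", ".cmd")
F_TIMESTAMP, F_USER, F_APPLICATION, F_CMDLINE = 0, 1, 3, 15  # assumed positions, read off the sample


def script_in_cmdline(cmdline):
    """Return (script host, script file) named in the command line, None where absent."""
    host = script = None
    # Non-POSIX mode keeps backslashes literal and honours "quoted paths".
    for tok in (t.strip('"') for t in shlex.split(cmdline, posix=False)):
        name = ntpath.basename(tok).lower()
        if host is None and name in SCRIPT_HOSTS:
            host = name
        elif script is None and name.endswith(SCRIPT_EXTENSIONS):
            script = tok
    return host, script


def parse_block_log(text):
    """Return one summary dict per well-formed block record in the log text."""
    records = []
    for row in csv.reader(io.StringIO(text), delimiter=";", quotechar='"'):
        if len(row) <= F_CMDLINE:
            continue  # short or unrelated line: skip rather than mis-index it
        host, script = script_in_cmdline(row[F_CMDLINE])
        records.append({
            "timestamp": row[F_TIMESTAMP],
            "user": row[F_USER],
            "application": ntpath.basename(row[F_APPLICATION]).lower(),
            "script_host": host, "script_file": script,
        })
    return records
```

A record with a script host and a script file under SysVol, as in the first sample, is the GPO logon-script case from the post; a record with neither points at something else worth a closer look.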