Rsullinger

Staff
  • Posts

    533
Everything posted by Rsullinger

  1. Hello Mihnehtoox, Pinging is fine if you can make those sites. As long as you don't have any network firewall that would block that as well on port 443, the one other thing you would want to check is see if anything (network firewall again) would block the downloading of .exe packages. It will download the .exe and run it on the machine.
  2. Hey Clint, I am going to send you a PM with some instructions I want you to run. Go ahead and send the logs back in that pm!
  3. Hey Mihnehtoox, Can you confirm that these urls are allowed on the clients that are having this update issue: data-cdn.mbamupdates.com and sirius.mwbsys.com, both on port 443. Any network firewall, proxy, or next gen firewall. If you confirmed that it is not being blocked, can you restart the service once on the machine and collect the C:\ProgramData\Malwarebytes anti-exploit directory again.
  4. Hello Mihnehtoox, I am noticing something in the log that I want to have you confirm, on the endpoint itself, can you go into the anti-exploit client and see if the checkbox for automatic updates is enabled? I am not seeing it even attempt to go out which makes me think it may not even be receiving that setting.
  5. Hello Mihnehtoox, I should have specified better on that. I do apologize. The mbae logs and FRST will need to come from a client machine having issues with the upgrade to 1334. The logs from the mbae folder will show me what is happening when it is trying to update.
  6. Hello Mihnehtoox, For clients that are not upgrading using the automatic updater, we can look into that and see why it is not occurring. I would just need the logs from this link: https://forums.malwarebytes.com/topic/191468-readme-first-posts-here-need-to-include-mbae-logs/ However, that is unfortunately correct. The management server will push out .1291 and your clients will upgrade after they are installed.
  7. Hello Sh73312, Do you mind getting the alert log so I can see what the block was? You can find it by collecting the logs from this directory: C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\logs If it is incoming on that port, it could be someone is trying to ping addresses to see if they are open. However, I want to see what the IP address is to get a better idea as to the source.
  8. Hello vs2016sv, That sounds like your clients may be having an issue reaching out to whatever was set for the database updates. Are you using the standalone anti-malware client or are you using the management console? If you are using the standalone client, can you please collect the logs from this directory: C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\logs If you are using the managed client, I want to have you collect these logs: -Locate this folder on the client computer: C:\Program Files (x86)\Malwarebytes' Managed Client -In this folder, right click the 'CollectClientLog.exe' utility and run it as admin. -Save these logs to the desktop of the computer. -Zip up this folder and attach it to the next reply. Go ahead and attach those logs and I can see what is occurring.
  9. Hello Mihnehtoox, Unfortunately you are seeing an issue that occurs when swapping that specific 1334 package into the management console. So it is not recommended you swap the package so you do not have deployment issues. You can instead use the automatic update feature that is found under the Policy> policy client is on> anti-exploit tab or you can deploy the 1334 build through any other package deployment as well.
  10. Hello Bjohnson, It does require a separate key from that of the anti-malware key. If only Malwarebytes anti-malware for business was purchased, then you would have only received the key for that. If you would like, you can send me a PM with the purchase information and I can confirm what was purchased.
  11. Hey Clint, I want to have you confirm something. Can you go into Malwarebytes 3.0 and go to the settings pane on the left. From there, click on the protection tab at the top and disable the section that says 'exploit protection'. Once you do that, can you test and see if you run into that issue? I want to confirm if that protection is what is causing this issue.
  12. Hello Ajwh, Sorry for the delay in this. I want to first make sure you have the link to our admin guide. This goes into a bit of where to find the exclusions in the policy and how to configure them: https://www.malwarebytes.com/pdf/guides/MBMCGuide.pdf?d=2017-03-23-14-00-30--0700 For the maximum entries, are you receiving an error when putting in exclusions? If possible, can you send me a screenshot of what you are seeing? For recommendation of Kaspersky exclusions, it is usually best to reach out to them for the most up to date list of exclusions for their product. For recommendations, excluding their program files directory and any related driver they have is usually the best option. I don't have a list of those, so simply ignoring the program files directory of Kaspersky is a good step until you can confirm with them on exclusions.
  13. Hey Kieferschild, For mbae's ignore list, we only accept md5's for the exclusion and they only need to be inserted if a block occurs to prevent it from occurring once more. We don't scan the file system directory with mbae like with MBAM so you wouldn't need to add those anywhere. We just monitor what tries to hook or interact with our protected processes.
  14. Hey Kieferschild, Thank you for the logs. Just to confirm, can you make sure these are in Symantec, don't want this to be because of our normal files: C:\Program Files\Malwarebytes Anti-Exploit\mbae.exe C:\Program Files\Malwarebytes Anti-Exploit\mbae-svc.exe C:\Program Files\Malwarebytes Anti-Exploit\mbae-cli.exe For x64 installations: C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-cli.exe Since it is crashing, do you know if these are creating memory dump files? If possible, can you use the instructions here to get one to generate on one of the processes that is crashing: https://technet.microsoft.com/en-us/sysinternals/dd996900.aspx?f=255&MSPPError=-2147217396
  15. Hey Malcom, Thank you for the logs. I am going to have you collect me some debug logging for this type of alert. I will be sending you a PM with the instructions.
  16. Hey Kieferschild, I am assuming they are not causing an alert when this occurs, correct? If possible, can you collect the logs from this link: https://forums.malwarebytes.com/topic/191468-readme-first-posts-here-need-to-include-mbae-logs/ If you are not comfortable posting the FRST logs in the post, feel free to PM me them.
  17. Hey Maxamillion, I want to have you collect a couple of logs from our program that will give me a bit more information on that alert. To do this, collect these two files from these locations: C:\ProgramData\Malwarebytes\MBAMService\mbae-default.log C:\ProgramData\Malwarebytes\MBAMService\logs\MBAMSERVICE.log The directory is hidden by default so you might have to click on "View -> Hidden items" in Explorer to see it. There is also a post here from Microsoft on how to do this for the more recent OS: https://support.microsoft.com/en-us/help/14201/windows-show-hidden-files Go ahead and attach them here and I will take a look at them further!
  18. Hey Castleton, Anti-exploit will protect your computer from being hit by an exploit and then infecting those drives. Anti-exploit is more about protecting the shielded applications that the computer uses on a daily basis. So as long as the computer you are on is protected, your drives won't be hit by exploits we prevent. However, as not all infections are done with exploit based attacks, it is recommended you use the anti-malware and anti-ransomware products as well so you are fully covered.
  19. Hello Winter, Go ahead and collect these before you do a re-install: C:\ProgramData\Malwarebytes\MBAMService\mbae-default.log C:\ProgramData\Malwarebytes\MBAMService\logs\MBAMSERVICE.log
  20. Hello Chris, Just to clarify, have you tried rebooting the computer after the update was applied and see if you had this issue after reboot? If you do, please collect the log mentioned earlier in the thread and please take a screenshot of the Programfiles (or programfiles (x86)) directory of anti-exploit so I can confirm if the update happened correctly.
  21. Hey Kieferschild, It's no problem! It is only in certain cases that a reboot is needed when an upgrade of the anti-exploit client is done. So there may have just been something loaded in which anti-exploit couldn't unhook during that time. Please let me know if you have any other questions!
  22. Hello Everyone, Just to clarify, have you tried rebooting the computer after the update was applied and see if you had this issue after reboot? If you do, please collect the log mentioned earlier in the thread and please take a screenshot of the Programfiles (or programfiles (x86)) directory of anti-exploit so I can confirm if the update happened correctly.
  23. Hello Kieferschild, Thank you for the screenshot and the log. If you notice in the screenshot, there are ._'s on some of the files. Those are actually the update files for the new 1334 version. Something prevented them from being swapped out when the upgrade was done so those files are created and will be swapped out on the next reboot. At that time, our program will remove the old ones, rename the new ones and the service should start. Have you rebooted this particular computer since the initial incident?
  24. Hello Kieferschild, Do you mind taking a screenshot of the anti-exploit program files (or programfiles(x86)) directory? I want to see if the files are being swapped correctly for the upgrade. Also, there was an additional log I needed from that forum post. I want to see what is installed on the machine that may be preventing our service from starting. To get these logs: 1: Please download FRST from the link below and save it to your desktop: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/ 2: Double-click the purple FRST icon to run the program. Click Yes when the disclaimer appears. 3: Click the Scan button 4: When the scan has finished, it will make 2 log files in the same directory the tool is run, FRST.txt and Addition.txt. Please attach both files in your reply.
  25. Hello Kieferschild, I want to have you collect me some logs from one of the machines experiencing this issue. To do this, follow the instructions from this post: