djacobson

About djacobson

  • Rank
    Staff

  1. @bigjohn888jb, may I have you run an FRST on one of these machines? I was not able to find anything definitive in the MBAE logs.

     Frst Log

     Please follow the steps below to run frst.

     1.) Please download frst and frst64 from the link below and save it to your desktop:

         FRST 32-bit version: https://downloads.malwarebytes.com/file/FRST
         FRST 64-bit version: https://downloads.malwarebytes.com/file/FRST64

         Note: You need to download the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your computer; that will be the right version. Some traditional Anti-Viruses may false positive the download or running frst, I can assure you it is safe. If this happens, please temporarily disable the AV.

     2.) Double-click the purple frst or frst64 icon to run the program. Click Yes when the disclaimer appears.

     3.) Click the Scan button

     4.) When the scan has finished, it will make 2 log files in the same directory the tool is located, frst.txt and Addition.txt. Please attach frst.txt and Addition.txt in your reply.
  2. Here's a list of most everything, just in case:

         C:\Program Files (x86)\Malwarebytes' Managed Client\SCComm.exe
         C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
         C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe
         C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
         C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
         C:\Program Files\Malwarebytes' Anti-Malware\mbamapi.exe
         C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamapi.exe
         C:\Program Files\Malwarebytes' Anti-Malware\mbamhelper.exe
         C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamhelper.exe
         C:\Program Files\Malwarebytes' Anti-Malware\mbampt.exe
         C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbampt.exe
         C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
         C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
         C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
         C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
         C:\Program Files\Malwarebytes Anti-Exploit\mbae.exe
         C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe
         C:\Program Files\Malwarebytes Anti-Exploit\mbae64.exe
         C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe
         C:\Program Files\Malwarebytes Anti-Exploit\mbae-cli.exe
         C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-cli.exe
         C:\Program Files\Malwarebytes Anti-Exploit\mbae-svc.exe
         C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe
  3. Hi @CleanupCrew, try adding MEEClientService's process, C:\Program Files (x86)\Malwarebytes' Managed Client\sccomm.exe, to the exclusion/whitelisting function of your other in-place security software, including Windows Defender if you still have that enabled. Besides security software interference, Windows Updates may stop the service as well; setting up recovery options for the service is a good practice. You can also set the recovery options for the service using the following command:

         sc failure "SCCommService" actions= restart/6000/restart/6000/""/6000 reset= 120

     Or you can do this via the services GUI:
  4. May I have you try to disable Anti-Ransomware and see if the shutdown issue goes away? I'll review your Anti-Exploit logs in the meantime.
  5. Are you also using Anti-Ransomware?
  6. My bad @md111, I forgot a part of the URL. Use this address: https://192.0.0.21:18457/SCClientService/ It should look like this at first (I'm using an FQDN for my test environment so my address is going to be different): If you click to continue, you should hopefully get the page that the clients see:
  7. Hi @StroTech, if the Managed Client version does not match your Console version, the clients will not report correct information. Your check-in interval can also affect whether correct information is displayed, as the client pane will not change the data about that client until that client check-in has taken place. For the upgrade piece, when your Anti-Malware portion moves from 1.75.0.1300 to 1.80.2.1012 or 1.80.0.1010/1.80.1.1011 to 1.80.2.1012, a reboot is required to load the new drivers.
  8. May I have you zip up the entire “C:\ProgramData\Malwarebytes Anti-Exploit” folder from a client and attach it here?
  9. Hey @bigjohn888jb, which Anti-Exploit version is in use on those machines right now?
  10. Hi @indomanna, Endpoint Security is just an umbrella term for Anti-Malware and Anti-Exploit, together, under the Management Console. Input your new MBAE license in the Admin area, and when you make an offline package or perform a new push, just select the Anti-Exploit portion to get it out to your machines.
  11. There are a lot of instances in the logs where machines being scanned and installed to already have the software installed; here's one example out of hundreds:

          Info 2017-06-12 13:17:27.0125 3376 55 IP Address 192.0.0.181 remote service control log:
          Remote client IP address: 192.0.0.181
          Remote client hostname: CCARE6-CD
          Process username: administrator
          NetUse: 0
          ServiceIsInstalled: 1060. The specified service does not exist as an installed service.
          SetNTService: 0
          StartNTService: 0
          DeleteNTService: 0
          Passed
          Info 2017-06-12 13:17:27.0255 3376 55 IP Address 192.0.0.181 execution log:
          12/06/2017 13:17:12 =============== Remote Install Service Log Begin ==============
          12/06/2017 13:17:12 Service started.
          12/06/2017 13:17:12 Start program: C:\scclientinstall_de23163f_99b0_4467_ab73_a1454f39ff14\sctest.exe
          12/06/2017 13:17:12 sctest version: 1.8.3443
          12/06/2017 13:17:12 Process id: 4240
          12/06/2017 13:17:18 The new sccomm version: 1.8.0.3443
          12/06/2017 13:17:18 The new coreclient version: 1.80.2.1012
          12/06/2017 13:17:18 The new MBAE version: 1.9.2.1291
          12/06/2017 13:17:18 The IP address:
          12/06/2017 13:17:18 Check operating system.
          12/06/2017 13:17:18 OS version detected: 6.1
          12/06/2017 13:17:18 Check .NET Framework 3.5.
          12/06/2017 13:17:18 .NET Framework 3.5 is installed.
          12/06/2017 13:17:18 Check the windows installer version.
          12/06/2017 13:17:18 The windows installer version: 5.0.7601.23593
          12/06/2017 13:17:18 Check coreclient is installed.
          12/06/2017 13:17:18 The coreclient version: 1.80.2.1012
          12/06/2017 13:17:18 The MBAE version: 1.09.2.1413
          12/06/2017 13:17:18 Check sccomm is installed.
          12/06/2017 13:17:18 The sccomm version: 1.8.0.3443
          12/06/2017 13:17:18 ****ERROR*****: The sccomm was already installed.
          12/06/2017 13:17:18 The sccomm server address: 192.0.0.21
          12/06/2017 13:17:18 The sccomm server port: 18457
          12/06/2017 13:17:18 Program finished.
          12/06/2017 13:17:18 Service stopped.
          12/06/2017 13:17:18 =============== Remote Install Service Log End ==============
          Info 2017-06-13 17:07:53.5809 3376 44 There was a problem scanning 192.0.0.181:137 () (): System.Net.Sockets.SocketException (0x80004005): A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond

      I would advise you to stop using the "simulation" function, it's not really worthwhile. A normal push, if/when it fails, will provide much more useful data.

          Line 22773: Info 2017-06-13 10:45:26.7602 3376 34 Failed to connect to 192.0.0.131: System error 67 has occurred. The network name cannot be found.
          Line 22774: Info 2017-06-13 10:45:26.7602 3376 34 IP 192.0.0.131 simulation result: System error 67 has occurred. The network name cannot be found.
          Line 22931: Info 2017-06-13 10:45:40.2282 3376 40 Failed to connect to 192.0.0.82: System error 67 has occurred. The network name cannot be found.
          Line 22932: Info 2017-06-13 10:45:40.2711 3376 40 IP 192.0.0.82 simulation result: System error 67 has occurred. The network name cannot be found.
          Line 23079: Info 2017-06-13 10:45:54.1272 3376 40 Failed to connect to 192.0.0.86: System error 67 has occurred. The network name cannot be found.
          Line 23080: Info 2017-06-13 10:45:54.1272 3376 40 IP 192.0.0.86 simulation result: System error 67 has occurred. The network name cannot be found.
          Line 23145: 13/06/2017 10:45:48 ****ERROR*****: The sccomm was already installed.
          Line 23192: 13/06/2017 10:45:49 ****ERROR*****: The sccomm was already installed.
          Line 23193: 13/06/2017 10:45:49 ****ERROR*****: The sccomm register result:
          Line 23216: Info 2017-06-13 10:45:57.8593 3376 37 Failed to connect to 192.0.0.28: System error 86 has occurred. The specified network password is not correct.
          Line 23217: Info 2017-06-13 10:45:57.8593 3376 37 IP 192.0.0.28 simulation result: System error 86 has occurred. The specified network password is not correct.
          Line 23258: Info 2017-06-13 10:46:00.9086 3376 40 Failed to connect to 192.0.0.88: System error 67 has occurred. The network name cannot be found.
          Line 23259: Info 2017-06-13 10:46:00.9086 3376 40 IP 192.0.0.88 simulation result: System error 67 has occurred. The network name cannot be found.
          Line 23321: 13/06/2017 10:45:59 ****ERROR*****: The sccomm was already installed.
          Line 23428: 13/06/2017 10:45:59 ****ERROR*****: The sccomm was already installed.
          Line 23480: Info 2017-06-13 10:46:09.4072 3376 71 Failed to connect to 192.0.0.105: System error 67 has occurred. The network name cannot be found.
          Line 23481: Info 2017-06-13 10:46:09.4072 3376 71 IP 192.0.0.105 simulation result: System error 67 has occurred. The network name cannot be found.
          Line 23492: Info 2017-06-13 10:46:09.6842 3376 71 Failed to connect to 192.0.0.106: System error 86 has occurred. The specified network password is not correct.
          Line 23493: Info 2017-06-13 10:46:09.7102 3376 71 IP 192.0.0.106 simulation result: System error 86 has occurred. The specified network password is not correct.
          Line 23598: Info 2017-06-13 10:46:16.2286 3376 33 Failed to connect to 192.0.0.67: System error 67 has occurred. The network name cannot be found.
          Line 23599: Info 2017-06-13 10:46:16.2286 3376 33 IP 192.0.0.67 simulation result: System error 67 has occurred. The network name cannot be found.
          Line 23778: Info 2017-06-13 10:46:31.4487 3376 33 Failed to connect to 192.0.0.71: System error 67 has occurred. The network name cannot be found.
          Line 23779: Info 2017-06-13 10:46:31.4487 3376 33 IP 192.0.0.71 simulation result: System error 67 has occurred. The network name cannot be found.
          Line 23913: 13/06/2017 10:46:32 ****ERROR*****: The sccomm was already installed.
          Line 23987: 13/06/2017 10:46:34 ****ERROR*****: The sccomm was already installed.

      For all these machines that are failing to install because the software is already installed, there must be some sort of permission or network setting preventing them from accessing and communicating to the server's hosted IIS website: 192.0.0.21:18457

      What does it look like if you put 192.0.0.21:18457 in the browser on a client that cannot register?
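
An added example, not part of the original post and not Malwarebytes tooling: a small triage script that groups the push-install outcomes in the log above by client, so the "already installed but not registering" machines are separated from the connection failures. It assumes the raw log has one entry per line in the format of the excerpt; the sample text, the placeholder addresses and the names `triage` and `registration_url` are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the excerpt above; addresses are placeholders.
SAMPLE_LOG = """\
Info 2017-06-12 13:17:27.0255 3376 55 IP Address 192.0.2.10 execution log:
12/06/2017 13:17:18 Check sccomm is installed.
12/06/2017 13:17:18 ****ERROR*****: The sccomm was already installed.
12/06/2017 13:17:18 The sccomm server address: 192.0.2.1
12/06/2017 13:17:18 The sccomm server port: 18457
Info 2017-06-13 10:45:26.7602 3376 34 Failed to connect to 192.0.2.11: System error 67 has occurred. The network name cannot be found.
Info 2017-06-13 10:45:26.7602 3376 34 IP 192.0.2.11 simulation result: System error 67 has occurred. The network name cannot be found.
Info 2017-06-13 10:45:57.8593 3376 37 Failed to connect to 192.0.2.12: System error 86 has occurred. The specified network password is not correct.
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
HEADER = re.compile(rf"IP Address {IP} execution log:")
CONNECT = re.compile(rf"Failed to connect to {IP}: System error (\d+) has occurred\. (.+)$")
SERVER = re.compile(rf"The sccomm server address: {IP}")
PORT = re.compile(r"The sccomm server port: (\d+)")
ALREADY = "The sccomm was already installed."

def triage(log_text):
    """Return {client_ip: findings} for a raw management server log."""
    results = defaultdict(dict)
    current = None  # client whose execution log block we are inside
    for line in log_text.splitlines():
        if line.startswith("Info "):
            current = None  # any new server-side entry ends the previous block
            if m := HEADER.search(line):
                current = m.group(1)
            elif m := CONNECT.search(line):
                results[m.group(1)]["connect_error"] = (int(m.group(2)), m.group(3).strip())
        elif current is not None:
            if ALREADY in line:
                results[current]["already_installed"] = True
            elif m := SERVER.search(line):
                results[current]["server"] = m.group(1)
            elif m := PORT.search(line):
                results[current]["port"] = int(m.group(1))
    return dict(results)

def registration_url(entry):
    """URL to open on a client that is installed but not registering, else None."""
    if entry.get("already_installed") and "server" in entry and "port" in entry:
        return f"https://{entry['server']}:{entry['port']}/SCClientService/"
    return None

if __name__ == "__main__":
    for ip, entry in sorted(triage(SAMPLE_LOG).items()):
        print(ip, entry.get("connect_error"), registration_url(entry))
```
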
  12. Hi @Kip, you can install the Anti-Exploit portion but Anti-Ransomware does not support server OS. Additionally, if there is a crypto event stemming from a workstation and hitting a server share, and the server had Anti-Ransomware on it, it wouldn't be able to kill the process anyway as it is running on a different machine. Protect your servers by protecting your endpoints.
  13. Hi @Stan408, technically yes, however the standalone build does not have the keystone license enforcement portion, only the management console does. At this time, it does not restrict you going over, it merely tells you how many seats are in use for the machines which are managed by the console. Managed versus standalone, the difference lies within visibility of the systems to the admin, and the centralized management, detection and remediation capabilities within the console. All systems controllable from a single place, or systems that will require remote or deskside visits to set up.
  14. You are free to use the software in that way, under 10 seats using the consumer product installer instead of business. It is up to you whether you want to engage the sales team and return your product and re-buy the home version. The purchase cannot be converted.
  15. I could check the server side, but if SSL has not been disabled then I do not quite know why you are getting errors that point to it being disabled. On the server, go to Start > All Programs > Malwarebytes Management Server and run Collect System Information. Zip the folder up and attach it to the post.