Jump to content


  • Content count

  • Joined

  • Last visited


About djacobson

  • Rank

Recent Profile Visitors

5,753 profile views
  1. djacobson

    EPP installation problem

    The pre-reqs seem like they are not met on these machines, they are failing as access denied due to RPC and WMI being closed. If you have your Windows firewall disabled and these rules were not set beforehand, they will still be closed with the Windows firewall off. What happens if you run an install package directly on the machines? I am also seeing HTTPS failures, make sure you have TLS 1.1 and 1.2 enabled on the workstations and that no SSL filtering or SSL proxy is in place against the URL's in our exclusion KB here - https://support.malwarebytes.com/docs/DOC-1652 Error in deployment for target: "Host name: [redacted]36936.[redacted]; IP Address(es): IP Address: [redacted], ; " Error: System.AggregateException: One or more errors occurred. ---> System.ApplicationException: Error copying files out to the admin share of: Host name: [redacted]36936.[redacted]; IP Address(es): IP Address: [redacted], ; : Error: Access Denied 2018-05-10 12:31:40,257 pid:11644 [13] ERROR WMIDetector - Connection to WMI scope failed on "[redacted]27388[redacted]" - System.UnauthorizedAccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)) 2018-05-10 12:31:05,989 pid:11644 [14] ERROR WMIDetector - Connection to WMI scope failed on "[redacted].33" - System.UnauthorizedAccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)) 2018-05-10 12:31:12,170 pid:11644 [8] ERROR WMIDetector - Connection to WMI scope failed on "[redacted].197" - System.Runtime.InteropServices.COMException (0x800706BA): The RPC server is unavailable. (Exception from HRESULT: 0x800706BA) 2018-05-10 12:30:58,552 pid:11644 [14] ERROR WMIDetector - Connection to WMI scope failed on "[redacted]24225[redacted]" - System.UnauthorizedAccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
  2. We don't have any public roadmaps which I could share but I can share that you will see something for MBMC around Q3.
  3. djacobson

    License Retention MBMC

    No problem @syntaxerror, thanks for the update.
  4. djacobson

    EPP installation problem

    I got you! Use this uploader link, once you do, send me a pm with the email you used and I'll go find it in our queue. https://www.malwarebytes.com/support/business/businessfileupload/ For the case number, use this - "229701-epp-installation-problem"
  5. The VB6 needed is shipped with the MBAM installer but looks to be broken here in your case. The MSVB file is most likely in syswow64. Uninstall the Malwarebytes agent on the server Use this installer to repair the VB6 - https://www.microsoft.com/en-us/download/details.aspx?id=24417 Restart Reinstall the Malwarebytes agent Let me know if that helps the loading situation, if not, capture a new log set. Thanks @codesmithery
  6. The second copy of mbam.exe could be a scan that is running, it handles that and the interface. There's something else going on here, this performance problem you are having doesn't look like it's MBAM's fault, it looks like there's a conflict or the run-time is broken. Are either of the servers, from which you captured those logs, in an RDS, Terminal or some other shared resource role? They are filled with VB6 related errors against the MBAM process, historically that points to a possible problem with the VB6 run-time install or MBAM's real-time against an RDS role, or some other role these servers are in. You could try reinstalling VB6 runtime in the meantime: https://docs.microsoft.com/en-us/previous-versions/visualstudio/visual-basic-6/visual-basic-6-support-policy https://support.microsoft.com/en-us/help/957924/description-of-the-cumulative-update-rollup-for-the-visual-basic-6-0-s Error: (05/17/2018 01:15:05 PM) (Source: Application Error) (EventID: 1000) (User: ) Description: Faulting application name: mbam.exe, version:, time stamp: 0x56ba3282 Faulting module name: MSVBVM60.DLL, version:, time stamp: 0x49b01fc3 Exception code: 0xc0000005 Fault offset: 0x000da280 Faulting process id: 0x1464 Faulting application start time: 0x01d3edf81bf9db62 Faulting application path: C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe Faulting module path: C:\Windows\SYSTEM32\MSVBVM60.DLL
  7. The profile folders in C:\users are not important. It is the system and local profiles in HKU and the domain profiles in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList. Every profile listed in these locations will be enumerated on disk prior to the GUI opening as the engine loads. If this server happens to be a VM, you will also be at the mercy of your storage latency for this process. This process can also be made worse by other security programs watching us as we do this enumeration, adding time by inspecting each file we create and touch. If you have not yet set up exclusions of our processes to be ignored in the other security software you have, I would make sure to do that. Even for MSE, Defender, MCEP solutions. MBMC Managed and Unmanaged file/folder locations are here in this KB - https://support.malwarebytes.com/docs/DOC-1236 While 2 minutes to start is on the higher end, Anti-Malware 1.x is no speed demon, 10 to 60 seconds is in the realm of normal (depending on profile #). The test VM I used, which has 3 system accounts, 1 local account and 5 domain accounts, 9 total, loads within an average of 15 seconds over ten timed openings. You can watch the behavior I am talking about by opening this folder - C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware, leave it open while you try to start MBAM's GUI. You'll see what I am talking about. Here's a capture from mine...
  8. For upgrading your MBMC console, follow these two KB's: https://support.malwarebytes.com/docs/DOC-1043 https://support.malwarebytes.com/docs/DOC-1161 The console can only deploy the MBAE it has within it, which will not be the latest anymore. To let MBAE upgrade to the latest, you need to enable it in your policy. Policy -> Edit -> your policy -> Anti-Exploit - > Automatically Upgrade Anti-Exploit on Clients. Note that some machines may need to restart to complete their upgrades, they will report the correct version number once the restart has taken place.
  9. Are there a lot of profiles on this server? It has to enumerate all user profiles before it can open, that's something that stands out based on your question.
  10. Hi @ERockZab, do you have a case open for this issue at all?
  11. @kmerolla I was able to, sort of, repro. My Win 10 Enterprise's Defender is turning itself off if MBEP is set to always register with Windows Action Center. I am not getting the pop up you are seeing but I am getting the effect on Defender. I guess Microsoft has changed it through an update, having it disable itself, and now adding an extra message, if another AV is registering with WAC. I do not get the problem if I set WAC register to "Let Malwarebytes apply", or "Never Register".
  12. djacobson

    EPP installation problem

    The log you posted doesn't look like a successful agent install, it does look like a successful attempt to use WMI to connect to that machine and begin the installer transfer but does not continue from there. May I have you zip up your D&D folder from the machine with which you were conducting the installs and paste it in your reply? C:\ProgramData\Malwarebytes Discovery and Deployment
  13. djacobson

    EPP installation problem

    This tool is installing the communication agent, not the protection plugin. The agent will need to be able to reach the cloud URL's in order to check-in, receive your policy and download the rest of its pieces and set itself up. Once that is done, then it will show the tray icon. But if it never is able to check into your cloud portal, it will not be complete. I'll need the info inside - C:\ProgramData\Malwarebytes Endpoint Agent Make sure your network appliance / firewall has these URL's allowed outbound on port 443, also disable any SSL filtering or deep packet inspection against those URL's. https://cloud.malwarebytes.com https://data.service.malwarebytes.com https://telemetry.malwarebytes.com https://data-cdn.mbamupdates.com https://data-cdn-static.mbamupdates.com https://keystone.mwbsys.com https://meps.mwbsys.com https://keystone-akamai.mwbsys.com https://socket.cloud.malwarebytes.com https://sirius.mwbsys.com https://hubble.mb-cosmos.com https://blitz.mb-cosmos.com https://cdn.mwbsys.com https://ark.mwbsys.com
  14. Disabling the firewall doesn't really work on modern OS, it would need all the remote admin, WMI, RPC and NETBT port rules opened first, then disabled. Follow this guide to know what needs to be opened - https://support.malwarebytes.com/docs/DOC-2237 You may find better results using a local Administrator account for the push logon instead of domain creds. The offline installation package needs to be copied to and ran from a local drive, as admin, to be successful. Running un-elevated or from a network share will not work. The MSI version needs to be ran within an elevated CMD prompt using standard msiexec commands in order to work.
  15. Hi @met, it's a little confusing but this option is not user configurable, it will be automatically engaged if the -ark determines that it is necessary. Otherwise, it is defaulted to disabled.

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.