djacobson

Hi @BenCunn, the cloud product has no UI for the endpoints at this time. The 3 products you are familiar with; MBAM, MBAE and MBARW, that are all separate pieces with MBES are combined into one footprint with MBEP, there is no need to download and run anything else. Everything about how the program runs, what protections are enabled, scan schedule etc, is controlled by the settings and policies within your cloud console portal. Licenses are controlled by the account email you set up, it doesn't use a license key like the consumer side, you cannot use the consumer MB3 with a cloud trial or purchase.

We will need to look at the MBAE logs surrounding the event, most times the MD5's need to be generated on your own, but in order to work the hit must act upon a specific layer of MBAE's protection. May I have you zip up the entire “C:\ProgramData\Malwarebytes Anti-Exploit” folder from the client showing the block and attach it here?

The process that runs the realtime is unable to run because there are portions of the program missing. Missing portions of the product during install happen due to other security software deleting them via some intrusion protection function in that other security software. I would suggest ignoring Malwarebytes' processes in your Avast and Windows Defender and reinstalling. R2 MB3Service; C:\Program Files\Malwarebytes\Anti-Ransomware\mb3service.exe [6054352 2017-07-25] (Malwarebytes) R2 MbaeSvc; C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe [155080 2017-05-15] (Malwarebytes Corporation) R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [452576 2016-02-09] (Malwarebytes Corporation) S2 MBAMService; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [901088 2016-02-09] (Malwarebytes Corporation) R1 ESProtectionDriver; C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.sys [77408 2017-05-15] () R3 MB3SwissArmy; C:\WINDOWS\system32\drivers\MB3SwissArmy.sys [253888 2017-08-03] (Malwarebytes) R3 MBAMFarflt; C:\WINDOWS\system32\DRIVERS\farflt.sys [101824 2017-08-03] (Malwarebytes) Missing MBAM.sys entry! Error: (08/03/2017 10:20:35 PM) (Source: Service Control Manager) (EventID: 7001) (User: ) Description: The MBAMService service depends on the MBAMProtector service which failed to start because of the following error: The system cannot find the file specified. Error: (08/03/2017 10:20:35 PM) (Source: Service Control Manager) (EventID: 7000) (User: ) Description: The MBAMProtector service failed to start due to the following error: The system cannot find the file specified. Error: (08/03/2017 10:20:33 PM) (Source: Service Control Manager) (EventID: 7001) (User: ) Description: The MBAMService service depends on the MBAMProtector service which failed to start because of the following error: The system cannot find the file specified. Error: (08/03/2017 10:20:33 PM) (Source: Service Control Manager) (EventID: 7000) (User: ) Description: The MBAMProtector service failed to start due to the following error: The system cannot find the file specified. Error: (08/03/2017 10:20:33 PM) (Source: Service Control Manager) (EventID: 7001) (User: ) Description: The MBAMService service depends on the MBAMProtector service which failed to start because of the following error: The system cannot find the file specified.

It's a whole separate product, not an upgrade to the existing standalone or on-prem. You can find out more here - https://www.malwarebytes.com/business/endpointprotection

Have you added the external access URL prerequisites to your network appliance? There are a lot of unable to resolve errors on the required URL's for the licensing backend in your posted logs.

What version were you using?

It was already released in June. It is the Cloud console product.

@droberts, reviewing your case on our ticket system, and the logs you have submitted, this is most likely due to the disk encryption in use, causing a failure to fully enumerate the file system. For now, continue to use just the quick scan setting until the agent you are working with, KLatimore, comes to a resolution for your issue. I am locking this thread to avoid double work since you have an actual ticket open.

One of the first ones in that list associated with that IP, eastsideanimalhospital, has GoDaddy as the registrar. Many others in that list do as well. https://www.virustotal.com/en/domain/eastsideanimalhospital.com/information/ Domain Name: EASTSIDEANIMALHOSPITAL Registrar: GODADDY.COM, LLC

I see a lot of subdomains on that IP, the host looks to be GoDaddy - https://www.virustotal.com/en/ip-address/162.144.218.223/information/ It's not uncommon for one of those other sites to cause the hit on yours. GoDaddy will need to identify and remediate.

Hi @bzielinski, run this diag tool and we'll dive in. Frst Log Please follow the steps below to run frst. 1.) Please download frst and frst64 from the link below and save it to your desktop: FRST 32-bit version: https://downloads.malwarebytes.com/file/FRST FRST 64-bit version: https://downloads.malwarebytes.com/file/FRST64 Note: You need to download the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your computer; that will be the right version. Some traditional Anti-Viruses may false positive the download or running frst, I can assure you it is safe. If this happens, please temporarily disable the AV. 2.) Double-click the purple frst or frst64 icon to run the program. Click Yes when the disclaimer appears. 3.) Click the Scan button 4.) When the scan has finished, it will make 2 log files in the same directory the tool is located, frst.txt and Addition.txt. Please attach frst.txt and Addition.txt in your reply.

It's been optimized and the signatures have received some pruning but it should be that quick. Could I have you get an FRST log from an example machine? Frst Log Please follow the steps below to run frst. 1.) Please download frst and frst64 from the link below and save it to your desktop: FRST 32-bit version: https://downloads.malwarebytes.com/file/FRST FRST 64-bit version: https://downloads.malwarebytes.com/file/FRST64 Note: You need to download the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your computer; that will be the right version. Some traditional Anti-Viruses may false positive the download or running frst, I can assure you it is safe. If this happens, please temporarily disable the AV. 2.) Double-click the purple frst or frst64 icon to run the program. Click Yes when the disclaimer appears. 3.) Click the Scan button 4.) When the scan has finished, it will make 2 log files in the same directory the tool is located, frst.txt and Addition.txt. Please attach frst.txt and Addition.txt in your reply.

I'm not asking you to uninstall it, I want you to disable HIPS and test a scan, eliminating a known incompatibility caused by HIPS. If this allows your scan to run as normal and not be interfered with, then you have your answer.

@Porthos, those are program version numbers, not the signature revision. This ticket was also submitted to the corporate side before I moved it to the FP section. If the hit still happens but only on the home consumer version of Anti-Malware, then let a staff member that supports the consumer product address the issue.

The 1 of 66 engines still having a hit is Emsisoft.