djacobson

@Eleanor67 just saw your new reply, try out some of those items I bulleted for JPerez, sounds like you have comm interference. Perhaps even something going on with the database itself. Do you have a ticket opened already?

@Eleanor67 The push tool status is inconsequential, it is not live data. It shows what was the last result of you using the push tool. A machine being pushed to in that moment has a set hardcoded timer that it must reply back within or it will get tagged as unregistered, it is not a "smart" enough app to know more than that about a client during install; even if the client successfully registers anytime after the timer. The client view online/offline status has nothing to do with the 'client has not been registered' execution result of the push tool. If you do not wish to see the push tool results say 'client has not been registered', I can write an SQL query to delete them for you. @JPerez1969 Use all three to restart the service, it is why they are there. It is also likely you are experiencing an entirely different client issue than eleanor, the thing you have in common so far is the push tool results. Clients flipping offline/online in client view when the actual machine is the opposite of what it says can be a myriad of items. The MEEClientService being off when you go check on it has two or three causes. Other items that can help: Disable Windows fastboot. Try setting MEEClientService from Automatic to Automatic (delayed start) - this is the "Start Up Type" option in policy or can be done directly in Windows Services.msc. Exclude "C:\Program Files (x86)\Malwarebytes' Managed Client\sccomm.exe" from Windows Firewall, Windows Defender, and any other security or access restricting programs you may have in place. Ensure C:\Program Files (x86)\Malwarebytes' Managed Client\sccomm.exe.config is not blank. Also ensure that C:\ProgramData\sccomm\SCComm.xml is not blank and contains the correct server address.

Logging in as an admin or user in an admin group with modern Windows does not give you administrative permissions directly. If you have not yet tried this, right click the exe and run as admin. The MSI needs to be ran with an msiexec command from an admin elevated CMD. Also make sure the installers are copied locally to the machine being installed, they do not work reliably, if at all, over network drives and shares.

Please fill them all out to restart the service.

Usually with servers, it's best to use the Windows Admin account as the logon for the push tool rather than your domain admin creds. Temporarily enable it if you have it off, and give it a password. Even when you are the AD admin, often times that is not enough to give the push tool the ability to access the another server.

Hi @Eleanor67, please use your service failure options in Policy -> your policy -> Edit -> General -> Enable Service Recovery Options. Set the options, changing the "None" to "Restart Service", use an initial time of 2 minutes.

I got you bud!

Hi @wep, if the endpoint has the installation already, you can right click the system tray icon and start a scan. This will follow whatever is set in the policy, so if you do not have an installation on that machine or are disconnected from the network and need to use a more customizable scan, grab your MBBR (Malwarebytes Breach Remediation) tool. This is a cmd tool for Windows, terminal and gui for Macs. You can find it in your Endpoints -> Add Endpoints -> Dissolvable Unmanaged Remediation Tool. Instructions on how to use and the scan switches available are contained within a PDF guide that is inside the download. Let me know if you need any help.

Problem was identified and fix is rolling out. The page should be available now if not shortly.

There is one in the works though paused as development resources are being utilized on a migration tool for MBES 1.9 to MBEP Cloud.

Hi Steve, I created a case for you so that our L1 team can take care of finding this information. You should see an email confirmation of the ticket shortly.

Hi @Steve_Grande, yup, no problem! We can pull this from your database or look it up by the email used to make the purchase.

Are these a list you made or file you suspect are infected?

*.belairinternet.com is blocked for a string of trojan downloaders in March on that domain. This link shows some of the hashes for the offending files - https://www.virustotal.com/en/domain/belairinternet.com/information/ - if the site gets cleaned up, a request for review and release can be done.

Your attachment is corrupted and unreadable.