djacobson

Staff
Posts posted by djacobson

  1. Give the API a try. Tool location - C:\Program Files (x86)\Malwarebytes' Anti-Malware. Tool is named MBAMAPI.exe. Open an admin elevated CMD prompt. Something like:

    CD "C:\Program Files (x86)\Malwarebytes' Anti-Malware"
    mbamapi /quarantine -restore file "C:\Windows\Temp\wbxtra_05312018_221755.wbt"


    Formatting the command is as follows:

    Restore Items from Quarantine
    Usage:
    mbamapi /quarantine -restore <class> [specification]

    Purpose:
    This command restores items which have been quarantined by Malwarebytes Anti-Malware. Please note that a reboot is usually required before a quarantined item may be restored, due to Delete On Reboot technology used by the program.

    Parameters:

    • all
      • All quarantined threats
    • file
      • File “<drive>\<dir>\<file>”, where string is enclosed in double quotes.
    • folder
      • Folder “<drive>\<dir>”, where string is enclosed in double quotes.
    • key
      • Registry entry “<hive>\<key>”, where string is enclosed in double quotes.
    • value
      • Registry value “<hive>\<key>|<value>”, where string is enclosed in double quotes.

    Examples:
    mbamapi /quarantine -restore file "C:\Windows\file.exe"
    mbamapi /quarantine -restore folder "C:\Windows\folder"
    mbamapi /quarantine -restore key "HKLM\Software\key"
    mbamapi /quarantine -restore value

  2. RPC and WMI appear to be closed. The push installer is also failing to obtain IPs from every machine on your subnets. The MBMC console uses NetBIOS; in order to receive traffic back from subnets other than the one the server is on, a WINS server role needs to be set up. We'll go over more of this in your pre-sales meeting today with Jacob.

    Error    2018-06-04 15:25:26.5559    3992    40    System.Exception: The RPC server is unavailable. Please allow WMI through Windows Firewall. ---> System.Runtime.InteropServices.COMException: No such interface supported

  3. That is correct, MBAM is at 1.80.2.1012, and will stay that way within the current MBES product as it is mature and stable. Its known issues were what the MB3 within the cloud product has addressed. The on-premises version's management console will continue to receive updates until it is able to deploy an equivalent agent as the cloud product does in the future.

  4. Is the .NET 3.5 feature enabled on the endpoints? The logs are filled with the clients' failure to respond to the server; the logs also still show lots of connection failures, as if the network is still not open, and access denied on the endpoints. Other than the ports, make sure those predefined firewall rules are open for WMI and remote administration; the open ports will not work without these.

    Info    2018-05-28 16:06:40.6189    4628    90    IP Address 192.168.123.35 remote service control log: Remote client IP address: 192.168.123.35
    Remote client hostname: ELIZABETH-HP-7
    Process username: SYSTEM
    ServiceIsInstalled: 1060. The specified service does not exist as an installed service.
    SetNTService: 5
    System error 5 has occurred. Access is denied. Failed to create remote service.
    Info    2018-05-28 16:06:40.6189    4628    90    Delete folder: \\192.168.123.35\C$\scclientinstall_81f2e6ff_c17a_46b4_8dfe_41f276bab37a
    Error    2018-05-28 16:06:40.6189    4628    90    There was an error deleting that folder: System.UnauthorizedAccessException: Access to the path '\\192.168.123.35\C$\scclientinstall_81f2e6ff_c17a_46b4_8dfe_41f276bab37a' is denied.
       at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
       at System.IO.Directory.Delete(String fullPath, String userPath, Boolean recursive, Boolean checkHost)
       at SC.Server.WindowsService.ComputerTest.TestIPAddress(RemoteInstallClientInfo clientInfo, String originAdminName, String& newAdminName, String adminPassword, Boolean isSupportSignleCancel, String curSccommVersion, String curMbamVersion, String curMbaeVersion, String localDomain, String localNetBiosDomain, String localAdminName, String localAdminPassword, Boolean useWMI)
    Info    2018-05-28 16:06:40.6502    4628    90    IP 192.168.123.35 simulation result: System error 5 has occurred. Access is denied. Failed to create remote service.
    Info    2018-05-28 16:06:40.6502    4628    90    IP 192.168.123.35 simulation result: Detection failed. Access is denied. Failed to create remote service.
    Info    2018-05-28 16:06:40.6502    4628    90    Modify remotely install client: ELIZABETH-HP-7    0 ms
    Info    2018-05-28 16:06:40.6658    4628    90    Thread [90] scan task exited.


    Could you run these tools on an example client instead of the server?

  5. Add the following process to be excluded by whatever other security software you have:

    C:\Programdata\Sccomm\Sccomm.exe


    Then, open an admin elevated CMD prompt and enter this command:

    sc failure "SCCommService" actions= restart/6000/restart/6000/""/6000 reset= 120


    This command will restart the service if it has failed for longer than 6000 ms, which is 6 seconds; it will do that once more on the second failure; the third failure will take no action, so that the service doesn't end up in a start/stop loop. If the first and second restarts are successful and the service remains up for at least 2 minutes, the failure count is reset.

    Here's an article that explains the sc failure command set in more detail - <https://technet.microsoft.com/en-us/library/cc742019(v=ws.11).aspx>
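    As an added example (not part of djacobson's post), a PowerShell wrapper that applies the same recovery policy and then reads it back with `sc.exe qfailure` to confirm it took effect. It assumes an elevated shell, that SCCommService is installed, and the English-language output format of sc.exe for the readback check.

```powershell
# Added example, not from the original post: apply the recovery policy described above
# to SCCommService and read it back to confirm it took effect. Assumes an elevated shell.
$ServiceName = 'SCCommService'   # service name from the post
$DelayMs     = 6000              # wait 6 seconds before each restart
$ResetSec    = 120               # failure counter resets after 2 minutes of clean uptime

# Refuse to configure a service that is not installed on this host.
if (-not (Get-Service -Name $ServiceName -ErrorAction SilentlyContinue)) {
    throw "Service '$ServiceName' is not installed on this host."
}

# Same policy as the post's command: restart, restart, then no action.
# sc.exe needs 'actions=' and 'reset=' as tokens separate from their values;
# an empty segment between slashes is assumed to be the argv form of the post's "".
$actions = "restart/$DelayMs/restart/$DelayMs//$DelayMs"
& sc.exe failure $ServiceName 'actions=' $actions 'reset=' $ResetSec | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "sc.exe failure exited with code $LASTEXITCODE (is the shell elevated?)"
}

# Read the policy back and check the reset period and the two restart actions.
$cfg       = (& sc.exe qfailure $ServiceName) -join "`n"
$resetOk   = $cfg -match "RESET_PERIOD \(in seconds\)\s*:\s*$ResetSec\b"
$restartOk = ([regex]::Matches($cfg, "RESTART -- Delay = $DelayMs milliseconds")).Count -eq 2

if ($resetOk -and $restartOk) {
    Write-Host "Recovery policy verified for $ServiceName."
} else {
    Write-Warning "Policy did not read back as expected:`n$cfg"
}
```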


  6. Hi @Tommyb2010, the PUP detected here is from the ads that are shown as part of TeamViewer's setup, not TeamViewer itself. Many companies do this to subsidize cost; however, not all ad partners are honest. Items end up being tagged as PUPs due to them doing one or more of the following:

    • obtrusive, misleading, or deceptive advertising, branding, or search practices
    • using pop-ups, pop-unders, ad-insertion, ad-overlays, ad replacement
    • excessive or deceptive distribution, affiliate or opt-out bundling practices which may or may not include SEO poisoning techniques
    • aggressive or deceptive behavior especially surrounding purchasing or licensing, including using affiliates & third parties who use different tactics or techniques to get users to purchase, than what is available from the manufacturer's website
    • unwarranted, unnecessary, excessive, illegitimate, or deceptive modifications of system settings, security settings or configuration (including browser settings and toolbars that bring no additional value over standard Operating System and legitimate application settings)
    • using fake installers for commonly used software (such as Adobe Flash Player) to push your product
    • using exaggerated findings (such as claiming temp files, cookies, registry entries, etc. are harmful) as scare tactics to get users to purchase
    • using technical support scam tactics
    • difficulty uninstalling or removing the software
    • predominantly negative feedback or ratings from the user community
    • in general hurting or diminishing end user experience
    • other practices generally accepted as riskware, scareware, adware, greyware, or otherwise commonly unwanted software by the user community

    Here is more information on PUP.Optional.installcore - https://blog.malwarebytes.com/detections/pup-optional-installcore/
