Posts posted by djacobson

  1. Hi @Sergio_CRF, your screenshot is showing the scheduled scan item and the date of that scan item's creation, not the last time it had been run. The clients themselves will individually show the last time they ran the scheduled scan item in their row and details tabs when you are looking at the Client View area.

  2. I can see the picture now :) it doesn't look so bad. MBMC has a hardcoded timer within which it expects the client to respond back. The install might be ok, we'll need to grab some client logs to verify.

    Step A – Malwarebytes Client Log Set
    On the client go to C:\Program Files (x86)\Malwarebytes' Managed Client and run the tool CollectClientLog.exe as an admin.

    Step B – FRST Log
    Please follow the steps below to run frst.

    1.) Please download frst and frst64 from the link below and save it to your desktop:

    frst 32 Bit
    frst 64 Bit

    Note: You need to download the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your computer; that will be the right version. Some traditional Anti-Viruses may false positive the download or running frst, I can assure you it is safe. If this happens, please temporarily disable the AV.

    2.) Double-click the purple frst or frst64 icon to run the program. Click Yes when the disclaimer appears.
    3.) Click the Scan button
    4.) When the scan has finished, it will make 2 log files in the same directory in which the tool is located: frst.txt and Addition.txt.

    Please attach MBMC Client log, frst.txt and Addition.txt in your reply.

  3. @StroTech Thanks for the screenshots, I do have info for you, that this is real and not an FP. It is a browser search object hijack that landed on our radar due to aggressive and misleading advertising tactics. Users are responsible for installing it, and since this one is part of Chrome, it is highly likely that it came from this employee's home machine by way of Chrome auto-sync. If this is true, the detection is likely to repeat, with MB removing it and Chrome browser sync putting it back. You can easily see how this functionality allows a user's home habits to come to roost on your enterprise network. I also doubt that cleaning of an employee's home machine falls within your scope. Chrome can have its auto-sync property disabled via GPO since it poses a decent risk to a business' network. Removing the actual item for good or leaving it be is up to you. Check out the detection details here - https://blog.malwarebytes.com/detections/pup-optional-spigot/

  4. The picture didn't make it so I am going off of common reasons why no machines would show up. Do you have NetBIOS enabled (Microsoft has had it turned off via updates since Nov 2016) and are you trying to push across to another subnet? NetBIOS protocol going across subnets will require you to have a server in a WINS server role in order for the information to be able to make it back from the subnet. Other items that need to be open through the Windows firewall (including when it is "disabled"): WMI, remote administration and ports 135, 137 and 445 must be open. A machine being able to be pinged does not mean the traffic can flow. Try to net use the workstation's hard drive from the server, and that should give you a better approximation of potential discovery and install success.

  5. It has to do with the cert the appliance is using when the program tries to connect to the backend.

    Download this certificate package - https://malwarebytes.app.box.com/s/lhd76bqvur0gqtr2sfs30safdjjjtm9f

    Import the certificates for Malwarebytes to the Sonicwall so that it serves the correct one for the handshake when the application tries to dial out - https://www.sonicwall.com/en-us/support/knowledge-base/170505885674291

    Following that, make sure the external access URLs from this KB - https://support.malwarebytes.com/docs/DOC-1652 - are allowed past Sonicwall's Content Filter - https://www.sonicwall.com/en-us/support/knowledge-base/170505604252027

  6. The pre-reqs seem like they are not met on these machines, they are failing as access denied due to RPC and WMI being closed. If you have your Windows firewall disabled and these rules were not set beforehand, they will still be closed with the Windows firewall off.

    What happens if you run an install package directly on the machines? I am also seeing HTTPS failures; make sure you have TLS 1.1 and 1.2 enabled on the workstations and that no SSL filtering or SSL proxy is in place against the URLs in our exclusion KB here - https://support.malwarebytes.com/docs/DOC-1652

    Error in deployment for target: "Host name: [redacted]36936.[redacted]; IP Address(es): IP Address: [redacted], ; " Error: System.AggregateException: One or more errors occurred. ---> System.ApplicationException: Error copying files out to the admin share of: Host name: [redacted]36936.[redacted]; IP Address(es): IP Address: [redacted], ;  : Error: Access Denied

    2018-05-10 12:31:40,257 pid:11644 [13] ERROR WMIDetector - Connection to WMI scope failed on "[redacted]27388[redacted]" - System.UnauthorizedAccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))

    2018-05-10 12:31:05,989 pid:11644 [14] ERROR WMIDetector - Connection to WMI scope failed on "[redacted].33" - System.UnauthorizedAccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))

    2018-05-10 12:31:12,170 pid:11644 [8] ERROR WMIDetector - Connection to WMI scope failed on "[redacted].197" - System.Runtime.InteropServices.COMException (0x800706BA): The RPC server is unavailable. (Exception from HRESULT: 0x800706BA)

    2018-05-10 12:30:58,552 pid:11644 [14] ERROR WMIDetector - Connection to WMI scope failed on "[redacted]24225[redacted]" - System.UnauthorizedAccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
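A check for the prerequisites named in posts 4 and 6 above (RPC/WMI reachability, ports 135, 137 and 445, and the admin share) across a list of targets, as an added example that is not code from the forum post or from Malwarebytes. It assumes Windows PowerShell 5.1 on the deployment server and an account that is a local administrator on the targets; the host names are constructed placeholders, and the admin share test uses the current session's credentials.

```powershell
# Added example, not from the post or Malwarebytes. Windows PowerShell 5.1 assumed.
function Test-AgentDeployPrereq {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [pscredential]$Credential
    )
    $wmiArgs = @{ Class = 'Win32_OperatingSystem'; ErrorAction = 'Stop' }
    if ($Credential) { $wmiArgs.Credential = $Credential }

    foreach ($c in $ComputerName) {
        $r = [ordered]@{ Host = $c }
        # A ping reply proves little; probe the TCP ports the deployer actually needs:
        # 135 (RPC endpoint mapper, used by WMI/DCOM) and 445 (SMB, used for the admin share).
        foreach ($p in 135, 445) {
            $t = Test-NetConnection -ComputerName $c -Port $p -WarningAction SilentlyContinue
            $r["Tcp$p"] = $t.TcpTestSucceeded
        }
        # UDP 137 (NetBIOS name service) cannot be probed over TCP; check whether a
        # NetBIOS name query against the host returns a name table at all.
        $r.NetBiosName = [bool](nbtstat -a $c 2>$null | Select-String 'UNIQUE')
        # Same DCOM/WMI path WMIDetector uses, so the HRESULTs match the log lines above.
        try {
            Get-WmiObject -ComputerName $c @wmiArgs | Out-Null
            $r.Wmi = 'OK'
        } catch {
            $hr  = '0x{0:X8}' -f $_.Exception.HResult
            $msg = $_.Exception.Message
            $r.Wmi = switch ($hr) {
                '0x80070005' { 'E_ACCESSDENIED: account lacks remote admin rights on target' }
                '0x800706BA' { 'RPC server unavailable: RPC/WMI blocked, usually by a firewall' }
                default      { "$hr $msg" }
            }
        }
        # The installer is copied into ADMIN$; a successful "net use" is the same signal.
        $r.AdminShare = Test-Path ('\\' + $c + '\ADMIN$')
        [pscustomobject]$r
    }
}

# Constructed usage: two placeholder hosts, results as a table.
Test-AgentDeployPrereq -ComputerName 'WS-EXAMPLE-01', 'WS-EXAMPLE-02' | Format-Table -AutoSize
```

A row with Tcp135 or Wmi reporting the RPC error points at the firewall rules the post describes; E_ACCESSDENIED with the ports open points at the account's rights on the target instead.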

  7. The VB6 needed is shipped with the MBAM installer but looks to be broken here in your case. The MSVB file is most likely in syswow64.

    1. Uninstall the Malwarebytes agent on the server
    2. Use this installer to repair the VB6 - https://www.microsoft.com/en-us/download/details.aspx?id=24417
    3. Restart
    4. Reinstall the Malwarebytes agent

    Let me know if that helps the loading situation; if not, capture a new log set.

    Thanks @codesmithery

  8. The second copy of mbam.exe could be a scan that is running, it handles that and the interface. There's something else going on here, this performance problem you are having doesn't look like it's MBAM's fault, it looks like there's a conflict or the run-time is broken. Are either of the servers, from which you captured those logs, in an RDS, Terminal or some other shared resource role? They are filled with VB6 related errors against the MBAM process, historically that points to a possible problem with the VB6 run-time install or MBAM's real-time against an RDS role, or some other role these servers are in.

    You could try reinstalling VB6 runtime in the meantime:

    Error: (05/17/2018 01:15:05 PM) (Source: Application Error) (EventID: 1000) (User: )
    Description: Faulting application name: mbam.exe, version:, time stamp: 0x56ba3282
    Faulting module name: MSVBVM60.DLL, version:, time stamp: 0x49b01fc3
    Exception code: 0xc0000005
    Fault offset: 0x000da280
    Faulting process id: 0x1464
    Faulting application start time: 0x01d3edf81bf9db62
    Faulting application path: C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe
    Faulting module path: C:\Windows\SYSTEM32\MSVBVM60.DLL

  9. The profile folders in C:\users are not important. It is the system and local profiles in HKU and the domain profiles in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList. Every profile listed in these locations will be enumerated on disk prior to the GUI opening as the engine loads. If this server happens to be a VM, you will also be at the mercy of your storage latency for this process.

    This process can also be made worse by other security programs watching us as we do this enumeration, adding time by inspecting each file we create and touch. If you have not yet set up exclusions of our processes to be ignored in the other security software you have, I would make sure to do that. Even for MSE, Defender, MCEP solutions. MBMC Managed and Unmanaged file/folder locations are here in this KB - https://support.malwarebytes.com/docs/DOC-1236

    While 2 minutes to start is on the higher end, Anti-Malware 1.x is no speed demon, 10 to 60 seconds is in the realm of normal (depending on profile #). The test VM I used, which has 3 system accounts, 1 local account and 5 domain accounts, 9 total, loads within an average of 15 seconds over ten timed openings.

    You can watch the behavior I am talking about by opening this folder - C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware - and leaving it open while you try to start MBAM's GUI. You'll see what I am talking about. Here's a capture from mine...
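To see how many profiles the engine will enumerate on a given server, which of them come from HKU versus the ProfileList key, and how long a walk of each profile root takes on that server's storage, here is an added example that is not code from the forum post or from Malwarebytes. It assumes an elevated Windows PowerShell 5.1 session on the server; the bounded file walk is an approximation of the enumeration described in the post, not the product's own method.

```powershell
# Added example, not from the post or Malwarebytes. Elevated Windows PowerShell 5.1 assumed.
function Get-EnumeratedProfile {
    $listKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    # Hives currently loaded under HKU (system accounts and logged-on users show up here)
    $loaded = (Get-ChildItem Registry::HKEY_USERS).PSChildName
    foreach ($k in Get-ChildItem $listKey) {
        $sid  = $k.PSChildName
        $path = [Environment]::ExpandEnvironmentVariables((Get-ItemProperty $k.PSPath).ProfileImagePath)
        # Resolve the SID so local accounts can be told apart from domain accounts;
        # orphaned domain SIDs may not resolve when no DC is reachable.
        $acct = $null
        try { $acct = ([Security.Principal.SecurityIdentifier]$sid).Translate([Security.Principal.NTAccount]).Value } catch {}
        $kind = if ($sid -match '^S-1-5-(18|19|20)$') { 'system' }
                elseif ($acct -and $acct.Split('\')[0] -eq $env:COMPUTERNAME) { 'local' }
                else { 'domain' }
        # Bounded walk (assumption: approximates the enumeration, not the product's code).
        # This is the part that storage latency and other AV's file inspection slow down.
        $sw = [Diagnostics.Stopwatch]::StartNew()
        $files = @(Get-ChildItem -LiteralPath $path -Force -File -Depth 4 -ErrorAction SilentlyContinue).Count
        $sw.Stop()
        [pscustomobject]@{
            Sid = $sid; Account = $acct; Kind = $kind; HiveLoaded = ($loaded -contains $sid)
            Path = $path; Files = $files; WalkMs = $sw.ElapsedMilliseconds
        }
    }
}

$profiles = @(Get-EnumeratedProfile)
$profiles | Format-Table Kind, Account, HiveLoaded, Files, WalkMs, Path -AutoSize
$byKind = $profiles | Group-Object Kind | ForEach-Object { '{0} {1}' -f $_.Count, $_.Name }
'{0} profiles ({1}); total walk {2} ms' -f $profiles.Count, ($byKind -join ', '),
    ($profiles | Measure-Object WalkMs -Sum).Sum
```

Run it once with the other security software's exclusions in place and once without; a large drop in WalkMs confirms the inspection overhead the post describes.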

  10. For upgrading your MBMC console, follow these two KBs:

    The console can only deploy the MBAE it has within it, which will not be the latest anymore. To let MBAE upgrade to the latest, you need to enable it in your policy. Policy -> Edit -> your policy -> Anti-Exploit -> Automatically Upgrade Anti-Exploit on Clients. Note that some machines may need to restart to complete their upgrades; they will report the correct version number once the restart has taken place.

  11. @kmerolla I was able to, sort of, repro. My Win 10 Enterprise's Defender is turning itself off if MBEP is set to always register with Windows Action Center. I am not getting the pop up you are seeing but I am getting the effect on Defender. I guess Microsoft has changed it through an update, having it disable itself, and now adding an extra message, if another AV is registering with WAC. I do not get the problem if I set WAC register to "Let Malwarebytes apply", or "Never Register".

  12. The log you posted doesn't look like a successful agent install, it does look like a successful attempt to use WMI to connect to that machine and begin the installer transfer but does not continue from there. May I have you zip up your D&D folder from the machine with which you were conducting the installs and paste it in your reply?

    C:\ProgramData\Malwarebytes Discovery and Deployment

  13. This tool is installing the communication agent, not the protection plugin. The agent will need to be able to reach the cloud URLs in order to check in, receive your policy, download the rest of its pieces and set itself up. Once that is done, then it will show the tray icon. But if it is never able to check into your cloud portal, it will not be complete.

    I'll need the info inside - C:\ProgramData\Malwarebytes Endpoint Agent

    Make sure your network appliance / firewall has these URLs allowed outbound on port 443; also disable any SSL filtering or deep packet inspection against those URLs.
