djacobson

Staff
Posts posted by djacobson


  1. Disabling the firewall doesn't really work on a modern OS; it would need all the remote admin, WMI, RPC and NETBT port rules opened first, then be disabled. Follow this guide to know what needs to be opened - https://support.malwarebytes.com/docs/DOC-2237

    You may find better results using a local Administrator account for the push logon instead of domain creds. The offline installation package needs to be copied to, and run from, a local drive, as admin, to be successful. Running un-elevated or from a network share will not work. The MSI version needs to be run within an elevated CMD prompt using standard msiexec commands in order to work.
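    A preflight script for the steps in that post, added here as an illustration; it is not the original post's content and not Malwarebytes' own tooling. It runs on the target endpoint in an elevated PowerShell session and assumes the built-in Windows Defender Firewall display groups ('Remote Administration', 'Windows Management Instrumentation (WMI)', 'File and Printer Sharing') are the ones carrying the remote admin, RPC, WMI and NetBT rules the post names; the installer and log paths are placeholders.

```powershell
# Added example (not from the original post or from Malwarebytes): push-install preflight.
# Run in an elevated PowerShell session on the endpoint being installed.

# 1. Both the offline package and the msiexec command have to run elevated.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw 'Run this from an elevated (Administrator) PowerShell session.' }

# 2. Report the state of the inbound rule groups a push logon relies on.
#    'Remote Administration' carries the RPC (TCP 135) and RPC endpoint-mapper rules;
#    'File and Printer Sharing' carries the SMB and NetBIOS-over-TCP (NetBT) rules.
$groups = @(
    'Remote Administration',
    'Windows Management Instrumentation (WMI)',
    'File and Printer Sharing'
)
foreach ($g in $groups) {
    $rules = @(Get-NetFirewallRule -DisplayGroup $g -Direction Inbound -ErrorAction SilentlyContinue)
    if ($rules.Count -eq 0) { Write-Warning "No inbound rules found for group '$g'"; continue }
    $enabledCount = @($rules | Where-Object { $_.Enabled -eq 'True' }).Count
    '{0,-42} {1}/{2} inbound rules enabled' -f $g, $enabledCount, $rules.Count
}

# 3. The package must sit on a local drive; a UNC path means it was left on a share.
$msi = 'C:\Temp\MBES-offline-installer.msi'   # placeholder path
$log = 'C:\Temp\MBES-install.log'             # placeholder path
if ($msi -like '\\*') { throw 'Copy the installer to a local drive before running it.' }

# 4. Standard msiexec switches: /i install, /qn no UI, /L*v verbose log to a file.
if (Test-Path $msi) {
    $msiArgs = @('/i', "`"$msi`"", '/qn', '/L*v', "`"$log`"")
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
    'msiexec exit code: {0} (0 = success, 3010 = success, reboot required)' -f $proc.ExitCode
} else {
    Write-Warning "Installer not found at $msi; copy it locally and re-run."
}
```

    Step 2 only reports; it does not change any rule, so it is safe to run before deciding what to open. The exit-code note uses the two standard Windows Installer success codes.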


  2. @kieferschild Got the info from research. This is a variant of backdoor.nanocore, it is a Trojan meant for gathering information from a Windows system and can modify settings, gather data and send it to a remote threat actor. Two standout things to check for this guy; double check what your web homepages and search engines have been set to, they could be pointing to compromised sites. And change your passwords for domain and the local accounts, this is likely going to need to be done site-wide, the actor that gained access to your machine could've gotten more info and credentials than what was just on that box alone.

    The original author of this is serving prison time, here is an article that talks about that and some of the main functions of this Trojan - https://arstechnica.com/tech-policy/2018/02/developer-of-the-prolific-nanocore-backdoor-gets-prison/

    An extra definition for this variant is going to be added in the next signature update since my test MBES was unable to detect this, very happy that MBEP was able to catch it for you. Thanks for bringing this to our attention!



  3. I asked because you will see that first one often on servers, since ARW is disabled for servers. You will also see it on other machines where ARW cannot apply an exclusion for a path that doesn't exist on that particular machine; this is normal and a non-critical failure.

    The MBAE portion looks unable to apply one of its techniques; hard to say which one with just this log excerpt. The mbamservice log may help identify the particular technique that is not loading, which could be a failure, or it could be a technique that is not supported on this machine and is being automatically disabled. I would bring this up to the agent you have working on your exclusion ticket.


  4. Great catch by that agent. The folder by path function can be used for that path if you leave the wildcard off the end. Ignoring folder by path already implies everything within that folder, making the wildcard unneeded. Save the wildcard usage for items in the middle of the path string. MBMC needed the * at the end of a path, so I know it is a hard habit to break :)
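    To make the point concrete, here is a small matcher added as an illustration of the exclusion semantics the post describes; it is not Malwarebytes' own matching code, and the sample paths are constructed. It models a folder exclusion as "this folder and everything beneath it", treats a trailing `*` as redundant, and confines a mid-path `*` to a single path segment (the `Users\*\AppData` case).

```powershell
# Added example (not from the original post or from Malwarebytes): a model of
# folder-by-path exclusion matching with the wildcard rules described above.
function Test-PathExcluded {
    param(
        [Parameter(Mandatory)][string]$Path,       # path of the item being scanned
        [Parameter(Mandatory)][string]$Exclusion   # folder-by-path exclusion string
    )
    $pathParts = $Path.TrimEnd('\') -split '\\'
    $exclParts = $Exclusion.TrimEnd('\') -split '\\'

    # A trailing "*" segment adds nothing: the folder already covers its subtree.
    if ($exclParts.Count -gt 1 -and $exclParts[-1] -eq '*') {
        $exclParts = $exclParts[0..($exclParts.Count - 2)]
    }

    # The excluded folder must be a prefix of the item path, segment by segment.
    if ($pathParts.Count -lt $exclParts.Count) { return $false }
    for ($i = 0; $i -lt $exclParts.Count; $i++) {
        # -like gives per-segment wildcard matching, case-insensitive like NTFS names.
        if ($pathParts[$i] -notlike $exclParts[$i]) { return $false }
    }
    return $true
}

# Constructed sample cases: the first two show that the trailing * changes nothing,
# the last two show a mid-path * matching one user-profile segment only.
$cases = @(
    @{ Path = 'C:\Program Files\App\bin\tool.exe';          Exclusion = 'C:\Program Files\App' },
    @{ Path = 'C:\Program Files\App\bin\tool.exe';          Exclusion = 'C:\Program Files\App\*' },
    @{ Path = 'C:\Users\alice\AppData\Local\App\core.dll';  Exclusion = 'C:\Users\*\AppData\Local\App' },
    @{ Path = 'C:\Users\alice\Documents\core.dll';          Exclusion = 'C:\Users\*\AppData\Local\App' }
)
foreach ($c in $cases) {
    '{0,-6} {1}  <=  {2}' -f (Test-PathExcluded @c), $c.Path, $c.Exclusion
}
```

    Running the block prints one line per case with the match result first. Because the wildcard is matched one segment at a time, `C:\Users\*\AppData\Local\App` reaches every user's profile without also swallowing unrelated folders under `C:\Users`.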


  5. On 4/24/2018 at 8:07 AM, bhabel said:

    Can you quantify "excessive"?

    I am not able to be exact; it can vary due to the size of the contents within the user profile. An attempt is made to enumerate all profiles before a scan begins. For light-sized profiles, around 50 to 80. For larger profiles, it can be a fair amount less.


    The Kaspersky issue, I am not sure, I would need to ask.


  6. The MBMC console will remove the entry from the client view only; it does not uninstall the agent. The setting that controls this is "delete obsolete clients" when client has not checked in in _____ day(s), in Admin \ Database Settings \ Cleanup Settings \ Change. Automatic tasks that the console performs will be in the Admin log section.


  7. Yes, this issue is part of the MBAM 1.x engine in its entirety, from at least 1.43 to 1.80.2.1012. 1.80.1.1011 was also replaced by 1.80.2.1012 due to a potential vulnerability to man-in-the-middle attacks via the updating mechanism; I would advise you to upgrade your console and clients to the latest to gain the MitM protection.


    https://www.malwarebytes.com/support/releasehistory/business/

    1.80.2 / May 26, 2016

    Stability/Issues fixed

    Fixed security vulnerability to ensure database updates are downloaded over SSL connections only
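    The release note above describes the fix from the server side (updates only over SSL). As an added illustration, not part of the original post and not Malwarebytes' update code, the following shows the two client-side checks that close the same man-in-the-middle gap for any update downloader: refuse anything that is not an https URL to a known host, and verify the downloaded package against a digest obtained out of band. The allowed host name and the demo file are constructed placeholders; the digest used in the demo is the standard SHA-256 of the ASCII string "abc".

```powershell
# Added example (not from the original post or from Malwarebytes): update-source and
# integrity checks an update client should apply before trusting a definition package.

function Test-UpdateSource {
    # Accept only absolute https URLs, optionally restricted to an allow-list of hosts.
    param(
        [Parameter(Mandatory)][string]$Url,
        [string[]]$AllowedHosts = @()     # placeholder allow-list supplied by the caller
    )
    $uri = $null
    if (-not [System.Uri]::TryCreate($Url, [System.UriKind]::Absolute, [ref]$uri)) { return $false }
    if ($uri.Scheme -ne 'https') { return $false }   # plain http is the path a MitM can rewrite
    if ($AllowedHosts.Count -gt 0 -and $uri.Host -notin $AllowedHosts) { return $false }
    return $true
}

function Test-UpdateIntegrity {
    # Compare the SHA-256 of a downloaded package with a digest published separately;
    # TLS protects the transport, the digest proves the file is the one that was published.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedSha256
    )
    $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    return $actual -eq $ExpectedSha256   # string -eq is case-insensitive, so hex case does not matter
}

# Constructed demonstration: a three-byte "package" whose SHA-256 is the well-known
# digest of the ASCII string "abc".
$pkg = Join-Path $env:TEMP 'demo-update.bin'
[IO.File]::WriteAllBytes($pkg, [Text.Encoding]::ASCII.GetBytes('abc'))
$expected = 'ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad'
$allowed  = @('updates.example.invalid')   # placeholder host, not a real update server

Test-UpdateSource -Url 'http://updates.example.invalid/defs.bin'  -AllowedHosts $allowed   # plain http
Test-UpdateSource -Url 'https://updates.example.invalid/defs.bin' -AllowedHosts $allowed   # https, known host
Test-UpdateSource -Url 'https://other.example.invalid/defs.bin'   -AllowedHosts $allowed   # https, unknown host
Test-UpdateIntegrity -Path $pkg -ExpectedSha256 $expected                                  # matching digest
Test-UpdateIntegrity -Path $pkg -ExpectedSha256 ('0' * 64)                                 # wrong digest

Remove-Item $pkg
```

    Of the five calls, only the https URL to the allowed host and the matching digest pass; the http URL, the unknown host and the wrong digest are all rejected. Where the package is signed, `Get-AuthenticodeSignature` gives a third, publisher-bound check on top of the digest.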
