djacobson
Posts posted by djacobson

  1. For the MBAM side, standalone and managed have many differences, though because the engine is unchanged, they both will have the same known issues. For MBAE, standalone and managed are one and the same; however, if the Managed Client agent is present, MBAE will automatically go into MBMC managed mode. Standalone MBAE installers can be used to repair/upgrade MBAE, independent of the console. Only MBAE can do this; MBAM cannot.

  2. Hi @bhabel, for the MBAE portion, the known issues are here - 

    MBMC's and MBAM's are not posted on this forum, but I can summarize here...

    MBAM:

    1. The scan engine can fail to load on machines with excessive local and roaming profiles. The fix is to reduce the number of profiles or discontinue using the MBAM 1.x scanning engine. Popular choices are to use the MBBR tool if you wish to continue using the On-Prem product, or to move to the Cloud product.
    2. The scan engine can also fail to load due to desktop heap memory limitations; this happens when around 80-100 total scans have been performed during a single Windows session. Machines with very long uptimes can hit this error, mostly servers, since they can be up for weeks and months at a time before a reboot. A reboot fixes this error.
    3. MBAM can sometimes encounter issues around Windows Prefetch. The solution is to disable Prefetch, or the same as number 1: use MBBR, or move to the Cloud product.
    4. The MBAM malicious website blocking real-time engine can encounter conflicts, and cause hangs/lockups, with logon scripts that assign drive shares and/or applications that run from or write to drive shares. The workarounds for this are varied and it is best to open a support ticket if you come across this issue.
    5. Scheduled scan threads can fail to close if another scheduled scan kicks off while the first scheduled scan is still running. The solution is to reduce the "recover if missed" scan property or alter the other scan's schedule so that it does not overlap with others.

    MBMC:

    1. Users can sometimes encounter an inability to add AD accounts to MBMC Administrators. The solution is to use local MBMC accounts.
    2. Users can also encounter a failure to log on with AD accounts/groups even if they were successfully added to the Administrators area, most often after upgrading MBMC. The solution is to use local MBMC accounts.
    3. Reports can fail to load if users decide not to install the IIS 7.5 Express pre-req, either because a newer IIS Express was in place (for example, Server 2012 has IIS 8 Express by default, which is a conflict) or a full IIS instance was already in place. The solution is to choose another server where you are free to install IIS 7.5 Express, or uninstall the conflicting IIS 8 Express on the one you are using. IIS 7.5 Express can live alongside full IIS 7.5 without conflicts.
    4. The ignore list cannot use wildcards in the middle of a folder path.
    5. The ignore list cannot honor UNC paths.
    6. The ignore list cannot honor user path variables, i.e. %userprofile%, %systemroot%, and so on.
    7. Language options in the policy do not work for anything other than English.
    8. Users who have set up MBMC to connect to an external SQL can get locked out of MBMC if their SQL logon's password expires. There is no place outside of MBMC to change the account, and you need the account to log on: a catch-22. You must change the SQL logon's password back to what was originally used, or uninstall/reinstall MBMC and use the new SQL logon creds during the external SQL connection step. If you have change control in place that requires the SQL logon to expire, it is best to create two SQL accounts to be assigned to the MBMC database and switch between those accounts before the SQL logon in use has its password set to expire.
    9. Using Windows credentials to connect to external SQL, full or express, is not supported; SQL must be in mixed mode and you must use an SQL logon. Windows creds are only supported when using the embedded SQL Express option.
    10. Roaming and remote clients are not supported; if you wish to support roaming and remote clients, the Cloud product is the correct one to choose.

    MBMC Managed Client agent:

    1. MEEClientService, which controls client communication to the MBMC console, can fail to be loaded by Windows during startup or restarts. The issue is mostly on Windows 10 but can affect others. The solution is to change the service's failure condition properties with this command:
      sc failure "SCCommService" actions= restart/6000/restart/6000/""/6000 reset= 120

      This command will restart the service if it has failed for longer than 6000 ms, which is 6 seconds; it will do that once more on the second failure; the third failure will take no action so that the service doesn't end up in a start/stop loop. If the first and second restarts are successful and the service remains up for at least 2 minutes, the failure count is reset. Here's an article that explains the sc failure command set in more detail - https://technet.microsoft.com/en-us/library/cc742019(v=ws.11).aspx

    2. Windows 10 laptops with Fastboot enabled can shut down faster than the MEEClientService can send the "I'm offline" signal to MBMC. The result is that the client will show online when it is, in fact, offline. The solution is to disable Fastboot.

    That's all I can think of off the top of my head.

  3. @Andreas_Mi is there a chance that the ones here had a consumer version of Malwarebytes already installed?

    We can investigate further still, on one of those machines without MBAM, run this tool...

    Frst Log
    Please follow the steps below to run frst.

    1.) Download frst and frst64 from the link below and save it to your desktop:

    FRST 32-bit version: https://downloads.malwarebytes.com/file/FRST
    FRST 64-bit version: https://downloads.malwarebytes.com/file/FRST64

    Note: You need to download the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your computer; that will be the right version. Some traditional anti-viruses may flag the download or the running of frst as a false positive; I can assure you it is safe. If this happens, please temporarily disable the AV.

    2.) Double-click the purple frst or frst64 icon to run the program. Click Yes when the disclaimer appears.
    3.) Click the Scan button.
    4.) When the scan has finished, it will make 2 log files in the same directory the tool is located in, frst.txt and Addition.txt.

    Please attach Frst.txt and Addition.txt in your reply.

  4. Hey @spnkzss, thanks, it has been a bit! We were struggling to get our ticket backlog down since the Jan 27th event; the issue had many reverberations across our customer base that took months to finally rein back in, all just for the few hours that the FP happened. Our ticket backlog is now back to normal, so I've been focusing on getting the forums caught up. It's pretty painful to see so many folks waiting since Feb for a reply to their post.

    I'm going to move your posts here to their own thread in the feature request spot, you've got some good ones in there.

  5. Hey StroTech, apologies for not seeing this the day of, good catch on your exception. To make generic files, SCComm.exe.config only needs the correct IP. SCComm.xml will need editing to make it generic. Leave your connection string, but blank out all other values to 'value=""'. Here's how that looks...

    <?xml version="1.0" encoding="utf-8"?>
    <configuration>
        <appSettings>
            <add key="ServerRef" value="https://SERVER-IP-or-FQDN:18457/SCClientService/" />
            <add key="Group" value="" />
            <add key="Client" value="" />
            <add key="Policy" value="" />
            <add key="RegisterResult" value="" />
        </appSettings>
    </configuration>

    Note that the lines can have 'value' before 'key'; that's totally fine if your sccomm.xml happens to be that way. Turn the MEEClientService off, then edit or swap the file. The file will need to be saved to the desktop first, or pre-edited, then dropped in the location to overwrite the existing one.

    Once that is done, start the service again and it will connect and populate the rest of the values.
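    A script that does that blanking automatically, added here as an example (not Malwarebytes' code). It reads a SCComm.xml taken from an endpoint that checks in, keeps only ServerRef, empties every other appSettings value, and copes with lines that put value before key; the SCComm.xml below is a constructed sample, not a real file.

```python
# Added example, not part of the Malwarebytes product: make a captured
# SCComm.xml generic so it can be dropped onto an endpoint that is not
# communicating. Only ServerRef (the connection string) is preserved.
import xml.etree.ElementTree as ET

KEEP = {"ServerRef"}  # every other appSettings value gets blanked

# Constructed sample input. One line deliberately has value before key,
# because real files can look that way (see the post above).
SAMPLE_SCCOMM_XML = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
    <appSettings>
        <add key="ServerRef" value="https://SERVER-IP-or-FQDN:18457/SCClientService/" />
        <add key="Group" value="Workstations" />
        <add value="PC-0042" key="Client" />
        <add key="Policy" value="Default Policy" />
        <add key="RegisterResult" value="OK" />
    </appSettings>
</configuration>
"""

def make_generic(xml_text: str) -> str:
    """Return xml_text with all appSettings values except those in KEEP set to ""."""
    root = ET.fromstring(xml_text)
    settings = root.find("appSettings")
    if settings is None:
        raise ValueError("no <appSettings> element: is this really a SCComm.xml?")
    adds = settings.findall("add")
    if not any(a.get("key") in KEEP for a in adds):
        raise ValueError("ServerRef missing: the client could never reach the console")
    for add in adds:
        if add.get("key") not in KEEP:
            add.set("value", "")  # attribute order in the input is irrelevant to the parser
    body = ET.tostring(root, encoding="unicode")
    return '<?xml version="1.0" encoding="utf-8"?>\n' + body + "\n"

def settings_of(xml_text: str) -> dict:
    """Helper: map each appSettings key to its value (used to verify the result)."""
    root = ET.fromstring(xml_text)
    return {a.get("key"): a.get("value") for a in root.find("appSettings").findall("add")}

if __name__ == "__main__":
    # Real use: read the file copied from a working machine, write the output to the
    # desktop, stop MEEClientService, then overwrite C:\ProgramData\sccomm\SCComm.xml.
    print(make_generic(SAMPLE_SCCOMM_XML))
```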

  6. Thanks for the assist Kalrand. 100% spot on.

    The 255 block is a UI issue that will be fixed in a Malwarebytes build update in the future; the blocks are not actually happening. VPN traffic getting blocked is known; add your VPN's URL and IP to the Exclusions list. Anti-Ransomware standalone is unneeded for cloud, as it is already part of its protections, if enabled.

  7. Cloud platform update for April 12th, 2018 at 8pm ET / 5pm PT


    New Features:

    • Added Syslog support. Now the Malwarebytes cloud console can transmit detections to Syslog servers and SIEM solutions capable of receiving Syslog messages. This allows organizations to centralize Malwarebytes' threat detections with their existing threat data. All of this is accomplished without the need to install any additional software. Administrators can enable Syslog support by clicking on the Settings tab in the cloud console, selecting Syslog Logging, and then picking an existing Windows endpoint to be the communication proxy. Syslog Settings include specifying the IP address/host, port, and protocol along with options for message severity and communication interval (default 5 minutes).

    Improvements:

    • Updated and redesigned Policies page to improve usability and match ongoing UI improvements. Policy settings are now feature-based vs. product-based.
    • Updated Policies page to inform Malwarebytes Incident Response customers of features available with Malwarebytes Endpoint Protection.
    • Enhanced Detection notification emails to include additional information about detections
    • Events are now recorded for Scheduled Scans, regardless if the scans were successful or failed
    • Added text field validation (character count) in Policies for custom reboot messages
    • Improved pagination performance for organizations with thousands of paginated pages of data
    • Fixed: Tray icon would not appear for some users of Terminal Services
    • Fixed: When a modal dialogue was open and an automatic log-out occurred, the modal was still visible
    • Fixed: Some administrators were receiving their scheduled reports twice
    • Fixed: Advanced Anti-Exploit settings dialog was saving changes even when the dialog was dismissed or canceled
    • Fixed: Upon logging into the console, a large number of “Unable to retrieve one or more dashboard data summaries” errors were displayed
    • Fixed: Malwarebytes Endpoint Protection for Mac: Not sending up Agent Information
    Known Issues:

    • The tray icon is not visible for the builtin\Administrator user on Windows platforms
    • Malwarebytes Endpoint Protection for Mac: Non-administrative users are unable to interact with the tray icon
    • Malwarebytes Endpoint Protection for Mac: Scheduled scans can be triggered incorrectly
    • Malwarebytes Endpoint Protection for Mac: For scans initiated from the endpoint, the cancel button loses focus
    • Malwarebytes Endpoint Protection for Mac: Scan History tab does not get information populated if a threat scan does not detect any threats
    • Malwarebytes Endpoint Protection for Mac: Shows enabled/disabled notification even if tray icon is not present
    • Malwarebytes Endpoint Protection for Mac: Protection update version is reporting SDK version instead of DB version in Scan History, not reporting in Endpoint Details
    • Malwarebytes Endpoint Protection for Mac: Timestamps in the Scan History tab for macOS endpoints are in GMT and not the web browser's locale
    • Malwarebytes Endpoint Protection for Mac: Free Physical memory is being reported as “0” in the Overview tab of Endpoint Properties


    Our next cloud platform update is scheduled for May 2018.

  8. The update revisions were not available before; it was just the engine and EP or IR version. I mistook what you were saying regarding the version list as being about what it contained, rather than your qualm being with where it is displayed; I get what you mean now. I know the development team is planning UI enhancements, but I am not privy to what they will be or when they will come, so we'll have to wait.

  9. On the client itself, ensure that its communication service is on and running; in services.msc you'll see it as "MeeClientService". If it is not running, start it. If it is running, bounce it. If it is not there, the install is broken and we'll need to change tactics.

    Still on the client, check that its SCComm files are ok:
    C:\ProgramData\sccomm\SCComm.xml
    C:\Program Files (x86)\Malwarebytes Managed Client\SCComm.exe.config

    If these are missing or corrupt, let me know. We'll take them from another machine that is checking in and make them generic to be able to fix the endpoint that is not communicating.

    On your server, check that the communication file being sent along in the push or offline installer has the correct address: C:\Program Files (x86)\Malwarebytes Management Server (Malwarebytes Enterprise Edition for older installs)\Package Template\SCComm.xml. These files get reverted back to your originals if you restore the old database on a new server using the built-in tool.

  10. I can tell you what parts of Malwarebytes to check for to determine installation. How you go about implementing that is up to you as the admin of the environment.

    You want to use an outside tool to find what's installed, and that's perfectly fine, but I can't support SCCM; while it may be common, it's a paid product Microsoft sells rather than includes within Windows (as opposed to GPO), and so it is outside of our scope. But I'm not here to tell you 'sorry we can't help, you're using a tool we do not support'; I am here to give you whatever you need, within my means, to help make it happen, no matter what you use.

    To that end, I was meaning to create a script for SCCM to send out, or use SCCM itself to check for those keys. They are for the services the program uses and a reliable way to check for an install; while the Windows uninstaller can miss some directories, it doesn't often miss the services. You can even check their running state value in that same key path. Say your SCCommService key is present but the start value shows the service is in a stopped state. Boom, you just found out that the product is installed but not communicating because the comm service is not running. Simple and effective.

    To circle back on the inaccurate last scan status you're experiencing, have you done the FP record maintenance on the SQL side and deleted the client archive and pending log areas? Removing clients from the client view is just a deletion of the client's entry on the dbo.tbl_Client table, having that work out for you suggests to me that there are still concerns around your MBMC's database.

  11. On 2/5/2018 at 6:56 AM, roryschmitz said:

    On a side note, when I make a change to the policy, how long does it take for the client PCs to see that change? I'm wondering if I'm being too impatient with the changes I have been making?

    Rory, to answer this portion of your question: if your machines are connected over the boomerang service (socket.cloud.malwarebytes.com), the communication is real time. If the real-time communication is unavailable, we fall back to a 5 min polling period (through sirius.mwbsys.com). Processing the actual change will depend on what's been changed; for something in the exclusions versus disabling an RTP protection, exclusions will be faster. Or swapping which plugin is installed, EP versus IR: that'll need some time to uninstall one and install the other.
