
djacobson

Honorary Members, 1,275 posts
Everything posted by djacobson

  1. We can check your machine, but what I've found with other customers is that if the cloud backend is not accessible, the program will run on with a default last known, which has been shown to not include a few items in people's ignore list. We'd need new client logs to see if this is the case for you.
  2. The original false positive for 255.255.255.255 was fixed. New detections of that hit are a problem within the program itself; it will be fixed in an upcoming update. It will be posted on the thread sticky here once it releases -
  3. Update revisions have since become a feature within the endpoint's viewable properties in the cloud.
  4. Sometimes fixing one thing can break another; it is the nature of software and needing to support fragmented Windows OS ecosystems. The service failure property edits have since become part of new installs performed from a brand new download of the agent installer as of March 26th.
  5. Hi @dlox, has this been taken care of? We have a reset process but it will only be shared via a ticket, I have no public KB that goes over the process.
  6. @ricmitch do you have an example?
  7. This is not from an attack or part of an infection; this is just a standard policy flag on whether to show the warning in Windows Action Center if you have anti-virus installed or not. MBAM agent 1.80.x is indiscriminate when it comes to any registry modifications. It will hit on your legitimate changes and GPO enforcements. Additionally, the legacy MB products do not register as an AV, so there is an incentive to set this registry key so that you are not seeing a notification to find an AV every time you start Windows. You can add this key to be ignored. Since it is a registry key, you will need to use the API through the command line: open an admin elevated CMD and use the following commands:

         CD C:\Program Files (x86)\Malwarebytes' Anti-Malware
         mbamapi /ignore -add value "HKLM\SOFTWARE\MICROSOFT\SECURITY CENTER|UpdatesDisableNotify"

     I've also attached the MBAM admin guide, which goes over even more API commands available to you. Anti-Malware for Business 1.80 Administrator Guide.pdf
  8. See my post where you asked this same question on another thread, I encountered that reply before this topic of your own -
  9. Eeek, we'll need to check your installation to be sure you have the right items installed. What you listed uses these versions: Anti-Malware 1.80.2.1012, Anti-Exploit 1.11.2.55. Qt5Widgets.dll is a piece of the consumer MB3 product, so either the wrong product is installed, or you have a double install causing a conflict.

     FRST Log

     I would like to have you run a tool known as FRST. FRST will help provide me with a list of installed programs and other information about your computer that will help me see if there are any other problems that are not being detected. Please follow the steps below to run FRST.

     1.) Please download FRST and FRST64 from the link below and save it to your desktop:
         FRST 32-bit version: https://downloads.malwarebytes.com/file/FRST
         FRST 64-bit version: https://downloads.malwarebytes.com/file/FRST64
         Note: You need to download the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your computer; that will be the right version. Some traditional anti-viruses may false positive the download or running of FRST; I can assure you it is safe. If this happens, please temporarily disable the AV.
     2.) Double-click the purple FRST or FRST64 icon to run the program. Click Yes when the disclaimer appears.
     3.) Click the Scan button.
     4.) When the scan has finished, it will make 2 log files in the same directory the tool is located, FRST.txt and Addition.txt. Please attach FRST.txt and Addition.txt in your reply.
  10. Roaming and remote clients are not supported by MBMC. Yes, there are a few tricks you can try with where the client points, like Andrew showed, and I've seen some customers pull it off using VPN, Microsoft DirectAccess or DMZs, but at the end of the day, it is not supported. You are also placing your network at risk since the MBMC console hosts an IIS 7.5 website; 7.5 is not secure enough to be externally accessible and/or public facing anymore. If you need the program to be set up this way, you must understand you do this at your own risk and it is dependent upon your own skills as an admin to make it happen. Alternatively, also as Andrew pointed out, we have a Cloud product that was meant to support roaming and remote clients.
  11. This issue is currently under investigation. Other customers using Cisco Meraki VPN have encountered the same issue and the cases are currently in the hands of our engineering dept. to be fixed. Consumer 3.4 does not fix it. We are awaiting a new build that will fix it.
  12. @JeffMoyer BusinessMessaging.exe denotes a warning that you are using the consumer product on a business machine in a domain. The warning has been hidden, but the program that controls it still creates an event. Is there a particular reason you are using consumer MB3 in a business environment?
  13. @turbote1 @SPIINC Issues with browsers, Office and MB are usually centered on Anti-Exploit. We wouldn't get very far if our solution, which is meant to all run together, is not working when running together! If your MBAE is conflicting with a browser/Office add-on or a script you use to open things like printers and doc functions, we will need to review the MBAE logs to see if you are facing a known issue and need to upgrade to a later build where the conflict is fixed, or you're the first one and your data will help write a new version to fix the conflict. At any rate, we'll need you guys to zip up the entire "C:\ProgramData\Malwarebytes Anti-Exploit" folder from the client with the issue and attach it to your reply.
  14. This can also happen if you deploy with "do not create start menu and desktop items" and then re-install without using that option (it also happens vice versa); it breaks the system tray icon and the desktop items.
  15. When I encounter this with customers who already have 443 in use by another application, I have them change the port to 9443. Basically, I just add an extra number ahead of 443, so you remember that it is supposed to be an https secure port channel.
  16. It's the assignment of the network shares that trips up MBAM's real-time protection engine; it has known issues with logon scripts assigning drive shares and applications that run from or write to drive shares.
  17. No action taken means the PUP item was ignored in the results screen or PUP items are not set to be detected and removed.
  18. You need to restart the machine after cleaning for the add/remove entry to be removed.
  19. There is no /noreboot switch; the switch is /silentnoreboot. See this KB article - https://support.malwarebytes.com/docs/DOC-2333
  20. If the MSI installer cache has been removed by any popular desktop cleanup utility, this option will not be available to you. It would be best for you to use the cleaning tools we have made for this purpose. See this KB article - https://support.malwarebytes.com/docs/DOC-2333
  21. Hi @PCJedi, it looks like KDawg was on the right track: most of your scans kick off at 22:59:59, with outliers happening at 15:20 outside of that. I would recommend changing your scan settings to allow the machine to wake from sleep, if that is not set, so as not to miss the scans. Your "recover if missed by" is already set to 0 or 1 hours. Another item to make sure you do not have enabled is to run a flash scan after a successful update.

         Scheduled Item: Update
         Schedule Options: | Daily | Wake From Sleep
         Start Time: 2015-11-10 21:00
         Repeating Every: 1
         Recover if missed by: 23

         Scheduled Item: Scan
         Schedule Options: Quick Scan | Daily | Scan Remove | Scan Terminate
         Start Time: 2018-02-06 23:00
         Repeating Every: 1
         Recover if missed by: 0
  22. There's nothing to really configure for this forwarding function. You can try adjusting the facility and severity to get a more immediate response from your reporting SIEM. Maybe change CEF to JSON or vice versa? You can test the results by generating an event, like going to https://iptest.malwarebytes.org.
  23. There are no custom reports within the application but you can "sort" the view by the status column. Alternatively, if you are good at SQL, you can use SQL Management Studio to run queries directly to the MBMC database and output results to a CSV file.
  24. Win32 codes are permissions errors. Make sure you are using a domain account whose primary group is Domain Admins, not Domain Users; even if the account is a domain admin, the GROUP must be set. Also make sure to complete the pre-reqs for client push to be successful. Don't just disable the Windows Firewall; that will do nothing to help you except "lock" the settings it has and continue erroring out. You need to specifically allow the NetBIOS ports 135, 137 and 445, then allow remote administration and file and print sharing. See this KB for how to open these items via GPO - https://support.malwarebytes.com/docs/DOC-2237 Machines not showing up at all during the scan are likely to be machines on another subnet; Microsoft has deprecated the usage of NetBIOS (the protocol our push tool uses) so that it no longer functions across subnets. You could set up a WINS server role to ensure that the NetBIOS traffic returns from the subnet, or, even easier, use the push option for serial client IP, which will make the tool attempt to match the NetBIOS name up to an IP and use the IP to query instead.
  25. Hi @bclevenger, on the client, check your sccomm setup file, C:\programdata\sccomm\sccomm.xml. If this is corrupt or incomplete, the machine will not check back in after install to register. This file can become corrupted if the destination client does not have .NET 3.5 installed and enabled (common on Win 10) and when other AV interferes with the files during the install. The contents of the sccomm.xml should look like this:

         <?xml version="1.0" encoding="utf-8"?>
         <configuration>
           <appSettings>
             <add key="ServerRef" value="https://[SERVER-IP-or-FQDN]:18457/SCClientService/" />
             <add key="Group" value="[GUID of chosen group]" />
             <add key="Client" value="[Assigned GUID of the client]" />
             <add key="Policy" value="[GUID of the chosen policy]" />
             <add key="RegisterResult" value="[Plain text message for the registration result]" />
           </appSettings>
         </configuration>
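A small checker for the sccomm.xml described in the post above, written here as an added example and not a Malwarebytes tool. It assumes, from the sample layout shown, that a healthy file parses as XML, has an https ServerRef on console port 18457 ending in /SCClientService/, and carries GUID-shaped Group/Client/Policy values; the server name and GUIDs in the sample are constructed.

```python
"""Sanity-check an MBMC client's sccomm.xml (added example, not vendor code).

A truncated or half-written file is the failure mode the post describes
(.NET 3.5 missing, another AV touching the file mid-install), so the first
check is simply "does it parse"; the remaining checks are assumptions about
a healthy file derived from the sample layout in the post.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
REQUIRED_KEYS = ("ServerRef", "Group", "Client", "Policy")

def check_sccomm(xml_text: str) -> list[str]:
    """Return a list of problems; an empty list means the file looks sane."""
    problems = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:          # truncated / corrupted file
        return [f"not well-formed XML (truncated or corrupted?): {exc}"]
    settings = {a.get("key"): a.get("value") for a in root.iter("add")}
    for key in REQUIRED_KEYS:
        if not settings.get(key):
            problems.append(f"missing or empty appSettings key: {key}")
    ref = settings.get("ServerRef")
    if ref:
        url = urlparse(ref)
        if url.scheme != "https":
            problems.append("ServerRef must use https")
        if url.port != 18457:
            problems.append("ServerRef is not on console port 18457")
        if not url.path.endswith("/SCClientService/"):
            problems.append("ServerRef path should end in /SCClientService/")
    for key in ("Group", "Client", "Policy"):
        val = settings.get(key)
        if val and not GUID_RE.match(val):
            problems.append(f"{key} is not a GUID: {val!r}")
    return problems

# Constructed sample of a healthy file (hostname and GUIDs are made up).
GOOD_SCCOMM = """<?xml version="1.0" encoding="utf-8"?>
<configuration><appSettings>
<add key="ServerRef" value="https://mbmc.example.local:18457/SCClientService/" />
<add key="Group" value="11111111-2222-3333-4444-555555555555" />
<add key="Client" value="aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee" />
<add key="Policy" value="99999999-8888-7777-6666-555555555555" />
<add key="RegisterResult" value="Registered" />
</appSettings></configuration>
"""
# Constructed sample of a file cut off mid-write, as the post describes.
TRUNCATED_SCCOMM = GOOD_SCCOMM[:GOOD_SCCOMM.index('<add key="Client"')]

if __name__ == "__main__":
    for name, text in (("good", GOOD_SCCOMM), ("truncated", TRUNCATED_SCCOMM)):
        print(name, check_sccomm(text) or "OK")
```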