djacobson

Staff
Posts posted by djacobson

  1. This is not from an attack or part of an infection; this is just a standard policy flag on whether to show the warning in Windows Action Center if you have anti-virus installed or not. MBAM agent 1.80.x is indiscriminate when it comes to any registry modifications. It will hit on your legitimate changes and GPO enforcements. Additionally, the legacy MB products do not register as an AV, so there is an incentive to set this registry key so that you are not seeing a notification to find an AV every time you start Windows.

    You can add this key to be ignored. Since it is a registry key, you will need to use the API through the command line: open an admin-elevated CMD and use the following commands:

    CD C:\Program Files (x86)\Malwarebytes' Anti-Malware
    mbamapi /ignore -add value "HKLM\SOFTWARE\MICROSOFT\SECURITY CENTER|UpdatesDisableNotify"

    I've also attached the MBAM admin guide, which goes over even more API commands available to you.

    Anti-Malware for Business 1.80 Administrator Guide.pdf

  2. Eeek, we'll need to check your installation to be sure you have the right items installed. What you listed uses these versions:
    Anti-Malware 1.80.2.1012
    Anti-Exploit 1.11.2.55

    Qt5Widgets.dll is a piece of the consumer MB3 product, so either the wrong product is installed, or you have a double install causing a conflict.

    FRST Log
    I would like to have you run a tool known as FRST. FRST will help provide me with a list of installed programs and other information about your computer that will help me see if there are any other problems that are not being detected. Please follow the steps below to run FRST.

    1.) Please download FRST and FRST64 from the links below and save them to your desktop:

    FRST 32-bit version: https://downloads.malwarebytes.com/file/FRST
    FRST 64-bit version: https://downloads.malwarebytes.com/file/FRST64

    Note: You need to download the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your computer; that will be the right version. Some traditional anti-viruses may flag the download or the running of FRST as a false positive; I can assure you it is safe. If this happens, please temporarily disable the AV.

    2.) Double-click the purple FRST or FRST64 icon to run the program. Click Yes when the disclaimer appears.
    3.) Click the Scan button.
    4.) When the scan has finished, it will make 2 log files in the same directory the tool is located in: FRST.txt and Addition.txt.

    Please attach FRST.txt and Addition.txt in your reply.

  3. Roaming and remote clients are not supported by MBMC. Yes, there are a few tricks you can try with where the client points, like Andrew showed, and I've seen some customers pull it off using VPN, Microsoft DirectAccess or DMZs, but at the end of the day it is not supported. You are also placing your network at risk, since the MBMC console hosts an IIS 7.5 website; 7.5 is not secure enough to be externally accessible and/or public facing anymore. If you need the program to be set up this way, you must understand that you do this at your own risk and it is dependent upon your own skills as an admin to make it happen.

    Alternatively, also as Andrew pointed out, we have a Cloud product that was meant to support roaming and remote clients.

  4. @turbote1 @SPIINC Issues with browsers, Office and MB are usually centered on Anti-Exploit. We wouldn't get very far if our solution, which is meant to all run together, did not work when running together!

    If your MBAE is conflicting with a browser/Office add-on or a script you use to open things like printers and doc functions, we will need to review the MBAE logs to see if you are facing a known issue and need to upgrade to a later build where the conflict is fixed, or whether you're the first one and your data will help write a new version to fix the conflict. At any rate, we'll need you guys to zip up the entire "C:\ProgramData\Malwarebytes Anti-Exploit" folder from the client with the issue and attach it to your reply.

  5. Hi @PCJedi, it looks like KDawg was on the right track: most of your scans kick off at 22:59:59, with outliers happening at 15:20 outside of that. I would recommend changing your scan settings to allow the machine to wake from sleep, if that is not set, so as not to miss the scans. Your "Recover if missed by" is already set to 0 or 1 hours. Another item to make sure you do not have enabled is "run a flash scan after successful update".

    Scheduled Item: Update     Schedule Options:    | Daily    | Wake From Sleep    
    Start Time: 2015-11-10 21:00     Repeating Every: 1     Recover if missed by: 23

    Scheduled Item: Scan     Schedule Options:    Quick Scan    | Daily    | Scan Remove    | Scan Terminate    
    Start Time: 2018-02-06 23:00     Repeating Every: 1     Recover if missed by: 0


  6. Win32 codes are permissions errors. Make sure you are using a domain account whose primary group is Domain Admins, not Domain Users; even if the account is a domain admin, the GROUP must be set. Also make sure to complete the pre-reqs for client push to be successful. Don't just disable the Windows Firewall; that will do nothing to help you except "lock" the settings it has and continue erroring out. You need to specifically allow the NetBIOS ports 135, 137 and 445, then allow remote administration and file and print sharing. See this KB for how to open these items via GPO: https://support.malwarebytes.com/docs/DOC-2237

    Machines not showing up at all during the scan are likely to be machines on another subnet. Microsoft has deprecated the usage of NetBIOS (the protocol our push tool uses) so that it no longer functions across subnets. You could set up a WINS server role to ensure that the NetBIOS traffic returns from the subnet, or, even easier, use the push option for serial client IP; that will make the tool attempt to match the NetBIOS name up to an IP and use the IP to query instead.
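A prerequisite check for the items listed in this post, as an added example that is not part of the original reply or of Malwarebytes' tooling. The target host name and push account are constructed placeholders; the firewall rule group names and the ActiveDirectory module cmdlets are assumed to be available as shown.

```powershell
# Added example: verify the client-push prerequisites from the post against one client.
# Run from the MBMC console host as an admin. Requires RSAT (ActiveDirectory module)
# for the primary-group check and WinRM on the client for the firewall-rule check.
$Target  = 'CLIENT01'        # constructed placeholder: NetBIOS name of the client
$Account = 'svc-mbmc-push'   # constructed placeholder: account used for client push

# 1. Ports the push tool needs. 135 and 445 are TCP and can be probed directly;
#    137 (NetBIOS name service) is UDP, so it is checked indirectly via nbtstat.
$portResults = foreach ($p in 135, 445) {
    $r = Test-NetConnection -ComputerName $Target -Port $p -WarningAction SilentlyContinue
    [pscustomobject]@{ Check = "TCP $p"; Ok = $r.TcpTestSucceeded }
}
$nbt = nbtstat -a $Target 2>$null
$portResults += [pscustomobject]@{ Check = 'NetBIOS name (UDP 137)'; Ok = ($nbt -match 'Registered').Count -gt 0 }

# 2. Inbound firewall rule groups the post says must be allowed, read on the client itself.
#    Group display names are the built-in ones on Windows 7/Server 2008 R2 and later (assumed).
$fwResults = Invoke-Command -ComputerName $Target -ErrorAction SilentlyContinue -ScriptBlock {
    foreach ($g in 'File and Printer Sharing', 'Remote Administration') {
        $rules = @(Get-NetFirewallRule -DisplayGroup $g -Direction Inbound -ErrorAction SilentlyContinue)
        $on    = @($rules | Where-Object { $_.Enabled -eq 'True' }).Count
        [pscustomobject]@{ Check = "Firewall group '$g'"; Ok = ($rules.Count -gt 0 -and $on -eq $rules.Count) }
    }
}

# 3. The push account's PRIMARY group must be Domain Admins, not merely a membership.
$user  = Get-ADUser -Identity $Account -Properties PrimaryGroup
$pg    = (Get-ADGroup -Identity $user.PrimaryGroup).Name
$adResult = [pscustomobject]@{ Check = "Primary group of $Account ($pg)"; Ok = ($pg -eq 'Domain Admins') }

# Anything marked False is a prerequisite to fix before retrying the push.
@($portResults) + @($fwResults) + @($adResult) | Format-Table -AutoSize
```

If Invoke-Command fails because WinRM is not enabled on the client, run the firewall-group block locally on that machine instead.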

  7. Hi @bclevenger, on the client, check your sccomm setup file, C:\programdata\sccomm\sccomm.xml. If this is corrupt or incomplete, the machine will not check back in after install to register. This file can become corrupted if the destination client does not have .NET 3.5 installed and enabled (common on Win 10) and when other AV interferes with the files during the install.

    The contents of the sccomm.xml should look like this:

    <?xml version="1.0" encoding="utf-8"?>
    <configuration>
        <appSettings>
            <add key="ServerRef" value="https://[SERVER-IP-or-FQDN]:18457/SCClientService/" />
            <add key="Group" value="[GUID of chosen group]" />
            <add key="Client" value="[Assigned GUID of the client]" />
            <add key="Policy" value="[GUID of the chosen policy]" />
            <add key="RegisterResult" value="[Plain text message for the registration result]" />
        </appSettings>
    </configuration>
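A script that checks a client's sccomm.xml against the template in this post, as an added example that is not part of the original reply or of Malwarebytes' tooling. The file path, key names and the 18457/SCClientService URL shape are taken from the post; the optional-feature name NetFx3 for .NET 3.5 is the standard Windows one.

```powershell
# Added example: validate the sccomm.xml registration file described in the post.
# Reports MISSING, CORRUPT (not well-formed XML), INCOMPLETE (keys absent/empty/malformed) or OK.
$ConfigPath = 'C:\ProgramData\sccomm\sccomm.xml'
$RequiredKeys = 'ServerRef', 'Group', 'Client', 'Policy', 'RegisterResult'

function Test-SccommConfig {
    param([string]$Path = $ConfigPath)
    if (-not (Test-Path -Path $Path)) { return "MISSING: $Path not found" }
    try   { [xml]$doc = Get-Content -Path $Path -Raw -ErrorAction Stop }
    catch { return "CORRUPT: not well-formed XML ($($_.Exception.Message))" }

    # Flatten <add key="..." value="..."/> entries into a hashtable
    $settings = @{}
    foreach ($node in @($doc.configuration.appSettings.add)) { $settings[$node.key] = $node.value }

    $problems = @()
    foreach ($k in $RequiredKeys) {
        if (-not $settings.ContainsKey($k) -or [string]::IsNullOrWhiteSpace($settings[$k])) {
            $problems += "key '$k' missing or empty"
        }
    }
    # ServerRef must point at the console's SCClientService on port 18457, as in the template
    if ($settings['ServerRef'] -and
        $settings['ServerRef'] -notmatch '^https://[^/]+:18457/SCClientService/$') {
        $problems += "ServerRef '$($settings['ServerRef'])' is not https://<server>:18457/SCClientService/"
    }
    # Group, Client and Policy are GUIDs assigned by the console
    foreach ($k in 'Group', 'Client', 'Policy') {
        $g = [guid]::Empty
        if ($settings[$k] -and -not [guid]::TryParse($settings[$k], [ref]$g)) {
            $problems += "key '$k' is not a GUID"
        }
    }
    if ($problems.Count -eq 0) { return 'OK: sccomm.xml is complete' }
    return 'INCOMPLETE: ' + ($problems -join '; ')
}

# .NET 3.5 is the other cause the post names; this needs an elevated prompt
$fx = Get-WindowsOptionalFeature -Online -FeatureName NetFx3 -ErrorAction SilentlyContinue
"NET35: " + $(if ($fx -and $fx.State -eq 'Enabled') { 'enabled' } else { 'NOT enabled' })
Test-SccommConfig
```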
