djacobson

Honorary Members
  • Posts

    1,275
Everything posted by djacobson

  1. For those that may also come across this, here is the answer: The outbound connection to 23.209.52.146 hit a block because the IP used in part of this application's connection has been found to be used in phishing. The application should just move to its next available IP after this connection was denied. https://www.virustotal.com/#/domain/products.office.com
  2. MBAMToast, that sounds like a piece from a possible partner build of Anti-Malware by ChicaLogic or the consumer version 2.x. May I have you run an FRST to be sure the correct versions are installed and running?
     FRST Log
     Please follow the steps below to run FRST.
     1.) Download FRST and FRST64 from the link below and save it to your desktop:
         FRST 32-bit version: https://downloads.malwarebytes.com/file/FRST
         FRST 64-bit version: https://downloads.malwarebytes.com/file/FRST64
         Note: You need to download the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your computer; that will be the right version. Some traditional Anti-Viruses may false-positive the download or running of FRST; I can assure you it is safe. If this happens, please temporarily disable the AV.
     2.) Double-click the purple FRST or FRST64 icon to run the program. Click Yes when the disclaimer appears.
     3.) Click the Scan button.
     4.) When the scan has finished, it will make 2 log files in the same directory the tool is located in, FRST.txt and Addition.txt. Please attach FRST.txt and Addition.txt in your reply.
  3. The second question regarding MBAE, those machines likely need to reboot. Your console does not deploy version 1.10.2.41, so those machines in the screenshots have just upgraded, try a reboot to let that upgrade finish. It should then post a correct status to the console.
  4. Hello @wiile, there is definitely some work ahead to fix this. The two main portions to do are to change the IDs but keep the communication info the same, and clear the duplicates from the database. We will create a generic sccomm.xml file and swap that file out on the PCs that are duplicated. You finding that file is the correct move, though there is more to consider. We must also remove the machine entries from your SQL or they will just end up receiving the same ID. Do you have SQL Management Studio installed?
  5. Hi @TraptPatriot, no, there is not a way to do that. Machines in an AD OU group are just listed under a mirror of your actual AD; they cannot be moved or changed. Any changes while using this config must be done in your AD for them to reflect within the console's AD mirror. You can delete your AD OU as a group (this will not affect your deployment; right-click the AD OU group and select Remove) and create your own set of local group folders to move the machines around as you see fit, if you prefer to organize your MB deployment in this way.
  6. Great work, glad it was something simple this time around!
  7. You can use default msiexec switches, like /lv, to force a verbose log output, but no, natively it does not log its actions. The cleaner is set to run silently and suppress a reboot; however, that reboot will still need to happen before you reinstall, and if you use this cleaner with GPO, the built-in switches will be ignored and you will need to specify silent and no reboot manually in your GPO.
  8. The most reliable option I have found while testing is to utilize GPO and perform the following:
     • Open ports 135, 137 and 445
     • Set WMI predefined GPO options
     • Set RPC predefined GPO options
     • Set inbound remote admin GPO options
     • Run a GPUpdate /Force
     • Restart the endpoint(s) to receive and process the new GPO
     Then scan for clients in Admin > Client Push Install and use the "Scan network and detect client software", "Enable WMI" and "Enable serial client IP detection" options.
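As an added example (not from djacobson's post and not Malwarebytes' own tooling), a PowerShell pre-flight check run from the management server against one endpoint, covering the prerequisites listed above: TCP reachability of 135 and 445, a remote WMI query (which only succeeds once the WMI and RPC GPO settings are in effect), the endpoint's last boot time (to confirm the restart after GPUpdate), and the predefined WMI and Remote Administration inbound rule groups. Port 137 is UDP NetBIOS and cannot be probed with Test-NetConnection, so it is only noted; the endpoint name is a placeholder, and the rule-group check assumes WinRM is available on the endpoint.

```powershell
# Added example: pre-flight check for Client Push Install prerequisites.
# Run from the management server against one endpoint. The hostname is a placeholder.
param([string]$Endpoint = 'ENDPOINT01')

$results = [ordered]@{}

# TCP ports the push install relies on (137 is UDP NetBIOS and is not tested here).
foreach ($port in 135, 445) {
    $tnc = Test-NetConnection -ComputerName $Endpoint -Port $port -WarningAction SilentlyContinue
    $results["TCP $port open"] = $tnc.TcpTestSucceeded
}

# Remote WMI query: works only if the WMI and RPC GPO settings have taken effect.
try {
    $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $Endpoint -ErrorAction Stop
    $results['Remote WMI'] = $true
    # Last boot time shows whether the endpoint was restarted after GPUpdate /Force.
    $results['Last boot']  = $os.ConvertToDateTime($os.LastBootUpTime)
} catch {
    $results['Remote WMI'] = $false
}

# Predefined inbound firewall rule groups, checked on the endpoint itself (assumes WinRM).
try {
    $groups = Invoke-Command -ComputerName $Endpoint -ErrorAction Stop -ScriptBlock {
        foreach ($g in 'Windows Management Instrumentation (WMI)', 'Remote Administration') {
            $rules = Get-NetFirewallRule -DisplayGroup $g -Direction Inbound -ErrorAction SilentlyContinue
            [pscustomobject]@{ Group = $g; Enabled = [bool]($rules | Where-Object { $_.Enabled -eq 'True' }) }
        }
    }
    foreach ($g in $groups) { $results["Rule group enabled: $($g.Group)"] = $g.Enabled }
} catch {
    $results['WinRM reachable'] = $false
}

# One line per check; anything False needs the matching GPO step revisited.
$results.GetEnumerator() | ForEach-Object { '{0,-55} {1}' -f $_.Key, $_.Value }
```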
  9. On the client go to C:\Program Files (x86)\Malwarebytes' Managed Client and run the tool CollectClientLog.exe. Attach the folder it generates.
  10. For now, yeah, that's all I can think of. An extra piece we can ask about is for the website. If you want to post a screenshot of the hit entry for the machines that are blocking selfserve.pcmobile or btnativedirect, then I can check the IP with the research team. Another key may be this: for any VM a user may use that has the agent installed on the VM host as well, the VM client will be unable to connect to the address, but will not produce a pop-up or entry in the logs that a block has taken place. If you are not rocking VMs, this doesn't apply, but your problem description sounds a bit like this behavior.
  11. The blocks work based on IP; it could be that your machine is resolving to a different one for that domain or to a sibling domain. Your machine is on a group/policy with the Endpoint Protection pieces enabled and not the default Incident Response, right? Just verifying. Do you get a block when you try to visit iptest.malwarebytes.org? Here's a VT link to the btnativedirect.com URL hit data:
      https://www.virustotal.com/#/ip-address/209.15.13.136
      selfserve.pcmobile.com does not resolve to a malicious IP for me, so I cannot confirm a block for it either. Also, hitting a realtime web block doesn't always mean something is on your PC causing a browser redirect; it can be an ad on the site you are browsing. Having scans come up clean but hitting a web block is not out of the ordinary at all.
      a) real-time protection on that PC is screwed up and identifying a false-positive
      Not uncommon; blocks can be verified by our research team if you'd like us to confirm.
      b) daily threat scans are missing this browser hijacker (and so do all the other Malwarebytes tools)
      Not very likely. Anti-Malware, ADWCleaner and the JRT tech incorporated into both are extremely effective. You may see an object be removed and then come back again, but that is more due to the type of malware you may be dealing with, what program it may be attaching itself to and a general lack of knowledge around different, more advanced malware removal tactics for situations like that, rather than a real-time or scanning engine failure. As in, it's not the tool, it's how you use it, and that can change dramatically based on the foe you are up against. Time and experience removing malware will build up your arsenal of approaches. You can also activate us to assist in removals if needed; many of us are highly adept and can remove malware by hand if needed.
      c) something is not working on MY computer that is allowing me to visit that website and not getting blocked by Malwarebytes
      We can verify this by looking at the IP as I had mentioned and also testing the response of the realtime components.
  12. How long is your check-in timer set for? Policy > your policy > Edit > Communication.
  13. Please be aware everyone, that if a detection has been marked "Delete on Reboot", that reboot must take place before the item will be able to be released from quarantine, if you are restoring the files.
  14. One of our agents is resetting your installer links, hang tight.
  15. What kind of appliance are you behind? Have you allowed that URL to bypass any packet filtering functionality?
  16. @bbeberstein, do the mbbr register and update commands with the USB in a PC with connectivity first, before scanning an offline machine.
  17. What is your console, client and Anti-Malware version on one of the machines that isn't working?
  18. Ohhh, exploit hit, ok, that's something different. Alright, stay with Ron on the server issue; your machine not receiving or processing their policies correctly is something that will need to be in the hands of dev, I imagine he's getting that going for you already? For the exploit hit, I'll need some logs off a machine in question.
      Open an elevated CMD prompt as admin. Change the directory to C:\Program Files\Malwarebytes Endpoint Agent:
      cd C:\Program Files\Malwarebytes Endpoint Agent
      Once there, run this command:
      MBCloudEA.exe -diag
      That will create a folder on the desktop called MBDiagnostics. Send this zipped folder back to us.
  19. Hi @Computerdienst, just the normal self-protect module causes the issue for you?
  20. @CHall thanks for the heads up. Does a log off / on not work?
  21. @Luis_Chavez what's the full key that's in that hit? May I also have a screenshot of your ignore list?