djacobson

Staff
Posts posted by djacobson


  1. Set anti-rootkit scans to be on a schedule on their own rather than engaging the setting to make them run with every scan you perform. Recognizing when to use that will come with experience in dealing with rootkits and knowing the signs of one being there. These scans are highly intensive and ideally should not be run with other scanning functions; they can also at times crash your system, not just the application, due to the sensitive areas this function scans. This becomes even more sensitive if disk encryption is used.

    I think, however, your true culprit may have been the SP early start. This is the old Chameleon function in an updated form. It sets MB stuff to be read only. Early start pushes that into the Windows loading process. Sometimes files need to change, even ours, we do update after all! This setting restricts this need and can have unintended consequences. I recommend this to only be used if you are dealing with malware that targets MB and nothing else - this was more common in the early 2010s, not so much anymore, but it could see a resurgence. Regular SP mode is fine to engage to prevent your users from deleting items.


  2. I know for sure 2008 R2 64 bit is supported so far to our latest 3.7.1 - I have this setup in my test environment, unfortunately I do not have a 2008 non-R2 example to try. I'll need to ask about that 2008 64.

    The KB listed is for TLS 1.1/1.2 communication. Failing on a scan can be a variety of things. If you right click on the M icon in the system tray, you can generate logs for us to review the situation.

    A workaround for the short term would be to use the "MALWAREBYTES BREACH REMEDIATION (VERSION 2.X)" found under Endpoints \ Add Endpoints \ Dissolvable Unmanaged Remediation Tool, to scan the machine.


  3. If you are on MBMC 1.9, definitely utilize the new service startup type and failure restart options on the general page in policy, this is exactly what those are meant to fix, especially with Win 10.

    The startup delay option under the Protection tab is for conflict/performance issues between Anti-Malware's web blocker and malicious file blocker and other security programs during logon.


  4. Good find, that's our comm service, though when it is off, they usually just show as offline, not unregistered. Another thing you may see is laptops may have double entries, one for the ethernet and one for the wifi. Whichever NIC was in use during deployment will have that MAC saved to the machine; when it is on the other NIC, it may show an unregistered entry along with its checked-in entry.


  5. Hi @KHALIL, I apologize that this has gone unanswered for so long! We have a new build out right now that is metered. Please perform an uninstall, restart, new install, that way it will put the latest build on the machine without you needing to wait for the metering update. Let me know if this freeze continues while you are using Malwarebytes 3.7.1. You can find that number in the add/remove programs area.


  6. Hi @Devora, I understand the frustration, plus you and I just worked together not too long ago for the reports! I do not see any backend service or availability issues at the moment. As a test, please invoke a web detection hit manually by going to - iptest.malwarebytes.org - on a machine to test that the results are making it to your dashboard, if they happen. Let me know how that turns out, thanks Devora!


  7. ARW deployed this way will be contained within the "Malwarebytes Managed Client" entry in add/remove, it doesn't show on its own. MBAM and MBAE do the same, although when MBAE updates over-the-air, it'll make a new separate entry for itself. ARW will show its circular blue and white icon when running.

    Are your MB services ok and running? Verify in services.msc.
    MEEClientService = server / client comm
    MBAMService = MBAM's realtime engine
    MBAMScheduler = MBAM's scan task launcher
    Malwarebytes Anti-Exploit Service = MBAE's realtime engine
    Malwarebytes Anti-Ransomware Service = ARW's realtime engine

    The doubled old install can be removed safely without affecting your new install.


  8. Hi @JCourtney, ARW hasn't really changed from what you had before, though now MBMC has the ability to install it, pass it some basic items and receive hit information. It still has a non-silent icon. There is a bug that ARW cannot be passed a proxy set within your policy, if you use one, after installation. The push installer has no ability to set that during install like ARW needs. This will be addressed in the future.

    The double installs are a problem, though we haven't found that to be caused by the push tool; rather, research is pointing to a failure of the services to stop when asked to on the endpoint during the upgrade install. The most common cause for the agent service not stopping when asked is if it is busy/stuck writing a huge logging file. Did you have a lot of fallout on your MBMC's database and endpoints during the Jan '18 FP on the DNS broadcast address? Are there any log files on the clients that exceed 1-5kb in C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\Logs?
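The two endpoint checks suggested in posts 7 and 8 (confirm the listed services are present and running, and look for oversized log files in the Logs folder that could keep the agent service from stopping during an upgrade) can be scripted so they are run the same way on every affected machine. The script below is an added example for this page; it is not djacobson's code and not a Malwarebytes tool. It takes the service identifiers and the log path from the posts above and assumes the last two entries in the service list are display names rather than service names, so it matches each entry against both. The 5 KB threshold is the post's own figure, exposed as a parameter. The script is read-only: it reports and never changes service state or deletes files.

```powershell
# Added example (not from the post or from Malwarebytes): read-only health check
# for the agent services and log directory named in the posts above.
# Service identifiers and the log path are taken from the posts; the 5 KB
# threshold is the post's figure, made a parameter so it can be adjusted.

param(
    [string]$LogDir = "C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\Logs",
    [int]$LogSizeThresholdKB = 5
)

# As listed in post 7. The last two look like display names (assumption),
# so each entry is matched against both Name and DisplayName.
$ExpectedServices = @(
    'MEEClientService',
    'MBAMService',
    'MBAMScheduler',
    'Malwarebytes Anti-Exploit Service',
    'Malwarebytes Anti-Ransomware Service'
)

function Get-MbServiceState {
    param([string[]]$Names)
    $all = Get-Service -ErrorAction SilentlyContinue
    foreach ($n in $Names) {
        $svc = $all | Where-Object { $_.Name -eq $n -or $_.DisplayName -eq $n } | Select-Object -First 1
        if ($null -eq $svc) {
            [pscustomobject]@{ Service = $n; Found = $false; Status = 'NotInstalled'; StartType = $null }
        } else {
            [pscustomobject]@{ Service = $n; Found = $true; Status = $svc.Status.ToString(); StartType = $svc.StartType.ToString() }
        }
    }
}

function Get-OversizedLogs {
    param([string]$Path, [int]$ThresholdKB)
    # -LiteralPath is deliberate: the folder name contains an apostrophe.
    if (-not (Test-Path -LiteralPath $Path)) { return @() }
    Get-ChildItem -LiteralPath $Path -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -gt ($ThresholdKB * 1KB) } |
        Sort-Object Length -Descending |
        Select-Object FullName, @{ n = 'SizeKB'; e = { [math]::Round($_.Length / 1KB, 1) } }, LastWriteTime
}

$states = Get-MbServiceState -Names $ExpectedServices
$states | Format-Table -AutoSize

$notRunning = $states | Where-Object { $_.Status -ne 'Running' }
if ($notRunning) {
    Write-Warning ("Services not running: " + (($notRunning.Service) -join ', '))
}

$bigLogs = Get-OversizedLogs -Path $LogDir -ThresholdKB $LogSizeThresholdKB
if ($bigLogs) {
    Write-Warning "Log files larger than $LogSizeThresholdKB KB in $LogDir (candidates for why the agent service did not stop during upgrade):"
    $bigLogs | Format-Table -AutoSize
} else {
    Write-Output "No log files larger than $LogSizeThresholdKB KB found in $LogDir"
}
```

Run it in an elevated PowerShell session on the endpoint; a service reported as NotInstalled means neither the service name nor the display name matched, which is worth comparing against services.msc before concluding the component is missing. The StartType column requires Windows PowerShell 5 or later.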
