djacobson

Honorary Members
  • Posts

    1,275
Everything posted by djacobson

  1. It is the part of the real-time protection, that has been a feature of the paid Malwarebytes. This is the equivalent to the older version's "malicious file protection" with a re-branded name. The reason that real-time features cannot be used is they create a new MB process with every connection made, these can add up to the point where it can bring the server down. So we suggest to only use the scanner function in cases like this.
  2. @BRAM, thanks for clarifying. Please keep me up to date on how it goes with your GP rollout. Do you have a case open already?
  3. @BRAM, did you already have a previous issue with shutdown loops, long shutdown times or hung shutdown with MBARW? I've had that issue pop-up about three times. It is very hard to diagnose because it is during shutdown and no tools will work during that time. Windows Event Viewer doesn't offer many clues either. Also did you click through the update via the notification or push the new version over the top of the existing using the installers? It would be my suggestion to try to uninstall the old version first then deploy the new, see if that helps your situation.
  4. @jbwilliams33, no, the notification behavior is part of the application itself and is not a registry setting. There are no settings at all for the system tray in registry except for the start run, which is the application's front-end itself and the tray icon. If it is disabled, the MBARW service still runs but the program will be broken and not able to properly respond to an infection event. MBARW is a very simple tool, any and all complexity went into its detection engine. The CLI it can respond to is only built around adding and removing exclusions, deleting or restoring items from quarantine, and starting and stopping the protection. If you wish to no longer see the notification, you must uninstall and reinstall, to which I would say if you're gonna do all that, you might as well just upgrade it. System tray stuff has been covered before here -
  5. @WHairstonLOI I remember that case. Another L2 B2B agent and I were helping the LT agent and it had to do with how it pulled MBAE. The software pieces are pulled from a link and not from your LT server, but it is not our download link, ours is a zip package for the console with the standalone MBARW contained within - https://downloads.malwarebytes.org/file/mbes_for_business There is no other link that we host which contains MBARW-B, except our update backend server, sirius, which only the programs themselves can talk to and is not where LT gets the installers. The installers are pulled from some server or cdn that LT runs but I forget what it is, it's been a while since that case. I can ask our Partner PM what the link is and if it is possible to change that so it pulls something newer.
  6. No, there are no options for the system tray. If you remove the MBARW start run entry in registry, you will break the program. Your users can click on the X until such a time as you can push the update manually. The prompt will return at the next restart.
  7. We will always be faster to update than MSPs, that's a given as we are the author. New LT plugins also take time to code and then for LT to vet once those programs are finished. To be on top of what's available, you will have to be proactive and look at our support KB area I linked for jpereboom, or you could let it be and wait until LT notifies you of a new plugin once it is on their hands and they have finished their testing. Notifications on the forum will be a mirror of the support KB, it will be in the KB first. There is nothing to sort through on the KB site, it is posted front and center, all major need to know stuff will be there...

     1. When we push NEW installations of MBARW using our EXISTING LT plugins, I'm still seeing the OLD version of MBARW deployed. Am I correct that this will be the standard behavior until a NEW or UPDATED LT plugin is developed and distributed?

     That is correct. The plugin is only going to install what it has available within it.

     2. If we manually apply the update of MBARW (either manually or via the .MSI file you've referenced), will that cause any issues with the EXISTING LT plugin? (ex: installations no longer recognized, etc.)

     I do not have a way to know that, this is something for LT to test. Or some daring LT admin to try out ;p I do not foresee any issue as the program's functionality and options have not changed. I imagine it will be similar to how Anti-Exploit is able to upgrade independent of your LT platform and run correctly. New pushes will revert the version though, that is a truth for MBMC as well. I could see however, that it is possible for it to not display the correct version number, but that is my own speculation and may not be the case. At any rate, it is not going to break anything and leave you with a sev 1 type scenario.

     3. Per the question posed by jpereboom above, after the update of MBARW is installed (either manually or via the .MSI file), will FUTURE upgrades to MBARW still have this behavior, or can we simply have transparent updates from this point forward (at least for MBARW)?

     To clarify, the program already has silent update ability, and we have already released a few silent updates, these were what we call CUs, component updates, for MBARW which you probably never even noticed. This one is prompting because; one - the business build was mistakenly included in a live push meant for consumers. And two - it is a whole program revision, not an update (this was required to fix the temp profile issue, it couldn't be done in a CU), and requires local admin permissions to run. For the question about future behavior for program revisions on the business MBARW, the answer is, no, it will not. See below...

     4. WHEN can we expect the new MB Endpoint Protection product to be the one installed, supported, and managed by the LT plugin? I don't expect an exact date, but a general timeframe for moving us LT partners off the legacy platform and onto the current platform would be nice to know. After all, our clients expect us to provide them with the latest, best protection, and obviously what we're working with isn't it.

     I know of no plan for the MB3 business product to be available to any MSPs. That is an Executive and Program Manager level decision. It for sure will not be possible until such a time as there is an API written for it, and I am not at liberty to share the timeline for MB3 Business to receive the ability to be controlled via CLI. I can share that it is something we have planned to create and is in the pipe.
  8. Hi @jpereboom, the MBARW team learned a valuable lesson from the backlash and case inundation we received, one which us B2B agents already know; that our admin customers need to have program revision update control. Bar none, end of story. Whether that's due to end user restrictions, update vetting, change control processes or just bundling all the work into one day of updates across your environment, or more honestly a week cause crap happens 😜 - the B2B team gets it, we've all been system admins in previous lives, we are your advocates and we do not want your tickets/helpdesk to blow up any more than our own. These expectations have been communicated and the MBARW team is stepping up to meet them on behalf of what our people need. There are no controls for the MBARW system tray icon, so to prevent things like this in the future, it is wholly on our shoulders here internally when the time comes to "flip the switch" for updates, so here's what we are doing; the business MBARW build will no longer be part of the over the air updates. Future updates will be done via new installers, which will be communicated in our new support community here - Business Solutions - We will also mirror this communication via forum posts and possibly the B2B newsletter emails.
  9. @rleroux, the LT agent neglected to realize that it is not because it is the only version available to them, or the only one compatible with the plugin, it is because that version is the latest we have for the on-premises product. LT had in fact been using previous builds before culminating to 1012. MBAM 1.80.2.1012 itself is not old or out of date. It is very stable and has just about everything it could need now, it is however built upon the legacy platform. The reason for this is the fully realized API in that product version. MB3 does not support any CLI just yet, and so is not manageable by MSP platforms or our own console application. The API functionality for MB3 platform will be created in the future. I should rephrase my statement that "there will be no more Anti-Malware for Business program versions past 1.80.2.1012". We may not go past 1.80, but there may in fact be revisions to the 1.80 main build, like we had with 1.80.1010, 1011 and then 1012, which brought MITM protection to signature updates. Malwarebytes Endpoint Protection, which features the flagship MB3 tech, is sold by us only, no partners have the ability to sell or integrate with it at this time. If you are interested in this product, you can get a free trial of it here to test drive - https://www.malwarebytes.com/business/trial/?ref=ep
  10. @King_Of_The_Castle the settings are not exactly clear as to which portion of the product they affect, so here's an example policy for a server needing Anti-Malware web and file real-time off and MBARW disabled. Anti-Exploit is on and Anti-Malware's scan engine is still in place. The scan schedule though, is in a different area of the settings.
  11. @Winterborn see this support KB for the product download - https://support.malwarebytes.com/docs/DOC-1161
  12. @alexl010 That's part of the upgrade steps, performing a new push is required to update the clients after installing the new console version. And as always, perform a DB backup as stated in the upgrade steps to be able to easily recover and attempt the upgrade again if something goes wrong.
  13. Hi @kdan, our release history is shown here - https://www.malwarebytes.com/support/releasehistory/business/

      • MBMC and Managed Client (these always match) - 1.8.0.3443
      • Anti-Malware for Business - 1.80.2.1012
      • Anti-Exploit for Business - 1.09.2.1413
      • Anti-Ransomware for Business - 0.9.18.806
  14. Hi @mihnehtoox

      What are the required server communication ports for the final clients in the scan?

      • Firewall off or ports for mbmc are open (defaults are 18457, 443 and 137)
      • .NET Framework 3.5
      • Windows Installer 4.0 or higher
      • Turn on Network discovery, File sharing and Printer sharing. Be aware the Microsoft deprecation of netbios may affect your ability to discover endpoints using the client push install tool!

      Do the mbae, mabm, and mbarw client ports update to the network?

      External URLs to have open for MBMC

      • https://data.service.malwarebytes.org Port 443 outbound
      • https://data-cdn.mbamupdates.com Port 443 outbound
      • https://keystone.mwbsys.com Port 443 outbound

      For the server, also add the keystone address to IE's trusted site list and disable IE Enhanced Security if you still have it enabled.

      Are clients' updates searched on the internet or on the server?

      You choose this in your policy, whether to have the client reach out to the internet on their own (saving you a ton of bandwidth), or to have the management server host them (useful for machines not typically connected to the external internet).
  15. When we created the MBARW beta, people wanted it sooner than the time it would take to modify the console's code to include it, so it was released as a standalone tool to get it in people's hands faster, just like the Anti-Rootkit (MBAR) and ADWCleaner tools, you have access to them but they are not managed products. If you are a long time console user, you may remember that it required a major update from Malwarebytes Enterprise Edition 1.3.1 to Malwarebytes Management Console 1.4.0 in order to bring managed Anti-Exploit functionality. It was and has been intended for the long run to combine all the technologies into a single footprint agent, that development had been ongoing for some time now and that product has since released. MBARW is part of a managed solution under the new Malwarebytes Endpoint Protection product.
  16. @WHairstonLOI, I know where you are coming from, our own customers are upset as well, MBARW for Biz was mistakenly included on the over the air push. We had a newsletter email and update package being prepared but that isn't how it went down unfortunately. MBARW is essentially a standalone tool, it is independent, much like Anti-Exploit is. That on-screen prompt is the auto-update function, most CU (component update) packages are silent but the code change in this update is major and requires more involvement. If your customers are local admins of their own machines, they can install the update on their own by clicking through the prompts. If not, you will need to use the installer package on the support KB link - Install Malwarebytes Anti-Ransomware as an unmanaged client - there will be a plugin update but it must be created by us then vetted by LT, so it could take a while before you see it. Anti-Malware is not able to automatically update its revision like our next-gen products can due to the way it was originally coded and the architecture it was built on, however, there is no real need to ponder the consequences of this as there will be no more Anti-Malware for Business program versions past 1.80.2.1012. Anti-Exploit was designed to do this automatically from the get go. The new MB3 can do this now as well. MB3 for business is called Malwarebytes Endpoint Protection.
  17. Hi @jforman, you are looking at a cached historic result from the last action the client push tool made. You can disregard the client push tool still showing old info, it will not update unless you use the option "scan and detect client software". If the machine shows up in the client view and is seen as online, there's nothing more you need to do.
  18. https://msdn.microsoft.com/en-us/library/windows/desktop/aa372835(v=vs.85).aspx - 2769 Custom Action [2] did not close [3] MSIHANDLEs. The InstallExecuteSequence may have been authored incorrectly. Actions that change the system must be sequenced between the InstallInitialize and InstallFinalize actions. Perform package validation and check for ICE77.

      Hi @siggiagnars Just a heads up, the MBES product is running Anti-Malware 1.80.2.1012. Version 2.x is a consumer product. What version of Windows is this? Did you create an MSI or EXE offline package installer? If you are using the MSI, this installer is meant for scripted deployment, you must run that from an admin elevated CMD prompt using the following command:

      msiexec /i C:\example\path\to\clientsetup.msi /qn
  19. Hi @BenCunn, yes that is correct. Once the machine checks in, and sees the group, and assigned policy set for the machine to which it is installed, it will pull the rest of the needed pieces and install them to the endpoint automatically.
  20. Hi @King_Of_The_Castle, there are a few things to consider for servers and also for those in terminal services and RDS roles. Here's something I wrote on another post that applies to your situation. Portions of EP are supported by servers, and then certain server roles can preclude you from using other pieces. First thing to note is MBARW, the Anti-Ransomware portion, does not support any server OS at all. Create a server specific policy with MBARW disabled for servers. If MBARW did support server OS, it will still not help the server at all, the program works on behavior, it would be unable to detect and stop a process running from another machine, i.e. the patient zero workstation. Protect your servers and drive shares by protecting your endpoints. Next is Anti-Malware, the following environment roles are unsupported for Anti-Malware's real-time. Turn off the Anti-Malware real-time to a server which runs:

      • Terminal Services (TS) / Remote Desktop Services (RDS)
      • Virtual Desktop Infrastructure (VDI)
      • Windows Storage Server
      • Server Core
      • Citrix XenDesktop
      • Citrix XenApp
      • VMware View
      • VMware VShield

      Since your server falls under this, I would suggest creating a more aggressive scan schedule, one that has scans happening at shorter intervals, this will help make up the difference in not running the real-time. Anti-Exploit though should be just fine on your server as is.
  21. Hi @BertM, not exactly. Portions of EP are supported by servers, and then certain server roles can preclude you from using other pieces. First thing to note is MBARW, the Anti-Ransomware portion, does not support any server OS at all. Create a server specific policy with MBARW disabled for servers. If MBARW did support server OS, it will still not help the server at all, the program works on behavior, it would be unable to detect and stop a process running from another machine, i.e. the patient zero workstation. Protect your servers and drive shares by protecting your endpoints. Next is Anti-Malware, the following environment roles are unsupported for Anti-Malware's real-time. Turn off the Anti-Malware real-time to a server which runs:

      • Terminal Services (TS) / Remote Desktop Services (RDS)
      • Virtual Desktop Infrastructure (VDI)
      • Windows Storage Server
      • Server Core
      • Citrix XenDesktop
      • Citrix XenApp
      • VMware View
      • VMware VShield

      Since your server falls under this, I would suggest creating a more aggressive scan schedule, one that has scans happening at shorter intervals, this will help make up the difference in not running the real-time. Anti-Exploit though should be just fine on your server as is.
  22. Hi @lcpeery, you can test the Anti-Malware malicious file real time function (test-trojan, test_PUP) and Anti-Exploit (mbae-test) with the following zipped tools – https://malwarebytes.box.com/s/2ae222kt1ogv41emx1ehgnq8d9stgiue Password = mbam The real time web blocker can be tested by going to – http://iptest.malwarebytes.org/ - on the endpoint. To test that the scanner is looking in certain areas during scheduled scans, you can copy and paste the test-trojan and test_PUP into different directories and perform a scan.
  23. Hi @BenCunn, the cloud product has no UI for the endpoints at this time. The 3 products you are familiar with; MBAM, MBAE and MBARW, that are all separate pieces with MBES are combined into one footprint with MBEP, there is no need to download and run anything else. Everything about how the program runs, what protections are enabled, scan schedule etc, is controlled by the settings and policies within your cloud console portal. Licenses are controlled by the account email you set up, it doesn't use a license key like the consumer side, you cannot use the consumer MB3 with a cloud trial or purchase.
  24. We will need to look at the MBAE logs surrounding the event, most times the MD5's need to be generated on your own, but in order to work the hit must act upon a specific layer of MBAE's protection. May I have you zip up the entire “C:\ProgramData\Malwarebytes Anti-Exploit” folder from the client showing the block and attach it here?
  25. The process that runs the realtime is unable to run because there are portions of the program missing. Missing portions of the product during install happen due to other security software deleting them via some intrusion protection function in that other security software. I would suggest ignoring Malwarebytes' processes in your Avast and Windows Defender and reinstalling.

      R2 MB3Service; C:\Program Files\Malwarebytes\Anti-Ransomware\mb3service.exe [6054352 2017-07-25] (Malwarebytes)
      R2 MbaeSvc; C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe [155080 2017-05-15] (Malwarebytes Corporation)
      R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [452576 2016-02-09] (Malwarebytes Corporation)
      S2 MBAMService; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [901088 2016-02-09] (Malwarebytes Corporation)
      R1 ESProtectionDriver; C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.sys [77408 2017-05-15] ()
      R3 MB3SwissArmy; C:\WINDOWS\system32\drivers\MB3SwissArmy.sys [253888 2017-08-03] (Malwarebytes)
      R3 MBAMFarflt; C:\WINDOWS\system32\DRIVERS\farflt.sys [101824 2017-08-03] (Malwarebytes)

      Missing MBAM.sys entry!

      Error: (08/03/2017 10:20:35 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
      Description: The MBAMService service depends on the MBAMProtector service which failed to start because of the following error: The system cannot find the file specified.

      Error: (08/03/2017 10:20:35 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
      Description: The MBAMProtector service failed to start due to the following error: The system cannot find the file specified.

      Error: (08/03/2017 10:20:33 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
      Description: The MBAMService service depends on the MBAMProtector service which failed to start because of the following error: The system cannot find the file specified.

      Error: (08/03/2017 10:20:33 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
      Description: The MBAMProtector service failed to start due to the following error: The system cannot find the file specified.

      Error: (08/03/2017 10:20:33 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
      Description: The MBAMService service depends on the MBAMProtector service which failed to start because of the following error: The system cannot find the file specified.