Posts posted by djacobson

  1. No worries. To clarify, I mean the initial build the console deploys before the auto-upgrade takes over. For console 1.8.0.3443, it initially deploys mbae 1.09.2.1384.

    The mbae uninstall log has some interesting info, the switch over is failing. Something, I suspect your other security software, is not allowing mbae to move its new files and overwrite the old ones. Your awaiting new files are stuck in C:\Program Files (x86)\Malwarebytes Anti-Exploit\tmp.

    2017/06/02 - 11:04:09 - 457 - {ERROR} 5 deleting file: C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-cli.exe.
    2017/06/02 - 11:04:15 - 939 - {Info} The command {C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe -remove} has been executed. 0
    2017/06/02 - 11:04:15 - 352 - {INFO} Setting path in registry: 0.
    2017/06/02 - 11:04:15 - 224 - {info} Getting current working directory. Result: {C:\Program Files (x86)\Malwarebytes Anti-Exploit\}.
    2017/06/02 - 11:04:15 - 783 - {info} The file {C:\Program Files (x86)\Malwarebytes Anti-Exploit\tmp\mbae64.exe} could not be moved to file {C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe}. 5.
    2017/06/02 - 11:04:15 - 853 - {info} The file {C:\Program Files (x86)\Malwarebytes Anti-Exploit\tmp\mbae64.exe} has been marked to move to (C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe).
    2017/06/02 - 11:04:15 - 783 - {info} The file {C:\Program Files (x86)\Malwarebytes Anti-Exploit\tmp\mbae-cli.exe} could not be moved to file {C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-cli.exe}. 5.
    2017/06/02 - 11:04:15 - 853 - {info} The file {C:\Program Files (x86)\Malwarebytes Anti-Exploit\tmp\mbae-cli.exe} has been marked to move to (C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-cli.exe).
    2017/06/02 - 11:04:15 - 783 - {info} The file {C:\Program Files (x86)\Malwarebytes Anti-Exploit\tmp\mbae-svc.exe} could not be moved to file {C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe}. 5.
    2017/06/02 - 11:04:15 - 853 - {info} The file {C:\Program Files (x86)\Malwarebytes Anti-Exploit\tmp\mbae-svc.exe} has been marked to move to (C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe).

     

    To be safe, since Trend Micro and Windows Defender are both running, I'd say to whitelist the mbae directory and exe's in both.

    AV: Trend Micro OfficeScan Antivirus (Enabled - Up to date) {8242D66F-41BD-4049-C2E6-E578E73B62A0}
    AS: Trend Micro OfficeScan Anti-spyware (Enabled - Up to date) {3923378B-6787-4FC7-F856-DE0A9CBC281D}
    AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    FW: Trend Micro Personal Firewall (Enabled) {BA79574A-0BD2-4111-E9B9-4C4D19E825DB}

     

    Here are the file locations, Anti-Exploit is the most important piece for the current issue but I added mbam and the managed client communicator pieces just in case. Let me know if your upgrades work after this.

    Anti-Exploit:
    32
    C:\Program Files\Malwarebytes Anti-Exploit\mbae.exe
    C:\Program Files\Malwarebytes Anti-Exploit\mbae64.exe
    C:\Program Files\Malwarebytes Anti-Exploit\mbae-cli.exe
    C:\Program Files\Malwarebytes Anti-Exploit\mbae-svc.exe
    64
    C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe
    C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe
    C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe
    C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-cli.exe

    Anti-Malware:
    32
    C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamapi.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamhelper.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbampt.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    64
    C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe
    C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
    C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamapi.exe
    C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamhelper.exe
    C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbampt.exe
    C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
    C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe

    Managed Client Communicator:
    32
    C:\Program Files\Malwarebytes' Managed Client\SCComm.exe
    64
    C:\Program Files (x86)\Malwarebytes' Managed Client\SCComm.exe
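
Added example (not part of the original post and not Malwarebytes code): a small Python triage of the uninstall-log lines quoted in the post above, grouping delete and move failures per target file and listing which replacements are still staged under tmp. Reading the trailing numbers as Win32 error codes, and the names `triage` and `staged_targets`, are assumptions of this example.

```python
import re

# Assumption: trailing numbers in the log are Win32 error codes (the page does not say so).
WIN32 = {2: "ERROR_FILE_NOT_FOUND", 5: "ERROR_ACCESS_DENIED"}

# Lines copied from the uninstall log excerpt quoted in the post above.
SAMPLE_LOG = r"""
2017/06/02 - 11:04:09 - 457 - {ERROR} 5 deleting file: C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-cli.exe.
2017/06/02 - 11:04:15 - 939 - {Info} The command {C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe -remove} has been executed. 0
2017/06/02 - 11:04:15 - 783 - {info} The file {C:\Program Files (x86)\Malwarebytes Anti-Exploit\tmp\mbae64.exe} could not be moved to file {C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe}. 5.
2017/06/02 - 11:04:15 - 853 - {info} The file {C:\Program Files (x86)\Malwarebytes Anti-Exploit\tmp\mbae64.exe} has been marked to move to (C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe).
2017/06/02 - 11:04:15 - 783 - {info} The file {C:\Program Files (x86)\Malwarebytes Anti-Exploit\tmp\mbae-cli.exe} could not be moved to file {C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-cli.exe}. 5.
2017/06/02 - 11:04:15 - 853 - {info} The file {C:\Program Files (x86)\Malwarebytes Anti-Exploit\tmp\mbae-cli.exe} has been marked to move to (C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-cli.exe).
"""

# Date, time, numeric field, {level}; group 1 is the message text.
LINE = re.compile(r"^\d{4}/\d\d/\d\d - \d\d:\d\d:\d\d - \d+ - \{\w+\} (.*)$")
PATTERNS = [
    ("move_failed", re.compile(r"^The file \{.+?\} could not be moved to file \{(?P<dst>.+?)\}\. (?P<code>\d+)\.?$")),
    ("delete_failed", re.compile(r"^(?P<code>\d+) deleting file: (?P<dst>.+?)\.?$")),
    ("move_pending", re.compile(r"^The file \{.+?\} has been marked to move to \((?P<dst>.+?)\)\.?$")),
]

def triage(log_text):
    """Return {target path: {"errors": set of (operation, error name), "pending": bool}}."""
    report = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        for op, pat in PATTERNS:
            hit = pat.match(m.group(1))
            if hit:
                entry = report.setdefault(hit["dst"], {"errors": set(), "pending": False})
                if op == "move_pending":
                    entry["pending"] = True
                else:
                    code = int(hit["code"])
                    entry["errors"].add((op, WIN32.get(code, f"code {code}")))
                break
    return report

def staged_targets(report):
    """Targets whose replacement was only marked for a later move (new file still in tmp)."""
    return sorted(path for path, entry in report.items() if entry["pending"])

if __name__ == "__main__":
    for path, entry in triage(SAMPLE_LOG).items():
        print(path, sorted(entry["errors"]), "staged" if entry["pending"] else "not staged")
```
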

  2. Mbae is not able to install the new service and run it on this machine:
    2017/05/25 - 15:25:22 - {ERROR} The command {C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe -installopen} could not be executed. 2
     

    We'll need to do it manually. Grab the mbae clean tool, run it on this machine and then restart it. After the restart, install 1.09.2.1413 directly.

    mbae-clean: https://malwarebytes.box.com/s/waul5gj50wsdv1qxucgnci5obwul80w6

    1.09.2.1413: https://malwarebytes.box.com/s/q6hx9tq36ig9dmxcy1yoor428gcfuz9u

  3. 1.09.2.1291 is a bit old. Let's let your Anti-Exploit update before doing anything else. If the issue is with Anti-Exploit, which from the IE and plugin stuff you describe is highly likely, then creating an ignore in the policy for Anti-Malware will have no effect. Also, this could be a conflict that's already been solved by the newer Anti-Exploit build. Anti-Exploit does not use signatures, so any new features and compatibility fixes need to come through program updates. The option is in Policy \ Anti-Exploit \ Automatically upgrade Anti-Exploit on clients. Enable the option and wait for the machines to pick up the update and move onto 1.09.2.1413, then retest for the IE and plugin issue.

  4. We do not interfere with SQL in any way; if there's interference, it would be with the application EXE itself. If the application runs from a network share, it could trigger the web block portion.

    I'm not aware of any conflicts with that plugin. 1.8.0.3443 is your console version, I need to know your Anti-Exploit version in use on the machines. See my screenshot...

     

    [Screenshot: console client versions]

  5. Info    2017-06-01 11:34:54.9181    16988    57    There was a problem scanning [STHOMAS-PC}: System.Net.Sockets.SocketException (0x80004005): A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond
       at System.Net.Sockets.Socket.ReceiveFrom(Byte[] buffer, Int32 offset, Int32 size, SocketFlags socketFlags, EndPoint& remoteEP)
       at SC.Server.WindowsService.ComputerScan.ScanIPAddress(String consoleIP, String consoleLoginName, String ip, String name)

  6. Hi @md111, it looks like your install is perfectly fine, all drivers and services are running...

    Anti-Malware:
    R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [452576 2016-02-09] (Malwarebytes Corporation)
    R2 MBAMService; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [901088 2016-02-09] (Malwarebytes Corporation)
    R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [27008 2016-02-09] (Malwarebytes Corporation)
    R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [192216 2017-05-30] (Malwarebytes)

    Anti-Exploit:
    R1 ESProtectionDriver; C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.sys [77408 2017-05-15] ()
    R2 MbaeSvc; C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe [155080 2017-05-15] (Malwarebytes Corporation)

    Managed Client Communicator:
    R2 SCCommService; C:\Program Files (x86)\Malwarebytes' Managed Client\SCComm.exe [149992 2017-04-06] (Malwarebytes)

    However, your Managed Client Communicator is unable to communicate back to the server...
    Error    2017-05-30 10:03:24.2485    2752    6    Failed to send client status: System.Security.Authentication.AuthenticationException: Logon failure: unknown user name or bad password ---> System.Runtime.InteropServices.COMException (0x8007052E): Logon failure: unknown user name or bad password.

    I'll need to check the server side communication to see how deep this goes. On the server, go to Start > All Programs > Malwarebytes Management Server and run Collect System Information. Zip the folder up and attach it.





     

  7. Hi @cjones_ufv, I have, but this case has gotten complicated. Anti-Exploit's service is missing. May I have you zip up its program files directory and attach it?

    Anti-Malware:
    R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [452576 2016-02-09] (Malwarebytes Corporation)
    R2 MBAMService; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [901088 2016-02-09] (Malwarebytes Corporation)
    R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [27008 2016-02-09] (Malwarebytes Corporation)
    R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [192216 2017-05-28] (Malwarebytes)

    Anti-Exploit:
    R1 ESProtectionDriver; C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.sys [77408 2016-12-14] ()
    Missing MbaeSvc; C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe

    Managed Client Communicator:
    R2 SCCommService; C:\Program Files (x86)\Malwarebytes' Managed Client\SCComm.exe [149992 2017-04-06] (Malwarebytes)


     

     

  8. Hi @SMaton, yes there is!

    1. Run mbmc installer exe file. Do not press any buttons after it launches.
    2. Go to your temp directory (i.e. C:\Users\Administrator\AppData\Local\Temp), find a folder “scserver.<number>”, open it and copy ManagementSystemSetup.msi to your desktop.
    3. Abort installer from step 1.
    4. Run the ManagementSystemSetup.msi you copied and follow the normal install process.

     

  9. Hi @md111 This error is not a show stopper, your install should be fine. The client did not check back into the server within a set hardcoded timeframe. It could be because of firewall, network speed and another security product interfering with our communication. Run these tools and I will investigate.

    Step A – Malwarebytes Client Log Set
    On the client go to C:\Program Files (x86)\Malwarebytes' Managed Client and run the tool CollectClientLog.exe. Attach the folder it generates.

    Step B – Malwarebytes Check Log
    Please download and save our diagnostic tool, mbam-check.exe, to your desktop from this link.

    Malwarebytes Check Tool

    Double-click mbam-check.exe to launch the tool. A black command prompt window will briefly appear, and then a log file will open. The log which opens will be saved to your desktop as CheckResults.txt.

    Step C – frst Log
    In addition to the check logs, I would like to have you run a tool known as frst. frst will help provide me with a list of installed programs and other information about your computer that will help me see if there are any other problems that are not being detected. Please follow the steps below to run frst.

    1.) Please download frst and frst64 from the link below and save it to your desktop:

    frst 32 Bit
    frst 64 Bit

    Note: You need to download the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your computer; that will be the right version. Some traditional Anti-Viruses may false positive the download or running frst, I can assure you it is safe. If this happens, please temporarily disable the AV.

    2.) Double-click the purple frst or frst64 icon to run the program. Click Yes when the disclaimer appears.
    3.) Click the Scan button
    4.) When the scan has finished, it will make 2 log files in the same directory the tool is located, frst.txt and Addition.txt.

    Please attach MBMC Client log, CheckResults.txt, frst.txt and Addition.txt in your reply.

     

  10. Hi @Benzyl, may I have you run this tool?

    Frst Log
    I would like to have you run a tool known as frst. frst will help provide me with a list of installed programs and other information about your computer that will help me see if there are any other problems that are not being detected. Please follow the steps below to run frst.

    1.) Please download frst and frst64 from the link below and save it to your desktop:

    FRST 32-bit version: https://downloads.malwarebytes.com/file/FRST
    FRST 64-bit version: https://downloads.malwarebytes.com/file/FRST64

    Note: You need to download the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your computer; that will be the right version. Some traditional Anti-Viruses may false positive the download or running frst, I can assure you it is safe. If this happens, please temporarily disable the AV.

    2.) Double-click the purple frst or frst64 icon to run the program. Click Yes when the disclaimer appears.
    3.) Click the Scan button
    4.) When the scan has finished, it will make 2 log files in the same directory the tool is located, frst.txt and Addition.txt.

    Please attach frst.txt and Addition.txt in your reply.

     

  11. @Kable please run this tool.

    Frst Log
    I would like to have you run a tool known as frst. frst will help provide me with a list of installed programs and other information about your computer that will help me see if there are any other problems that are not being detected. Please follow the steps below to run frst.

    1.) Please download frst and frst64 from the link below and save it to your desktop:

    FRST 32-bit version: https://downloads.malwarebytes.com/file/FRST
    FRST 64-bit version: https://downloads.malwarebytes.com/file/FRST64

    Note: You need to download the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your computer; that will be the right version. Some traditional Anti-Viruses may false positive the download or running frst, I can assure you it is safe. If this happens, please temporarily disable the AV.

    2.) Double-click the purple frst or frst64 icon to run the program. Click Yes when the disclaimer appears.
    3.) Click the Scan button
    4.) When the scan has finished, it will make 2 log files in the same directory the tool is located, frst.txt and Addition.txt.

    Please attach frst.txt and Addition.txt in your reply.

     

  12. Yup, we'll need to gather logs off that machine.

    Step A – Malwarebytes Client Log Set
    On the client go to C:\Program Files (x86)\Malwarebytes' Managed Client and run the tool CollectClientLog.exe. Attach the folder it generates.

    Step B – Malwarebytes Check Log
    Please download and save our diagnostic tool, mbam-check.exe, to your desktop from this link.

    Malwarebytes Check Tool

    Double-click mbam-check.exe to launch the tool. A black command prompt window will briefly appear, and then a log file will open. The log which opens will be saved to your desktop as CheckResults.txt.

    Step C – frst Log
    In addition to the check logs, I would like to have you run a tool known as frst. frst will help provide me with a list of installed programs and other information about your computer that will help me see if there are any other problems that are not being detected. Please follow the steps below to run frst.

    1.) Please download frst and frst64 from the link below and save it to your desktop:

    frst 32 Bit
    frst 64 Bit

    Note: You need to download the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your computer; that will be the right version. Some traditional Anti-Viruses may false positive the download or running frst, I can assure you it is safe. If this happens, please temporarily disable the AV.

    2.) Double-click the purple frst or frst64 icon to run the program. Click Yes when the disclaimer appears.
    3.) Click the Scan button
    4.) When the scan has finished, it will make 2 log files in the same directory the tool is located, frst.txt and Addition.txt.

    Please attach MBMC Client log, CheckResults.txt, frst.txt and Addition.txt in your reply.

     
