Posts posted by djacobson

  1. Usually registration failure is not a show stopper, the installs should be fine, although with the lack of services running, there must be a deeper issue. What that regfail error means is that the client did not check back into the server within a set hardcoded time-frame. It could be because of a firewall, network speed or another security product interfering with our communication. It is most likely happening because the sccomm process is not running or even getting installed.

    Let's check some things. On your server go to C:\Program Files (x86)\Malwarebytes Management Server\PackageTemplate and check the sccomm.xml file. Make sure it contains the correct server address.

    On a client with the check in issue, go to C:\ProgramData\Sccomm and check out the sccomm.xml there, check that the server info is correct.

  2. MEEClientService is tied to the sccomm.exe process, it must be running at all times for the clients to be able to check-in, it is the process that controls the server/client communication. If MEEClientService is unable to run, be sure to have C:\Program Files (x86)\Malwarebytes' Managed Client\sccomm.exe ignored by whatever other security software you have in place.

    MbamScheduler.exe is your scheduled scan task engine. It should be running or scheduled scans will not kick off.

    MbamService.exe is your real time protection engine, it should also be running or you have none of the real time protection features.

  3. Hey @cjones_ufv, my bad on the timer, it slipped my mind that it is a global number. Somehow that check-in number became corrupted; either on the endpoint due to a mismatch between console / client communicator before 0 timer bug or in the SQL table as the policy is pulled from it. It may be worth moving everyone to the policy copy you made and deleting the original in case the SQL table is the reason why the timer was so long. Having the timer at 10 minute auto should be fine, but the shorter manual interval is useful to test with since you don't have to wait so long to see the changes. Any other stragglers that are not picking up the changes or are not showing the correct status, go ahead and restart their MEEClientService to force a new check-in to get them reset.

  4. Hi @Rammer47, sorry for the delay. I've got your results. There's an Anti-Malware double install and build conflict between the versions. There's a consumer build on here that has broken the business install. The realtime service is unable to run and there is a consumer driver present but broken. Uninstall everything from this machine using the business cleaner tool here - https://malwarebytes.box.com/s/rck2gbt0kqqdp8iw1uk7u6pmjg0gajkr

    Restart the machine and then reinstall the business build.

    Malwarebytes Anti-Malware MSI (HKLM-x32\...\{AA447184-9FDA-46C1-A38A-F90A3A555BA5}) (Version: 1.60.2 - Malwarebytes Corporation)
    Malwarebytes Anti-Malware version 2.2.0.1024 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.0.1024 - Malwarebytes)

    R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [452576 2016-02-09] (Malwarebytes Corporation)
    S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1135416 2015-10-05] (Malwarebytes)
    R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [27008 2016-02-09] (Malwarebytes Corporation)
    R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [192216 2017-05-10] (Malwarebytes)
    S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2015-10-05] (Malwarebytes Corporation)
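The two symptoms named in the post above (a realtime service that cannot run and components from two different builds) can be read straight off the quoted service lines. The following is an added example, not part of the original post and not Malwarebytes code; it assumes the leading letter means R = running, S = stopped, U = undetermined and the digit is the Windows start type (2 = automatic), which the page does not state, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Service/driver lines copied from the post above.
SAMPLE = r"""
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [452576 2016-02-09] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1135416 2015-10-05] (Malwarebytes)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [27008 2016-02-09] (Malwarebytes Corporation)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [192216 2017-05-10] (Malwarebytes)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2015-10-05] (Malwarebytes Corporation)
"""

# Assumed layout: <R|S|U><start type> <name>; <path> [<size> <date>] (<signer>)
LINE = re.compile(r"^([RSU])([0-4]) (\S+); (.+?) \[(\d+) (\d{4}-\d{2}-\d{2})\] \((.+)\)$")

def parse(text):
    """Return one dict per service/driver line; unparseable lines are skipped."""
    rows = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            state, start, name, path, size, date, signer = m.groups()
            rows.append({"state": state, "start": int(start), "name": name,
                         "path": path, "size": int(size), "date": date, "signer": signer})
    return rows

def stopped_autostart(rows):
    """Services set to start automatically (type 2) that are not running."""
    return [r["name"] for r in rows if r["state"] == "S" and r["start"] == 2]

def install_dirs(rows):
    """Map each directory under Program Files to the components loaded from it."""
    dirs = defaultdict(list)
    for r in rows:
        parts = r["path"].split("\\")
        if len(parts) > 2 and parts[1].lower().startswith("program files"):
            dirs[parts[2]].append(r["name"])
    return dict(dirs)

def findings(text):
    rows = parse(text)
    out = [f"auto-start service not running: {n}" for n in stopped_autostart(rows)]
    dirs = install_dirs(rows)
    if len(dirs) > 1:
        out.append("components load from more than one install directory: "
                   + ", ".join(sorted(dirs)))
    return out

print("\n".join(findings(SAMPLE)))
```

On the quoted lines this reports MBAMService as a stopped auto-start service and flags the two install directories that differ only by the apostrophe in the folder name.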


  5. Hey @bigjohn888jb I'll help clarify what's in that package. Malwarebytes_Endpoint_Security_1.7.7.0000 \ Managed has the console installer. The console deploys two modified Malwarebytes programs and the administrative portion; Anti-Malware, Anti-Exploit and the Managed Client Communicator. These managed versions of MBAM and MBAE are modified to be controlled by the console, they are not compatible with the standalone or home / trial / consumer versions.

    Under Malwarebytes_Endpoint_Security_1.7.7.0000 \ Unmanaged \ Windows are all the installers meant for standalone operation.

    Unmanaged \ Windows
    mbae-setup-1.0x.2.xxxx - msi and exe
    Malwarebytes Anti-Exploit for Business standalone installer.

    mbam-setup-1.80.2.1012 - msi and exe
    Malwarebytes Anti-Malware for Business standalone installer.

    mbar-1.09.3.1001.exe
    Malwarebytes Anti-Rootkit tool, self extracting program. This is to be used locally on a machine if you suspect it has a rootkit infection.

    MBARW_Business_Setup - msi and exe
    Malwarebytes Anti-Ransomware installer, this tool is meant just for standalone operation and on workstations only, no servers. Consider it as a supplement to your main protection suite. The Anti-Ransomware program does not integrate into the management console in any way at this time.


    For Anti-Malware's scans giving you a "no action taken" on the items discovered, that means your policy isn't fully configured. There are two stages to set up; you define what MBAM will be looking for and tagging for removal in Policy -> Scanner. In your scan scheduler, or on demand scan, you define what action will be taken on the items identified and tagged. See my screenshots...

    [Screenshot: Policy PUP and PUM settings]

    [Screenshot: scan scheduler settings]

  6. Hi @jphelan, MBARW's pre-reqs are not much really. Main points are no Windows XP or Server OS support, just workstations, Win 7 and up. Other than that it requires an active internet connection and for the following URLs to be explicitly allowed on any firewall, NGFW with SSL packet inspection, content filter, proxy etc.

    External URLs to have open
    https://data.service.malwarebytes.org
    Port 443 outbound
    https://data-cdn.mbamupdates.com
    Port 443 outbound
    https://keystone.mwbsys.com
    Port 443 outbound

  7. Hi @computercourage 

    With the business products, you are protected on three levels; Anti-Malware's web blocker will stop the dial out for the key (it also now has the signature to catch the hardcoded process name used - C:\WINDOWS\mssecsvc.exe), Anti-Exploit stops the vector that is used - compromised PDFs and Anti-Ransomware will stop the encryption process.

    If your business environment does not keep Windows fully updated due to change process, or long term update vetting, it is vital that your security programs are up to date and that you at least patch the vulnerability that was exploited, MS17-010 - https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

    Also check out our MalwarebytesLabs blog which dissects this ransomware, once you see how badly it is coded, it won't seem so scary at all.

    https://blog.malwarebytes.com/cybercrime/2017/05/wanna-cry-some-more-ransomware-roundup-special-edition/

    https://blog.malwarebytes.com/threat-analysis/2017/05/the-worm-that-spreads-wanacrypt0r/

  8. Hi @bigjohn888jb, make sure you are right clicking the installer file and running it as admin, this needs to be done even if you are logged in as a domain admin. Alternatively, you can use the server's local admin account to do the install. If you pre-install SQL Express or it is already installed on the server you are using, you'll need to create an instance for the Malwarebytes SQL to reside in. Download a new SQL Express installer, choose the one that matches the Express that is already in place.

    Then follow these instructions for setup:

    1. Choose to create a New Installation.
    2. Choose "New Installation or Add Features" then click Next.
    3. Accept the license, then click Next, then Next again.
    4. Name the instance (I suggest naming it Malwarebytes) then click Next.
    5. Click "Use Same Account for all SQL Server services."
      • On the popup, enter your Windows credentials.
    6. Choose Mixed Mode authentication.  Create a password for the SA account, then click Next.
    7. Click Next two more times and finish the SQL installation.
    8. Now proceed with the Malwarebytes Management Server installation.
    9. On the SQL step choose "Use External Database."
      • Enter the Database Address, if named Malwarebytes from step 4, it will be ".\Malwarebytes" without the quotes.
      • Enter the username as SA, and then the password you created for it.
    10. Proceed with the installation as normal.

    Let me know if this works for you.


  9. Hi guys, you can only have one key in the console at a time. The process is to change the seat count of your existing key, the backend changes will report to your console licensing section in the Admin tab of console 1.7.0.3208 and up once it is completed. Your sales agent is the person who would normally be doing this.


    @BrianLG I got you! Send me a PM with your sales agent's contact (if you have one, if not that's ok), your email and your current key, I'll push the seat count changes through.
