djacobson

Staff
Posts posted by djacobson


  1. Usually repeated detection, removal and detection again of an object is a sign of a rootkit infection; however, the path here is for Google's browser, so this is a Google profile sync issue.

    Chrome has an autosync feature that automatically places browser extensions and settings from a user's home machine(s) onto whichever other machine(s) they use and are signed into with Chrome.

    For a more complete removal you need to have the users sign out of Chrome and then rescan, and use ADWCleaner - https://www.malwarebytes.com/adwcleaner/ - which is much more aggressive against browser objects. ADWCleaner's abilities are not built into your MBES product; you'll need to use the standalone tool.

    To prevent this from coming back repeatedly, you'll need to make a decision: scan and clean up your users' home machine(s) in addition to their work machines - not very many admins are willing to do that (though now you can at least see the true risk your users present to your environment on all fronts) - so the next option is to disable this functionality entirely. Google support has an article on how to disable the autosync feature via Group Policy.


  2. The name may not be known, but is there no set convention it follows? If there are GUIDs in the path name, that's helpful because those are set character string lengths.

    As an example, say a few folders are made; they start similar but end in different characters. Say, folder123, folderABC, folderXYZ. Entering an exclusion of C:\example\path\folder???\someprocess.exe would ignore all combinations of that name.

    An example with a real GUID; let's use a random one for this: "{e0e39e0d-f6c8-4ca9-8858-26b98eeec84a}":
    C:\example\path\{????????-????-????-????-????????????}\someprocess.exe

    Edit:
    It will also work just at the folder level if you want that, confirmed on my test environment 👍


  3. Hi @Timmy11, there is a migration tool in the works but it is not yet available. You can uninstall your clients from the MBMC push tool, or you could use a script to call msiexec /x on the installer cache, or use the MBClean tool.

    Here is the info on the tool - https://support.malwarebytes.com/docs/DOC-2333

    Check out these migration KBs for other items of concern when migrating:
    https://support.malwarebytes.com/docs/DOC-2930
    https://support.malwarebytes.com/docs/DOC-2954


  4. Infections will make their own areas; they are not going to know to attack your 2.0 folder unless it is done by someone that already knows your environment. Do your users download things to this folder and use it to store their items?

    The filename by itself will not work; the extension on its own will, but it is not advisable if the extension is a common script or process type. Files and folders are by whole path only.

    You can use the ? to stand in for each character for a portion of the path you need.

    C:\User\*\AppData\Local\Apps\2.0\Partialfoldername??????????\Partialfoldername??????????\filename.exe


  5. I don't have a web link to it like the main ones, I'm sorry ktechno1. But it will be in the zip folder if you pull a new download of MBBR from your Manage Endpoints page in the cloud portal. Those excerpts were from the guides of the MBBR zips I just downloaded to write that post. Also, because your MBBR 2 zip had the wrong guide in it, I went ahead and refreshed your cloud installers to make sure it grabs the same ones I had this morning.


  6. Hi @ktechno1, unfortunately Server 2008 and 2008 R2 32-bit are no longer supported by the MB3 engine. Server 2008 32-bit can use the last MBBR 2 version, the one you have listed, 2.7.2.1655.


    From the Cloud Admin Guide - https://www.malwarebytes.com/pdf/guides/MBQSG.pdf
    Windows Server 2008 R2 SP1‡§, 2008 SP2 ‡§, 2008§
    ‡ Microsoft patch KB4019276 must also be installed and enabled
    § As of July 2018, development has halted for Endpoint Clients using this operating system


    Excerpts from MBBR's Admin Guides:

    MBBR 2.7.2.1655 Operating Systems:
    o Windows 10 (32/64-bit)
    o Windows 8.1 (32/64-bit)
    o Windows 8 (32/64-bit)
    o Windows 7 (32/64-bit)
    o Windows Vista (32/64-bit)
    o Windows XP (Service Pack 2 or later, 32-bit only)
    o Windows Server 2012/2012 R2 (64-bit only)
    o Windows Small Business Server 2011 (64-bit only)
    o Windows Server 2008/2008 R2 (32/64-bit)
    o Windows Server 2003 (32-bit only)

    MBBR 3.6.1.243 Operating Systems:
    o Windows 10 (32/64-bit)
    o Windows 8.1 (32/64-bit)
    o Windows 8 (32/64-bit)
    o Windows 7 (32/64-bit) (Service Pack 1 or later)
    o Windows Server 2012/2012 R2 (64-bit only)
    o Windows Small Business Server 2011 (64-bit only)
    o Windows Server 2008 R2 (64 bit)


  7. Hi @wkiess01, you'll likely need to ignore the folder up to the 2.0. Like this:

    C:\User\*\AppData\Local\Apps\2.0\

    The program is not going to be able to honor something with that many wildcards. Additionally, the use of wildcards may preclude your ignore entry from working with the engine you need. Be sure to look at the lower portion of the window under "Exclusions Applied To...".

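Posts 2, 4 and 7 above describe the same exclusion wildcard rules. As an added illustration (not the product's own matching code), here is a hypothetical Python reference matcher that applies those rules as the posts state them: `?` stands in for exactly one character, `*` for a whole path segment such as the user-name folder, and an entry ending in a backslash covers the folder and everything under it.

```python
import re

# Hypothetical reference matcher for the exclusion syntax described in the
# posts above. It is an illustration of the stated semantics, not the
# product's own engine: '?' = exactly one character, '*' = one path segment,
# trailing '\' = folder-level exclusion covering the whole subtree.

def exclusion_to_regex(pattern: str) -> re.Pattern:
    """Translate one exclusion entry into a compiled, case-insensitive regex."""
    out = []
    for ch in pattern:
        if ch == "?":
            out.append(r"[^\\]")        # one character, never a separator
        elif ch == "*":
            out.append(r"[^\\]*")       # one path segment (or part of one)
        else:
            out.append(re.escape(ch))   # literal text, backslashes included
    body = "".join(out)
    if pattern.endswith("\\"):
        body += r".*"                   # folder-level entry: match the subtree
    return re.compile(r"\A" + body + r"\Z", re.IGNORECASE)

def is_excluded(path: str, exclusions: list[str]) -> bool:
    """True if the full path matches any exclusion entry (whole path only)."""
    return any(exclusion_to_regex(e).match(path) for e in exclusions)

# Constructed sample list built from the example entries quoted in the posts.
EXCLUSIONS = [
    r"C:\example\path\folder???\someprocess.exe",
    r"C:\example\path\{????????-????-????-????-????????????}\someprocess.exe",
    "C:\\User\\*\\AppData\\Local\\Apps\\2.0\\",
]

if __name__ == "__main__":
    for p in [r"C:\example\path\folderABC\someprocess.exe",
              r"C:\example\path\folder1234\someprocess.exe",
              r"C:\example\path\{e0e39e0d-f6c8-4ca9-8858-26b98eeec84a}\someprocess.exe",
              r"C:\User\alice\AppData\Local\Apps\2.0\Data\app.exe"]:
        print(is_excluded(p, EXCLUSIONS), p)
```

Note that `folder???` matches `folderABC` but not `folder1234`, which is the fixed-length behaviour the GUID example relies on.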

  8. Do you guys use AD or workgroups? We just mirror the names to which your computers are already set; to change them, they must be changed in the computer's properties pane or AD entry. Assuming you do not have a set naming convention in place, if you change the names in your AD to have a reliable convention, or set computer names for workgroup machines, those names will be reflected in MB's client view.

    Here is an article by Microsoft about the characters allowed and some best practices - https://support.microsoft.com/en-us/help/909264/naming-conventions-in-active-directory-for-computers-domains-sites-and

    A popular format goes like this:
    Location-Department-Computer type (D desktop, L laptop, T tablet). User (if assigned)-tag or serial. For example, HQ-HR-D-UserName-ABC123.


  9. Trend Micro Worry-Free works together with Malwarebytes, but needs mutual exclusions because currently, as of 2/4/19, there are performance issues to be aware of with these two together if no exclusions are set. Keep in mind, though, that this comes and goes in waves depending on Trend's signatures for a given time.

    @jlans89, could you post your Worry-Free list you came up with?


  10. Hello @Kairshuang, which product do you have? Your ticket number is in the format used by our consumer section queue but your post here is in the business section.


    Follow-up edit:

    If you need help with the one purchase under the same email you used on the forum, that product is our old lifetime Pro Anti-Malware; it does not renew. Was the trouble with that purchase or a different one under another email?
