Posts posted by djacobson

  1. Standard "domain user" level accounts (and higher) will have access to opening the main application GUI and killing processes from Task Manager. You would need to leverage GPO to limit the scope of permissions available to your users: create a group in AD, add the user accounts to that group under Properties \ Member Of, then create a policy via Computer Configuration\Policies\Windows Settings\Security Settings\Restricted Groups, adding that new group and its users to the restricted list. This can have unintended impacts on access to other applications, so be aware of that. As the admin for this environment, you have to strike a balance between access and restriction. Is denying access to Malwarebytes' GUI worth locking down all other applications through this policy and the subsequent internal tickets that will be opened because users can no longer do other things? Another point to keep in mind: if these domain accounts have been given local admin or local power user rights over the machine, then nothing can stop them from opening the application or killing it in Task Manager.

  2. Hello kieferschild. At this time, Anti-Ransomware does not have a provision in it to control access in this way. For the Anti-Malware side of the agent software, you can change the access settings via the policy under Protection; there are Normal, Silent and Limited user modes. Any changes to these settings will require that the user logs off and back on in order to complete the change.

    Anti-Malware, Normal mode:

    This is the default setting (silent and limited modes unchecked); it allows full interaction with the software: invoking scans and updates, and enabling/disabling real-time file and web protection.
    [Screenshot: Normal mode setting]

    Anti-Malware, Silent mode:

    This mode hides the Anti-Malware system tray icon and does not allow any interaction with the Anti-Malware software.

    Anti-Malware, Limited user mode:

    This mode for Anti-Malware disables access but keeps the system tray icon and allows users to invoke on-demand updates and scans.

    [Screenshot: Limited user mode setting]

    Anti-Exploit:

    This product has a separate setting for access to its system tray icon. Policy \ Anti-Exploit \ Do not show Anti-Exploit traybar icon and program interface.

    [Screenshot: Anti-Exploit tray icon control setting]

  3. You are likely experiencing new NetBIOS name service restrictions. Check those machines for certain Windows update KB numbers. These recent updates have restricted using NetBIOS across subnets and VLANs (and within the same subnet if the server also has the update installed), so the machines will not show up.

    The updates in question which block NetBIOS are KB3161949, KB3163017 and KB3163018. There are four options available:

    1. Modify (if it exists) or create the registry key HKLM\SYSTEM\CurrentControlSet\Services\NetBT\AllowNBToInternet, a 32-bit DWORD with a value of 1.
    2. You can also bypass this with a GPO to allow an exception for NetBIOS if you are using Windows Firewall: [screenshot]
    3. Use an offline installer package created by the console in Policy -> Create Installation Package to install locally or through GPO/SCCM.
    4. Remove the updates from the server and the endpoint temporarily.
  4. Hi guys, it's been a while since we had an update but things are looking promising again. For the cases where folks had put in the exclusions but were still experiencing lockups, we dived a bit deeper and found a common thread.

    Again the issue from page 3, post 90, is coming up: the 8.3 truncated short names used for the file path locations in the Microsoft product's ignore list (due to Microsoft's denial of our path name with the apostrophe) are not pointing to the actual locations of the executable files, rendering the exclusions non-functional.

    Not every computer is going to have the "%programfiles%\malwar~1" location mean the same place, due to different bitness (%programfiles% can be two locations depending on whether the machine is 32 or 64 bit), other folders in the same directory starting with the name "Malwarebytes", and the order in which the software was installed. This makes some Anti-Malware paths "%programfiles%\malwar~2" or "%programfiles%\malwar~3". Using the dir /x command to see the actual truncated name for that particular machine will show you what that machine is using. This was described in this post...


    We want to prevent mistakes in the ignore list, so I came up with an ignore list scheme that should take into account every possible path for Anti-Malware, managed or un-managed, on either a 32 or 64 bit machine. I've gotten a lot of positive feedback on this list from the folks who I have been working with one-on-one in support tickets and PMs, so I'd like more of you guys to try it out. Let me know if this helps you guys!

    C:\progra~1\malwar~1\mbam.exe
    C:\progra~1\malwar~2\mbam.exe
    C:\progra~1\malwar~3\mbam.exe
    C:\progra~2\malwar~1\mbam.exe
    C:\progra~2\malwar~2\mbam.exe
    C:\progra~2\malwar~3\mbam.exe
    
    C:\progra~1\malwar~1\mbamdor.exe
    C:\progra~1\malwar~2\mbamdor.exe
    C:\progra~1\malwar~3\mbamdor.exe
    C:\progra~2\malwar~1\mbamdor.exe
    C:\progra~2\malwar~2\mbamdor.exe
    C:\progra~2\malwar~3\mbamdor.exe
    
    C:\progra~1\malwar~1\mbamgui.exe
    C:\progra~1\malwar~2\mbamgui.exe
    C:\progra~1\malwar~3\mbamgui.exe
    C:\progra~2\malwar~1\mbamgui.exe
    C:\progra~2\malwar~2\mbamgui.exe
    C:\progra~2\malwar~3\mbamgui.exe
    
    C:\progra~1\malwar~1\mbamapi.exe
    C:\progra~1\malwar~2\mbamapi.exe
    C:\progra~1\malwar~3\mbamapi.exe
    C:\progra~2\malwar~1\mbamapi.exe
    C:\progra~2\malwar~2\mbamapi.exe
    C:\progra~2\malwar~3\mbamapi.exe
    
    C:\progra~1\malwar~1\mbamhelper.exe
    C:\progra~1\malwar~2\mbamhelper.exe
    C:\progra~1\malwar~3\mbamhelper.exe
    C:\progra~2\malwar~1\mbamhelper.exe
    C:\progra~2\malwar~2\mbamhelper.exe
    C:\progra~2\malwar~3\mbamhelper.exe
    
    C:\progra~1\malwar~1\mbampt.exe
    C:\progra~1\malwar~2\mbampt.exe
    C:\progra~1\malwar~3\mbampt.exe
    C:\progra~2\malwar~1\mbampt.exe
    C:\progra~2\malwar~2\mbampt.exe
    C:\progra~2\malwar~3\mbampt.exe
    
    C:\progra~1\malwar~1\mbamscheduler.exe
    C:\progra~1\malwar~2\mbamscheduler.exe
    C:\progra~1\malwar~3\mbamscheduler.exe
    C:\progra~2\malwar~1\mbamscheduler.exe
    C:\progra~2\malwar~2\mbamscheduler.exe
    C:\progra~2\malwar~3\mbamscheduler.exe
    
    C:\progra~1\malwar~1\mbamservice.exe
    C:\progra~1\malwar~2\mbamservice.exe
    C:\progra~1\malwar~3\mbamservice.exe
    C:\progra~2\malwar~1\mbamservice.exe
    C:\progra~2\malwar~2\mbamservice.exe
    C:\progra~2\malwar~3\mbamservice.exe
    
    C:\progra~1\malwar~1\SCComm.exe
    C:\progra~1\malwar~2\SCComm.exe
    C:\progra~1\malwar~3\SCComm.exe
    C:\progra~2\malwar~1\SCComm.exe
    C:\progra~2\malwar~2\SCComm.exe
    C:\progra~2\malwar~3\SCComm.exe
    
    C:\progra~1\malwar~1\mbae.exe
    C:\progra~1\malwar~2\mbae.exe
    C:\progra~1\malwar~3\mbae.exe
    C:\progra~2\malwar~1\mbae.exe
    C:\progra~2\malwar~2\mbae.exe
    C:\progra~2\malwar~3\mbae.exe
    
    C:\progra~1\malwar~1\mbae64.exe
    C:\progra~1\malwar~2\mbae64.exe
    C:\progra~1\malwar~3\mbae64.exe
    C:\progra~2\malwar~1\mbae64.exe
    C:\progra~2\malwar~2\mbae64.exe
    C:\progra~2\malwar~3\mbae64.exe
    
    C:\progra~1\malwar~1\mbae-cli.exe
    C:\progra~1\malwar~2\mbae-cli.exe
    C:\progra~1\malwar~3\mbae-cli.exe
    C:\progra~2\malwar~1\mbae-cli.exe
    C:\progra~2\malwar~2\mbae-cli.exe
    C:\progra~2\malwar~3\mbae-cli.exe
    
    C:\progra~1\malwar~1\mbae-svc.exe
    C:\progra~1\malwar~2\mbae-svc.exe
    C:\progra~1\malwar~3\mbae-svc.exe
    C:\progra~2\malwar~1\mbae-svc.exe
    C:\progra~2\malwar~2\mbae-svc.exe
    C:\progra~2\malwar~3\mbae-svc.exe
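An added audit script (not djacobson's own, and not part of the Malwarebytes product) to check the scheme above on one machine: part 1 lists every folder under both Program Files roots whose long name starts with "Malwarebytes" and the 8.3 name NTFS actually assigned it, part 2 tests which of the listed exclusion entries resolve to a real file. It assumes 8.3 name creation was enabled when the folders were created and uses the Scripting.FileSystemObject COM object, which is present on every supported Windows version.

```powershell
# Added example, not from the original post: audit the malwar~1..3 exclusion scheme.
# Assumes NTFS 8.3 short name creation was on when the Malwarebytes folders were created.
$fso   = New-Object -ComObject Scripting.FileSystemObject
$roots = @('C:\progra~1', 'C:\progra~2')       # Program Files and Program Files (x86)
$exes  = @('mbam.exe','mbamdor.exe','mbamgui.exe','mbamapi.exe','mbamhelper.exe',
           'mbampt.exe','mbamscheduler.exe','mbamservice.exe','SCComm.exe',
           'mbae.exe','mbae64.exe','mbae-cli.exe','mbae-svc.exe')
$known = @('MALWAR~1','MALWAR~2','MALWAR~3')   # the short names the exclusion list covers

# Part 1: which long folder is behind which short name on this machine
$folders = foreach ($root in $roots) {
    if (-not $fso.FolderExists($root)) { continue }
    foreach ($sub in $fso.GetFolder($root).SubFolders) {
        if ($sub.Name -notlike 'Malwarebytes*') { continue }
        $shortLeaf = Split-Path $sub.ShortPath -Leaf
        [pscustomobject]@{
            LongPath      = $sub.Path
            ShortPath     = $sub.ShortPath
            HasShortName  = ($sub.ShortPath -ne $sub.Path)   # equal when 8.3 creation is disabled
            CoveredByList = ($shortLeaf -in $known)          # malwar~4 and up are not in the list
        }
    }
}
$folders | Format-Table -AutoSize
$folders | Where-Object { -not $_.HasShortName -or -not $_.CoveredByList } |
    ForEach-Object { Write-Warning "Not covered by the malwar~1..3 scheme: $($_.LongPath)" }

# Part 2: which exclusion entries are live, i.e. point at a file that exists here.
# Entries that are absent are harmless; what matters is that the real install
# location of each executable shows up as at least one live entry.
$live = foreach ($root in $roots) {
    foreach ($n in 1..3) {
        foreach ($exe in $exes) {
            $entry = "$root\malwar~$n\$exe"
            if ($fso.FileExists($entry)) {
                [pscustomobject]@{ Exclusion = $entry; ResolvesTo = $fso.GetFile($entry).Path }
            }
        }
    }
}
$live | Format-Table -AutoSize
```

Run it in an elevated PowerShell on the endpoint; a warning from part 1 means the short-name scheme cannot cover that folder and the long path (or a different short name) must be used instead.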


  5. I'll also add that when I tested that tool before, I got 3 out of 5 when I ran it. It won't get 5 out of 5 due to a web test which I'll explain below. Make sure to read the logs of the RanSim tool, as the Anti-Ransomware product will kill all the processes but sometimes the RanSim UI still shows "vulnerable". The web test, the StrongCryptorNet scenario, has fake web traffic meant to simulate ransomware reaching out for the private key, but it sends the traffic to 127.0.0.1. Because the loopback address is not an unsafe IP, the Anti-Malware product's web block will not engage. If it had been a real malicious IP, the traffic would be blocked if they had Anti-Malware. This tester is not realistic enough to provoke shot-for-shot accuracy in the reaction of Malwarebytes software.

  6. Hi Werner, you can do a clean reinstall or you can change the key in the registry.

    Registry Script:

    rem Replace XXXXX-XXXXX and XXXX-XXXX-XXXX-XXXX with your own ID and Key before running.
    rem On 64-bit Windows (where "Program Files (x86)" exists) the product's keys live under Wow6432Node.
    if exist "%programfiles(x86)%" reg add "HKLM\SOFTWARE\Wow6432Node\Malwarebytes' Anti-Malware" /v "ID" /d XXXXX-XXXXX /f>nul 2>&1
    if exist "%programfiles(x86)%" reg add "HKLM\SOFTWARE\Wow6432Node\Malwarebytes' Anti-Malware" /v "Key" /d XXXX-XXXX-XXXX-XXXX /f>nul 2>&1
    rem On 32-bit Windows the keys live directly under HKLM\SOFTWARE.
    if not exist "%programfiles(x86)%" reg add "HKLM\SOFTWARE\Malwarebytes' Anti-Malware" /v "ID" /d XXXXX-XXXXX /f>nul 2>&1
    if not exist "%programfiles(x86)%" reg add "HKLM\SOFTWARE\Malwarebytes' Anti-Malware" /v "Key" /d XXXX-XXXX-XXXX-XXXX /f>nul 2>&1

    Clean Reinstall:

    1. Download this tool - mb-clean-business.zip
    2. Restart then reinstall Anti-Malware and you'll again have the chance to put in the key.
  7. The groups the clients are held in within the console are determined by a file on the endpoint: a group GUID in that file tells the client where it belongs. As long as this file doesn't change, the client will report right back to where it was before once the upgrade is complete.

    The file is C:\ProgramData\sccomm\sccomm.xml on the endpoint.

  8. I have done nothing to your thread or post except to answer you. If you check your Inno Setup log area in Windows, you are sure to find the installation logs identifying the exact failure, which is highly likely to be 1603. The Labtech message is not at all verbose about what's actually happening. If you would like to have a case elevated to the development team, you will need to open a support ticket at corporate-support@malwarebytes.com; otherwise all support requests for partner applications must be done through that partner.

  9. .Net 3.5 is not a requirement for the operation of standalone Anti-Malware or Anti-Exploit. It is, however, a requirement for the communication of the modified managed versions in use by MSPs like Labtech and our own Management Console software.

    Our managed client offline packages created by our console will install the prerequisites as needed, although for Win 8 and above, .Net 3.5 is already installed and disabled by default and the install will fail. The error code is usually 1603, which in this context means the failure was caused by the software already being installed. Our installer cannot correct for this condition. You will instead need to enable .Net 3.5 in Windows Features. If you stripped this out of your desktop image, you'll need DISM to re-install it.

    The Labtech plugin installer we provide only installs the installation files to your Labtech server. Deployment via the Labtech server is dependent on Labtech's chosen engine; we are not at liberty to change their installer.

  10. This is the same for our product offerings as well: our standalone and managed solutions need to have Anti-Malware uninstalled and then redeployed if you are pushing with a third-party tool (GPO, PDQ, SCCM and so on). The Labtech version is built on the standalone version of the product and follows those same requirements.

    This is not a solution that can be baked into the plugin installer. The plugin we make for Labtech is made to install Malwarebytes installation files to the Labtech console. The deployment of Malwarebytes from the Labtech console to the client machine(s) is up to the deployment engine that Labtech uses within their solution.

    Independent upgrade ability is something that may be brought into next-gen versions of Anti-Malware.

  11. Yes, it is possible; you'll need to perform a new push out to those clients to replace their connection information. This push is exactly like the very first install or client upgrade installs: you do it over the top of the existing deployment.

    If you restored the crashed console server's SQL to this new server, there are a few places you'll need to check to make sure the old connection info isn't still being sent out. Go to Start > All Programs > Malwarebytes Management Server > Server Configuration and re-input the server connection info. Then head over to C:\Program Files (x86)\Malwarebytes Management Server\PackageTemplate, open sccomm.xml and make sure the server info is correct there. Afterwards, perform your new push and the clients should start to check in.
