djacobson

Staff
Posts posted by djacobson


  1. Hi Leobando, unfortunately, mapped drive letters and UNC paths are not supported by the console ignore list. We can accomplish an ignore in a different way; however, I would need an example of the software that is getting hit as a detection. If you do not wish to share this publicly, PM me and I will get a support ticket started for you.


  2. Hi Gromitdog, the console already supports non-AD environments but it does require Windows server OS. It can be used with normal workgroups. There are no plans to support Linux at this time.

    You would need to enable the built-in local Windows Administrator account on the clients, give it a password and use that as the deployment credentials. NetBIOS name services are required if you wish to use the built-in client push tool, as this tool is built on NetBIOS. If you do not wish to enable netbios-ns, you can create an installation package in Policy \ Installation Package and deploy the MSI or EXE you create through whatever third-party installer tool you wish.


  3. In 2014, when this post was started, no server OS was supported by the client software. However, that has changed with newer releases. Certain server OSes are now supported by the agent software:

    • Windows Server 2012/2012 R2
    • Windows Small Business Server 2011
    • Windows Server 2008/2008 R2
    • Windows Server 2003 (32-bit only)

    However, there are some environment roles which are unsupported. Do not install Anti-Malware to a server which runs:

    • Terminal Services (TS) / Remote Desktop Services (RDS)
    • Virtual Desktop Infrastructure (VDI)
    • Windows Storage Server
    • Server Core
    • Citrix XenDesktop
    • Citrix XenApp
    • VMware View
    • VMware VShield


    Now, as far as the file share connections, it is a known issue that the web blocker real time can interfere with connections to shared drives and applications running from shared drives, depending upon the permissions set on those shares. Unfortunately this is not easy to solve, as UNC paths are not supported in the ignore list on Anti-Malware's architecture. We instead have two workarounds: disabling the ABE (Access-Based Enumeration) settings on the server hosting the share (must be a Windows server; Unix/Linux servers do not have this setting), or creating an AD computer group with the machines having the issue assigned to that group, then giving that group rights over the shares. To troubleshoot your issue more fully, please email our business support team at corporate-support@malwarebytes.com


  4. 59 minutes ago, Saidin said:

    Any other updates about this issue?

    We are currently at an impasse until more data is gathered. What is needed to troubleshoot is...

    1.) A machine that can reliably lockup.

    2.) This machine must also be able to recover from the lockup on its own with time. If the machine must be hard reset, we will not be able to use any tools to record processes while the lockup is happening.

    If you have a machine that meets these criteria, PM me and I will send you the tool and instructions.


  5. What other security software do you have in place? If your service keeps being interrupted, the causes are usually from it being stopped by other security software and sometimes Windows updates. You may want to start by adding the communicator process associated with the service to the exception list of your other software. The process is C:\Program Files (x86)\Malwarebytes' Managed Client\SCComm.exe.

    If this does not work, I would need to have you run some tools to gather log info from a machine. These log sets will contain information about the system that I am sure you would not want publicly available. In that instance, please email corporate-support@malwarebytes.com to open a case where we can work with you privately.


  6. We cannot recommend that URL because that won't be the same for everyone. That extra one you had to do is going to be based on whichever CDN you are resolving to in your proximity. It is also dependent on your hardware appliance or software firewall's config and whether you are using SSL inspection or not on that firewall. Our product expects the SSL packet to be a certain way; if your firewall is changing anything about it, the software will reject the received packet. You can see these SSL connection resets in Wireshark while following the TCP stream.

    Basically, if the external access URLs do not work right away, it is because your particular network appliance/app needs extra configuration, on which we cannot advise, as each product will have different options/features and will handle the SSL in different ways. For anyone else that comes across this thread while searching the same issue, I would recommend consulting your product vendor to see how they would suggest you perform the whitelist and any possible extra settings needed.


  7. The supported OS list is in your Management Console 1.7 Administrator Guide.pdf.

    On the site it is here - https://www.malwarebytes.com/business/endpointsecurity/ - scroll down to tech specs and open the piece of software you wish to see.

    On the support portal it is here - https://support.malwarebytes.com/customer/en/portal/articles/1835541-what-are-the-system-requirements-for-the-malwarebytes-management-server-console-and-client-?b_id=6401

    The unsupported roles list is from our engineering team.


  8. Server OS is already supported by the current business agent software, Managed Client Communicator 1.7.0.3208 (should always match console version), Anti-Malware 1.80.2.1012 and Anti-Exploit 1.09.2.1261:

    • Windows Server 2012/2012 R2
    • Windows Small Business Server 2011
    • Windows Server 2008/2008 R2
    • Windows Server 2003 (32-bit only)

    However, there are some environment roles which are unsupported. Do not install Anti-Malware to a server which runs:

    • Terminal Services (TS) / Remote Desktop Services (RDS)
    • Virtual Desktop Infrastructure (VDI)
    • Windows Storage Server
    • Server Core
    • Citrix XenDesktop
    • Citrix XenApp
    • VMware View
    • VMware VShield



  9. You can utilize silent or limited user modes in your policy if you wish to restrict user access to the program.

    Standard mode: Users have full access to start, pause or stop Malwarebytes and its services.

    Limited user mode: Users will still have a system tray icon and will be able to initiate scans but will not be able to turn off the protections.

    Silent user mode: Disables the system tray icon and all access to the services.

    A restart needs to take place in order to switch these modes from one to the other.


  10. Hello again. To see today's signature you can use this link - http://data-cdn.mbamupdates.com/v1/database/rules/version.chk - it will show you the current sig at that moment. If your machines are not updating, whitelist the following URLs on any content filters, proxies, firewalls etc. so your machines have access to the update CDN network.

    https://data.service.malwarebytes.org
    Port 443 outbound

    https://data-cdn.mbamupdates.com
    Port 443 outbound

    https://keystone.mwbsys.com
    Port 443 outbound
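    An added example, not part of the original post: a read-only PowerShell check an admin can run from an endpoint that is "not updating" to tell a firewall or proxy block from a client-side problem. It uses only the three hosts and the version.chk URL quoted in the post; the output format and the 15-second timeout are my own choices.

```powershell
# Added example (not from the original post): confirm the update CDN hosts listed in the post
# are reachable on TCP 443 and fetch the signature version the CDN currently serves.
# Hosts and URL are the ones quoted in the post; nothing else is assumed.

$cdnHosts = 'data.service.malwarebytes.org', 'data-cdn.mbamupdates.com', 'keystone.mwbsys.com'
$versionUrl = 'http://data-cdn.mbamupdates.com/v1/database/rules/version.chk'

foreach ($h in $cdnHosts) {
    # TcpTestSucceeded is $false when a content filter, proxy or firewall drops the connection;
    # RemoteAddress shows which CDN node this machine resolved, which differs by location.
    $r = Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue
    $state = if ($r.TcpTestSucceeded) { 'open' } else { 'BLOCKED' }
    Write-Host ("{0,-32} tcp/443 {1,-8} resolved to {2}" -f $h, $state, $r.RemoteAddress)
}

# Pull the signature version the CDN currently serves (plain HTTP, as in the post's link) and
# compare it with the version the console reports for the machine that is not updating.
try {
    $resp = Invoke-WebRequest -Uri $versionUrl -UseBasicParsing -TimeoutSec 15
    Write-Host "version.chk returned: $($resp.Content.Trim())"
} catch {
    # A proxy that rewrites or blocks the request surfaces here rather than as a clean response.
    Write-Host "Could not fetch version.chk: $($_.Exception.Message)"
}
```

    A host marked BLOCKED while the others are open points at the whitelist on the filtering device rather than at the agent.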


  11. It would be best to have the remove and quarantine setting on. It is the auto restart on threat removal that I would be wary about having on, as 1, it doesn't provide a user with a warning of the impending reboot, and 2, it's just going to restart out of nowhere.

    If there is another similar false positive in the future, you can recover easily if remove and quar is on and auto reboot is off. It is always possible to undo either the unsigned update that caused the FP or restore the item detected as long as the reboot hasn't yet happened. Those that had the machines reboot are the ones that suffered from the boot loop as the driver Windows was expecting to switch over to during the reboot after Windows updates no longer existed.


  12. Hi Alkodist, those web block entries seem like someone browsing on their machine, whatever website it may be looks to have a malicious ad loading on the page. If you are scanning your environment and not getting any infection hits, that makes the malicious ad scenario more likely. Feel free to click on the virustotal links I'm posting to see the research, I'm putting the bad domain names in a code box so that they will not be clickable. The IP 103.21.210.76 points to a domain called...

    https://www.virustotal.com/en/ip-address/103.21.210.76/information/

    ns1.gchao.com

    ns1.gchao has a few sibling domains, the interesting ones are called...

    https://www.virustotal.com/en/domain/down.gchao.com/information/

    down.gchao.com

    ...and another called...

    https://www.virustotal.com/en/domain/disk.gchao.com/information/

    disk.gchao.com

    These down.gchao and disk.gchao domains are showing hits that they are hosting malicious content. This one is not a false positive but you can rest assured that Anti-Malware's real time web blocker is doing its job :)

    Are these web block results blowing up your email alerts? I can help you with some settings so that the actions are more silent if it is bugging you.



  13. Hey Bill, thanks for reaching out to us about your problem, I'm more than happy to help get you fixed up and get you back to having that peace of mind. For logs submission, we'd only really need a set from one machine with the issue, you don't need to do a bunch of redundant work. Some quick questions; do you use logon scripts to assign drive shares or start up applications for the users which run from a shared drive? Do you use Dell KACE on the workstations? Do you have any add-ons for Outlook, if so what are they? Is there any other security software in use on the machines, if so which vendor, program version and definition are they on?


  14. Hey everyone, I'm sorry for the dead air this past week. I had been visiting family for Christmas break. The hits just keep on coming with this issue. I've read up on the latest posts, all you guys have been awesome with your research and updates for us, thank you. Anthony, nd1818 and Bryan; you guys bring up some great points in your questions, I'll explore those when I'm back in the office this coming week.

    oreonutz, this issue does affect home users on the consumer builds, I apologize you had to find that piece out alone. I should've brought that up sooner to warn those who support a mix of client types. Our consumer team had been receiving some tickets regarding the issue at the same time it blew up on the business side. It's not as prevalent but it is happening.

    We will do our best to get this solved for you guys, I know it's taken some time. Those of you who have machines which can reliably reproduce the issue, please PM me. I'll get you set up with some tools and steps for deeper investigation to help us get this figured out.


  15. The behavior you are seeing is a new issue, but is happening "by design". Check those machines for certain Windows update KB numbers. These recent updates have restricted using NetBIOS across subnets (and within the same subnet if the server also has the update installed), so these machines will not show up. Our push tool uses NetBIOS name services; the issue cannot be replicated by pinging the target machine, and so ping is not a good test to confirm NetBIOS connections.

    The updates in question which block NetBIOS across subnets are KB3161949, KB3163017 and KB3163018. There are four options available:

    1. Modify (if existing) or create the registry key HKLM\SYSTEM\CurrentControlSet\Services\NetBT | AllowNBToInternet, a 32-bit DWORD with a value of 1.
    2. You can also bypass this with a GPO to allow an exception for NetBIOS if you are using Windows Firewall (see attached image: KB GPO Workaround.jpg).
    3. Use an offline installer package created by the console in Policy -> Create Installation Package to install locally or through GPO/SCCM.
    4. Remove the updates from the server and the endpoint temporarily.
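    An added example, not part of the original post: a read-only PowerShell audit that tells an admin whether the restriction described above applies to a given machine before any of the four options is chosen. It assumes the AllowNBToInternet value lives under the NetBT\Parameters subkey, as Microsoft's KB3161949 article documents it (the post's path omits "Parameters"), and uses a placeholder target address that you replace with the endpoint the push tool cannot see.

```powershell
# Added example (not from the original post): audit one Windows machine for the NetBIOS
# cross-subnet restriction. Read-only: it changes no registry value and removes no update.
# Assumption: AllowNBToInternet is read from NetBT\Parameters, per Microsoft's KB3161949 article.

$kbs = 'KB3161949', 'KB3163017', 'KB3163018'

# 1. Which of the restricting updates are installed here?
$installed = Get-HotFix -ErrorAction SilentlyContinue |
    Where-Object { $kbs -contains $_.HotFixID } |
    Select-Object -ExpandProperty HotFixID
if ($installed) {
    Write-Host "Restricting updates present: $($installed -join ', ')"
} else {
    Write-Host "None of $($kbs -join ', ') is installed; the NetBIOS restriction does not apply on this machine."
}

# 2. Current state of the override value. Absent or 0 means NetBIOS stays blocked across subnets;
#    1 re-allows it, which relaxes the hardening those updates introduced.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'
$value = (Get-ItemProperty -Path $key -Name AllowNBToInternet -ErrorAction SilentlyContinue).AllowNBToInternet
if ($null -eq $value) {
    Write-Host "AllowNBToInternet is not set under $key"
} else {
    Write-Host "AllowNBToInternet = $value"
}

# 3. NetBIOS name-service check against the endpoint the push tool cannot list. ping proves only
#    ICMP reachability; nbtstat -A queries the remote NetBIOS name table by IP, which is the
#    service the push tool actually depends on.
$target = '192.0.2.10'   # placeholder (TEST-NET-1 documentation range), replace with your endpoint
$nbt = nbtstat -A $target 2>&1
if ($nbt -match 'Host not found') {
    Write-Host "No NetBIOS name table from $target; the client push tool will not see this machine."
} else {
    Write-Host "NetBIOS name table received from ${target}:"
    $nbt | Where-Object { $_ -match '<\w\w>' } | ForEach-Object { Write-Host "  $_" }
}
```

    A machine that has the updates installed, no override value, and "Host not found" from nbtstat is exactly the case the post describes; one that answers nbtstat but still does not appear in the push tool has a different problem.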



  16. Brainerdmobil has the Anti-Ransomware info correct; business users will remain on Anti-Malware 1.08, with Anti-Ransomware as a standalone tool. Additionally, I must mention servers in RDS roles are not supported.

    Certain server OSes are supported by the agent software:

    • Windows Server 2012/2012 R2
    • Windows Small Business Server 2011
    • Windows Server 2008/2008 R2
    • Windows Server 2003 (32-bit only)

    However, there are some environment roles which are unsupported. Do not install Anti-Malware to a server which runs:

    • Terminal Services (TS) / Remote Desktop Services (RDS)
    • Virtual Desktop Infrastructure (VDI)
    • Windows Storage Server
    • Server Core
    • Citrix XenDesktop
    • Citrix XenApp
    • VMware View
    • VMware VShield
