djacobson

Staff
Posts posted by djacobson


  1. Hello, if you mean for the alternate update location, this feature is kind of unruly and not easy to manage. These signature changes happen 6-18+ times a day. You must do this manually each time you wish to create this offline update location.

    You'll first need to visit this link - http://data-cdn.mbamupdates.com/v1/database/rules/version.chk - copy the signature version number and paste it into a notepad and name it version.chk. That will give you the version for that moment and have you create the version.chk file the program will need.

    Copy and paste these URLs into a different notepad...

    http://data-cdn.mbamupdates.com/v1/database/rules/data/rules.vYYYY.MM.DD.ver.ref
    http://data-cdn.mbamupdates.com/v1/database/rules/data/rules.vYYYY.MM.DD.ver.ref.yaml

    Edit out the vYYYY.MM.DD.ver and replace it with the signature version number you copied earlier. For today 11/22/2016, 9:56am Pacific, the signature is v2016.11.22.09, so the links would be edited to...

    http://data-cdn.mbamupdates.com/v1/database/rules/data/rules.v2016.11.22.09.ref
    http://data-cdn.mbamupdates.com/v1/database/rules/data/rules.v2016.11.22.09.ref.yaml

    Navigate to these links; they will invoke a download. Save the rules.v2016.11.22.09.ref and rules.v2016.11.22.09.ref.yaml files to a folder named "data" (must be named data!), then place the data folder and the version.chk together in your alternate location. Note this example has the required data folder under a directory also named data; this is not necessary. The root can be named anything you want as long as the .ref and .ref.yaml are in a folder named data placed next to version.chk.

    [Attachment: offline location folder.JPG]

    This shared alternate location requires that "everyone" has permission to this location. If the shared folder has been set up correctly and specified in the policy to download from it, then you should see in the client log (%ProgramData%\sccomm\sccomm.log) that the client pulled the signature update from the location that was specified in the policy.

    [Attachment: offline location.JPG]

    If the share was not set up correctly, you will see errors in the log. In this case, the .ref and .ref.yaml files were placed inside the shared folder without being in the data folder, therefore the MEE Client could not find the database files.

    [Attachment: offline location II.JPG]

    I hope that helps!
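    The manual steps above (read version.chk, build the two rule URLs, save both files into a data folder next to version.chk) as a script, with a layout check that catches the mistake shown in the last log screenshot before the client ever sees the share. This is an added example, not Malwarebytes' own tooling; it assumes version.chk holds a version of the form v2016.11.22.09 and the folder layout exactly as described in the post.

```python
"""Offline signature-update folder builder and layout checker (added example)."""
import re
from pathlib import Path
from urllib.request import urlopen

BASE = "http://data-cdn.mbamupdates.com/v1/database/rules"
VERSION_RE = re.compile(r"^v\d{4}\.\d{2}\.\d{2}\.\d{2}$")  # assumed format, e.g. v2016.11.22.09


def build_rule_urls(version):
    """Return the .ref and .ref.yaml URLs for one signature version."""
    version = version.strip()
    if not VERSION_RE.match(version):
        raise ValueError(f"unexpected signature version: {version!r}")
    return [f"{BASE}/data/rules.{version}.ref", f"{BASE}/data/rules.{version}.ref.yaml"]


def validate_offline_location(root):
    """Check the layout the client expects: version.chk next to a 'data' folder that
    holds rules.<version>.ref and rules.<version>.ref.yaml. Returns a list of problems."""
    root = Path(root)
    chk = root / "version.chk"
    if not chk.is_file():
        return [f"missing {chk}"]
    names = [url.rsplit("/", 1)[1] for url in build_rule_urls(chk.read_text())]
    data = root / "data"
    problems = [] if data.is_dir() else ["no 'data' folder next to version.chk"]
    for name in names:
        if (data / name).is_file():
            continue  # this is where the client looks for it
        misplaced = (root / name).is_file()  # the mistake from the log screenshot
        problems.append(f"{name}: " + ("in the root instead of 'data'" if misplaced else "not found"))
    return problems


def download_rules(root, version):
    """Fetch the rule files for `version` into root/data and write version.chk (needs network)."""
    root = Path(root)
    (root / "data").mkdir(parents=True, exist_ok=True)
    for url in build_rule_urls(version):
        with urlopen(url) as resp:
            (root / "data" / url.rsplit("/", 1)[1]).write_bytes(resp.read())
    (root / "version.chk").write_text(version.strip())


if __name__ == "__main__":
    # Same order as the manual procedure: read the current version, then fetch both files.
    with urlopen(f"{BASE}/version.chk") as resp:
        current = resp.read().decode("utf-8").strip()
    download_rules("offline_updates", current)
    print(validate_offline_location("offline_updates") or "layout OK")
```

    Run it again each time you want to refresh the share; the signature version changes many times a day, so the check is worth repeating after every copy.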


  2. Quote

    Is there an integrated upgrade engine / mechanism in the Management Console to address the Managed Client Version and Anti-Malware Version mismatches? How do I go about deploying the latest version of the Management Client to my clients? 

    Hi PhillyPhotog, I understand what you want to do, but the Console isn't written in this way; it cannot be done automatically. To upgrade the Managed Client communicator and Anti-Malware build on an endpoint you must push a new install to them. This will upgrade the build over the top of the existing install. If you go third party, like GPO or SCCM, then the existing software must first be removed, the machine rebooted, and then the install of the new version completed. This push install upgrade in the Console to upgrade the endpoint is step 7 of our upgrade instruction KB - https://support.malwarebytes.com/customer/en/portal/articles/1835539-how-do-i-upgrade-to-the-latest-version-of-the-malwarebytes-management-console-?b_id=6520


    Quote

    Does the installed version of the management client have any impact on the speed of updates or effectiveness of the scanning engine? (any impact to the safety of my clients)

    Yes, for the scanning engine and the communicator.

    The difference between 1.75.0.1300 and 1.80.2.1012 is pretty vast. First upgrade in over two years to the business build. There are numerous feature differences between the two versions, which is what AdvancedSetup had listed.

    The biggest problem with version mismatch is the Managed Client communicator. There are newer policy / instruction settings contained in your Console 1.7.0.3208 than your outdated Managed Client communicator 1.4.1 and 1.6.1 versions will be able to process. This can result in machines that do not respond to scan or update commands; they may show as unregistered or offline, fail to submit logs and so on. The Managed Client version must always match your Console version.



  3. The update is "November, 2016 Security Monthly Quality Rollup for Windows 7 and Windows Server 2008 R2 for x64-based Systems (KB3197868)" - https://support.microsoft.com/en-us/kb/3197868

    You can get a clean example of the kernel32.dll file by downloading a standalone version package of the update and expanding from the cab - http://catalog.update.microsoft.com/v7/site/search.aspx?q=3197868

    [Attachment: 3197868 file information.csv]


  4. We're doing everything we can right now. Ultimately this is on Microsoft for not digitally signing their own file (you can confirm by checking the certificate properties of a file still on the system), which activated Malwarebytes' protections; it was meant to protect you from files like this.

    We're trying to figure out to which pending update KB this kernel.dll file is related; it may be possible to save the system by killing that update so that the system will not need to switch over to the Windows side by side holding version of kernel.dll as it restarts.


  5. A reversal to the signature selecting Delete on Reboot is unfortunately not possible. A reboot will be required before a Delete on Reboot item may be restored. You must prepare your system before the restart takes place.

    Place good copies of the detected files in your C:\ root. Do not place them into the folders they belong in just yet; the reboot delete action will just remove them. You will then need to boot into recovery to place them back into their respective folder locations. You can make a script to do this as the folder name is quite long and easy to mess up.


  6. We're still trying to get to everyone. We will be checking into this forum post as often as we can between tickets and calls as the day goes on.

    Those with machines that haven't rebooted, restore the object. To prevent an auto-reboot on a detected object from occurring in the future, uncheck the scan option "Restart the computer if required for threat removal" in Policy \ Scheduler \ Edit or Add a scan. This will not change an object being marked as Delete-On-Reboot (that is decided in the signature) but it will prevent Malwarebytes from triggering a reboot.

    These files are being hit because they are unsigned from Microsoft. For those with machines that boot loop / blue screen, we're still trying to come up with the most successful way to get the machines back up.


  7. Hi labrojri. Just to let you know, the managed version comes with a free SQL Express install for smaller deployments, don't be afraid to use this version if you want it :) It just gives you a central place to install, scan machines and act on infection results.

    Otherwise, if you are licensed for Anti-Malware and Anti-Exploit then mbam-setup and mbae-setup are your installers.

    MBAR is a standalone tool freely available for everyone; it is meant to scan for rootkits. This is not an everyday sort of scan, only to be used if you suspect a rootkit on the endpoint.

    MBARW is a newly released product having a soft launch right now, you are free to install if you'd like; to help better stay safe from ransomware, I would definitely leverage this product in the environment.

    Check out these videos from our KB area for how to install the standalone unmanaged products...

    Anti-Malware:
    https://support.malwarebytes.com/customer/portal/articles/2504216?b_id=6442

    Anti-Exploit:
    https://support.malwarebytes.com/customer/en/portal/articles/2502440?b_id=6443


  8. That is much too large for embedded. We'd need to review how many machines you have deployed and if your policy is set up properly to deal with infections. If you take no action on certain items you can blow your database out pretty quickly with repeated detections that are not being removed. Create a ticket by emailing corporate-support@malwarebytes.com and I'll pick it up out of the queue there to continue working with you.


  9. Hello PhillyPhotog. 

    Server / client communication is controlled by MEEClientService, its process is C:\Program Files (x86)\Malwarebytes' Managed Client\sccomm.exe. This must be running for the endpoint to be manageable.
    MBAMScheduler runs the scheduled updates and scans. These scheduled tasks will not run if this service is not running.
    MBAMService runs the realtime web and malicious file blocker. This must be running if you want the real time protection features to work.

    If you have Managed Client, Anti-Malware and Anti-Exploit installed on an endpoint, this is what should be running.

    Services:
    MbaeSvc; C:\Program Files\Malwarebytes Anti-Exploit\mbae-svc.exe
    MBAMScheduler; C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
    MBAMService; C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    MEEClientService / SCCommService; C:\Program Files\Malwarebytes' Managed Client\SCComm.exe

    Drivers:
    ESProtectionDriver; C:\Program Files\Malwarebytes Anti-Exploit\mbae.sys
    MBAMProtector; C:\Windows\system32\drivers\mbam.sys
    MBAMSwissArmy; C:\Windows\system32\drivers\mbamswissarmy.sys


  10. Hello Neng. MBAM agent 1.80.x is indiscriminate when it comes to any registry modifications. It will hit on your legit GPO enforcements. You can add your GPO registry key to Policy → Ignore list, replacing the account SIDs with the * wildcard. Note that only console and client communicator version 1.6.1.2897 and above, with Anti-Malware version 1.80.1.1011 and above, support this wildcard in the middle of a string, and only for registry keys.

    You can utilize this website for finding registry keys associated with the GPO - http://gpsearch.azurewebsites.net/#4842

    You can also utilize this list I made of all the GPO changes I’ve seen get tagged as PUM so far: 
    hku\*\software\microsoft\windows\currentversion\policies\explorer|NoStartMenuMorePrograms
    hku\*\software\microsoft\windows\currentversion\policies\explorer|NoSetFolders
    hku\*\software\microsoft\windows\currentversion\policies\explorer|NoFind
    hku\*\software\microsoft\windows\currentversion\policies\explorer|NoSMHelp
    hku\*\software\microsoft\windows\currentversion\policies\explorer|NoRun
    hku\*\software\microsoft\windows\currentversion\policies\explorer|NoViewContextMenu
    hku\*\software\microsoft\windows\currentversion\policies\explorer|NoToolbarCustomize
    hku\*\software\microsoft\windows\currentversion\policies\explorer|NoPropertiesMyComputer
    hku\*\software\microsoft\windows\currentversion\policies\explorer|NoDrives
    hku\*\software\microsoft\windows\currentversion\policies\explorer|ForceActiveDesktopOn
    hku\*\software\microsoft\windows\currentversion\policies\system|DisableRegistryTools
    hku\*\software\microsoft\windows\currentversion\policies\system|NoDispCPL
    hku\*\software\microsoft\windows\currentversion\policies\system|NoDispBackgroundPage
    hku\*\software\microsoft\windows\currentversion\policies\system|NoDispAppearancePage
    hku\*\software\microsoft\windows\currentversion\policies\system|NoDispScrSavPage
    hku\*\software\policies\microsoft\internet explorer\control panel|ConnectionsTab
    hku\*\software\policies\microsoft\internet explorer\control panel|HomePage
    hku\*\software\policies\microsoft\windows\system|DisableCMD



  11. Hello, to clean up your environment you can utilize whichever one of these cleaner tools fits your requirements. Note that these cleaners are only meant to remove the consumer and standalone version of Malwarebytes; they will not fully remove a server managed version. The machine must also be rebooted before reinstalling another version of Malwarebytes after cleaning off the old install.

    MBAM Clean EXE, CLI switches supported: /silent and /silentnoreboot - http://downloads.malwarebytes.org/file/mbam_clean
    MBAM Clean MSI silent, forced reboot - https://malwarebytes.box.com/s/pj5n4vtjts4mxvbr2y8kwve9c2kdg20d
    MBAM Clean MSI not silent, no forced reboot - https://malwarebytes.box.com/s/p4beib3s4ylwozd9co19o43qt48e7jex
