djacobson (Staff)

Posts posted by djacobson


  1. Malwarebytes is scheduled to update our cloud platform on October 18, 2018 at 8:00PM EST / 5:00PM PST. We anticipate less than 3 hours of downtime to complete this update. As a customer of this platform, we want to take a moment to familiarize you with the changes that are about to become available.

     

    With this latest update we’re proud to announce that we’ve enhanced administrators’ visibility and interaction throughout the cloud management console, providing additional insight. This makes it even easier for you to immediately respond to alerts and manage events. Malwarebytes Endpoint Protection and Response customers also benefit by seeing the exact behaviors and rule(s) which triggered a cloud sandbox detection.

     

    New Features

    • Malwarebytes cloud console now features endpoint status icons in the Manage Endpoints page. This allows administrators to take immediate action by clicking directly on the icons. You can see when an endpoint restart is needed, if remediation is required, or if any suspicious activity is detected on that endpoint (for Malwarebytes Endpoint Protection and Response).
      • Hovering over an icon provides additional info, and clicking on the icon presents specific actions you can take:
        (screenshot)
      • Endpoint status icons are also displayed when viewing the details of an individually selected endpoint:
        (screenshot)

      • This is the full list of endpoint status icons:
        (screenshot)

    Improvements

    • For Malwarebytes Endpoint Protection and Response only: Updated the Suspicious Activity Details page to display an expanded set of rules triggered when making cloud sandbox detections. This provides administrators with greater context of why a cloud sandbox detection was made on a suspicious file or process:
      (screenshot)
    • For Malwarebytes Endpoint Protection and Response only: Updated the Process Graph details pane. This allows administrators to click on Activities links and see specific file operation details, including File Rename, File Write, Set Security, Registry Set Value, Net Connect Inbound, and Net Connect Outbound activities:
      (screenshot)
    • For Malwarebytes Endpoint Protection and Response only: Granular Endpoint Isolation is now supported for Windows Server 2008 R2, Server 2012 R2, and Server 2016 allowing businesses to remotely isolate servers for further investigation

    • For Malwarebytes Endpoint Protection and Response only: Updated the Remove Endpoint Isolation notice to specify the endpoint name

    • Added capability for end users to enable/disable debug logging from the tray icon using ctrl + right click, and via command line

    • Fixed: For Malwarebytes Endpoint Protection and Response only – BSOD with SamSam ransomware variant on Windows 10 x86

    • Fixed: Not cleaning up all temp files in c:\Windows\Temp

    • Fixed: For Malwarebytes Endpoint Protection and Response only – Some suspicious activities viewed in Process Graph returned Error 500 and other general improvements needed

    • Fixed: For Malwarebytes Endpoint Protection for Mac only – Error appearing in logs: ERROR WebServiceStore: remove: request.guid=...

    • Fixed: For Malwarebytes Endpoint Protection and Response only – Yes button in the dialog box for Lock icon status indicator doesn’t work

    • Fixed: For Malwarebytes Endpoint Protection for Mac only – Endpoint Agent does not report update_package_version on fresh Endpoint Protection install

     

    Known Issues

    • Exclusions that have been entered with short file name paths such as “c:\progra~2\” are not being applied
    • Modal windows are showing an unnecessary scroll bar
    • For Malwarebytes Endpoint Protection and Response only: When a Remediation action succeeds but Rollback action fails, the Suspicious Activity status is stuck and displays “Pending Remediation”
    • For Malwarebytes Endpoint Protection for Mac only: Scan History tab does not get information populated if Threat Scan does not detect any threats
    • For Malwarebytes Endpoint Protection for Mac only: Timestamps in Scan History tab for macOS endpoints are in GMT, and not the web browser’s locale
    • All Malwarebytes scans will inspect archived files regardless of the policy setting
    • In some cases, when a reboot prompt is shown, the reboot timer may reset with a 1-minute countdown
    • When administrators reboot endpoints from the cloud console, if the initial reboot task has not completed, subsequent reboot commands are queued rather than replacing the initial reboot command (this would result in multiple reboots executing)
    • When administrator chooses “Restart Immediately” option in the Restart Options dialog, end users are still allowed to postpone the reboot even though the “Allow user to postpone” option is grayed out. Current workaround involves selecting the “Restart in ___ minutes” radio button, unchecking the “Allow user to postpone” checkbox, then select the “Restart Immediately” radio button and click the blue Restart button
    • Clicking on the Remediate button causes the Remediation Required indicator to lose its badge on hover and on click behavior— nothing happens on click (should give you the option to view details) and nothing happens on hover (should show "Remediation Pending"). This issue is resolved by refreshing the browser
    • Memory and storage objects in endpoint properties are not visible until the page is refreshed

     

    Our next cloud platform update is scheduled for November 2018.


  2. Don't forget the exe's :)

    Processes:
    C:\Program Files\Malwarebytes\Anti-Malware\mbampt.exe
    C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe
    C:\Program Files\Malwarebytes\Anti-Malware\mbamwsc.exe
    C:\Program Files\Malwarebytes Endpoint Agent\ConfigurationRecoveryTool.exe
    C:\Program Files\Malwarebytes Endpoint Agent\MBCloudEA.exe
    C:\Program Files\Malwarebytes Endpoint Agent\UserAgent\EACmd.exe
    C:\Program Files\Malwarebytes Endpoint Agent\UserAgent\Endpoint Agent Tray.exe

     

    Edit - Adding other drivers and folders

    Folders:
    C:\Users\*\AppData\Local\Malwarebytes
    C:\Program Files\Malwarebytes\Anti-Malware
    C:\Program Files\Malwarebytes Endpoint Agent
    C:\ProgramData\Malwarebytes Endpoint Agent
    C:\ProgramData\Malwarebytes\MBAMService
    C:\Program Files\Malwarebytes Endpoint Agent\Plugins\Incident Response

    Drivers:
    C:\Windows\system32\drivers\ESProtectionDriver.sys
    C:\Windows\system32\drivers\farflt.sys
    C:\Windows\system32\drivers\mbae.sys
    C:\Windows\system32\drivers\mbae64.sys
    C:\Windows\system32\drivers\mbam.sys
    C:\Windows\system32\drivers\MBAMChameleon.sys
    C:\Windows\system32\drivers\MBAMSwissArmy.sys
    C:\Windows\system32\drivers\mwac.sys

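Added example (not djacobson's code and not a Malwarebytes tool): a PowerShell script that takes the process, folder and driver list from the post above, checks which entries exist on the host, normalises any 8.3 short-name path (the "c:\progra~2\" style that the release notes in post 1 say is not applied as an exclusion) to its long form, and emits the result as third-party AV exclusions. Windows Defender's Add-MpPreference cmdlets are an assumed target; the other AV's own exclusion mechanism would be substituted. Run it without -Apply first, which only reports.

```powershell
<#
  Added example, not from the forum post or from Malwarebytes.
  Builds an exclusion plan from the listed paths, resolving 8.3 short names
  to long paths (short-name exclusions are reported as not applied), and
  optionally adds them as Windows Defender exclusions (assumed target AV).
#>
[CmdletBinding()]
param([switch]$Apply)   # without -Apply the script only reports

$Processes = @(
    'C:\Program Files\Malwarebytes\Anti-Malware\mbampt.exe',
    'C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe',
    'C:\Program Files\Malwarebytes\Anti-Malware\mbamwsc.exe',
    'C:\Program Files\Malwarebytes Endpoint Agent\ConfigurationRecoveryTool.exe',
    'C:\Program Files\Malwarebytes Endpoint Agent\MBCloudEA.exe',
    'C:\Program Files\Malwarebytes Endpoint Agent\UserAgent\EACmd.exe',
    'C:\Program Files\Malwarebytes Endpoint Agent\UserAgent\Endpoint Agent Tray.exe'
)
$Folders = @(
    'C:\Users\*\AppData\Local\Malwarebytes',
    'C:\Program Files\Malwarebytes\Anti-Malware',
    'C:\Program Files\Malwarebytes Endpoint Agent',
    'C:\ProgramData\Malwarebytes Endpoint Agent',
    'C:\ProgramData\Malwarebytes\MBAMService',
    'C:\Program Files\Malwarebytes Endpoint Agent\Plugins\Incident Response'
)
$Drivers = @(
    'C:\Windows\system32\drivers\ESProtectionDriver.sys',
    'C:\Windows\system32\drivers\farflt.sys',
    'C:\Windows\system32\drivers\mbae.sys',
    'C:\Windows\system32\drivers\mbae64.sys',
    'C:\Windows\system32\drivers\mbam.sys',
    'C:\Windows\system32\drivers\MBAMChameleon.sys',
    'C:\Windows\system32\drivers\MBAMSwissArmy.sys',
    'C:\Windows\system32\drivers\mwac.sys'
)

function Resolve-LongPath {
    # Convert an 8.3 short-name path (C:\progra~2\...) to its long form via the
    # Scripting.FileSystemObject, whose .Path property reports the long path for
    # an object opened by short name. Wildcard paths and paths that do not exist
    # on this host are returned unchanged.
    param([Parameter(Mandatory)][string]$Path)
    if ($Path -notmatch '~\d' -or $Path -match '[\*\?]') { return $Path }
    $fso = New-Object -ComObject Scripting.FileSystemObject
    if (Test-Path -LiteralPath $Path -PathType Container) { return $fso.GetFolder($Path).Path }
    if (Test-Path -LiteralPath $Path -PathType Leaf)      { return $fso.GetFile($Path).Path }
    return $Path
}

function Get-ExclusionPlan {
    # One row per exclusion: kind, whether the object exists here, and the
    # long-form path that should actually be handed to the AV.
    $rows = foreach ($p in $Processes) {
        [pscustomobject]@{ Kind = 'Process'; Present = (Test-Path -LiteralPath $p); Path = (Resolve-LongPath $p) }
    }
    $rows += foreach ($f in $Folders) {
        # Test-Path without -LiteralPath so the C:\Users\* entry matches any profile
        [pscustomobject]@{ Kind = 'Folder'; Present = (Test-Path $f); Path = (Resolve-LongPath $f) }
    }
    $rows += foreach ($d in $Drivers) {
        [pscustomobject]@{ Kind = 'Driver'; Present = (Test-Path -LiteralPath $d); Path = (Resolve-LongPath $d) }
    }
    return $rows
}

$plan = Get-ExclusionPlan
$plan | Sort-Object Kind, Path | Format-Table Kind, Present, Path -AutoSize | Out-String | Write-Host

$missing = @($plan | Where-Object { -not $_.Present })
if ($missing.Count) {
    # Expected on some hosts (e.g. the 32-bit mbae.sys on x64, or a plugin not yet
    # installed); the entries are still excluded so they apply once present.
    Write-Warning ("{0} listed object(s) not found on this host." -f $missing.Count)
}

if ($Apply) {
    # Process exclusions take the executable path; folders and driver files are path exclusions.
    Add-MpPreference -ExclusionProcess @($plan | Where-Object Kind -eq 'Process' | ForEach-Object Path)
    Add-MpPreference -ExclusionPath    @($plan | Where-Object Kind -ne 'Process' | ForEach-Object Path)
} else {
    Write-Host 'Dry run only; re-run with -Apply to add these as Windows Defender exclusions.'
}
```

The paths above are exactly the ones in the post; only the long-name normalisation and the Defender cmdlets are added. Excluding by long path rather than by "progra~2" style short name matters because, per the release notes in post 1, short-name exclusions are silently not applied.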

  3. Hi @Kernel009, it's all related to the scan type. Default for Hyper scans is memory and registry objects only. Threat scan is the OS drive; it looks in all the most common areas malware is found. For full scans you can select the Custom Scan type and use the option "Scan all local drives on endpoint", or use the scan path option to define specific ones. On-demand scans are always Threat scan types. If you are familiar with older versions of Anti-Malware; Hyper, Threat and Custom are the new versions of Flash, Quick and Full.


  4. Hi @TonyInSC, I don't mean Ghost as in the imaging software, I mean there was a thing when people had Symantec and some other AVs with roaming profiles, Remote Desktop Services, Terminal Service type of setup. MB would have detections of things that weren't really there, ghost detections. MB 1.75 and 1.80 do not scan your network drives in any scheduled scans; that can only be done locally with an on-demand scan run through the context menu option of right-clicking on the mapped drive letter. The issue with the ghost detections is with the local caching of the roaming profiles and other AV; this version of MB Anti-Malware does not support machines with roaming profiles or RDS/TS type roles. Anti-Malware's realtime web block can also interfere with applications running from mapped drives, though this is another issue completely.


  5. @gogi100, you'll need to run the MBEP, cloud based version, in order to get the Anti-Ransomware protection that can run on server OS. But remember, Anti-Ransomware cannot stop a process running from another computer. Even if you have it installed to a server, if an endpoint begins to encrypt a drive share, the server's Anti-Ransomware will not be able to stop the encryption since it is the endpoint performing the nefarious action. Protect your servers by protecting your endpoints and do not use servers to open email, unknown office docs or browse the web. 


  6. Thanks for posting that @Kalrand. The matrix is a nice little cheat sheet to help understand what realtime protections can be utilized.

    @mrmulti connecting via RDP will be ok. The restriction is around shared programs, services and profiles via RDS, which has trouble with the Anti-Ransomware side but is ok for the other protection items. The home premium is not meant for server operating systems, but even the business one shouldn't really have the web blocker on for servers running Exchange. 

    You can trial the Endpoint Protection version, which on first setup will initially install and use something called Malwarebytes Breach Remediation, this will allow you to scan and clean up without realtime items running, which seem to be hindering your ability to remotely manage them at the moment. The trial can be found here - https://www.malwarebytes.com/business/trial

    Later on you can edit / create policies that will allow you to choose which realtime pieces you would like on your machines, this action will change the plugin used from Malwarebytes Breach Remediation, to Malwarebytes version 3, which is a modified version of the home version you are running in order to support business environments.

    For your cleanup stuff, don't forget to turn on the anti-rootkit settings for the scans, this can help you get every nook and cranny, but be aware it makes the scans take much longer.


  7. @Kalrand that doc-2591 is for MBEP, MBES's Anti-Malware 1.80.2.1012 does not run mwac.sys, that is unique to the MB3 tech. What the KB outlines for DCs, that also run the DNS, is in line with Microsoft's best practices.

    @WORKS2016 @gonzo and kalrand, I do have another matrix whipped up to represent the new MB3, 3.5.1.2600, in use with the latest agent updates.

    (screenshot: MBEP matrix)


  8. Malwarebytes Endpoint Agent, MBEndpointAgent, "C:\Program Files\Malwarebytes Endpoint Agent\MBCloudEA.exe", is your communication service to your cloud portal.
    Malwarebytes Service, MBAMService, "C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe", is your protection software.
    They are both vital.

    "C:\ProgramData\Malwarebytes\MBAMService\config\UpdateControllerConfig.json" is the correct place to get your database package version and date, but also your controller and program versions. 

     


  9. @Heinrich May I see the msi log?

    Just in case, there are some things to be aware of; the file must be copied to the machine and run from a local drive, running it from a network location will not work. Anti-Malware and Anti-Exploit are part of the Malwarebytes Managed Client entry shown in Programs and Features, though later on Anti-Exploit can and will auto-update (if allowed in policy), and create a separate entry for itself in Programs and Features. Anti-Malware will not create an entry for itself and will remain under Malwarebytes Managed Client.

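Added example (not djacobson's code and not a Malwarebytes tool): a PowerShell wrapper that follows the two points made in post 9, staging the MSI on a local drive before running it and capturing the verbose MSI log that support asks to see. The $Source share path and MSI file name are placeholders, and /i, /qn and /l*v are standard msiexec switches rather than anything specific to this installer.

```powershell
<#
  Added example, not from the forum post or from Malwarebytes.
  Copies the installer to a local drive (running from a network location is
  reported not to work), runs it with a verbose log, and on failure prints
  the log lines most likely to show the failing action.
#>
param(
    [Parameter(Mandatory)][string]$Source,   # e.g. \\fileserver\deploy\MBManagedClient.msi (placeholder)
    [string]$LogDir = $env:TEMP
)

# $env:TEMP is always on a local drive, so it satisfies the "run locally" requirement.
$local = Join-Path $env:TEMP (Split-Path -Path $Source -Leaf)
$log   = Join-Path $LogDir ('mb-install-{0:yyyyMMdd-HHmmss}.log' -f (Get-Date))

Copy-Item -LiteralPath $Source -Destination $local -Force

# /i install, /qn silent (standard msiexec, assumed appropriate here), /l*v verbose log.
$proc = Start-Process -FilePath msiexec.exe `
    -ArgumentList @('/i', "`"$local`"", '/qn', '/l*v', "`"$log`"") -Wait -PassThru

Write-Host "msiexec exit code: $($proc.ExitCode)  (log: $log)"
if ($proc.ExitCode -ne 0) {
    # In a verbose MSI log the failing custom/standard action is logged with 'Return value 3'.
    Get-Content -LiteralPath $log | Select-String -Pattern 'Return value 3', 'Error \d+' | Select-Object -Last 20
}
```

Attach the whole log file, not just the filtered lines, when replying to a request like the one in post 9; the filtered output is only a quick pointer to where to look.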

  10. Moving thread to correct section. Dcollins was thinking this was the EP product at first, like Kalrand initially thought. The tactics they provided are true for the cloud based solution and its installers. With the server based on-premises solution, that uses MBMC, Malwarebytes Management Console, it can create an offline EXE and MSI for manual or 3rd party deployment, however the EXE one is not able to use any switches.
