djacobson
Staff
Content Count: 1,295

Everything posted by djacobson

  1. To follow up on this a bit more, for what you are asking, go to C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware and use the text files called "version.check" and "rules.new.yaml"; they have version info within them that you will need to parse. The actual signature files, rules.new and rules.ref, are encrypted and you will get nothing out of them except a date stamp. These files cannot be swapped around; the program itself needs to read and apply them.
  2. You can create a testing group and policy which has the realtime protection items disabled, switching the machine to a group with a policy like that would essentially disable it. For watching what processes are being interacted with by programs on the system, we use Process Monitor, aka ProcMon - http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx
  3. Malwarebytes cloud platform update - July 19, 2018

     Malwarebytes is scheduled to update our cloud platform on July 19, 2018 at 8:00PM EST / 5:00PM PST. We anticipate less than 4 hours of downtime to complete this update. As a customer of this platform, we want to take a moment to familiarize you with the changes that are about to become available.

     New Features
       • Added easy access to contextual threat information. When viewing detection details, an administrator can click on the detection name (which opens a new browser tab to a Malwarebytes Labs resource) to gain additional background and insights on the threat.

     Improvements
       • Relocated the “Add Endpoints” link to a new dedicated page in the main navigation of the cloud console
       • Added a new link to the Malwarebytes Business Support webpage - administrators can access it by clicking on their logged-in user name in the top right corner of the cloud console
       • Renamed the “My Account” page to “Profile” to reduce confusion with the Malwarebytes My Account customer account platform
       • Added the license key for subscribed products to the License Information tab within the user’s Profile page
       • Added capability for Endpoint Agent plugins to resume downloading if interrupted – beneficial for customers with very slow Internet connections
       • Added the administrator’s IP address within User Invited events when new users are added to the console
       • Added new event types for Endpoint Remediation Success and Endpoint Rollback Success for Malwarebytes Endpoint Protection and Response
       • Addressed anti-ransomware technology issues for Windows Server; it will be enabled based on the Policy setting
       • Updated the Syslog Logging feature so that when an administrator adds, removes, disables, or enables the Syslog Communication Endpoint it will now create an Event
       • Table headers now remain visible when scrolling down on paginated pages
       • Improved header messaging that appears when selecting multiple items in a table (e.g., Manage Endpoints, Quarantine)
       • Improved validation for Policy form fields
       • Changed the “Ransomware Protection” label in Policy Settings to “Behavior Protection”
       • Improved the Detections page so that Location ellipses will truncate the middle portion of the path
       • Fixed: Endpoint Agent emitted excessive errors to the Windows log when an excluded file path did not exist on an endpoint
       • Fixed: Endpoint Protection for Mac - If a scan was triggered immediately after endpoint agent installation but before the Endpoint Protection plugin was fully installed and loaded, the agent would be stuck in a “busy” state
       • Fixed: Endpoint Protection for Mac - Scheduled scans are no longer triggered incorrectly
       • Fixed: Endpoint Protection for Mac - Now sends up Agent Information
       • Fixed: Endpoint Protection for Mac - Protection Updates version was reporting the SDK version instead of the DB version in Scan History, and was not reporting in Endpoint Details
       • Fixed: Endpoint Protection for Mac - Non-administrative users are now able to interact with the tray icon
       • Fixed: Endpoint Protection for Mac - User interface now stays minimized during on-demand scans if initiated from the endpoint
       • Fixed: Endpoint Protection for Mac - Endpoint Protection plugin will no longer get stuck in a "busy" state if a scan is triggered immediately after startup
       • Fixed: Endpoint Protection for Mac - Free Physical memory was being reported as "0" in the Overview tab of Endpoint Properties

     Known Issues
       • User Verified account notifications are not getting emailed to administrators
       • Windows Server 2008 scans crash when scanning .lmk files
       • Sysprep can fail to run with Self-Protection enabled in the policy
       • Within the Endpoint Properties pages under the Detections tab, the Action Taken and Category dropdowns are cut off
       • Modal windows are showing an unnecessary scroll bar
       • Endpoint Protection and Response: When a Remediation action succeeds but the Rollback action fails, the Suspicious Activity status is stuck and displays "Pending Remediation"
       • Endpoint Protection for Mac: Scan History tab does not get information populated if a Threat Scan does not detect any threats
       • Endpoint Protection for Mac: Timestamps in the Scan History tab for macOS endpoints are in GMT, and not the web browser's locale
       • Endpoint Protection for Mac: Endpoint Agent does not report update_package_version on a fresh Endpoint Protection install

     Our next cloud platform update is scheduled for August 2018.
  4. It should be an instant after checking in; as long as the endpoint can access https://data-cdn.mbamupdates.com and https://sirius.mwbsys.com, and is allowed to download an exe direct through firewalls. Some machines will need to restart for the new version to present in the client view. You can also avoid having to go through the MBAE downgrade / upgrade process on agent upgrade or reinstall; the agent can be deployed without including the MBAE portion of the install, then the existing newer MBAE will reintegrate with the MBMC client software after it is reinstalled. The MBAE standalone installer can also upgrade the version on your machine if you do not wish to wait for the machine to pick it up itself.
  5. Guys, they are using ConnectWise, aka LabTech; this is a Malwarebytes partner whose integration deploys and manages MBAM 1.x, MBAE 1.x and ARW 0.9 standalone. Barinder, I'm not exactly sure what you are trying to do, MBAM already integrates with Control Center and this information should already be in the dashboard. Is this some sort of alternate reporting thing?
  6. Hi Strotech, the MBAE build that is within the MBMC package template will be out of date compared to what's out there via the latest over-the-air update. We do not recommend changing the package out; if you try to do this to upgrade the MBAE build on the endpoints, it can break the push. It can work for new installs though. The best way to do it without affecting your console is to install the MBAE standalone exe or msi (from the unmanaged folder of the MBMC package) over the top of the existing version using some other means: local install, scripted, or through some other deployment tool like GPO or SCCM.
  7. Step 2 in the KB has you covered... Upgrade to the latest version of the Malwarebytes Management Console https://support.malwarebytes.com/docs/DOC-1043
  8. This can happen as your database becomes full of records and/or the clients have lots of logs to submit, or some may be stuck submitting a particularly large log. Use your database cleanup function in the Admin tab to clean the database up. The database has a high propensity to become too full of records because of two item types: PUPs and PUMs. Ensure you are removing PUP items in your policy. Very often we see that the MBMC policy is not set to remove PUPs, which will generate new entries every time they are found, over and over. Another item is possible GPO reinforcements getting tagged as PUMs, over and over again. Here are some links around these items from our KB area: PUP and PUM FAQs for business customers - https://support.malwarebytes.com/docs/DOC-2398 What is a PUM detection and how do I deal with it? - https://support.malwarebytes.com/docs/DOC-1205 Configure Malwarebytes Management Console to remove PUPs or PUMs automatically - https://support.malwarebytes.com/docs/DOC-2245 Group Policy registry keys detected as Potentially Unwanted Modifications - https://support.malwarebytes.com/docs/DOC-1417 For client side cleaning, I have an MBMC client maintenance and tweaking script I came up with; this script will stop the client service, kill the process just in case the service doesn't stop, clear the client log sets, restart the service and also modify the service failure restart items - this last piece can help a ton for Win 8 and Win 10 clients that often go "offline" in the MBMC client view. It also logs itself, so if it has any trouble we can check the C:\ProgramData\sccomm\clientScriptLog.txt file it writes. Deploy this script any way you see fit; onesie-twosie, or en masse via whichever deployment method you use and prefer.
     @echo off
     rem MBMC client maintenance: stop the client service, kill the process if the service
     rem did not stop, clear the client log sets, restart the service and set the service to
     rem restart itself on failure. All output goes to C:\ProgramData\sccomm\clientScriptLog.txt.
     set LOG=C:\ProgramData\sccomm\clientScriptLog.txt
     net stop MEEClientService >> "%LOG%" 2>&1
     rem taskkill /im needs the full image name; kill the whole process tree in case the service hung
     taskkill /t /f /im SCComm.exe >> "%LOG%" 2>&1
     rem Clear the Anti-Malware client log sets and the queued communication logs
     del /f /s /q "C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\Logs\*.*" >> "%LOG%" 2>&1
     del /f /s /q "C:\ProgramData\sccomm\txthrlog\temp\*.*" >> "%LOG%" 2>&1
     del /f /s /q "C:\ProgramData\sccomm\txthrlog\*.*" >> "%LOG%" 2>&1
     net start MEEClientService >> "%LOG%" 2>&1
     rem Restart 6 seconds after the first and second failures, do nothing on the third, reset the count after 120 seconds
     sc failure "SccommService" actions= restart/6000/restart/6000/""/6000 reset= 120 >> "%LOG%" 2>&1
     exit
  9. Use this in the Registry key area of the exclusion function: HKU\*\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\ACTIVEDESKTOP|NOCHANGINGWALLPAPER See this KB for more info and a list of common GPO keys hit as PUMs - https://support.malwarebytes.com/docs/DOC-1417
  10. It is a slow process, but something that can help is to approach it with scans that are not yet set to remove anything; this way you can see what the MBAM scans will begin tagging for removal without it happening, and you can set your ignores around the stuff your users have versus what actually generates hits accordingly. We don't often interact with items the same way other AVs do; this tactic can help you avoid spending time making ignores for something we're not going to have an issue with, or be able to make an ignore for something you would not have thought needed one. There is some quirkiness to be aware of, and I see it a bit in your post here with the mention of shares. There are limitations to consider. Folder and file paths cannot take a wildcard in the middle of the path; it can only be used at the end to represent everything under a certain directory. Examples: C:\Users\*\Desktop\item.ext - this wildcard usage is not supported. C:\ProgramData\Some Program\* - this wildcard usage is supported. The realtime engine and pieces in the 1.x version have some known complications with applications that run from and/or write to drive shares. Check out this post I made here that brings up the known items and limitations of the MBMC and MBAM 1.x product - See this post for an explanation of our workarounds for mitigating the drive share / realtime interference -
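Added example, not code from either post or from Malwarebytes: a PowerShell pre-flight check that classifies candidate exclusion entries against the limits described in the two posts above, the trailing-only wildcard rule for file and folder paths (post 10) and the HIVE\KEY\PATH|VALUENAME form with a bare `*` segment for the per-user SID shown in the registry exclusion (post 9). The function name Test-MbmcExclusion, the classification logic and the sample list are this example's own; it only inspects strings and does not talk to the product, so it can be run against an exported exclusion list before anything is pasted into the console.

```powershell
# Added example, not code from the posts or from Malwarebytes. The function name,
# the classification logic and the sample entries are this example's own.
# Rules encoded here, as stated in the posts above:
#   - a file/folder exclusion may only use '*' as the whole final segment
#     (everything under that directory); '*' anywhere else is not supported
#   - a registry exclusion is written HIVE\KEY\PATH|VALUENAME, and the post's own
#     example uses a bare '*' segment for the per-user SID under HKU

function Test-MbmcExclusion {
    param([Parameter(Mandatory)][string]$Entry)

    $supported = $true
    $reason    = ''

    if ($Entry -match '^(?<key>[^|]+)\|(?<value>[^|]+)$') {
        # Registry form: key path and value name separated by a single '|'
        $kind     = 'Registry'
        $segments = $Matches.key -split '\\'
        if ($segments[0] -notmatch '^(HKLM|HKCU|HKU|HKCR|HKEY_[A-Z_]+)$') {
            $supported = $false; $reason = 'unknown hive prefix'
        } elseif ($segments | Where-Object { $_.Contains('*') -and $_ -ne '*' }) {
            $supported = $false; $reason = 'partial wildcard inside a key name'
        }
    } else {
        # Anything else is treated as a file or folder path (local or UNC)
        $kind     = 'Path'
        $segments = $Entry -split '\\'
        $starAt   = @(0..($segments.Count - 1) | Where-Object { $segments[$_].Contains('*') })
        if ($starAt.Count -gt 1) {
            $supported = $false; $reason = 'more than one wildcard segment'
        } elseif ($starAt.Count -eq 1 -and $starAt[0] -ne $segments.Count - 1) {
            $supported = $false; $reason = 'wildcard in the middle of the path'
        } elseif ($starAt.Count -eq 1 -and $segments[-1] -ne '*') {
            $supported = $false; $reason = 'wildcard must be the whole final segment (use dir\*)'
        }
    }

    [pscustomobject]@{ Entry = $Entry; Kind = $kind; Supported = $supported; Reason = $reason }
}

# Constructed sample list: the two path examples and the GPO wallpaper key from the
# posts above, plus a UNC path and a plain path for contrast.
$candidates = @(
    'C:\Users\*\Desktop\item.ext'
    'C:\ProgramData\Some Program\*'
    'HKU\*\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\ACTIVEDESKTOP|NOCHANGINGWALLPAPER'
    '\\fileserver\apps\*\bin\app.exe'
    'C:\Program Files\Vendor\tool.exe'
)
$candidates | ForEach-Object { Test-MbmcExclusion $_ } | Format-Table -AutoSize
```

The first and fourth entries come back with Supported = False (wildcard in the middle of the path), the other three with Supported = True. Feed it a whole list with `Get-Content exclusions.txt | ForEach-Object { Test-MbmcExclusion $_ } | Where-Object { -not $_.Supported }` to see only the entries the console will not honour.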
  11. There isn't anything like that really; help with approaching scans and removal is most often support staff advice from what we see and know about that program, combined with the experiences of customers we help. There is a best practice guide for MBMC, but that is about setting up your server which hosts the management side of the on-premises product version. Maybe a compilation of some support staff tips and tricks in a sticky thread might scratch that itch.
  12. Hi @RandomPersonInForum, funny name! You generally want to have a rootkit scan be totally on its own as it can add a lot of time to the scan. Auto-quarantine is good to engage unless you want the scheduled scan to take no action and just be investigatory into the machine.
  13. Hi @grega09, you are spot on in your research, the MB for Teams product variant would be a great choice to meet your needs here.
  14. Hi @Peb, for your product version it is in your MBMC console under Policy -> Ignore List.
  15. Hi @jdemoccc that version is for those that want to run their own server and control Malwarebytes, it is much more hands on. If you are looking for something more akin to your home MB3 experience, that would be the Endpoint Protection, cloud based portal, version of the product.
  16. The policy option to remove PUPs needs to be engaged in the policy or none will be removed; the program does not have an ability to pick and choose, it is all or nothing.
  17. Hi @tkraft, here's something that should help, it's from this KB - https://support.malwarebytes.com/docs/DOC-2237 Open ports 135, 137, and 445. Enable Windows Management Instrumentation (WMI) pre-defined rules. Enable Remote Procedure Call (RPC) pre-defined rules.
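Added example, not code from the post or from the Malwarebytes KB: the three prerequisites above applied on a client with the built-in NetSecurity cmdlets (Windows 8 / Server 2012 and later), followed by the checks that tell you whether they actually took effect. Assumptions in this example, none of which the post states: the rules are inbound on the client because the console pushes the install to it; 135 and 445 are TCP and 137 is UDP (NetBIOS name service); and the "RPC pre-defined rules" are the ones in the built-in 'Remote Administration' group, which holds the Remote Administration (RPC) and (RPC-EPMAP) rules. The rule display name is this example's own. Run it from an elevated PowerShell session on the endpoint.

```powershell
# Added example, not code from the post or from the Malwarebytes KB. Assumptions:
# inbound rules on the client, 135/445 TCP and 137 UDP, and 'Remote Administration'
# as the group that carries the pre-defined RPC rules. Requires an elevated session.

$RuleName = 'MBMC client push'   # this example's own display name

# 1. Open ports 135, 137 and 445, scoped to the Domain and Private profiles only
if (-not (Get-NetFirewallRule -DisplayName "$RuleName (TCP 135,445)" -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName "$RuleName (TCP 135,445)" -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort 135,445 -Profile Domain,Private | Out-Null
    New-NetFirewallRule -DisplayName "$RuleName (UDP 137)" -Direction Inbound -Action Allow `
        -Protocol UDP -LocalPort 137 -Profile Domain,Private | Out-Null
}

# 2. and 3. Enable the pre-defined WMI and RPC rule groups. Enable-NetFirewallRule
# errors on a group name that does not exist on this SKU, so look the rules up first.
foreach ($group in 'Windows Management Instrumentation (WMI)', 'Remote Administration') {
    $rules = Get-NetFirewallRule -DisplayGroup $group -ErrorAction SilentlyContinue
    if (-not $rules) { Write-Warning "Rule group '$group' not found on this system"; continue }
    $rules | Enable-NetFirewallRule
}

# Verify: every rule in the two groups should now report Enabled = True ...
Get-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)', 'Remote Administration' -ErrorAction SilentlyContinue |
    Select-Object DisplayName, Enabled, Direction, Profile | Format-Table -AutoSize

# ... and something must actually be listening on the ports, or the push still fails
Get-NetTCPConnection -State Listen -LocalPort 135, 445 -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess | Sort-Object LocalPort
Get-NetUDPEndpoint -LocalPort 137 -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess
```

The listener check is the part most often skipped: an allow rule for 135 does nothing if the RPC endpoint mapper is not listening, and 137 will show no endpoint at all on a machine where NetBIOS over TCP/IP has been disabled, which is worth knowing before blaming the firewall.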
  18. Was the SQL account set up with enforce password policy and/or password can expire? There is no place to change this password externally; you'll need to either start up SQL Management Studio and change the SQL logon back to what it was originally, or uninstall/reinstall MBMC and use the SQL logon's new password when pointing it to the SQL instance. If you need to have the password expire for change control, you will need to create two SQL accounts and switch between them before the password expires.
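Added example, not code from the post or from Malwarebytes: a PowerShell check of the SQL login the Management Console uses, reading the policy and expiration flags from sys.sql_logins and LOGINPROPERTY, and turning expiration off where change control allows it so the stored password keeps working. Assumptions in this example: the SqlServer PowerShell module (Invoke-Sqlcmd) is installed, the instance is '.\SQLEXPRESS' and the login is 'mbmc_svc' (both placeholders), and the session runs as a Windows login holding ALTER ANY LOGIN on the instance.

```powershell
# Added example, not code from the post or from Malwarebytes. Placeholders: the
# instance name and the login name. Requires the SqlServer module and a caller
# with ALTER ANY LOGIN on the instance.

$Instance = '.\SQLEXPRESS'
$Login    = 'mbmc_svc'

# The login name goes in as a sqlcmd scripting variable rather than being spliced
# into the query text; the single-quoted here-string is not expanded by PowerShell.
$statusQuery = @'
SELECT name,
       is_policy_checked,
       is_expiration_checked,
       LOGINPROPERTY(name, 'PasswordLastSetTime') AS password_last_set,
       LOGINPROPERTY(name, 'DaysUntilExpiration') AS days_until_expiration,
       LOGINPROPERTY(name, 'IsExpired')           AS is_expired,
       LOGINPROPERTY(name, 'IsLocked')            AS is_locked
FROM sys.sql_logins
WHERE name = N'$(Login)';
'@

$status = Invoke-Sqlcmd -ServerInstance $Instance -Variable "Login=$Login" -Query $statusQuery
if (-not $status) { throw "SQL login '$Login' does not exist on $Instance" }
$status | Format-List

# is_expiration_checked = 1 means the password will stop working on schedule, and
# the console has no place to enter a new one; clear it unless policy requires rotation.
if ($status.is_expiration_checked) {
    Invoke-Sqlcmd -ServerInstance $Instance -Variable "Login=$Login" `
        -Query 'ALTER LOGIN [$(Login)] WITH CHECK_EXPIRATION = OFF;'
    Write-Output "CHECK_EXPIRATION turned off for $Login"
}

# Prove the login itself can still connect (prompts for its password)
$cred = Get-Credential -UserName $Login -Message "Password for SQL login $Login"
Invoke-Sqlcmd -ServerInstance $Instance -Username $Login `
    -Password $cred.GetNetworkCredential().Password -Query 'SELECT SUSER_SNAME() AS connected_as;'
```

If change control does require rotation, leave CHECK_EXPIRATION on and use days_until_expiration from the first query as the trigger for switching the console to the second account the post describes, well before is_expired flips to 1.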
  19. Hey Rob, while I cannot speak for the product managers or the development team, I just want you to know I appreciate your contributions to our B2B forum; you've given great feedback, especially following the Jan 27th FP and around helping to spur the creation of the upcoming cloud announcements sticky thread. I'll bring some extra attention to your question here.
  20. Hey @SMiThaYe, I've sent that along as a feature request for the My Account page. In case you are not familiar with that (and for others that are searching this and stumbling onto this post), My Account can be found here - https://my.malwarebytes.com/en/login To set up the My Account portal access follow this KB - https://support.malwarebytes.com/docs/DOC-1036 Until that request is approved, release history can be found here - https://www.malwarebytes.com/support/releasehistory/business/ Product Lifecycle info can be found here - https://www.malwarebytes.com/support/lifecycle/business/
  21. @ThatOneGirl even under an admin account, those tools need specific elevation. The logs from the server look perfect. The logs from that client, I have no idea where it is trying to get the 26 address from, we can try changing the sccomm.xml and sccomm.exe.config stuff out on that one.
  22. What product version of Malwarebytes are you using @MarkieVee? If it is Anti-Malware 1.80.2.1012, with or without Malwarebytes Management Console 1.8.0.3443, this version is not compatible. If you are on the cloud portal version, featuring Malwarebytes 3.4.5.2470, that version is compatible with RDS.
  23. Hi @Peb Endpoint Security is equivalent to AV but since all the pieces of the program that make up the client agent are each separate modules, it cannot register in Windows Action Center as an AV.
  24. Scheduled Downtime - Malwarebytes cloud platform update - June 14, 2018 Malwarebytes is scheduled to update our cloud platform on June 14, 2018 at 8:00PM EST / 5:00PM PST. We anticipate less than 3 hours of downtime to complete this update. New product announcement, new features, improvements, known issues are detailed here - https://support.malwarebytes.com/docs/DOC-2554