Posts posted by djacobson

  1. I definitely appreciate the contribution @Kalrand; I am open to whatever is able to help others!

    But others, don't be discouraged if this particular tactic is not able to help you! The offline client issue is a bit of a quagmire; there are a myriad of different root causes that present the same symptom: offline clients. Service not starting (like Kalrand is dealing with here), Win 10's fastboot option, Windows not waiting long enough when the service is told to start and Windows moves on, the HTTPS protocol problem of still being on SSL 3 instead of TLS 1.1 / 1.2, SSL filtering/SSL proxy features on in network appliances with Malwarebytes URLs not whitelisted, bad certs, agent upgrade failed while copying its files from Windows\Temp due to something preventing access, and so on. That is what has made this a hard thing to solve for everyone and something that appears long-standing, but not all offline client issues are the same, and many people experience more than one in the same environment. If you are plagued with this issue symptom and the suggestions in this thread haven't helped your situation, open a ticket with the B2B support team so they can review your client's info to identify which thing is causing your clients to show offline.

  2. To follow up on this a bit more: for what you are asking, go to C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware and use the text files called "version.check" and "rules.new.yaml"; they have version info within them that you will need to parse. The actual signature files, rules.new and rules.ref, are encrypted and you will get nothing out of them except a date stamp. These files cannot be swapped around; the program itself needs to read and apply them.

  3. Malwarebytes cloud platform update - July 19, 2018

    Malwarebytes is scheduled to update our cloud platform on July 19, 2018 at 8:00PM EST / 5:00PM PST.  We anticipate less than 4 hours of downtime to complete this update. As a customer of this platform, we want to take a moment to familiarize you with the changes that are about to become available.


    New Features

    • Added easy access to contextual threat information. When viewing detection details, an administrator can click on the detection name (which opens a new browser tab to a Malwarebytes Labs resource) to gain additional background and insights on the threat.

    • Relocated the “Add Endpoints” link to a new dedicated page in the main navigation of cloud console

    • Added new link to the Malwarebytes Business Support webpage - administrators can access it by clicking on their logged-in user name in the top right corner of the cloud console
    • Renamed “My Account” page to “Profile” to reduce confusion with the Malwarebytes My Account customer account platform
    • Added the license key for subscribed products to the License Information tab within the user’s Profile page
    • Added capability for Endpoint Agent plugins to resume downloading if interrupted – beneficial for customers with very slow Internet connections
    • Added the administrator’s IP address within User Invited events when new users are added to the console
    • Added new event types for Endpoint Remediation Success and Endpoint Rollback Success for Malwarebytes Endpoint Protection and Response
    • Addressed anti-ransomware technology issues for Windows Server; it will be enabled based on the Policy setting
    • Updated Syslog Logging feature so that when an administrator adds, removes, disables, or enables the Syslog Communication Endpoint it will now create an Event
    • Table headers now remain visible when scrolling down on paginated pages
    • Improved header messaging that appears when selecting multiple items in a table (e.g., Manage Endpoints, Quarantine)
    • Improved validation for Policy form fields
    • Changed “Ransomware Protection” label in Policy Settings to “Behavior Protection”
    • Improved Detections page so that Location ellipses will truncate the middle portion of the path
    • Fixed: Endpoint Agent emitted excessive errors to the Windows log when an excluded file path did not exist on an endpoint
    • Fixed: Endpoint Protection for Mac - If a scan was triggered immediately after endpoint agent installation but before the Endpoint Protection plugin was fully installed and loaded, the agent would be stuck in a “busy” state
    • Fixed: Endpoint Protection for Mac - Scheduled scans are no longer triggered incorrectly
    • Fixed: Endpoint Protection for Mac - Now sends up Agent Information
    • Fixed: Endpoint Protection for Mac - Protection Updates version was reporting SDK version instead of DB version in Scan History, was not reporting in Endpoint Details
    • Fixed: Endpoint Protection for Mac - Non-administrative users are now able to interact with the tray icon
    • Fixed: Endpoint Protection for Mac - User interface now stays minimized during on-demand scans if initiated from endpoint
    • Fixed: Endpoint Protection for Mac - Endpoint Protection plugin will no longer get stuck in "busy" state if a scan is triggered immediately after startup 
    • Fixed: Endpoint Protection for Mac - Free Physical memory is being reported as "0" in the Overview tab of Endpoint Properties


    Known Issues

    • User Verified account notifications are not getting emailed to administrators
    • Windows Server 2008 scans crash when scanning .lmk files
    • Sysprep can fail to run with Self-Protection enabled in the policy
    • Within the Endpoint Properties pages under the Detections tab, the Action Taken and Category dropdowns are cut off
    • Modal windows are showing an unnecessary scroll bar
    • Endpoint Protection and Response: When a Remediation action succeeds but Rollback action fails, the Suspicious Activity status is stuck and displays "Pending Remediation" 
    • Endpoint Protection for Mac: Scan History tab does not get information populated if Threat Scan does not detect any threats
    • Endpoint Protection for Mac: Timestamps in Scan History Tab for macOS endpoints are in GMT, and not the web browser's locale
    • Endpoint Protection for Mac: Endpoint Agent does not report update_package_version on fresh Endpoint Protection install


    Our next cloud platform update is scheduled for August 2018.

  4. It should be instant after checking in, as long as the endpoint can access https://data-cdn.mbamupdates.com and https://sirius.mwbsys.com, and is allowed to download an exe directly through firewalls. Some machines will need to restart for the new version to appear in the client view. You can also avoid having to go through the MBAE downgrade / upgrade process on agent upgrade or reinstall: the agent can be deployed without including the MBAE portion of the install, and then the existing newer MBAE will reintegrate with the MBMC client software after it is reinstalled. The MBAE standalone installer can also upgrade the version on your machine if you do not wish to wait for the machine to pick it up itself.

  5. Guys, they are using Connectwise, aka Labtech; this is a Malwarebytes partner whose integration deploys and manages MBAM 1.x, MBAE 1.x and ARW 0.9 standalone.


    Barinder, I'm not exactly sure what you are trying to do; MBAM already integrates with Control Center and this information should already be in the dashboard. Is this some sort of alternate reporting thing?

  6. 3 hours ago, StroTech said:

    Also, is it ok to take a recent version of the anti exploit installer and put it into the package template folder on the malwarebytes management server? Then create an installation package.

    Hi StroTech, the MBAE build that is within the MBMC package template will be out of date compared to the latest over-the-air update. We do not recommend changing the package out; if you try to do this to upgrade the MBAE build on the endpoints, it can break the push. It can work for new installs though. The best way to do it without affecting your console is to install the MBAE standalone exe or msi (from the unmanaged folder of the MBMC package) over the top of the existing version using some other means: local install, scripted, or through some other deployment tool like GPO or SCCM.

  7. This can happen as your database becomes full of records and/or the clients have lots of logs to submit or some may be stuck submitting a particularly large log. Use your database cleanup function in the Admin tab to clean the database up.

    The database has a high propensity to become too full of records because of two item types: PUPs and PUMs. Ensure you are removing PUP items in your policy. Very often we see that the MBMC policy is not set to remove PUPs, which will generate new entries every time they are found, over and over. Another item is GPO reinforcements possibly getting tagged as PUMs, over and over again. Here are some links around these items from our KB area:

    For client side cleaning, I have an MBMC client maintenance and tweaking script I came up with. This script stops the client service, kills the process just in case the service doesn't stop, clears the client log sets, restarts the service and also modifies the service failure restart items; this last piece can help a ton for Win 8 and Win 10 clients that often go "offline" in MBMC client view. It also logs itself, so if it has any trouble we can check the C:\ProgramData\sccomm\clientScriptLog.txt file it writes. Deploy this script any way you see fit: onesie-twosie, or en masse via whichever deployment method you use and prefer.

    @echo off
    REM Make sure the log directory exists so the redirects below cannot fail on a machine where it is missing
    if not exist "C:\ProgramData\sccomm" mkdir "C:\ProgramData\sccomm"
    REM Stop the MBMC client service (stdout and stderr both go to the script log)
    net stop MEEClientService >> C:\ProgramData\sccomm\clientScriptLog.txt 2>&1
    REM Kill the client process tree in case the service did not stop; taskkill /im needs the full image name, so ".exe" is assumed here
    taskkill /t /f /im SCComm.exe >> C:\ProgramData\sccomm\clientScriptLog.txt 2>&1
    REM Clear the client log sets (scan logs and the sccomm transfer logs, including the temp subfolder)
    del /f /s /q "C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\Logs\"*.* >> C:\ProgramData\sccomm\clientScriptLog.txt 2>&1
    del /f /s /q "C:\ProgramData\sccomm\txthrlog\temp\"*.* >> C:\ProgramData\sccomm\clientScriptLog.txt 2>&1
    del /f /s /q "C:\ProgramData\sccomm\txthrlog\"*.* >> C:\ProgramData\sccomm\clientScriptLog.txt 2>&1
    REM Start the client service again
    net start MEEClientService >> C:\ProgramData\sccomm\clientScriptLog.txt 2>&1
    REM Service recovery: restart 6 s after the first and second failure, take no action on the third, reset the failure count after 120 s
    sc failure "SccommService" actions= restart/6000/restart/6000/""/6000 reset= 120 >> C:\ProgramData\sccomm\clientScriptLog.txt 2>&1


  8. It is a slow process, but something that can help is to approach it with scans that are not yet set to remove anything. This way you can see what the MBAM scans will begin tagging for removal without it happening, and you can set your ignores around the stuff your users have versus what actually generates hits accordingly. We don't often interact with items the same way other AVs do; this tactic can help you avoid spending time making ignores for something we're not going to have an issue with, or be able to make an ignore for something you would not have thought needed one. There is some quirkiness to be aware of, and I see it a bit in your post here with the mention of shares.

    There are limitations to consider. Folder and file paths cannot take a wildcard in the middle of the path; it can only be used at the end to represent everything under a certain directory.

    C:\Users\*\Desktop\item.ext - this wildcard usage is not supported.
    C:\ProgramData\Some Program\* - this wildcard usage is supported.

    The realtime engine and pieces in the 1.x version have some known complications with applications that run from and/or write to drive shares. Check out this post I made here that brings up the known items and limitations of the MBMC and MBAM 1.x product - 

    See this post for an explanation of our workarounds for mitigating the drive share / realtime interference - 
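The wildcard rule from the post above (a "*" is only accepted as the final path component, never in the middle or as part of a file name) is easy to get wrong when an ignore list is built by hand. The following checker is an added example, not code from the original post or from Malwarebytes; it encodes only the rule stated in the post, so the product may still reject an entry for other reasons, and the function and type names (check_exclusion, ExclusionCheck) plus the sample list are constructed here. Run it over a candidate ignore list before entering the entries into the MBMC policy.

```python
import re
from typing import Iterable, List, NamedTuple


class ExclusionCheck(NamedTuple):
    """Result for one candidate exclusion path (hypothetical helper type)."""
    path: str
    supported: bool
    reason: str


# Supported wildcard form from the post: <directory>\*  -- the "*" is the whole last component.
_TRAILING_WILDCARD = re.compile(r"[^*]+\\\*")


def check_exclusion(path: str) -> ExclusionCheck:
    """Apply the rule stated in the post: no wildcard is fine, a single trailing
    "\\*" is fine, anything else with a "*" in it is not supported."""
    p = path.strip()
    if not p:
        return ExclusionCheck(path, False, "empty path")
    if "*" not in p:
        return ExclusionCheck(path, True, "literal path, no wildcard")
    if p.count("*") > 1:
        return ExclusionCheck(path, False, "more than one wildcard")
    if _TRAILING_WILDCARD.fullmatch(p):
        return ExclusionCheck(path, True, "trailing wildcard covers everything under the directory")
    return ExclusionCheck(path, False, "wildcard must be the final path component (directory\\*)")


def check_exclusion_list(paths: Iterable[str]) -> List[ExclusionCheck]:
    """Check every entry of a candidate ignore list."""
    return [check_exclusion(p) for p in paths]


def unsupported_entries(paths: Iterable[str]) -> List[str]:
    """Just the entries that the policy would not accept under the stated rule."""
    return [r.path for r in check_exclusion_list(paths) if not r.supported]


# Constructed sample ignore list; the first two entries are the examples from the post.
SAMPLE_EXCLUSIONS = [
    r"C:\Users\*\Desktop\item.ext",          # wildcard in the middle: not supported
    r"C:\ProgramData\Some Program\*",         # trailing wildcard: supported
    r"C:\Program Files\LOB App\app.exe",      # literal file path: supported
    r"\\fileserver\share\*",                  # UNC path with trailing wildcard: supported
    r"C:\Temp\*.log",                         # wildcard inside a file name: not supported
]

if __name__ == "__main__":
    for result in check_exclusion_list(SAMPLE_EXCLUSIONS):
        status = "supported  " if result.supported else "UNSUPPORTED"
        print(f"{status}  {result.path}  ({result.reason})")
```

Entries flagged as unsupported need to be rewritten as a literal path or as a directory with a trailing "\*" before they are added to the policy.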



  9. There isn't anything like that really; help with approaching scans and removal is most often support staff advice from what we see and know about that program, combined with the experiences of customers we help. There is a best practice guide for MBMC, but that is about setting up your server which hosts the management side of the on-premises product version. Maybe a compilation of some support staff tips and tricks in a sticky thread might scratch that itch.

  10. Was the SQL account set up with enforce password policy and / or password can expire? There is no place to change this password externally; you'll need to either start up SQL Management Studio and change the SQL logon back to what it was originally, or uninstall/reinstall MBMC and use the SQL logon's new password when pointing it to the SQL instance. If you need to have the password expire for change control, you will need to create two SQL accounts and switch between them before the password expires.

  11. Hey @SMiThaYe, I've sent that along as a feature request for the My Account page. In case you are not familiar with that (and for others that are searching this and stumbling onto this post), My Account can be found here - https://my.malwarebytes.com/en/login

    To set up the My Account portal access, follow this KB - https://support.malwarebytes.com/docs/DOC-1036

    Until that request is approved, release history can be found here - https://www.malwarebytes.com/support/releasehistory/business/

    Product Lifecycle info can be found here - https://www.malwarebytes.com/support/lifecycle/business/
