anyWARE-Mainz

Honorary Members
  • Posts

    33
Everything posted by anyWARE-Mainz

  1. Hi, for some time now, we have been getting these detections. It started with: Location: \u00dc\u0087\u00e4\u00bd\u0083\u00e3\u0095\u008d\u0002\u0018explorer.exe and later on we got: Location: ܇佃㕍explorer.exe I have no clue what kind of malware this seems to be, where it resides, or why foreign characters are displayed in front of "explorer.exe". Does anyone have a clue how to proceed? We did scans with other antimalware products, but did not find anything. Help appreciated, regards Daniel
  2. Well, but how to obtain "beta-updates" via OneView or Nebula console? As HangingWithDan wrote: Same issue we had on 3 different computers, word and excel, on different days. Regards, Daniel
  3. @LiquidTension No such file. Just a folder "*AppData\Local\Temp\mwbE39D.tmp" with a lot of files inside.
  4. @LiquidTension I will have a look into it. @alexl010 Yes we do. Did you find the source and a solution for it?
  5. ... and apologies - wrong forum as I see at the moment. Please move the thread to the business forum / endpoint protection. Thank you.
  6. Btw. - I can not edit my post, so this is, what the Support Tool says (see screenshot):
  7. Hi LiquidTension, where may I upload the log - any specific mail address? I would rather not upload them publicly.
  8. Hi, we got 2 different detections in the past 2 weeks on two different clients. Today it was: 1) Malware.Ransom.Agent.Generic C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Excel.lnk Blocked By Real-Time Protection 2) Malware.Ransom.Agent.Generic C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE Blocked By Real-Time Protection One or two weeks before, it was "Winword.exe" on a different client. The product had to be repaired - restoring the .exe did not work. This is urgent, because just restoring out of quarantine does not work. Regards, Daniel
  9. The Excel add-in does not help, but the RESTful API documentation would be helpful. Where may we get the documentation?
  10. Hello, thanks for your reply. The SQL database is only used when on-premise. The Cloud-Console does not give "backend-access" as far as I know?! ... so there's the need for some kind of API or a possibility to get some client information through local databases/registry. Did I write into the wrong forum? I thought this is the right place for the cloud variant. Regards Daniel
  11. Hi, as an MSP we use different monitoring solutions. How may we/the monitoring provider get information about the Malwarebytes client status? Regards Daniel
  12. I'd like to push this, given the time that has passed. Still no export/import option for settings? We would like to use exclusion/settings templates across all of our customers and have the need for documentation, so exporting into different formats is still important, and import also. Beyond that, a simple but effective documentation feature for all important settings would be great. Regarding European law, auditors need documentation - especially for security products. Regards, Daniel
  13. Hi, as an MSP, we have some difficulties managing Malwarebytes. First problem: we may not use the same mail address as login for different customers. Our customers do not maintain their installations, but we do. Second, we may not send an on-demand report to our ticket system (no variable mail address and no subject to enter). Reports will always be mailed to the account mail address. Also, a multi-tenant console would be great, where we may manage all of our customers. Any future plans for this? Is there a way to achieve our goals? Regards Daniel
  14. [...] You previously stated "Granted, we've never turned on active protection which may be the key " Correct - If you configure this, you are running the MBIR plugin which has zero IP blocking capability and would see no symptom [...] No, that was Kalrand (but interesting for me, too). I'm wondering, if we use "active protection" - I'm not sure, but I think "yes", if it is the term for "real-time protection". I like to provide some more information (did not want to hijack this thread, but it was interesting/informational - especially most bigger companies use more than 2 or 3 DCs). Here you are - maybe it helps - if you need more info, feel free to ask for: OS of 2 DCs: 2012 R2 Virtual: yes Roles: AD, DNS, one is DHCP Each DC/DNS points 1st to the other DC and 2nd to itself. Example: DC01: 192.168.0.2/192.168.0.1 DC02: 192.168.0.1/192.168.0.2 MBAM Options:
  15. Thank you for the information, but I'm confused. There are situations where you do not enter 127.0.0.1 or do not enter the DC/DNS itself as primary. There are also multiple Microsoft articles or articles from other IT pros that differ a lot. Just two examples: https://blogs.technet.microsoft.com/notesfromthefield/2008/03/25/dns-client-configuration-for-windows-dns-servers/ https://www.dell.com/support/article/de/de/debsdt1/sln155801/best-practices-for-dns-configuration-in-an-active-directory-domain?lang=en The MS article you refer to also says: "A combination of the two strategies is possible, with the remote DNS server set as Preferred DNS server, and the local Domain Controller set as Alternate (or vice versa)" (https://support.microsoft.com/en-us/help/825036/best-practices-for-dns-client-settings-in-windows-2000-server-and-in-w) We use Malwarebytes cloud on a customer's network on two virtual DCs, which have each other as primary DNS and themselves as secondary - without issues. Or do I misunderstand some of your posts?
  16. @djacobson So does it mean, that if the hotfix works (regarding the feedback you get), at a later time, the client gets updates automatically, if you release a new version?
  17. We tested McAfee VSE/ENS with other antimalware/MBAM. You just have to exclude relevant processes (exe) vice versa in each antimalware product. But as far as I understood, Malwarebytes sees itself as a *full* antimalware solution, so there shouldn't be any need for another antivirus except Malwarebytes, or am I wrong?
  18. Same here. About 80 Machines. Performance issues on servers and workstations. Not all the time, just sporadically. When it happens, servers do not react in a proper way and same for clients. Workaround: Restart mbam-service, but that's no solution. It looks like some kind of memory leak. Any suggestions?
  19. Indeed. And much more. Export/Import Options would be also nice/important (Text-Form, xml etc.) Also as part of a documentation feature.
  20. Hi, when will 2FA be implemented? Is it already implemented and I missed it? Security auditors do demand it in many cases - especially when using cloud infrastructures.
  21. New status: HKU\*\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\ACTIVEDESKTOP|NOCHANGINGWALLPAPER worked. Maybe the Malwarebytes policy on the logged clients was not updated, when the event was logged. So it was a syntax-issue. Thanks again.
  22. Hello, how may I disable Malwarebytes temporarily for testing purposes? Is there a way to use some kind of real-time monitor, so I may see which files/processes are scanned - especially necessary when it comes to delays? Best Regards Daniel
  23. Hi, we try to set an AD Filter, but every time we try it stays at: The "regular" listing of the AD-Clients is working, but filtering not. Any ideas? Regards Daniel