HCHTech

Techbench
  • Posts: 32

Posts posted by HCHTech

  1. On 9/23/2023 at 4:06 PM, Porthos said:

    The business has its own dedicated support ticket system.

    Which, unfortunately, is slow and underwhelming considering the amount of $ I send their way each month. I like the product, I do. But I'm starting to think I should be looking around. :-(

    There is an MB subreddit, but it's just end-users griping about the personal product.  r/msp seems pretty clearly to be focused on Sentinel.   And so it goes...

    See you on TN!

    • Like 1
  2. I can appreciate that. However, consider the following: This was a major feature that sold us on the product. Not being able to test it, or prove that it works, makes it vaporware. I'm depending on it being there and working in a time of crisis when I cannot ascertain that beforehand. If I had been more unlucky and actually HAD an infection among my client base where it saved the day, then this would be less of an issue.

    I guess it occurs to me that the company is asking a lot for its users to trust that this feature will work when needed -- without providing any ability (other than checking the box in the policy setup) to prove that it will be ready and waiting when you really need it. If you will put yourself in my shoes for a moment, I think you will see my concern. Help me sleep a little better at night by throwing me a breadcrumb here...

  3.  

    On 12/21/2021 at 10:41 PM, HCHTech said:

    Question 2:  What notifications have YOU setup for your clients?

    Two years into this product now and I was all ready to post this question again, forgetting that I ever posted it before - haha.   I am disappointed to see that no one ever responded, meaning this forum is not the correct venue for this query.

    It's disappointing that most every question turns into a support ticket, which is missing the important "community take" on many issues.   Support has no interest in answering the question "What is everyone else doing in this situation?".   That question should be exactly what forums like this are for...

  4. That is.....disappointing.  I did open a ticket, and guess what, support cannot help - they sent me to SALES who want to do a demo.   Yeah, no - that's not what I'm interested in.  I want to see the thing work with my own eyes on a real machine that I control.  I don't think that's too much to ask.   This is no different than restoring a file or directory from backup to prove it works, IMO.

  5. I've been lucky and have not had to actually perform a rollback for a client yet, but I'd like to test the process on a sacrificial workstation. For one, we can review our SOP, and perhaps most importantly, we can see that this process actually works so we're not trying to figure it all out in a time of crisis. The documentation appears to say that the software needs to have detected suspicious activity for a rollback to be available. I'd like to set up quarterly testing of this process for clients - How can I do this?

  6. You may be right.  I am pretty sure I have the correct policy set as the default for that site, so any workstations that get into the default group should have the correct policy even if I forgot to move them into the right group.  For sites with servers, I typically define both a Servers and Workstations group, and apply separate "ClientName_Server" and "ClientName_Workstation" policies assigned to those groups respectively.   Additionally, I like to assign the "Workstation" policy to the Default group because new workstations get added way more often than new servers.

    Admittedly, the differences between global and local policies have always been confusing to me, so maybe I'm just doing it wrong. I typically create my policies from the main Nebula console, before the individual site is even created (because that way I can clone from another client policy, which saves time). Then, when I create the site, I choose the now-existing policy as needed. For sites with no servers, there is typically only the default group, so I assign the client policy to that group. For sites with servers, I do as stated above. I assign the workstation policy to both the default group and the workstation group. Then I assign the server policy to the server group.

    In any event, I did find a couple of workstations that were still in the default group for the most-recent client where I found the problem of the missing tray icon.   So, I moved them into the workstation group, but in fact, both the default and workstation groups use the same policy which has the checkbox to display the systray icon.   I'll check after-hours today to see if the icons now display.

  7. Latest installer for EDR from Nebula, Windows 11 Pro on workstation. There seem to be sporadic cases where although the app is installed, there is no entry in the start menu and no system tray icon. The endpoint is resident on the dashboard, however. Is this a known issue perhaps? One thing may be relevant - these are replacement machines, so the licenses are temporarily over-provisioned until the devices going away are deleted from the dashboard.

  8. On 10/7/2022 at 5:00 PM, Coach-E said:

    You are correct that having a signature based AV would not stop an EDR from catching threats. What I would point out is what if there was no signature for malware with the signature only AV product? This is where EDR would alert, catch and/or contain an infection.

    Thank you - this is my point...that having both products still has value.  PLUS having both of those products being from different vendors would also appear to be a better answer than a one-vendor solution.

  9. On 10/6/2022 at 9:14 AM, HCHTech said:

    telling me that having the AV in place with an EDR will stop the EDR from automated remediation, ..., Further, that there is no possibility that a signature-based AV would find something that the EDR would miss.

    Thanks, @Coach-E, can you please comment on the above statements?  I can't imagine it has weight, but I'd like the opinion of someone more in a position to have real knowledge / experience with the situation.   I can only guess with my way-too-small sample size.

  10. I have a managed AV product on all of my commercial customers' machines. For those that also have MB's EDR installed, is this a problem?

    The AV vendor is trying to sell me on their EDR, telling me that having the AV in place with an EDR will stop the EDR from automated remediation, and that I shouldn't be running both on the same machine. Further, that there is no possibility that a signature-based AV would find something that the EDR would miss. I'm not ready to believe this, and have always been a fan of having more than one vendor's products looking at the data as a form of layered security. For most all of my commercial clients, the hardware firewall has gateway AV and gateway AS, and I have both a managed AV and Malwarebytes EDR on the endpoints. So 3 separate vendors' products have a chance to review the traffic.

    Does my approach make sense or am I doing my clients a disservice by loading their endpoints with both products?

  11. On 10/4/2022 at 6:19 PM, AdvancedSetup said:

    We have created a story to track progress of possible changes for future builds. OCF-823

    Thanks, @AdvancedSetup - forgive me, but I'm not sure what this means.   I'll presume it is some sort of internal project tracking, but since there is an ID code there, does that mean it's something I might have access to somewhere?   Or perhaps just to refer to with any support tickets I might open on the subject....


  12. These reports appear to be the only automated client-deliverable for those of us using Oneview.   While it is generally good (I've seen MUCH worse attempts from other vendors in my sphere), I'm wondering what the development plans are for this report.  I have several comments/questions:

    • I note that items that would naturally prompt a question don't give any data to answer that question. For example, the endpoints listed as "Not seen in 30 days" would naturally prompt the question "which one(s)?", but no data is given. Also, that line starts with total endpoints, then reports "Active in the last 7 days", then "Not seen in 30 days", but the total of these two detail items doesn't always equal the total endpoints. One of my clients shows 13 total endpoints, 10 active in the last 7 days, and 1 not seen in 30 days. 10 + 1 = 11, so what happened to the other two endpoints? Are they "not seen in over 30 days"? Something else?
    • For the Endpoint Protection section, the endpoints listed as "Unprotected" are not listed or explained.   Are these machines detected on the network that don't have the agent installed?   Something else?
    • In the "Endpoints needing attention" section, it doesn't list who they are, so I'm leaving the client with this question outstanding instead of pointing to a needed task.
    • In the "Top 5 operating systems" section, shouldn't the numbers add up to 100%?  In my 13-endpoint client example, I see 76% for Win10 Pro, 15% for Server 2016 and 7% for Win10 Home.  That's 98% total.   The leftover has to be rounding as it's too small to equal 1 unidentified machine somewhere. 
    • Some clients have endpoints identified as "Win 10 business" which are in addition to those listed as "Win 10 pro".    What exactly is "Win 10 Business"?
    • In the "Threats" section, they list all of the "Detections" but don't mention whether or not all of these were addressed.   Admittedly, this is better than showing detections as NOT addressed, and it allows the client to assume that all detections were, in fact, addressed or remediated.   However, it is not clear that this is actually the case from looking at the report.
    • In the "Top 5 Threats" section, there is often a line titled "compromised". What exactly is this referring to? I understand "trojan", "malware", "pup", "exploit", etc., but "compromised"? That makes me worry and begs additional explanation.
    • In the end section, where it starts with "We're here to help - for technical support, please contact" - so far so good.   Unfortunately, it only follows with my company name and address.  No phone number or email address.    I looked into where this might be controlled in the Oneview portal, but couldn't find a place.   Does anyone know where this is controlled?
    • Lastly, there doesn't appear to be a way to have these reports sent (on a schedule) directly to the client. If I generate the report for every client at once, I get all of the reports in a single zip file sent to my OneView login email, so I can't set up an auto-forward rule in Exchange to make this job easier. I have to unzip the file, then forward each report individually to the correct client - more time-consuming for sure, and opens up the possibility for error, plus yet another month-end job that has to be assigned to someone. Is there any way to automate this more?

    Thankfully, I couldn't find any formatting problems or misspellings in the report, so kudos for that!

    • Thanks 1
  13. It was frustrating to see the fix available for individual clients but not be able to access the Nebula dashboard for any of our clients.   It took another hour for the fix to make it out to our clients, even though we still couldn't load the Nebula dashboard.   I stopped checking after that, but another hour went by (15 minutes or so ago now) and I see Nebula is back up and running.

    Just FYI, in retrospect, we could have pushed a manual update using our RMM product using the following command on the endpoint:

    "C:\Program Files\Malwarebytes Endpoint Agent\UserAgent\EACmd.exe" --updateprotection


    We didn't do that, because we didn't know about this approach until things were already starting to right themselves.   I put it in my notes in case there is a next time, though.

    • Like 1
  14. Thank you - that was the place. This is one of those things about the platform that seems disjointed. When I log into the main dashboard (not an individual site), and I see an icon that says, "Scan Needed" on 8 workstations spread over 6 sites, I want to be able to click on that icon right there and queue those scans. It's more work than necessary (IMO) to accomplish the thing you are telling me needs done. I have to click on that icon, which identifies the individual sites, then I have to open each site in turn to actually queue the scans. I understand why this behavior would be desired for detections, but for overdue scans, it should be easier than it is to just queue those scans to run.

    In fact, I'm not sure the overdue scan warning really has any value.  In my experience this results from a workstation just being off since all of the sites have schedules for scans to run.  It's not my job (IMO) to chase clients and ask them to turn on a machine just so a scan can run.   If it's been off, then it hasn't been at risk, so there shouldn't be a need for a new scan until that computer is on again, at which point, the scheduled scan should take over and make it happen without my intervention.   Maybe I'm missing the point...

  15. I have EDR on a 50-workstation client.   An update to the Citrix Sharefile Outlook plugin tripped the 'Suspicious Activity' flag and was blocked on all endpoints.   I examined the first one, realized it was a false positive and closed the incident, creating a global exclusion for the MD5 Hash on that file.  I also created a 'File by path' exclusion using the system variable %localappdata% for good measure.  Ok, problem solved.    Except 49 other workstations still have open incidents for this very same file.   I cannot find a way to close those incidents without individually opening each one.  What am I missing?

  16. With regard to the "Detections" triggers.  I'm concerned there is a decision branch missing.

    If I choose the "Action Taken" condition, the only operator is "is equal to" and the choices are "Blocked, Found, Quarantined, Deleted from quarantine and Restored from quarantine".

    If I select more than one choice, for example "Found" and then "Quarantined", I am apparently working with an AND, not an OR. So for the notification to fire, a detection must be BOTH "Found" and "Quarantined". Further, if I choose to add another condition, then that 2nd condition is also an AND, as it clearly says "All of these conditions must be met".

    So, let's say that I want to get notified BOTH when something is found & quarantined, AND when something is found and NOT quarantined (arguably a more important event).  The only way to do this is to have TWO separate notifications, one where you choose "Found & quarantined", and a second one where you choose only "Found".   At least I think, anyway.   The problem with this solution is that when a detection is found and quarantined, it will fire BOTH notifications.   But if I remove the second notification so I don't get duplicate notifications in this scenario, then I don't get a notification if a detection is "Found" but not "Quarantined" for some reason - which as I stated above, is probably a more important thing to get notified about.

    Maybe the answer is to delete the FIRST notification and only have one that fires when something is found (regardless of whether or not it is quarantined). I don't want to miss any important events, but I don't want to get spammed with notifications, either. I'm trying to set up notifications to auto-create tickets, so finding the right balance is important.

    Am I missing something here?  It seems like we need an OR choice for the trigger values, which of course, we don't have currently.

    Question 1:  Does this make sense?

    Question 2:  What notifications have YOU setup for your clients?
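    The AND semantics described in this post, modelled as an added example so the duplicate-firing problem can be seen on sample events. This is not code from the original post, the Malwarebytes console or OneView; the detection events, endpoint names and rule names are constructed, and the rule evaluation (every selected "Action Taken" value must be present) is an assumption taken from the post's description.

```python
from dataclasses import dataclass

# "Action Taken" values as listed in the post's description of the console.
ACTIONS = frozenset({"Blocked", "Found", "Quarantined",
                     "Deleted from quarantine", "Restored from quarantine"})


@dataclass(frozen=True)
class Detection:
    """One detection event (constructed sample data, not console output)."""
    endpoint: str
    threat: str
    actions: frozenset  # every "Action Taken" value recorded for this detection


@dataclass(frozen=True)
class Notification:
    """A notification rule on the 'Action Taken' condition.

    Assumed semantics, taken from the post: selecting several values behaves
    as AND, so every selected value must be present for the rule to fire.
    """
    name: str
    selected: frozenset

    def __post_init__(self):
        unknown = self.selected - ACTIONS
        if unknown:
            raise ValueError(f"unknown action values: {sorted(unknown)}")

    def fires(self, det: Detection) -> bool:
        # Subset test: all selected values must appear on the detection.
        return self.selected <= det.actions


def fired_rules(rules, det):
    """Names of the rules that fire for one detection, in definition order."""
    return [r.name for r in rules if r.fires(det)]


def tickets_per_event(rules, detections):
    """Map each detection's endpoint to how many notifications (= tickets) it raises."""
    return {d.endpoint: len(fired_rules(rules, d)) for d in detections}


def needs_followup(det: Detection) -> bool:
    """Found but not quarantined: the case the post flags as more important."""
    return "Found" in det.actions and "Quarantined" not in det.actions


# Constructed sample events: found and quarantined, found but not quarantined,
# and a detection that was only blocked.
SAMPLE = [
    Detection("ws-01", "Trojan.Sample", frozenset({"Found", "Quarantined"})),
    Detection("ws-02", "Trojan.Sample", frozenset({"Found"})),
    Detection("ws-03", "Exploit.Sample", frozenset({"Blocked"})),
]

# Configuration A from the post: two rules, one for found-and-quarantined, one for found.
CONFIG_A = [
    Notification("found-and-quarantined", frozenset({"Found", "Quarantined"})),
    Notification("found", frozenset({"Found"})),
]

# Configuration B from the post: keep only the broader rule.
CONFIG_B = [Notification("found", frozenset({"Found"}))]


if __name__ == "__main__":
    for label, cfg in (("A", CONFIG_A), ("B", CONFIG_B)):
        print(f"config {label}:", tickets_per_event(cfg, SAMPLE))
    print("needs follow-up:", [d.endpoint for d in SAMPLE if needs_followup(d)])
```

    Running it shows configuration A raising two tickets for the found-and-quarantined event and one for the found-only event, while configuration B raises exactly one ticket per "Found" event. Because the console has no OR, the split between "quarantined" and "not quarantined" has to happen on the receiving side, which is what needs_followup stands in for here: the ticket system (or a mail rule) can read the action details and prioritise the found-but-not-quarantined case.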


  17. Support confirms there is no access to any system variables in a custom subject line.  :-(

    Support also confirms there is no design limit on the number of allowable notifications, so having 700 should work just as well as having 5.

    This is a ton more work on our end to maintain that, but hopefully it's a one-time setup for each client and we'll have to write it off as the price of automation.

    • Like 1
  18. OP, please do post what you find out here. It seems this is exactly the kind of question these forums are intended for. If there is documentation on how a feature works (which, there must be, right?), it would seem a simple task to say "Please read this LINK and then contact support if you have any questions." As a user, it's a bit frustrating to see so many responses of "Please open a ticket". No one but the OP learns that way and the forums don't live up to their potential usefulness. My 2c anyway.

  19. I am trying to better organize the notifications we receive for clients on the Oneview platform.  Ideally, I'd like notifications that mean we have to physically "do something" to automatically create tickets in our CRM.  To do THAT, I need to control the subject line of the notification emails to contain the client email, which is the identifying field in our CRM.

    I can do this now, by making notifications that only apply to one site (client), then specifying the subject line as needed (like this: "Threat Detected - name@clientdomain.com"). This means, though, that for every client I add to Oneview, I would need to make a new set of these notifications. Before I start down this path, I have some concerns about how scalable this feature is. It works now with only a handful of sites, but will the platform continue to work well if I have, say, 700 notifications defined? Even though this would be a ton of work to set up and maintain, it might be worth it to get the automation I'm looking for.

    Is there a better way?  Are there any system variables I could use in the subject line that would allow me to have only one set of notifications that apply to all sites?   Could I set a subject line something like this:

    [Threat Detected - %siteprimaryemail%]

    If so, then I would just need to make sure that the identifying email in Oneview is the same as the identifying email in my CRM - a much easier job to set up and maintain than creating new notifications for each site added.

    What do you think?

    • Like 1
  20. Just closing this loop.   Notifications are set BY USER.   So to do what I want (have all notifications go to a special email address instead of the current admin user), I created a "read-only" user called "Notifications User" and used the notifications@mydomain.com email for that user.    Then I deleted the notifications I could from the main admin user and added them to the new notifications user.  So far so good.  I have some other questions about this process, but I'll start a new topic for those.

    • Like 1