
TonyCummins

Honorary Members
  • Posts: 122

Posts posted by TonyCummins

  1. 8 minutes ago, vbarytskyy said:

    Hello,

    Could everyone in this topic experiencing the issue run the attached "ConfigFixer.bat" from a local machine to test with. If it does work, it can be further deployed as a batch file.

    Make sure to run this bat as admin.

     

    https://malwarebytes.box.com/s/599mrui1hgzx6u5txa7r3j5pryw0b8qb

     

    If I come across any more not communicating with cloud and having corrupt config files I will, but the 6 I found this morning I've already done a clean reinstall.

  2. 43 minutes ago, djacobson said:

    Great catch by that agent. The folder by path function can be used for that path if you leave the wildcard off the end. Ignoring folder by path already implies everything within that folder, making the wildcard unneeded. Save the wildcard usage for items in the middle of the path string. MBMC needed the * to the end of a path, so I know it is a hard habit to break :) 

    So all I need to do now is figure out what's going on with these events:

     

    2018-05-01 12:58:59,720-06:00 [27] ERROR MB3Service Error clearing ARW exclusions
    System.Runtime.InteropServices.COMException (0x80004005): Error HRESULT E_FAIL has been returned from a call to a COM component.
       at ArwControllerCOMLib.IArwController.ClearExclusions()
       at EAMBAMPlugin.MB3Service.<>c__DisplayClass30_0.<ApplyExclusions>b__1()

     

    2018-05-01 12:58:59,637-06:00 [22] ERROR MBAMPlugin Unable to apply setting for "L1WPM": System.Runtime.InteropServices.COMException (0x80004005): Error HRESULT E_FAIL has been returned from a call to a COM component.
       at AEControllerCOMLib.IAEController.SetAeOption(_AeOptionName optionName, Int32 option)
       at EAMBAMPlugin.MBAMPlugin.ProcessAdvancedAntiExploitTechniques()
     

  3. On 4/13/2018 at 12:06 PM, djacobson said:

    Thanks Tony, I've seen this sometimes when the agent loses connection to the cloud and is unable to finish setting exclusions after starting, allowing a few of the ignored items to get caught. The effect is temporary but the issue is being tracked and we're going to get it fixed in a later update.

     

    **Update**
    So, finally got a hold of support and he noticed that the exclusions I had in place from the previous support tech were incorrect.

    These were the errors he picked up from his end:

    2018-04-30 02:11:40,703-06:00 [27] INFO  MB3Service Exclusion ScanExclusionType_Folder:C:\Program Files (x86)\Zuercher Suite\* was not added to Scan controller because it was not valid for the type
    2018-04-30 02:11:40,703-06:00 [27] INFO  MB3Service Exclusion ScanExclusionType_Folder:C:\Program Files (x86)\Zuercher Suite\* was not added to RTP controller because it was not valid for the type
    2018-04-30 02:11:40,703-06:00 [27] INFO  MB3Service Exclusion ScanExclusionType_Folder:C:\Program Files (x86)\Zuercher Suite\* was not added to ARW because it was not valid for the type
    2018-04-30 02:11:40,703-06:00 [27] INFO  MB3Service Exclusion ScanExclusionType_Folder:I:\* was not added to Scan controller because it was not valid for the type
    2018-04-30 02:11:40,703-06:00 [27] INFO  MB3Service Exclusion ScanExclusionType_Folder:I:\* was not added to RTP controller because it was not valid for the type
    2018-04-30 02:11:40,703-06:00 [27] INFO  MB3Service Exclusion ScanExclusionType_Folder:I:\* was not added to ARW because it was not valid for the type



    In order to have the correct exclusion in place I needed to remove the “Folder by Path” and change that to “Exclude files or folders by wildcards (Windows)” and use the following: C:\Program Files (x86)\Zuercher Suite\*

    Hopefully this will bring an end to my issues.

  4. On 4/13/2018 at 12:06 PM, djacobson said:

    Thanks Tony, I've seen this sometimes when the agent loses connection to the cloud and is unable to finish setting exclusions after starting, allowing a few of the ignored items to get caught. The effect is temporary but the issue is being tracked and we're going to get it fixed in a later update.

    I'm having some other issues related to leds...my end users are reporting the software program becoming unresponsive..slow...locking up...needing a full computer restart to get out from under it. I'm seeing the following events in or around when the software is having issues....

     

    2018-04-22 23:11:29,719-06:00 [33] ERROR MB3Service Error applying ScanExclusionType_Folder:I: to ARW controller
    System.Runtime.InteropServices.COMException (0x80004005): Error HRESULT E_FAIL has been returned from a call to a COM component.
       at ArwControllerCOMLib.IArwController.AddExclusion(_ArwExclusionType type, String pData)
       at EAMBAMPlugin.MB3Service.<>c__DisplayClass30_0.<ApplyExclusions>b__1()

    2018-04-22 23:11:29,719-06:00 [33] ERROR MB3Service Error applying ScanExclusionType_File:C:\Program Files (x86)\Zuercher Suite\production\launcher\launch_leds.exe to ARW controller
    System.Runtime.InteropServices.COMException (0x80004005): Error HRESULT E_FAIL has been returned from a call to a COM component.
       at ArwControllerCOMLib.IArwController.AddExclusion(_ArwExclusionType type, String pData)
       at EAMBAMPlugin.MB3Service.<>c__DisplayClass30_0.<ApplyExclusions>b__1()


    2018-04-22 23:11:29,703-06:00 [33] ERROR MB3Service Error clearing ARW exclusions
    System.Runtime.InteropServices.COMException (0x80004005): Error HRESULT E_FAIL has been returned from a call to a COM component.
       at ArwControllerCOMLib.IArwController.ClearExclusions()
       at EAMBAMPlugin.MB3Service.<>c__DisplayClass30_0.<ApplyExclusions>b__1()

    2018-04-22 23:11:29,236-06:00 [23] ERROR MBAMPlugin Unable to apply setting for "L1WPM": System.Runtime.InteropServices.COMException (0x80004005): Error HRESULT E_FAIL has been returned from a call to a COM component.
       at AEControllerCOMLib.IAEController.SetAeOption(_AeOptionName optionName, Int32 option)
       at EAMBAMPlugin.MBAMPlugin.ProcessAdvancedAntiExploitTechniques()
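
To check an agent log for exclusions that never took effect, as in the log lines quoted in posts 3 and 4 above, this added example (not part of the original posts and not Malwarebytes code) parses the two message shapes shown there. The function names are hypothetical and the sample lines are copied from the posts.

```python
import re
from collections import defaultdict

# Sample lines copied from the log excerpts quoted in the posts above.
SAMPLE_LOG = r"""2018-04-30 02:11:40,703-06:00 [27] INFO  MB3Service Exclusion ScanExclusionType_Folder:C:\Program Files (x86)\Zuercher Suite\* was not added to Scan controller because it was not valid for the type
2018-04-30 02:11:40,703-06:00 [27] INFO  MB3Service Exclusion ScanExclusionType_Folder:C:\Program Files (x86)\Zuercher Suite\* was not added to RTP controller because it was not valid for the type
2018-04-30 02:11:40,703-06:00 [27] INFO  MB3Service Exclusion ScanExclusionType_Folder:I:\* was not added to ARW because it was not valid for the type
2018-04-22 23:11:29,719-06:00 [33] ERROR MB3Service Error applying ScanExclusionType_Folder:I: to ARW controller
System.Runtime.InteropServices.COMException (0x80004005): Error HRESULT E_FAIL has been returned from a call to a COM component.
2018-04-22 23:11:29,703-06:00 [33] ERROR MB3Service Error clearing ARW exclusions
"""

# Timestamp, thread id and level, as they appear at the start of each log entry.
PREFIX = r"^\S+ \S+ \[\d+\] \w+\s+MB3Service "

# INFO shape: the exclusion was rejected before being handed to an engine.
REJECTED = re.compile(
    PREFIX + r"Exclusion (?P<type>ScanExclusionType_\w+):(?P<value>.+?)"
    r" was not added to (?P<target>.+?) because (?P<reason>.+)$")

# ERROR shape: the engine call itself failed (followed by a COMException trace).
FAILED = re.compile(
    PREFIX + r"Error applying (?P<type>ScanExclusionType_\w+):(?P<value>.+?)"
    r" to (?P<target>.+?) controller$")


def unapplied_exclusions(log_text):
    """Map (exclusion type, value) -> sorted engines that did not receive it."""
    found = defaultdict(set)
    for line in log_text.splitlines():
        m = REJECTED.match(line) or FAILED.match(line)
        if m:
            target = m["target"].replace(" controller", "")
            found[(m["type"], m["value"])].add(target)
    return {key: sorted(engines) for key, engines in found.items()}


def folder_entries_with_trailing_wildcard(results):
    """Folder-type exclusions ending in '*', the pattern the posts identify as invalid."""
    return sorted(value for (etype, value) in results
                  if etype.endswith("_Folder") and value.endswith("*"))


if __name__ == "__main__":
    report = unapplied_exclusions(SAMPLE_LOG)
    for (etype, value), engines in report.items():
        print(f"{etype}: {value} -> not applied to {', '.join(engines)}")
    print("Trailing wildcard on folder type:", folder_entries_with_trailing_wildcard(report))
```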

  5. 12 hours ago, djacobson said:

    @TonyCummins is this still happening to you?

    Hi djacobson,

    Actually I still had the exclusion in place and never removed it. That said, last week we had a software update which changed the launch_leds.exe file.......it renamed the old launcher folder as .old...created a new launcher folder and placed the new exe in there...1 of my main dispatch machines picked it up and flagged it as ransomware and deleted it. I had a hell of a time troubleshooting it and getting it back up, reinstalled and running. Re-added the exclusion and it seems to be holding and not getting flagged for now.

  6. Just now, CHMOD_777 said:

    Hello @TonyCummins I just wanted to reach out to you and confirm that the Malwarebytes platform did not go down today. The window you presented must have been cached in your user's browser from our last maintenance window. Just clear your cache by using CTRL + F5 and then refresh.

    I never said it went down today. I had issues yesterday and it was NOT a browser cache one. As I mentioned above I tried multiple computers and browsers to access console....even VPN to my home PC to try.

  7. What the hell....now I'm receiving a "down for maintenance" logo!

     

    The email I received yesterday alerting me to scheduled maintenance said it was not happening till Wednesday!
    "Malwarebytes is scheduled to update our cloud platform on March 8, 2018 at 8:00PM EST / 5:00PM PST. We anticipate less than 3 hours of downtime to complete this update"
     

  8. 1 hour ago, IT_Guy said:

    I did disable it and have had fewer reports of people complaining about slow machines. I haven't been able to specifically identify a successful case, but since nobody used the function and it was apparently detrimental to some, I removed it. I suppose if you have end users that need to frequently scan things you could create a separate profile for them with it enabled.

    Yea, I don't have any users that "need" to do local scans assuming it's auto protecting etc....I guess I kind of used the tray icon as a means to determine if endpoint was being protected or not as I walked the campus.

  9. 1 hour ago, IT_Guy said:

    Click on an endpoint, in the bottom right corner is a button called "Related Tasks" under there you can schedule a "Check for Protection Updates"

    This can also be done if you go to the Endpoints overview screen, click the blank checkbox in the top left to select all your endpoints, then click on Actions and under there "Check for Protection Updates"

     

    You can also schedule scans in this area.

     

    Looks like you already found this, and found that it doesn't do anything.

     

    Yep...I was using the endpoints overview screen...don't seem to make a blind bit of difference as they do not have matching versions which tells me the check for update is doing nothing!

     

    [off-topic]
    Did I read elsewhere that you disabled tray icon to try to stop some of the memory leak? Have you had any luck with that?

  10. 1 hour ago, IT_Guy said:

    I noticed this across most of my endpoints as well, it took some time before I could find two with matching version numbers. I scheduled a protection update to see if that helped. Haven't checked back since.

    When you say you scheduled a "protection update".....do you mean a scan? I'm not seeing how I can create just an "update schedule".....maybe I'm just not seeing it!

  11. On 2/20/2018 at 9:23 AM, vbarytskyy said:

    @TonyCummins

    The units should update when a scan is performed. Make sure your scan schedule is correct. 

    Also, at times updates are applied with reboots, make sure to perform a reboot if these computers have not been restarted in a long time. 

     

    Thank you. 

     

    What do you mean by making sure your scan schedule is correct? Also the PCs get rebooted daily.

  12. 5 hours ago, KDawg said:

    Please add the exception for the 255 temporarily, we are not actually blocking but the program is incorrectly reporting such.


    We have a fix in the works for this and should see it resolved soon. In the meantime adding a 255.255.255.255 exclusion will resolve.

     

     

    Wasn't this already addressed and fixed when it first surfaced back in November? Why is the issue reoccurring?
