Kalrand

Can you verify on the endpoints that are not working that the MBEndpointAgent service is running? If so, can you restart it and see if the issue is still there? Edit: Oops, @vbarytskyy beat me to the punch. You're in good hands.

@djacobson listed a good guide matrix on recommended settings. The below post was in regards to Exchange but his matrix included multiple server roles and OS.

You are not alone @mprott or @Markpol, I've created a stop-gap to at least get the Endpoints reporting until the issue is resolved. I also worked with @TonyCummins and created a step-by-step guide using PDQ Deploy (it's handy and it's free) [see below]. I'll reiterate my comment from earlier this month on my findings of the issue and the impact as I know it of the script. Mods, I don't want to interfere with you in tracking down the issue but at the same time I don't want to have blind spots in our visibility. However, that being said if this is counter productive or in anyway hinders your efforts please remove

I agree that this is troublesome and we also run into this issue, and have with Sophos before switching to Malwarebytes. I truely believe that the issue is with Windows 10 as it wasn't an issue before on Windows 7 (for Sophos or Malwarebytes). Do you have a means to run a batch script on the endpoints, like PDQ Deploy? The below is the script we use to help mitigate the issue. START /WAIT net stop "MBEndpointAgent">nul 2>&1 timeout /T 3 /nobreak>nul START /WAIT net start "MBEndpointAgent">nul 2>&1 sc config "MBEndpointAgent" start= delayed-auto Granted this is a stop-gap and not a solution, on occasion will need to be reapplied as updates reset the Agent start mode. When the Agent is in a offline state it does not prevent Malwarebytes from protecting the system, this only affects the communication to the cloud (updating current policies and schedules) and on-demand scanning.

We had to create a support ticket to get them removed, though once the ticket was created they were removed quickly.

Interesting, we are also behind a SonicWall.

As a stop-gap measure, try running the below script on the endpoint. We do this on our own endpoints when they happen to drop off. START /WAIT net stop "MBEndpointAgent">nul 2>&1 timeout /T 3 /nobreak>nul sc config "MBEndpointAgent" start= delayed-auto START /WAIT net start "MBEndpointAgent">nul 2>&1 This stops the agent and restarts it with a delayed start which I believe is being pushed aside during Windows boot up. The agent only controls the GUI and communication with the Cloud Portal and won't interfere with active protection, the engine. Though I believe updates is handled by the agent as well though I don't know that for certain having it start a few seconds later won't interfere with it running and updating.

After you ran the above did the Endpoints start reporting? Another part of the script that we use is to delay the start of the Agent by this command, for some reason with the Agent and Windows 10 we had more offline endpoints if we didn't delay it's startup. The only issue is the next update of the agent will undo that. sc config "MBEndpointAgent" start= delayed-auto

We had 14 endpoints go offline this morning, all of the physical computers are up and running. To combat this since we've seen it in the past is to restart the Malwarebytes Endpoint Agent. We automate it a little by using PDQ Deploy with a script to restart the agent. Below is a snippet of the script we use, I left out some of our logging functions that you probably wouldn't need. START /WAIT net stop "MBEndpointAgent">nul 2>&1 timeout /T 3 /nobreak>nul START /WAIT net start "MBEndpointAgent">nul 2>&1

We had quite a few agents not report to the MEP Cloud in the beginning, this would show them as offline. Since we saw this particular behavior before with Sophos and Windows 10 we did what we did there, set the agent start mode to auto (delayed start). This cut down the offline endpoints to nearly zero. We scripted it for convenience, see below for the command we use. sc config "MBEndpointAgent" start= delayed-auto

You could use MetaDefender or VirusTotal to get some reports. If you have a SonicWall with Capture ATP you could submit the file, other option is a free service like Comodo Instant Malware Analysis or Windows Defender.

This happened to me last week. You'll need to open a support ticket and they will delete it.

Since this is an Exchange server it should not be downloading and running programs or sharing files so the Web and Ransomware really are not needed because the data is not directly accessed. As for the email, the Endpoints on the workstations are scanning anything they come in contact with.

The matrix shows what settings should be enabled/disabled for certain server roles. In the case of Exchange, both Web Protection and Ransomware Protection should be disabled to not interfere with Exchange.

Take a look at this to make sure your policy is set correctly for Exchange.