Kalrand

As a stop-gap measure, try running the below script on the endpoint. We do this on our own endpoints when they happen to drop off. START /WAIT net stop "MBEndpointAgent">nul 2>&1 timeout /T 3 /nobreak>nul sc config "MBEndpointAgent" start= delayed-auto START /WAIT net start "MBEndpointAgent">nul 2>&1 This stops the agent and restarts it with a delayed start which I believe is being pushed aside during Windows boot up. The agent only controls the GUI and communication with the Cloud Portal and won't interfere with active protection, the engine. Though I believe updates is handled by the agent as well though I don't know that for certain having it start a few seconds later won't interfere with it running and updating.

After you ran the above did the Endpoints start reporting? Another part of the script that we use is to delay the start of the Agent by this command, for some reason with the Agent and Windows 10 we had more offline endpoints if we didn't delay it's startup. The only issue is the next update of the agent will undo that. sc config "MBEndpointAgent" start= delayed-auto

We had 14 endpoints go offline this morning, all of the physical computers are up and running. To combat this since we've seen it in the past is to restart the Malwarebytes Endpoint Agent. We automate it a little by using PDQ Deploy with a script to restart the agent. Below is a snippet of the script we use, I left out some of our logging functions that you probably wouldn't need. START /WAIT net stop "MBEndpointAgent">nul 2>&1 timeout /T 3 /nobreak>nul START /WAIT net start "MBEndpointAgent">nul 2>&1

We had quite a few agents not report to the MEP Cloud in the beginning, this would show them as offline. Since we saw this particular behavior before with Sophos and Windows 10 we did what we did there, set the agent start mode to auto (delayed start). This cut down the offline endpoints to nearly zero. We scripted it for convenience, see below for the command we use. sc config "MBEndpointAgent" start= delayed-auto

You could use MetaDefender or VirusTotal to get some reports. If you have a SonicWall with Capture ATP you could submit the file, other option is a free service like Comodo Instant Malware Analysis or Windows Defender.

This happened to me last week. You'll need to open a support ticket and they will delete it.

Since this is an Exchange server it should not be downloading and running programs or sharing files so the Web and Ransomware really are not needed because the data is not directly accessed. As for the email, the Endpoints on the workstations are scanning anything they come in contact with.

The matrix shows what settings should be enabled/disabled for certain server roles. In the case of Exchange, both Web Protection and Ransomware Protection should be disabled to not interfere with Exchange.

Take a look at this to make sure your policy is set correctly for Exchange.

That's what I thought, thank you.

After yesterday's issue with a threat that was not picked up by MEP but was by Windows Defender (VirusTotal, MetaDefender) we are forced to consider running both. If I enable in the policy "Never register Malwarebytes in the Windows Action Center" this allows Defender to start running on our Windows 10 workstations. My question is, when this is enabled will MEP still continue to provide active protection? I don't want to abandon MEP but I also don't want to be left open to threats either.

Looks like it is a false positive.

I did a test. I scanned my autochk.exe and it was clean. Copied it to a USB stick and ran a scan from the workstation on that file, it came up clean. Moved the file back to C:\Windows\System32 and ran another scan, it also came up clean. Unfortunately this doesn't point either way if it's a false positive or not.

I also saw this when I came to work this morning as well, only on one workstation.

What you see is normal for the Cloud Malwarebytes Endpoint Protection. The agent is what talks to the Cloud and allows on-demand scanning, the "version" install is the actual engine. Below is a screenshot from my own workstation.