About rbabcock

  • Rank
    New Member
  1. After disabling TLS < 1.2 on Win/10 workstations, we see event logs flooded with schannel errors "error occurred while creating a TLS client credential". It appears these are from the Malwarebytes endpoint agent attempting a TLS 1.0 connection to ec2-34-193-90-6.compute-1.amazonaws.com. Is there any configuration change we can make to force the agent to use TLS 1.2? Are we breaking the agent by blocking TLS 1.0?
  2. Thanks. It was exactly that guide that eventually clued us in to the fix. On the server side, we hit the 10GB SQL Express database size limit. Following instructions in this thread, we truncated and shrunk the database. And, we temporarily set the retention to 1 day and turned off email notifications. I wrote a cleanup script customized for our environment. Cleaning up the logs has worked on a few test machines. Monday we'll worry about recording who has/hasn't gotten the cleanup and do everybody. I suspect the fact that you're responding to posts this late on Friday night
  3. Looks like the problem is that sccomm.exe is choking on the local log files. To fix on a remote target: Stop the SCCommService. (SCCommService probably won't respond to a service stop command, so use pskill or other task killer on sccomm.exe.) Delete all txt and xml files in "C:\ProgramData\Malwarebytes\Malwarebytes’ Anti-Malware\Logs". Restart the SCCommService with sc. We see ~20,000 files in the log directory. Deletion over the network takes around 5 minutes.
  4. Machines that got caught by this weekend's oops are showing sccomm.exe saturating one CPU core after deleting the bad ref file and rebooting. We terminated sccomm.exe on most machines (which is equivalent to stopping the MEEClientService service except the service doesn't respond to stop commands). When machines get rebooted and the service restarts, we get a flurry of emails from the Malwarebytes server as a hundred thousand or more blocks of internal servers get reported. But the high CPU usage continues. The server was also showing high CPU usage and the database hit 10GB so we truncate