rbabcock

  1. We never resolved this; these messages are still flooding our event logs.
  2. After disabling TLS < 1.2 on Win/10 workstations, we see event logs flooded with schannel errors "error occurred while creating a TLS client credential". It appears these are from the Malwarebytes endpoint agent attempting a TLS 1.0 connection to ec2-34-193-90-6.compute-1.amazonaws.com. Is there any configuration change we can make to force the agent to use TLS 1.2? Are we breaking the agent by blocking TLS 1.0?
  3. Thanks. It was exactly that guide that eventually clued us in to the fix. On the server side, we hit the 10GB SQL Express database size limit. Following instructions in this thread, we truncated and shrunk the database. And we temporarily set the retention to 1 day and turned off email notifications. I wrote a cleanup script customized for our environment. Cleaning up the logs has worked on a few test machines. Monday we'll worry about recording who has/hasn't gotten the cleanup and do everybody. I suspect the fact that you're responding to posts this late on Friday night means you've had a tough week. Hang in there.
  4. Looks like the problem is that sccomm.exe is choking on the local log files. To fix on a remote target: Stop the SCCommService. (SCCommService probably won't respond to a service stop command, so use pskill or other task killer on sccomm.exe.) Delete all txt and xml files in "C:\ProgramData\Malwarebytes\Malwarebytes’ Anti-Malware\Logs". Restart the SCCommService with sc. We see ~20,000 files in the log directory. Deletion over the network takes around 5 minutes.
  5. Machines that got caught by this weekend's oops are showing sccomm.exe saturating one CPU core after deleting the bad ref file and rebooting. We terminated sccomm.exe on most machines (which is equivalent to stopping the MEEClientService service except the service doesn't respond to stop commands). When machines get rebooted and the service restarts, we get a flurry of emails from the Malwarebytes server as a hundred thousand or more blocks of internal servers get reported. But the high CPU usage continues. The server was also showing high CPU usage and the database hit 10GB so we truncated it and set the retention to 1 day. The server side is now under control. Machines that were off over the weekend show minimal CPU usage by sccomm. How do we stop sccomm.exe from gobbling CPU, and less important, can we delete the local records of blocks before restarting the MEEClientService? Email to corporate support hasn't been answered, but they must be swamped dealing with customers in worse shape than us.