uncoitsecurity

Members
Posts: 1
Reputation: 0 Neutral
This is what we did in our environment.

1. Backup the database.
2. Delete all logs from the database as per instructions from Malwarebytes.
3. Deploy a cleanup script which deletes logs from the clients. Malwarebytes provided instructions on writing a GPO script to delete the logs, but we used an SCCM script in our shop. The script we used to delete those files reached 80% of the machines in our environment before we began this next phase.
4. Using the Windows firewall on the server, we restricted the number of clients which were able to communicate with the Malwarebytes server by blocking port 18457 communication.
5. Open communication to a small network segment. Using Task Manager we would monitor network and RAM usage; if it increased significantly we would restrict communication from the network range and reopen a smaller segment.
   - Monitor client-server communication using netstat -a.
   - Identify problem machines (over the course of the operation we had about 80 systems that needed a manual removal of the logs):
     - Machines had more than 2 connections on port 18457 (typically it was passing many small files).
     - Machines remained in the list for an extended period of time (typically it was passing a large file slowly).
   - Map the log locations on the problem machines and remove the log files manually.
   - When resource use stabilized we would open another segment to the management server.
6. We deleted all logs from the database using the previous instructions to account for any machines that did not successfully execute our cleanup script.
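The triage in step 5 (flag clients with more than 2 connections on port 18457, and clients whose connection stays in the netstat list across repeated checks) can be scripted rather than eyeballed. The following is an added example, not code from the poster or from Malwarebytes: it parses the Windows netstat -a text format, and the three snapshots, host addresses and port numbers it contains are constructed sample data. The management port 18457 is the one stated in the post; the thresholds are assumptions you would tune to your environment.

```python
import re
from collections import Counter

# Port the Malwarebytes management server listens on, as stated in the post.
MGMT_PORT = 18457

# Constructed sample of Windows `netstat -a` output (not real captures): three
# snapshots taken a few minutes apart. 10.0.1.20 holds many connections at once;
# 10.0.1.30 holds one connection that stays up across every snapshot.
SNAPSHOTS = [
"""
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:18457          0.0.0.0:0              LISTENING
  TCP    10.0.0.5:18457         10.0.1.20:51234        ESTABLISHED
  TCP    10.0.0.5:18457         10.0.1.20:51235        ESTABLISHED
  TCP    10.0.0.5:18457         10.0.1.20:51236        ESTABLISHED
  TCP    10.0.0.5:18457         10.0.1.30:60001        ESTABLISHED
  TCP    10.0.0.5:18457         10.0.1.40:60500        TIME_WAIT
  TCP    10.0.0.5:3389          10.0.9.9:40000         ESTABLISHED
  UDP    0.0.0.0:123            *:*
""",
"""
  Proto  Local Address          Foreign Address        State
  TCP    10.0.0.5:18457         10.0.1.30:60001        ESTABLISHED
  TCP    10.0.0.5:18457         10.0.1.41:60600        ESTABLISHED
""",
"""
  Proto  Local Address          Foreign Address        State
  TCP    10.0.0.5:18457         10.0.1.30:60001        ESTABLISHED
  TCP    10.0.0.5:18457         10.0.1.42:60700        ESTABLISHED
""",
]

# One TCP row: proto, local addr:port, foreign addr:port, state.
LINE_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")


def parse_netstat(text):
    """Return (remote_ip, remote_port, state) for every ESTABLISHED TCP row
    whose local port is MGMT_PORT. LISTENING, TIME_WAIT and UDP rows are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _local_ip, local_port, remote_ip, remote_port, state = m.groups()
        if int(local_port) == MGMT_PORT and state == "ESTABLISHED":
            conns.append((remote_ip, int(remote_port), state))
    return conns


def busy_clients(text, threshold=2):
    """Remote hosts with more than `threshold` simultaneous connections to the
    management port in one snapshot (the 'many small files' pattern)."""
    counts = Counter(remote_ip for remote_ip, _, _ in parse_netstat(text))
    return sorted(ip for ip, n in counts.items() if n > threshold)


def lingering_clients(snapshots, min_snapshots=3):
    """Remote hosts whose same (ip, port) connection appears in at least
    `min_snapshots` snapshots (the 'one large file, slowly' pattern)."""
    seen = Counter()
    for snap in snapshots:
        for remote_ip, remote_port, _ in set(parse_netstat(snap)):
            seen[(remote_ip, remote_port)] += 1
    return sorted({ip for (ip, _), n in seen.items() if n >= min_snapshots})


def problem_machines(snapshots, threshold=2, min_snapshots=3):
    """Union of both heuristics: the hosts worth checking for stuck log uploads."""
    flagged = set()
    for snap in snapshots:
        flagged.update(busy_clients(snap, threshold))
    flagged.update(lingering_clients(snapshots, min_snapshots))
    return sorted(flagged)


if __name__ == "__main__":
    # In practice, feed in `netstat -a` output captured every few minutes.
    for ip in problem_machines(SNAPSHOTS):
        print(ip)
```

Running this against captured netstat output every few minutes gives a list of client addresses to map and clean manually, which is the step the post describes doing by hand; the state filter matters because TIME_WAIT and LISTENING rows would otherwise inflate the counts.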