N33dful

Hi @ChrisLombaard, I'd suggest also excluding the working directory of any projects. Do you have any other endpoint protection programs installed on the affected machine? If so, a conflict could be to blame and could be remedied by mutual exclusions. If not, and the trouble persists, you may want to look into creating a custom policy for that server and try disabling real-time protection layers to see which is at fault. I suspect you'll find the 'Behavior Protection' is the cause as it monitors the file system for ransomware-like behavior. You'll find the Real-time Protection settings in the Policy under 'Windows > Settings > Real-time Protection'. Let me know if that gets it working for you!

As @Lesyk009 mentioned, we are still looking in to the issue and should have an update soon. Apologies for the inconvenience, we'll update you all here as soon as we have more information.

Hi @Tora, Sorry for the delay! If the ip address is the same as the previous console, the clients should check back in automatically. If the ip is not the same, the following article should prove useful. Malwarebytes Management Console server migration https://support.malwarebytes.com/docs/DOC-1041 Let me know if you have any further questions, or any trouble!

Hi @Howiedoit, As @exile360 pointed out, the Suspicious Activity page in the Cloud Console (and the associated policy settings) are features of Endpoint Protection and Response. These features are an upsell to the Endpoint Protection product. We recently made a change to make that page and the policy settings visible so that customers have an idea as to what features they're missing. The Endpoint Protection and Response features require a significant increase in overhead on the back end and thus come at an increased cost. Let me know if you have any further questions!

Hi @schnax, The status light was not reporting in real time, so in many cases it gave the illusion of an endpoint being online, whilst that may not have been the case. If an endpoint has a last seen time of today, and both the Malwarebytes Endpoint Agent Service and Malwarebytes Service are 'Running', it's safe to assume they are online. That said, we have recently added a 'Send Feedback' button at the lower left of the console and encourage you to send all feedback and feature requests via that option.

Hi @Roadrunner562, The online/offline indicator in the Malwarebytes Cloud Console was deprecated in favor of the more modern ‘Last Seen’ timestamp and search functionality. You can easily filter based on a last seen status of 'Today' for similar results to the green 'online' indicator.

Hi @Tora, Can you confirm that the external access requirements below are met? From the Administrator Guide: If your company’s Internet access is controlled by a firewall or other access-limiting device, you must grant access for Malwarebytes Management Console to reach Malwarebytes services. These are: https://data.service.malwarebytes.org Port 443 outbound https://data-cdn.mbamupdates.com Port 443 outbound https://hubble.mb-cosmos.com Port 443 outbound https://*.mwbsys.com Port 443 outbound https://telemetry.malwarebytes.com Port 443 outbound Malwarebytes Management Console Administrator Guide https://support.malwarebytes.com/docs/DOC-1723

Hi @JKIRK4885, I've refreshed your installers on the back end. If you would, please try downloading a fresh .msi installer from your Cloud Console, then run the following command from an elevated command prompt: msiexec /i Setup.MBEndpointAgent.x64.msi GROUP=YOURGUID /quiet There should not be a delay, the endpoint should join the group immediately once it connects to the console. Regarding the endpoint returning to its previously assigned group, this is likely due to configuration files remaining from the previous agent installation on that machine. Let me know if this gets it working for you!

Hi @brianyst, Let's try uninstalling using the business support tool (a restart will be required). Malwarebytes Support Tool for business environments https://support.malwarebytes.com/docs/DOC-2333 Once you've completed the cleanup process, please check for the following directories and if present, delete them. C:\Program Files\Malwarebytes Endpoint Agent\ C:\Program Files\Malwarebytes C:\ProgramData\Malwarebytes C:\ProgramData\Malwarebytes Endpoint Agent Let me know how it goes!

Hi @TBundy, Sorry to hear you're having trouble, I'll be happy to help. Can you provide an example of the exclusion you're trying to add? (please redact or anonymize any personal information) How have you determined it's Anti-Ransomware breaking the function, are you receiving detections? I'd suspect Anti-Exploit to be the cause of such an issue.

Hi @jbennin, @exile360 is correct that the notifications from the detections had stacked up. Depending on the amount of detections made for the false positive, you could continue to get notifications well after the event until they've all been reported. The solution to stop the continued reporting is to remove the detection history from the managed client, as you found. Let us know if you have any further trouble or questions!

Hi @bdawg425, It looks like you spoke with Chris via chat and we've opened up a support ticket for this issue, let's continue working on this via the support ticket to resolve the trouble.

Hi @bdawg425, The steps @exile360 provided should assist you in getting the push install working, you would need to have the administrator account enabled and have the same password set on each machine. Please do let us know if you have any further trouble, we'll be happy to help!

Hi @Kelvs, As @exile360 pointed out, Endpoint Protection does not have those features. Endpoint Protection and Response does have a lock feature, Endpoint Isolation, which you can read more about in the previously mentioned link. There are currently no locate or wipe features, but I wouldn't be surprised if we saw them implemented in the future.

Hi @csnead, You should have had the option to retrieve the computer information when you re-added the OU, and alternatively, they should eventually sync on their own if AD sync is enabled. Have you double checked the AD sync settings/credentials? Has it ever worked? You can try removing and re-adding again and choose to retrieve the computer information now. You may need to toggle between groups to have the clients in each group reflect accurately. Let me know how it goes and if you continue to have trouble!