N33dful

Hi @Hardhead, Thanks for letting us know! I believe we have enough information to go on now and are developing a fix, I'll let you know if any further detail or logs would prove useful. Additionally, I'll update you here once we've released a fix. I see your subscription is for the consumer product, it may take additional time for the update to reach the Premium consumer version compared to the ARW standalone business release since the former is bundled. For this reason, you may want to open up a new case with our consumer support team. If you have a business subscription that I'm not seeing, I'll be happy to open a case and update you accordingly.

@JanN-M, Happy to help! And there are certainly some instances where we may advise, or you may prefer to take a machine offline and remediate via our MBBR tool (available in your Cloud Console on the 'Downloads' page). What I was attempting to convey is that these instances are few and far between, and that in the majority of detections/infections, disconnecting the machine is unnecessary and can impede a swift recovery.

Hi @JanN-M, I've copied your questions and replied in red to keep this as digestible as possible. Question 1 : After installing the agent on the endpoint, it becomes impossible to visualize any kind of interface to view the current settings, recent activities, quarantine etc on the endpoint itself ? The only source of information or config becomes the cloud portal.Is that correct, and by design ? Correct, all of our cloud based solutions are intended to be lightweight on the client side and centrally managed from the Cloud Console. The Agent first checks for any of our other products and if present, uninstalls them, so the free version would not remain or be accessible once the Endpoint Agent is installed. (*) The first thing I do when an endpoint infection is detected, is disconnect the endpoint from the network to avoid spreading malware : but that severs the cloud console connection, and leaves me with no interface at all on the endpoint to perform any kind of interaction with the MB services!? - I know of a repair tool that can be downloaded, but that is tekst-based, and focuses on repair, not on the current config or status of the services ? And to be able to use it, it should obviously be downloaded prior to any network disconnect… ( and periodically updated - manually - …. ) It sounds like you're referring to our Malwarebytes Breach Remediation Tool (MBBR), the standalone scanner. While this is one of many options to remediate, disconnecting after detections are made with a cloud product and remediating via MBBR is not a typical scenario or recommended use case. Endpoint Protection (EP), and Endpoint Protection and Response (EPR) are designed to stay connected throughout the infection lifecycle. (**) The presumption seems to be that endpoints will never get infected, that MB will be 100% effective ? What is the scenario for a zero-day infection, for which a remediation follows some days later ? Isolating the endpoint from the console, and leaving no way to interact on the endpoint itself ( to update drivers from a new definitions file e.g. ) results in catch-22 situation ? Our real-time protection operates on many layers and in the event of a 0 day, infections can be stopped based on behavior. There is certainly no presumption of 100% efficacy, however, a multi-layered defense employing real-time protection ensures there's not a single point of failure (delayed, or missed scheduled scans etc.). I would find it much more convenient to always be able to open a GUI interface on the endpoint (as administrator), in which it is possible to consult the current active config ( active policy, exclusions, etc ), and be able to interact more with the MB services than just 'performing a threat scan'. Is that present on an endpoint that has the agent installed, and am I not finding it ? On what is visible on the endpoint, I only find these options that can be set ( by policy) : - tray options : --> hide completely --> show tray icon but nothing can be done with it --> show tray icon and a threat scan can be issued - either by all users, or only by local administrator accounts - all reference to the MB programs in the endpoint menu’s and desktop are also removed when the console agent is installed. Again, this is by design as the cloud products were intended to be lightweight on the client and managed remotely from the cloud console. You could certainly log in to the console at cloud.malwarebytes.com from any client, although not a best practice from an infected machine. Question 2 : In the console it is possible to see that the website checker has been triggered, but : - malicious websites that are blocked : there is no information about which user and/or which process caused the detection. - we use Windows Desktop Services ( Terminal Services ), but cannot know which user attempted to visit the site, and whether it was a browser process, or something else. --> can I find this information anywhere ? Selecting the detection name on the 'Detections' page will pull up a 'Detection Details' pane with more information, including the applicable process. It does not, however, include a logged on user. This has been requested as a feature, but I'd definitely recommend submitting feedback using the 'Send Feedback' button in the lower left of the Cloud Console. This feedback goes straight to our Product Management team and is recommended for all feature requests and enhancements. Question 3 : - determine all exclusions that are currently active on one endpoint : how can that be achieved --> In the overview of the endpoint there is no way to see a list of active exclusions : You have to puzzle the complete picture by using the selections in the “Exclusions” part in the console ? --> It would be better to be able to consult this, and basically also the active policy sessings as reported by the endpoint in de endpoint overview. Am I correct that this cannot be visualized ? Correct, and Correct. This information is only visible from the Cloud Console. Question 4 : I have not tried this yet - just curious : - when the endpoint is removed in the console, the endpoint agent will be removed. - Will the malwarebytes service itself remain, and will its default interface re-emerge ? Will it become a Malwarebytes Free installation with no real-time protecion ? - What settings will be in effect ? If a machine is deleted from the Cloud Console, an uninstall command is queued and sent once communication with that machine is established. Once complete, the Endpoint Agent and all services are uninstalled. Some configuration files may remain. Question 5 : - when a detection occurs, how long does it take for the endpoint to notify the cloud console ? Is that immediately, or at the next endpoint-cloud console communication cycle ? Any detection event will force an immediate sync with the console to report that detection data. Question 6 : - Am I correct that there is NO way to have the MB environment notify by mail that a real-time detection has occurred ? Only when the detection occurred during a scheduled or interactive scan of an endpoint ? Email notifications for RTP detections are not configurable through the console. That said, syslogging can be utilized to report RTP events and subsequently notify you via email. More info below. Configure Syslog in Malwarebytes Cloud Platform https://support.malwarebytes.com/docs/DOC-2811 We do encourage you to report all feature and enhancement requests, and ask that you provide those via the 'Send feedback' button in your Cloud Console, while on the most relevant page of the console to the request. Apologies if I missed anything, let me know if you have any follow up questions or if I can be of any further assistance!

Hi @REGITDept, We're still working on a fix, no ETA at this time. I'll update you via email on the open ticket as soon as I have more information!

Hi @REGITDept, Sorry for the trouble! This is a known issue we're currently working on a fix for. I've opened a new problem ticket and reached out via email, I'll update you there as soon as a fix goes live.

Hi @Kernel, Sorry you're having trouble, I'll be happy to help. You should not be prompted for the password when attempting to turn off tamper protection in the policy. Let's try turning it off, then re-enabling it and try a new, simple password. If you continue to have trouble, I'll be happy to open a ticket and continue working with you to investigate the issue.

@morgan26, That makes sense, as wildcards are not supported in the Anti-Ransomware exclusions. Glad you were able to get it working, and you're very welcome!

Hi @morgan26, You can't exclude a specific .exe, regardless of directory, if that's what you're asking. You can however, exclude a file within a specific directory or the directory itself. To do that, you'd simply edit the relevant policy, adding the directory or file path to the ignore list on the Anti-Ransomware tab. Alternatively, you could right-click > Stop Protection on the Anti-Ransomware icon in the task tray, then re-enable once testing is complete. Let me know if you have any questions, or if I can be of any further assistance!

Hi @AyatoWard, Sorry to hear you're having trouble, I'll be happy to help. Are the crashes completely random, or do they seem to happen around the same time(s)? Do you have any other 3rd party anti-virus or security software installed? Typically, we'd create a ticket for an issue like this, however I wasn't able to find an account linked to the email on your forum account. If you'd like, message me any pertinent account and contact details and we can open and begin working a problem case. Thanks!

Hi @fyang, Sorry you're having trouble, I'll be happy to help. Is there a particular reason you opted to go with an external database, rather than the embedded one? If not, installing with the embedded database is typically much simpler. If you'd like to stick with the external database, try following the steps below. Configure Malwarebytes Management Console to use external database https://support.malwarebytes.com/docs/DOC-1279 Let me know if that gets it working for you or if you continue to have trouble!

Hi @ChrisLombaard, I'd suggest also excluding the working directory of any projects. Do you have any other endpoint protection programs installed on the affected machine? If so, a conflict could be to blame and could be remedied by mutual exclusions. If not, and the trouble persists, you may want to look into creating a custom policy for that server and try disabling real-time protection layers to see which is at fault. I suspect you'll find the 'Behavior Protection' is the cause as it monitors the file system for ransomware-like behavior. You'll find the Real-time Protection settings in the Policy under 'Windows > Settings > Real-time Protection'. Let me know if that gets it working for you!

As @Lesyk009 mentioned, we are still looking in to the issue and should have an update soon. Apologies for the inconvenience, we'll update you all here as soon as we have more information.

Hi @Tora, Sorry for the delay! If the ip address is the same as the previous console, the clients should check back in automatically. If the ip is not the same, the following article should prove useful. Malwarebytes Management Console server migration https://support.malwarebytes.com/docs/DOC-1041 Let me know if you have any further questions, or any trouble!

Hi @Howiedoit, As @exile360 pointed out, the Suspicious Activity page in the Cloud Console (and the associated policy settings) are features of Endpoint Protection and Response. These features are an upsell to the Endpoint Protection product. We recently made a change to make that page and the policy settings visible so that customers have an idea as to what features they're missing. The Endpoint Protection and Response features require a significant increase in overhead on the back end and thus come at an increased cost. Let me know if you have any further questions!

Hi @schnax, The status light was not reporting in real time, so in many cases it gave the illusion of an endpoint being online, whilst that may not have been the case. If an endpoint has a last seen time of today, and both the Malwarebytes Endpoint Agent Service and Malwarebytes Service are 'Running', it's safe to assume they are online. That said, we have recently added a 'Send Feedback' button at the lower left of the console and encourage you to send all feedback and feature requests via that option.