My company purchased MB Endpoint Protection about 3 weeks ago, using the most recent version of the software.
We configured the cloud console, and installed our endpoints
Some of the endpoints had previously been installed with MBAM free - with the “corporate use” option, others were ‘clean installs’ by using the deployment tool or the endpoint installer tool that was downloaded in the console. They behave identical.
Everything seems to work as it should, but there are some aspects that i find less than optimal.
I would first like to ask in this forum if these ‘features’ are by design, or if I am missing something :
Can someone knowlegdeable or with experience with the MB products react ?
Question 1 : After installing the agent on the endpoint, it becomes impossible to visualize any kind of interface to view the current settings, recent activities, quarantine etc on the endpoint itself ?
The only source of information or config becomes the cloud portal.Is that correct, and by design ?
(*) The first thing I do when an endpoint infection is detected, is disconnect the endpoint from the network to avoid spreading malware : but that severs the cloud console connection, and leaves me with no interface at all on the endpoint to perform any kind of interaction with the MB services!?
- I know of a repair tool that can be downloaded, but that is tekst-based, and focuses on repair, not on the current config or status of the services ?
And to be able to use it, it should obviously be downloaded prior to any network disconnect… ( and periodically updated - manually - …. )
(**) The presumption seems to be that endpoints will never get infected, that MB will be 100% effective ? What is the scenario for a zero-day infection, for which a remediation follows some days later ? Isolating the endpoint from the console, and leaving no way to interact on the endpoint itself ( to update drivers from a new definitions file e.g. ) results in catch-22 situation ?
I would find it much more convenient to always be able to open a GUI interface on the endpoint (as administrator), in which it is possible to consult the current active config ( active policy, exclusions, etc ), and be able to interact more with the MB services than just 'performing a threat scan'.
Is that present on an endpoint that has the agent installed, and am I not finding it ?
On what is visible on the endpoint, I only find these options that can be set ( by policy) :
- tray options :
--> hide completely
--> show tray icon but nothing can be done with it
--> show tray icon and a threat scan can be issued
- either by all users, or only by local administrator accounts
- all reference to the MB programs in the endpoint menu’s and desktop are also removed when the console agent is installed.
Question 2 :
In the console it is possible to see that the website checker has been triggered, but :
- malicious websites that are blocked : there is no information about which user and/or which process caused the detection.
- we use Windows Desktop Services ( Terminal Services ), but cannot know which user attempted to visit the site, and whether it was a browser process, or something else.
--> can I find this information anywhere ?
Question 3 :
- determine all exclusions that are currently active on one endpoint : how can that be achieved
--> In the overview of the endpoint there is no way to see a list of active exclusions : You have to puzzle the complete picture by using the selections in the “Exclusions” part in the console ?
--> It would be better to be able to consult this, and basically also the active policy sessings as reported by the endpoint in de endpoint overview. Am I correct that this cannot be visualized ?
Question 4 :
I have not tried this yet - just curious :
- when the endpoint is removed in the console, the endpoint agent will be removed.
- Will the malwarebytes service itself remain, and will its default interface re-emerge ? Will it become a Malwarebytes Free installation with no real-time protecion ?
- What settings will be in effect ?
Question 5 :
- when a detection occurs, how long does it take for the endpoint to notify the cloud console ? Is that immediately, or at the next endpoint-cloud console communication cycle ?
Question 6 :
- Am I correct that there is NO way to have the MB environment notify by mail that a real-time detection has occurred ? Only when the detection occurred during a scheduled or interactive scan of an endpoint ?
Thanks in advance for your feedback.