Been trying to get the Endpoint Security going in our org.

A few points of confusion for me that I need further clarity on.

I've read the following documents without actually seeing these items documented:

Endpoint Security Quick Start Guide.pdf

Malwarebytes Management Console 1.4.1 Administrators Guide.pdf

Malwarebytes Management Console 1.4.1 Best Practices Guide.pdf

1) When a machine has a detection it shows up highlighted pink in the Clients view of the console.

But for how long? Forever? Until the client logs are cleared? Until the infection is removed?

2) Regarding removals: there's a column in the Security Logs tab within the client console view that is titled OPERATION.

What does this column actually indicate, and what is the range of responses?

So far I've noted <None> and Success. But what do they mean?

Presumably <None> means no action was taken, and Success means the infection was removed? Or whatever the policy action is set to be for that class of detection, yes?

So, circling back to the top: if Success means removed/quarantined etc., will the client stop being highlighted in PINK to alert that there's an infection?

Thanks,

CxL


  • Staff

Hello cxl48548,

1. The red/pink color shows that a detection was found. It will stay like that until the next scan that computer runs comes back clean.

2. You are correct in this, but there is also a quarantine option. None, as you assumed, is no action taken. Success is there when a program or IP address was blocked. Quarantine is there when a file is removed.

Just as an example, I ran a test infection which Malwarebytes blocked, so it shows as a Success. Then it quarantined the file, so it shows up as a Quarantine. If you are noticing some items as None, then there are two things that may be causing that.

a. The settings in the policy may have the setting for that detection (PUPs and PUMs, for example) as "show in results list and do not check for removal". Because they are not checked for removal, nothing happens to them.

b. "Quarantine automatically" was not turned on for that scan.

Let me know if you have any other questions!

Thank you,

Ron S

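As an added illustration (not code from the console or from either poster), the following Python triage script encodes the rules Ron describes: a client stays highlighted until its latest scan comes back clean, and the OPERATION values None, Success and Quarantine mean no action, blocked, and removed. The scan records and client names are constructed samples; it is assumed the console's exported security logs have already been parsed into these tuples.

```python
"""Triage helper for Malwarebytes Management Console security logs (illustrative)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample scans: (client, scan time, [(detection type, OPERATION), ...]).
# An empty detection list represents a scan that came back clean.
SAMPLE_SCANS = [
    ("PC-01", "2015-03-02 09:00", [("Malware", "Quarantine")]),
    ("PC-01", "2015-03-03 09:00", []),                       # clean follow-up scan
    ("PC-02", "2015-03-02 10:15", [("PUP", "None"), ("PUM", "None")]),
    ("PC-02", "2015-03-04 10:15", [("PUP", "None")]),        # still only listed, never removed
    ("PC-03", "2015-03-02 11:30", [("Malicious website", "Success")]),
]

# OPERATION values as explained in the thread (the guide itself does not define them).
OPERATION_MEANING = {
    "None": "no action taken: check policy ('show in results list' / auto-quarantine off)",
    "Success": "program or IP address blocked",
    "Quarantine": "file removed to quarantine",
}


def latest_scan(scans):
    """Return {client: (timestamp, detections)} for each client's most recent scan."""
    latest = {}
    for client, when, detections in scans:
        ts = datetime.strptime(when, "%Y-%m-%d %H:%M")
        if client not in latest or ts > latest[client][0]:
            latest[client] = (ts, detections)
    return latest


def flagged_clients(scans):
    """Clients the console would still highlight: their last scan had a detection."""
    return sorted(c for c, (_, dets) in latest_scan(scans).items() if dets)


def unactioned_detections(scans):
    """Detection categories logged with OPERATION None per client, i.e. seen but not
    removed; these are candidates for switching the policy to 'show & check for removal'."""
    out = defaultdict(set)
    for client, _, detections in scans:
        for category, op in detections:
            if op == "None":
                out[client].add(category)
    return {c: sorted(cats) for c, cats in out.items()}


def describe(op):
    """Human-readable meaning of an OPERATION value, flagging anything unexpected."""
    return OPERATION_MEANING.get(op, "undocumented operation value: " + op)
```

Running `flagged_clients(SAMPLE_SCANS)` returns PC-02 and PC-03 (PC-01 cleared on its clean scan), and `unactioned_detections` points at PC-02's PUP/PUM entries as the policy settings to revisit.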

Hi Ron,

I guess the biggest question is, why is it not covered in any documentation?

Or if it is, can you kindly point me to which documentation addresses these items, as it may contain other information I could learn from.

I hear you about the default policy for PUPs being to list but not remove.

I learned that recently through experience, so I modified the policy to be:

PUP: Show & check for removal

PUM: Show & check for removal

P2P: Show & check for removal

I can see that some of the clients that I am questioning are reporting the most recent policy version is in effect, yet they remain 'pink'.

But they are not frequently online, so it may just be that they have not reported back a 'clean' scan to the console as yet.

Thanks,

CxL


  • Staff

Hi CxL,

No problem. It is in the admin guide and can be found on page 22 under section 7.4. Here is a link to the one I am viewing, just in case: http://static-cdn.malwarebytes.org/assets/userguides/2015-01-21/MBMCGuide.pdf

If they are not frequently online, then that may be the issue. They have to check in with the policy (based on the policy check-in timer) so that the client can send the console the log that updates whether the client is clean or not. If you notice they are online and are still showing as pink/red, then we can assist in figuring out either why an infection is not being removed or why it is still showing that way.

Thank you,

Ron S


Thanks Ron.

I had that document, so I went to the referenced section 7.4.

I then found the other bit about the OPERATION column being documented somewhat at 7.1.2, although it was more like a side note, and it doesn't really define what the statuses mean. Some of them are self-evident of course, but my query about what exactly Success indicates isn't really answered anywhere that I could find, even after the additional review of the document.

Thanks for the follow up.

CxL


  • Staff

Hello CxL,

You are correct. It doesn't seem to go into it much. I can bring this up to the team about possibly making an addition to show exactly what those entries mean. We know what they are because we work on the product so much, but it may not be so obvious to customers who are new to the product.

Thank you,

Ron S
