Jump to content

Recommended Posts

I just notice that if I turn off my protection it doesn't automatically come on after a certain period of time. Even after the policy check in. It seemed like before this version that it turned it self back on. I also noticed that in the management console i see under the system logs tab it says it was stopped, but under the client info tab it shows it still on.

Link to post
Share on other sites
  • Staff

Please click on the "readme first" link in my signature and you'll find instructions for obtaining and attaching the full MBAE and FRST logs.

 

In addition to MBAE and FRST logs, also please provide the SCCOMM log found in C:\ProgramData\SCCOMM.

 

Thanks!

Link to post
Share on other sites
  • Staff

Thanks for the logs @scoutt.

 

I see this is a Windows 10 machine. We have a known bug under Windows 10 which we're still working on.

 

On this machine, please follow the steps outlined here:

https://forums.malwarebytes.org/index.php?/topic/171634-anti-exploit-not-started-under-windows-10/

 

But instead of using the download link shown in step 6, use the link I will send you in a Private Message for the corporate build.

 

Let me know how it goes.

Link to post
Share on other sites

Thanks for the update. I have done what the article said to do and installed your file you sent me. The only problem I have is I did not have a MBAE to uninstall, just Malwarebyte's Managed Client. So I did uninstall that and the Management server hasn't see me since I uninstalled it. I did stop protection and so far, 45min later, it hasn't turned on, but I assume because the policy is not getting to me now.

Link to post
Share on other sites
  • Staff

You didn't need to uninstall the Managed Client. All you need to do is install the new MBAE version on top of what was already there.

 

Go ahead and re-deploy the Managed Client and then install the latest MBAE version on top.

Link to post
Share on other sites

Ok, I got back to managed and I still get the same thing. Client shows stopped, management server sees the stop event but still shows on and it never turns back on. Why would the user even get the option of turning it off? Shouldn't it be password protection for admin users?

Link to post
Share on other sites
  • Staff

The MBAE-CLI.EXE activity should be triggered by the sccomm.exe which is the Management Console agent. Manually starting and stopping the client does not trigger mbae-cli.exe activity.

 

Are you seeing *any* mbae-cli.exe activity?

Link to post
Share on other sites

Yes to both questions. The only difference between mine and a managed one, is I have Anti-Exploit installed as well plus the managed install. If it wasn't managed I couldn't see it on the server correct? And I do, I can see protection was turned off and the server still showing its still on.

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    No registered users viewing this page.

Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.