
I just noticed that if I turn off my protection it doesn't automatically come on after a certain period of time. Even after the policy check in. It seemed like before this version that it turned itself back on. I also noticed that in the management console I see under the system logs tab it says it was stopped, but under the client info tab it shows it's still on.


Please click on the "readme first" link in my signature and you'll find instructions for obtaining and attaching the full MBAE and FRST logs.

 

In addition to MBAE and FRST logs, also please provide the SCCOMM log found in C:\ProgramData\SCCOMM.

 

Thanks!


Thanks for the logs @scoutt.

 

I see this is a Windows 10 machine. We have a known bug under Windows 10 which we're still working on.

 

On this machine, please follow the steps outlined here:

https://forums.malwarebytes.org/index.php?/topic/171634-anti-exploit-not-started-under-windows-10/

 

But instead of using the download link shown in step 6, use the link I will send you in a Private Message for the corporate build.

 

Let me know how it goes.


Thanks for the update. I have done what the article said to do and installed the file you sent me. The only problem I have is I did not have a MBAE to uninstall, just Malwarebytes Managed Client. So I did uninstall that and the Management server hasn't seen me since I uninstalled it. I did stop protection and so far, 45 min later, it hasn't turned on, but I assume because the policy is not getting to me now.


You didn't need to uninstall the Managed Client. All you need to do is install the new MBAE version on top of what was already there.

 

Go ahead and re-deploy the Managed Client and then install the latest MBAE version on top.


Ok, I got back to managed and I still get the same thing. Client shows stopped, management server sees the stop event but still shows on and it never turns back on. Why would the user even get the option of turning it off? Shouldn't it be password protection for admin users?


Is the user stopping the protection? Only admin users can stop protection. And even if they stop protection, as a managed client it should be re-activated again automatically from the Management Server.


Yes, the user, on Win10, and it never reactivates. All our users are admins on the desktop.


Thanks Pedro,

 

I have the same problems: stop protection and an hour later it is still stopped. Management server shows the correct version, 1.08.2.1189, but still shows protection is on.


Can you please get a Process Monitor capture from that machine filtering to show only the process activity for MBAE-CLI.EXE and send that to me?

 

Thanks!


Hi Pedro,

 

I ran Process Monitor and stopped and started the client and MBAE-CLI.EXE never shows in the list, filtered or not.


The MBAE-CLI.EXE activity should be triggered by the sccomm.exe which is the Management Console agent. Manually starting and stopping the client does not trigger mbae-cli.exe activity.

 

Are you seeing *any* mbae-cli.exe activity?


On the client I am not seeing any MBAE-CLI.exe activity. I let it run for an hour, over 6 million events.


Then this is not a managed client. Do you have the "Malwarebytes Managed Client" application installed on this machine? Is the process sccomm.exe running in the background?


Yes to both questions. The only difference between mine and a managed one is I have Anti-Exploit installed as well plus the managed install. If it wasn't managed I couldn't see it on the server, correct? And I do, I can see protection was turned off and the server still showing it's still on.


Hey scoutt, would it be possible to do a remote support session to troubleshoot this?
