
Laptops not quarantining items when found



I have some laptops (mostly) that don't seem to quarantine items when they are found.

 

2/3/2016 8:27:39 AM      2CE33713KS        <ip>       PUP.Optional.WeDownLoadManager    < No action taken >                HKU\S-1-5-21-3451057674-2693170720-1305275285-2191\SOFTWARE\WeDlMngr

 

Per policy it should quarantine everything found.

 

I have attached MBAE files

Malwarebytes Anti-Exploit.zip


  • Staff

Hey Scoutt,

 

That looks to be from the anti-malware detection and not anti-exploit. I noticed that this is a PuP detection and there is a setting in the policy that may be causing it to not be removed. Open up the management console and go to the policy pane on the left side. Open up the policy this computer is on and go to the scanner tab at the top. Find the 'Action for potentially unwanted programs (PUP):' and make sure it says 'Show in results list and do not check for removal'.

 

If a PuP is found and the quarantine option is set, then that setting will make it so the PuP will be removed. Once you change that setting, click OK in the policy and let your clients get the policy. Then, run a scan on those computers and it should clean up the PuP detection.

 

Try that and let me know if it fixes the issue!

 

Thank you,

 

Ron S


Hi Ron,

 

That seems backwards to me, don't we want it to be checked for removal? In my other policy it shows "Show in results list and check for removal" and it shows quarantined each and every time in the results. How do I check to see if it is set to quarantine? Either way, if the setting is "check for removal" and the results show "no action taken" then something is not right, lol

 

I will make the change and see what it does, it may take a while.

 

Thanks


  • Staff

Hey Scoutt,

 

I do apologize for not getting to you on Friday. I thought that I followed this post when I sent the response, but it doesn't seem like I did.

 

You are correct that it should be "Show in results list and check for removal". I am not sure why I put in the do not portion, but the correct setting should be the way you had it then. 

 

If that is the case and you had the setting on with auto quarantine, then I want to have you get me client logs so I can see if the client is getting the policy update correctly. If you would like to move this into a ticket then shoot me your e-mail. If not, go ahead and just follow these instructions:

 

-Locate this folder on the client computer: C:\Program Files (x86)\Malwarebytes' Managed Client
-In this folder, right click the 'CollectClientLog.exe' utility and run it as admin.
-Save these logs to the desktop of the computer.
-Zip up this folder and attach it to the next reply.
 
Thank you,
 
Ron S
