
Reports offline?



I have several clients that appear offline in the console but they are not offline. In fact it reports the host server as an offline client. 

I restarted one of the 2012r2 servers that appears offline in the console with no effect. On this server I can tell MBAM to update and it says it's updated to the latest DB, but I can see the numbers on it and it's clearly out of date. It reports that I have v2016.03.19.02 on the client. On the console for this server it says I have v2016.03.19.01. The console shows that I have v2016.03.22.04 as the current latest database as well as most clients report having this too.

There are no firewalls between these 2 servers. Not even the Windows firewall is enabled.

I have also rebooted the console server with no effect.  This is a 2008r2 server in case it matters.

As it sits right now it shows 60 online and 101 offline clients.  Maybe half or less are actually offline or off network right now. 


As an update, I had restarted the service and did not see any change, but it appears it needs about 10 min after the service is started/restarted for you to see the computer as online in the console.

Hopefully I'll be able to work with support and see why the service is either not starting or stopping.


  • 1 month later...

I'm also having the same issue and have opened a support case. I've found that clients that are reporting offline in the console all have the 'MeeClientService' not running and the service is set to automatic startup on all clients. Rebooting the client does not allow the service to start automatically. I can manually start the service on the client machines, but that's obviously not feasible on 80 endpoints. I'll post back here once Support has resolved the issue.


Support got mine working. It was that the service would stop due to an invalid registry key value. In my case it was actually blank.

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Malwarebytes' Anti-Malware\dbversion

Currently my value is set to v2016.04.25.05 and the dbdate shows Mon, 25 Apr 2016 20:08:39 GMT 

 


It seems my issue was caused by a conflict with my anti-virus software (Sophos Endpoint Protection). I was able to resolve the issue by doing the following, provided by Malwarebytes support:

Please make sure that the following Malwarebytes' files have been added to the list of excludes of your anti-virus or other security software.

*For 32 bit Windows operating systems:*

For Malwarebytes Anti-Malware client (if installed):

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Windows\System32\drivers\mbam.sys

For Malwarebytes Anti-Exploit client (if installed):

C:\Program Files\Malwarebytes Anti-Exploit\mbae.exe
C:\Program Files\Malwarebytes Anti-Exploit\mbae-svc.exe

For Malwarebytes Managed Client:

C:\Program Files\Malwarebytes' Managed Client\SCComm.exe
C:\ProgramData\sccomm\sccomm.log

*For 64 bit Windows operating systems:*

For Malwarebytes Anti-Malware client (if installed):

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Windows\System32\drivers\mbam.sys

For Malwarebytes Anti-Exploit client (if installed):

C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe
C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe

For Malwarebytes Managed Client:

C:\Program Files (x86)\Malwarebytes' Managed Client\SCComm.exe
C:\ProgramData\sccomm\sccomm.log

If MBAM client is installed on some server:

Exclude the SQL database paths (if SQL Server in place) as well as the IIS root folder.

Malicious Website Blocking must be disabled if Malwarebytes Anti-Malware is being installed on an Exchange server.


  • 6 months later...

I suspect the only option besides remote scripting would be to uninstall and reinstall on each but maybe support has another option that better fits.

However, you could try these PowerShell scripts. Please test them first as they are put together kinda quickly and by no means do I consider myself all that proficient at PowerShell scripting. Google is my friend when it comes to PowerShell.

READING VALUES:
 

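# Tab-separated log: computer name, dbdate, dbversion
$Logfile = "C:\Logs\MBDBVales.log"
Out-File $Logfile    # start with an empty log
# Input list: one computer name per line
$SRVS = Get-Content "C:\Logs\RemoteComputers.txt"
foreach ($SRV in $SRVS) {
    if (Test-Connection -ComputerName $SRV -Count 1 -Quiet)
    {
        try {
            $REG = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $SRV)
            $RK1 = $REG.OpenSubKey("SOFTWARE\Wow6432Node\Malwarebytes' Anti-Malware")
            if ($null -eq $RK1) { throw "registry key not found" }
            $V1 = $RK1.GetValue("dbdate")
            $V2 = $RK1.GetValue("dbversion")
            Write-Host "$SRV`t$V1`t$V2"
            Write-Output "$SRV`t$V1`t$V2" | Out-File $Logfile -Append
        }
        catch {
            # Remote Registry not reachable, access denied, or key missing
            Write-Host "$SRV`tregistry error"
            Write-Output "$SRV`tregistry error" | Out-File $Logfile -Append
        }
        $V1 = ""
        $V2 = ""
    }
    else
    {
        Write-Host "$SRV`tunreachable"
        Write-Output "$SRV`tunreachable" | Out-File $Logfile -Append
    }
}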

 

WRITING VALUES:

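# Input: the edited, tab-separated file produced by the read script
$f = Get-Content "C:\Logs\MBDBVales.log"
# Separate log for this pass so the input file is not modified (file name chosen here)
$Logfile = "C:\Logs\MBDBWrite.log"
foreach ($line in $f)
{
    $fields = $line.Split("`t")
    # Skip "unreachable"/error lines and lines where either value is blank
    if ($fields.Count -lt 3 -or -not $fields[1] -or -not $fields[2]) { continue }
    $SRV = $fields[0]
    $dbdate = $fields[1]
    $dbversion = $fields[2]
    if (Test-Connection -ComputerName $SRV -Count 1 -Quiet)
    {
        Write-Host "$SRV`tRemoteReg`tSetValue"
        $REG = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $SRV)
        # $True opens the key writable
        $RK1 = $REG.OpenSubKey("SOFTWARE\Wow6432Node\Malwarebytes' Anti-Malware", $True)
        if ($null -eq $RK1) { Write-Host "$SRV`tkey not found"; continue }
        $RK1.SetValue("dbversion", "$dbversion")
        $RK1.SetValue("dbdate", "$dbdate")
    }
    else
    {
        Write-Host "$SRV`tunreachable"
        Write-Output "$SRV`tunreachable" | Out-File $Logfile -Append
    }
}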

 

This will read from a text file that has a computer name per line then it will read the 2 registry values and output the computer name and 2 values to a tab text file.  You will need to edit the text file and make sure that the 2 values are correct.  Then run the write script and it will set the corrected values.  Then you can see if the service will start and stay started.

Example of output file: computername    Sun, 13 Nov 2016 23:13:33 GMT    v2016.11.13.07

 

AGAIN, I will add caution that you should test these scripts first and make sure that these 2 registry values are actually your issue.
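
A triage check for the condition described in this thread (a stopped 'MeeClientService' together with a blank or malformed dbversion/dbdate), added here as an example; it is not part of any poster's scripts or of Malwarebytes' tooling. It assumes Windows PowerShell 5.1 (for `Get-Service -ComputerName`), a reachable Remote Registry service, and a vYYYY.MM.DD.NN version pattern inferred from the values quoted above; the function names are hypothetical.

```powershell
# Added example (not from the thread). Flags endpoints whose service is not
# running and whose dbversion/dbdate values are blank or malformed.
$KeyPath   = "SOFTWARE\Wow6432Node\Malwarebytes' Anti-Malware"
# Assumption: pattern inferred from values quoted in the thread
$VersionRx = '^v\d{4}\.\d{2}\.\d{2}\.\d{2}$'

function Test-DbVersion([string]$Value) {
    # A blank value is the failure case reported in the thread
    return ($Value -match $VersionRx)
}

function Test-DbDate([string]$Value) {
    # dbdate uses the RFC 1123 form, e.g. "Mon, 25 Apr 2016 20:08:39 GMT"
    $parsed  = [datetime]::MinValue
    $culture = [Globalization.CultureInfo]::InvariantCulture
    $styles  = [Globalization.DateTimeStyles]::None
    return [datetime]::TryParseExact($Value, 'r', $culture, $styles, [ref]$parsed)
}

function Get-MbamClientState([string]$Computer) {
    $state = [ordered]@{ Computer = $Computer; Service = 'unknown'
                         DbVersion = $null; DbDate = $null; Problem = '' }
    try {
        $svc = Get-Service -ComputerName $Computer -Name 'MeeClientService' -ErrorAction Stop
        $state.Service = [string]$svc.Status
        $reg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
        $key = $reg.OpenSubKey($KeyPath)      # read-only open
        if ($null -eq $key) { throw 'registry key missing' }
        $state.DbVersion = [string]$key.GetValue('dbversion')
        $state.DbDate    = [string]$key.GetValue('dbdate')
        $key.Close(); $reg.Close()
        $bad = @()
        if (-not (Test-DbVersion $state.DbVersion)) { $bad += 'dbversion' }
        if (-not (Test-DbDate $state.DbDate))       { $bad += 'dbdate' }
        $state.Problem = $bad -join ','
    } catch {
        $state.Problem = "error: $($_.Exception.Message)"
    }
    [pscustomobject]$state
}

# Offline self-check of the validators; the first and third values are quoted
# in the thread, the blank one is the reported failure case
Test-DbVersion 'v2016.04.25.05'
Test-DbVersion ''
Test-DbDate 'Mon, 25 Apr 2016 20:08:39 GMT'

# Fleet run, using the same input list as the scripts above:
# Get-Content 'C:\Logs\RemoteComputers.txt' | ForEach-Object { Get-MbamClientState $_ } | Format-Table
```

Only hosts with a non-empty Problem column need their values reviewed before the write script is run against them.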

Link to post
Share on other sites

  • Root Admin

@Donovan I've moved your posts to your own new topic so that you can obtain one-on-one assistance instead of piggy-backing off of another topic. It's quite possibly the same issue, but we'd need to check to make sure.

Your new topic is located here:  https://forums.malwarebytes.org/topic/190714-reports-offline-database-not-updated/

Thanks

 

 
