MBAE updates - some clients updating, some aren't


I've posted a similar question on the AM forum as I've got the same problem in AM and AE, but I'll post it here as well.

We have around 200 clients running AE and AM.  Around 60 are on the latest AE version (1.09.2.1261), presumably having updated themselves, whereas the rest are stuck on a variety of previous versions.  I can see nothing common to the ones that have updated that's different to those that won't.  I've seen the post on how to update - the options seem to be tick the auto-update button (which is ticked) or deploy via AD or manually.

Firstly, please could someone let me know if they have any ideas why some machines would update and others don't, or at least where to look in the logs of ones that don't to see what's happening?

Secondly, is it possible to add the latest version into the console somehow so that when I deploy a new installation (or redeploy) it already includes the latest update?  At present my system deploys AE 1.08.2.1189 (and then updates on some clients and not others).  It would be better if the initial deployment contained the up-to-date version - this seems an obvious thing to want to do so I'm assuming I've missed something significant along the way on how to do this but if anybody could explain that would be great!

Thanks


  • Staff

Hello Trevoralf,

 

Do the computers that are not updating share any similarities with each other that the ones updating don't? I am mainly asking as I have seen customers who have front facing computers that are more locked down and are either blocking the CDN or the download of our .exe from the CDN. Make sure that these are allowed to go through for the client:

data-cdn.mbamupdates.com port 443
sirius.mwbsys.com Port 443

Other than that, Wireshark may need to be running while you restart the service to see if something is blocking the connection to those said CDNs.

 

As for your second question about updating the package. There is a way you can do it but it is not something we really recommend. Take the latest version of anti-exploit to the server and go to the \\Program Files (x86)\Malwarebytes Management Server\PackageTemplate folder. Back up the old mbae-setup.exe or change it to .old. Then, take the new package and rename it to mbae-setup.exe. You may need to stop the service before doing this but I usually don't have an issue with it. 
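
One way to run the reachability check described in the reply above from a client that is not updating, as an added example (not Malwarebytes tooling and not part of the original post). For each of the two hosts it resolves DNS, opens TCP 443 and completes a TLS handshake, then reports the certificate issuer, which shows whether an inspecting firewall or proxy sits in the path.

```powershell
# Added example: check the two update hosts named in the post from an affected client.
$updateHosts = 'data-cdn.mbamupdates.com', 'sirius.mwbsys.com'

$results = foreach ($h in $updateHosts) {
    $tcp = $null; $ssl = $null
    $r = [ordered]@{
        Host = $h; Resolved = $null; Tcp443 = $false
        TlsOk = $false; CertIssuer = $null; Error = $null
    }
    try {
        # Step 1: DNS. A failure here points at name resolution, not the firewall.
        $r.Resolved = ([System.Net.Dns]::GetHostAddresses($h) |
            ForEach-Object { $_.IPAddressToString }) -join ','

        # Step 2: plain TCP connect on 443.
        $tcp = New-Object System.Net.Sockets.TcpClient
        $tcp.Connect($h, 443)
        $r.Tcp443 = $true

        # Step 3: TLS handshake with normal certificate validation.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($h)
        $r.TlsOk = $true

        # An issuer that is the firewall's own CA means TLS inspection is active.
        $r.CertIssuer = $ssl.RemoteCertificate.Issuer
    }
    catch {
        # The first failing step leaves the later fields at their defaults.
        $r.Error = $_.Exception.Message
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        if ($tcp) { $tcp.Close() }
    }
    [pscustomobject]$r
}

$results | Format-List
```

A clean result here only shows that the hosts are reachable; a gateway that filters the downloaded file by content or type will still pass this check, so compare it with a capture taken while the service restarts.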

 


Thanks for the reply,

I can't see any difference between the machines that are updating to those that aren't.  We have three main sites each accessing the internet independently and machines do and don't update across each site.  Likewise, there is no difference between laptops or desktops (I thought a GPO or people using laptops may update when out of the office may fix it) - both seem to be affected.  I've also checked user group permissions as that controls internet access, but there's nothing there either.

I've tried to use my own laptop as a guinea pig by removing MB entirely, reinstalling it and seeing what happens in various situations, but I'm currently stuck with an issue where I'm unable to reinstall it because the console continuously tells me a reboot is required to complete the uninstallation on my laptop and I'm unable to reinstall MB.  I've got this call logged with support as well, but with only one email a day going backwards and forwards it's taken a week so far with little progress.  So far we've tried multiple reboots, the managed client clean tool, the non-managed client clean tool, manually deleting folders mentioning Malwarebytes and removing the client from the console and trying again but with no luck so if you've got any ideas on this one as well that would be great!


I've made some progress here.  By checking Wireshark as suggested and then turning various features of our firewall off for a specific machine one by one I think I've traced this to a specific AV feature of our firewall.  I didn't check the firewalls before because all clients go through them and it doesn't make sense for some to be updating and others not to be.

I've now got a problem on the two test machines that have upgraded as I get a "service took too long to start" error on each reboot and the service has vanished but I'll post again if I get stuck on this as I'm going a bit off-topic of my own thread now!

 


  • Staff

Hello Trevoralf,

 

For the 'reboot pending issue' can you search the registry to see if there is any entry of Malwarebytes? It is possible that the clean tool didn't grab all the settings so that would be mainly to check that. It should grab them all, but usually this issue is due to a registry entry still being around. 

But that is good to hear you were able to find a feature on the firewall that could be causing this. 

If that is anti-exploit giving that message, I have a build that may help with that. If you see the message again, confirm what program it is and I can get your hands on it. 


Thanks for your help Rsullinger,

I'm just about to go home, but I've had a quick look and found loads of mentions of Malwarebytes in my registry so I'll look at that tomorrow.

With regards to the Anti-Exploit service error, I've found the post below and tried that and it seems to have solved the issue, but how do I deploy the fix for 200 machines?  If I fix the firewall issue so that my machines all update, but then fail to start the service I don't fancy the job of running around 200 machines installing this!

 


Hi again, I've removed all registry entries of 'malwarebytes' except for some recent file lists and URLs but still got the same problem on this client.

Do you have any details on how to deploy this silently via GPO (and ideally all the other components)?  I think to deploy the whole lot (MC, AM, AE) you create a package via the console and then create the GPO to run msiexec "path to package" /quiet, but how do I set one up just to install this AE patched version?


  • Staff

Hello Trevoralf,

 

That is good to hear. I want to answer this as well: "I think to deploy the whole lot (MC, AM, AE) you create a package via the console and then create the GPO to run msiexec "path to package" /quiet, but how do I set one up just to install this AE patched version?"

For anti-exploit you can just deploy the build we give out for the patch through GPO. It will deploy over the top of the existing anti-exploit install. As long as you have the managed client software already on the machine, it will connect to the server just fine like before. We have both .exe and .msi's for the new versions we put out so both are available if needed. 


Thanks for the details - I've finally got to the bottom of the AE update issue.  It's due to a cloud anti-virus feature in our firewall detecting the AE download as a Trojan - I've assumed this is a false positive and created an exception in our firewall and all looks OK now.  I've also given the firewall vendor the relevant details so I'm hoping they'll be able to do something about the false positive.

A few machines have updated AE now and aren't having the service start issue, so I may just see how big the problem is before I start rolling out the fix via GPO.


  • 2 weeks later...

I thought this was sorted but it appears the issue has just moved to another cause.  I've noticed AE on machines still aren't updating, but now it's because our firewall blocks EXE downloads to users and it looks like that's what the AE update is trying to do.

I'm obviously not keen on allowing EXE downloads just to get AE updating so I've checked where they are coming from to see if I can just allow that source.  However, they seem to be coming from 104.82.105.62 which resolves to an Akamai server and presumably the IP could change.  If I can't add this as a reliable exception to the EXE download rule, is another option for me to tell the clients to get the updates from the server and just allow EXE downloads for the server?

Or am I missing some other solution?


  • Staff

Hey Trevoralf,

 

There is not, unfortunately. The anti-exploit automatic update can only be pulled through our CDNs. So the only other option would be taking the install package and deploying it through SCCM/GPO to the clients if that is an option to you.

The .exe and .msi can be found here for it:

1.09.2.1291 exe:

https://malwarebytes.box.com/s/7gbe30azrsfof7v2poithvvda2huu1w9

1.09.2.1291 msi:

https://malwarebytes.box.com/s/6m519c2yvtlkioeryzsbu1t8ueons8mf
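
Before a manually downloaded installer is pushed to clients or swapped into the console's PackageTemplate folder as described earlier in the thread, its signature can be checked on the server. The following is an added example, not part of the original posts and not Malwarebytes tooling; the `-NewInstaller` parameter, the timestamped backup name and the assumption that the Management Server sits on the system drive are illustrative.

```powershell
# Added example: vet a downloaded Anti-Exploit installer, then stage it as the package template.
param(
    [Parameter(Mandatory)] [string] $NewInstaller   # path to the downloaded exe (hypothetical)
)

# Assumption: the Management Server is installed under Program Files (x86) on the system drive.
$templateDir = Join-Path ${env:ProgramFiles(x86)} 'Malwarebytes Management Server\PackageTemplate'
$target      = Join-Path $templateDir 'mbae-setup.exe'

# Refuse anything whose Authenticode signature does not validate (unsigned, tampered, untrusted chain).
$sig = Get-AuthenticodeSignature -FilePath $NewInstaller
if ($sig.Status -ne 'Valid') {
    throw "Signature status is '$($sig.Status)': $($sig.StatusMessage). Not staging this file."
}

# A valid signature only proves some trusted publisher signed it, so show who and let the operator confirm.
$hash = (Get-FileHash -Path $NewInstaller -Algorithm SHA256).Hash
$ver  = (Get-Item -Path $NewInstaller).VersionInfo.FileVersion
Write-Host "Signer : $($sig.SignerCertificate.Subject)"
Write-Host "Issuer : $($sig.SignerCertificate.Issuer)"
Write-Host "Version: $ver"
Write-Host "SHA256 : $hash"
if ((Read-Host 'Signer and version as expected? Type YES to stage') -ne 'YES') { return }

# Keep the old template, as the reply advises. The management service may need stopping first;
# its name is not given in the thread, so that step is left to the operator.
if (Test-Path -Path $target) {
    $backup = '{0}.{1:yyyyMMdd-HHmmss}.old' -f $target, (Get-Date)
    Move-Item -Path $target -Destination $backup
}
Copy-Item -Path $NewInstaller -Destination $target

# Confirm the staged copy is byte-identical to the file that was vetted.
if ((Get-FileHash -Path $target -Algorithm SHA256).Hash -ne $hash) {
    throw 'Hash mismatch after copy; restore the .old backup.'
}
Write-Host "Staged $target (SHA256 $hash)"
```

Recording the printed SHA256 gives a reference value to compare against the file that GPO or SCCM later distributes.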
