
Good afternoon,

I have recently purchased Malwarebytes Endpoint Security and I have MEE, MBARW and MBAE on my Client PC.

I want to know how to stop the user from disabling any of these products.

This PC is connected to the administrator console and is managed via policy. I know that MBARW is not centrally managed and removing local admin rights will prevent the program being uninstalled. However, I want it so that no one can disable protection for any of these products.

Is it possible?

Thanks.



Hello kieferschild. At this time, Anti-Ransomware does not have a provision in it to control access in this way. For the Anti-Malware side of the agent software, you can change the access settings via the policy under Protection; there are Normal, Silent and Limited user modes. Any changes to these settings will require that the user logs off and back on in order to complete the change.

Anti-Malware, Normal mode:

This is the default setting (Silent and Limited modes unchecked); it allows full interaction with the software: invoking scans and updates, and enabling/disabling real-time file and web protection.

Anti-Malware, Silent mode:

This mode hides the Anti-Malware system tray icon and does not allow any interaction with the Anti-Malware software.

Anti-Malware, Limited user mode:

This mode for Anti-Malware disables access but keeps the system tray icon and allows users to invoke on-demand updates and scans.


Anti-Exploit:

This product has a separate setting for access to its system tray icon. Policy \ Anti-Exploit \ Do not show Anti-Exploit traybar icon and program interface.



Standard "domain user" level accounts (and higher) will have access to opening the main application GUI and killing processes from Task Manager. You would need to leverage GPO to limit the scope of permissions available to your users: create a group in AD, add the user accounts to that group under Properties \ Member Of, then create a policy via Computer Configuration\Policies\Windows Settings\Security Settings\Restricted Groups, adding that new group and its users to the restricted list. This can have unintended impacts on access to other applications, so be aware of that. As the admin for this environment, you have to strike a balance between access and restriction. Is denying access to Malwarebytes' GUI worth locking down all other applications through this policy and the subsequent internal tickets that will be opened because users can no longer do other things? Another point to keep in mind: if these domain accounts have been given local admin or local power user rights over the machine, then nothing can stop them from opening the application or killing it in Task Manager.

Edited by djacobson

Dyllon,


I understand what you're saying. However, we run Symantec Endpoint Protection on all systems too, and users are not able to disable, kill the process or stop the service as a local administrator of the PC. As far as I can tell, Malwarebytes doesn't have a feature to lock the application to prevent unauthorised activity. The fact that there's an option to hide it from the tray and then state users cannot use Malwarebytes is very misleading. Can this be a feature request? A local user with no administrator rights is able to load the program and TURN OFF protection. I don't mean kill processes, I mean turn off. Literally, there is a button to turn the thing off.


It's true, we do not have lockouts like Symantec does for this build of Anti-Malware; if your users have access to task manager or services.msc, then they will be able to kill processes and services.

The GUI of the managed version does not have an option to turn off the real time protection features, except through the system tray icon shown in my other post regarding "normal mode" policy setting. The GUI only gives the ability to run three scan types, update the signatures, interact with quarantine and view the About tab. If you have any other GUI options shown, then I have a feeling that your managed install has been corrupted by being installed over a preexisting home or standalone Anti-Malware version. If this is the case, it is easy to fix with a cleaner tool.

This is what the managed GUI looks like...


This is what the standalone GUI looks like, and what I take to be the button you are seeing to turn off the real-time protection:


There is another access control feature built into the standalone version of Anti-Malware, wherein you can set a password to lock out the ability to change the program's settings. However, this feature is not part of the managed build.


Dyllon

I won't lie when I say I'm disappointed the application has no built-in security to prevent it from being shut down. If, god forbid, a PC got infected and it was set to remove or kill the Malwarebytes product, the software would be happy enough to close itself.

Symantec service cannot be stopped. This should be a feature added. Surely if you push out and manage from a console then it should be specifically the console that can administer the endpoints?

I hope there are improvements coming...


With the way the architecture is within the current business build, this is how we have to get by for now. The console / client communication is not two-way, it is controlled on the client side, the console program is not going to be able to restart any services on a given endpoint. Since this is a major concern you're facing, you could change the applicable service's failure recovery conditions within the service's properties, enforcing these site wide via GPO if needed.

There are also tools included with Anti-Malware to start the program and scan the machine if an infection disables or prevents the services/processes from starting. It's called Chameleon. It can be found in %programfiles%\Malwarebytes' Anti-Malware\Chameleon. Check out the chameleon.chm help file there in that same directory to understand how it is used.


With managed deployments, you have three separate programs on your endpoint: Managed Client, Anti-Malware and, if opted for, Anti-Exploit. Managed Client controls communication through a service called MEEClientService and a process called sccomm.exe. Sccomm.exe connects to the console server's IIS website, where it retrieves the policy settings you define as a file called policy.xml. Sccomm iterates through this file to set up your Anti-Malware via CLI commands. Here's an excerpt...

<Setting>
    <IsCloseIE>true</IsCloseIE>
    <IsSaveLogFile>false</IsSaveLogFile>
    <IsReportStatistics>true</IsReportStatistics>
    <IsCreateContextMenu>true</IsCreateContextMenu>
    <IsOpenLogFile>false</IsOpenLogFile>
    <IsWarnWhenDBOutdated>true</IsWarnWhenDBOutdated>
    <WarnDays>1</WarnDays>
    <IsScanMemoryObjects>true</IsScanMemoryObjects>
    <IsScanStartupObject>true</IsScanStartupObject>
    <IsScanRegistryObjects>true</IsScanRegistryObjects>
    <IsScanFileSystem>true</IsScanFileSystem>
    <IsScanExtraObjects>true</IsScanExtraObjects>
    <IsEnableHeuristicsEngine>true</IsEnableHeuristicsEngine>
    <IsEnableScanArchive>true</IsEnableScanArchive>
    <ActionForPUP>1</ActionForPUP>
    <ActionForPUM>1</ActionForPUM>
    <ActionForP2P>1</ActionForP2P>
    <Language>English</Language>
</Setting>

There's no provision in the MBAMAPI command set to check or start the service; that's why we're pointing you towards using the tools Windows has available for you. I've always wished the devs would put an "is service running" if/else decision in front of a net start command to turn it on if it was found to be off, but that is not a direction they're going to go. For now, you can just use the native Windows controls for service restart on failure.

Edited by djacobson
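Worked example added to this thread (it is not code from any of the posts above, nor from Malwarebytes): the Windows-native service recovery configuration that the reply a few posts up suggests enforcing via the service's properties or GPO, combined with the "is the service running, and if not, start it" check that the reply directly above wishes the product had. It assumes MEEClientService is the Managed Client service name given in the thread; the Anti-Malware service name is a placeholder to verify locally with Get-Service, and the script must run elevated.

```powershell
# Added example, not from the thread or the vendor. Configures restart-on-failure
# for the Malwarebytes services and starts any that are found stopped.
# Assumptions: 'MEEClientService' is the Managed Client service name from the
# thread; 'MBAMService' is a PLACEHOLDER for the Anti-Malware service name,
# confirm it with Get-Service on your endpoint before use. Run elevated.

$services = @('MEEClientService', 'MBAMService')   # second name = placeholder

foreach ($name in $services) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) {
        Write-Warning "Service '$name' not found on this host; skipping."
        continue
    }

    # Recovery actions: restart after 60 s on each of the first three failures,
    # reset the failure counter after one day. This is the same setting as the
    # Recovery tab in services.msc, so it can also be pushed site-wide from a
    # GPO startup script.
    & sc.exe failure $name reset= 86400 actions= restart/60000/restart/60000/restart/60000 | Out-Null

    # failureflag 1: also treat a stop with a non-zero exit code as a failure.
    # A process that dies without reporting SERVICE_STOPPED (e.g. killed from
    # Task Manager) already counts as a failure without this flag.
    & sc.exe failureflag $name 1 | Out-Null

    # The "is service running" if/else the thread asks for: start it if stopped.
    if ($svc.Status -ne 'Running') {
        Write-Output "$name is $($svc.Status); starting it."
        Start-Service -Name $name
        $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(30))
    }
    Write-Output ("{0}: {1}" -f $name, (Get-Service -Name $name).Status)
}
```

Two caveats a defender should keep in mind. The Service Control Manager only queues recovery actions for abnormal terminations (and, with failureflag set, for stops with a non-zero exit code); a deliberate, clean stop by someone with the right to stop services is honoured and not undone, which matches the point made earlier in the thread that local admin rights defeat any of this. Second, the start-if-stopped check is only as good as how often it runs, so it belongs in a scheduled task (for example every few minutes) rather than a one-off run.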
