Offline Clients Still Showing as Being Online

[cjones_ufv]

We recently upgraded our Malwarebytes for Business implementation to Malwarebytes Endpoint Security 1.8.0.  After upgrading some of our endpoint clients, they are showing as being online with the green light and users logged in when they are actually offline.  Connectivity does not appear to be an issue as they are still getting their daily database updates and protection is showing as enabled.  This is the first time that I have had a problem with the Management Console misreporting the computer state.  Does anyone know why this is happening?

[djacobson]

Is auto-refresh on in your client view? What is your check-in interval in Policy \ Communication?

[djacobson]

Also, follow-up question, are you on 1.8.0.3431 or 1.8.0.3443?

[cjones_ufv]

Thanks, Dyllon, Actually, I didn't have Auto Refresh checked.  However, even after doing a manual refresh, the computer state is not accurate.  I have a system that I know is on, but is showing as being offline this morning.  I have version 1.8.0.3431.

[cjones_ufv]

To answer your previous question, policy updates have been set for every 10 minutes.

[djacobson]

3431 has a zero integer check-in timer bug, which sounds like exactly what you are experiencing. I would recommend getting on the 3443 hotfix build as soon as possible. Re-download the package like you did for 3431, the new console installer will be on that same link.

[cjones_ufv]

Sounds good.  Thanks for the update.

[cjones_ufv]

After updating to 1.8.0.3443, I am still getting unreliable workstation status reporting.  Example:  I have a test machine that has been off since yesterday afternoon, and the console is still reporting it as being on and logged in as of this morning.  I have been running Malwarebytes for Business for the past 3 years and have never had so many problems since upgrading to 1.8.0.  Is there anything that can be done to resolve this?

[djacobson]

@cjones_ufv don't worry, I'll help you get it straightened out. May I have you send me a log set from that client? Go to C:\Program Files (x86)\Malwarebytes' Managed Client and run the tool CollectClientLog.exe. Attach the folder it generates.

[cjones_ufv]

Thanks, Dyllon.  I ran the log collector and have attached the resultant folder.

MBMC_Client_Diagnosis_Info_2017_05_24_093516.zip

[djacobson]

The check-in time looks to be extremely long, 36000 seconds / 600 minutes. What is your setting in Policy \ Communication?

[cjones_ufv]

The policy is set to update every 10 minutes.

[djacobson]

May I have you change the policy to the auto / 5 second setting and then restart the MEEClientService on the machine under test to force a new check-in / policy pull? The auto setting will stagger the check-in automatically based on the size of the deployment.

[cjones_ufv]

I changed it to the auto setting, but it's still showing every 10 minutes.  How do I set it to every 5 seconds?

[djacobson]

How many clients are deployed? Your auto stagger may place you at 10 minutes if your seat count is high.

[cjones_ufv]

There are currently 1260 clients registered.

[djacobson]

Right click and copy that policy, please the test machine under this policy. With just that one on there, the stagger should show as 5 seconds. Then to the service restart on the test machine to force the new check-in.

[cjones_ufv]

I duplicated the current policy and assigned it to my test machine.  The automatic update setting is still showing at 10 minutes.  Unfortunately, there is no option to set the update interval below 1 minute. I'm still wondering why the check-in time was showing 600 minutes when the policy is set to 10 minutes.  Something clearly is not working properly.  Where do we go from here?

[cjones_ufv]

It looks like a 5-second stagger won't be available in my situation as this option is only presented when the total number of registered machines is under 50.  I guess this is based on the global number of registered machines, not via the number of machines assigned to a specific policy.

[cjones_ufv]

After changing the stagger to 1 minute, the changes are showing up promptly.  Interesting.

[djacobson]

Hey @cjones_ufv, my bad on the timer, it slipped my mind that it is a global number. Somehow that check-in number became corrupted; either on the endpoint due to a mismatch between console / client communicator before 0 timer bug or in the SQL table as the policy is pulled from it. It may be worth moving everyone to the policy copy you made and deleting the original in case the SQL table is the reason why the timer was so long. Having the timer at 10 minute auto should be fine, but the shorter manual interval is useful to test with since you don't have to wait so long to see the changes. Any other stragglers that are not picking up the changes or are not showing the correct status, go ahead and restart their MEEClientService to force a new check-in to get them reset.

Edited May 26, 2017 by djacobson

[cjones_ufv]

Is the MEEClientService supposed to be running all the time, or just when required?  I noticed that only the scheduler service is showing as "started".

[djacobson]

MEEClientService is tied to the sccomm.exe process, it must be running at all times for the clients to be able to check-in, it is the process that controls the server/client communication. If MEEClientService is unable to run, be sure to have C:\Program Files (x86)\Malwarebytes' Managed Client\sccomm.exe ignored by whatever other security software you have in place.

MbamScheduler.exe is your scheduled scan task engine. It should be running or scheduled scans will not kick off.

MbamService.exe is your real time protection engine, it should also be running or you have none of the real time protection features.

[cjones_ufv]

That's interesting.  I was pushing out the client to a workstation yesterday.  At first, I couldn't find it when scanning the IP.  I fixed some firewall issues and ensured that the RemoteAdmin service was enabled.  I was then able to scan the workstation and push the client out.  The installation was successful.  However, the client failed to register.  "The client has not been registered.  The installation procedure has ended before the client registered"  Even when I manually uninstall the client and re-install locally, it will not register with the management console.  When I checked the services, only the MbamScheduler service was running.  Any ideas what is going on here?

[djacobson]

Usually registration failure is not a show stopper, the installs should be fine, although with the lack of services running, there must be a deeper issue. What that regfail error means is client did not check back into the server within a set hardcoded time-frame. It could be because of firewall, network speed and another security product interfering with our communication. It is most likely happening because the sccomm process is not running or even getting installed.

Let's check some things. On your server go to C:\Program Files (x86)\Malwarebytes Management Server\PackageTemplate and check the file sccomm.xml file. Make sure it contains the correct server address.

On a client with the check in issue, go to C:\ProgramData\Sccomm and check out the sccomm.xml there, check that the server info is correct.