
Offline Clients Still Showing as Being Online



I was finally able to push out the client successfully to the problem workstation and have it register properly.  All of the services are now running with the exception of the Anti-Exploit service.  When I try to start Anti-Exploit manually, I get an error message stating that the "Anti-Exploit service was taking too long to start.  Please reboot the computer to start protection".  Any idea why this is happening and how I can resolve it?

Link to post
Share on other sites
  • Staff

It'll usually happen right away with the auto-upgrade mbae policy setting on once mbae sees an internet connection. If for some reason the service fails to restart after an upgrade due to a system being busy in that moment, a restart should bring it back.

Link to post
Share on other sites
  • Staff

Yup, we'll need to gather logs off that machine.

Step A – Malwarebytes Client Log Set
On the client go to C:\Program Files (x86)\Malwarebytes' Managed Client and run the tool CollectClientLog.exe. Attach the folder it generates.

Step B – Malwarebytes Check Log
Please download and save our diagnostic tool, mbam-check.exe, to your desktop from this link.

Malwarebytes Check Tool

Double-click mbam-check.exe to launch the tool. A black command prompt window will briefly appear, and then a log file will open. The log which opens will be saved to your desktop as CheckResults.txt.

Step C – frst Log
In addition to the check logs, I would like to have you run a tool known as frst. frst will help provide me with a list of installed programs and other information about your computer that will help me see if there are any other problems that are not being detected. Please follow the steps below to run frst.

1.) Please download frst and frst64 from the link below and save it to your desktop:

frst 32 Bit
frst 64 Bit

Note: You need to download the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your computer; that will be the right version. Some traditional Anti-Viruses may false positive the download or running frst, I can assure you it is safe. If this happens, please temporarily disable the AV.

2.) Double-click the purple frst or frst64 icon to run the program. Click Yes when the disclaimer appears.
3.) Click the Scan button
4.) When the scan has finished, it will make 2 log files in the same directory the tool is located, frst.txt and Addition.txt.

Please attach MBMC Client log, CheckResults.txt, frst.txt and Addition.txt in your reply.

 

Link to post
Share on other sites
  • Staff

Hi @cjones_ufv, I have, but this case has gotten complicated. Anti-Exploit's service is missing. May I have you zip up its program files directory and attach it?

Anti-Malware:
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [452576 2016-02-09] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [901088 2016-02-09] (Malwarebytes Corporation)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [27008 2016-02-09] (Malwarebytes Corporation)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [192216 2017-05-28] (Malwarebytes)

Anti-Exploit:
R1 ESProtectionDriver; C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.sys [77408 2016-12-14] ()
Missing MbaeSvc; C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe

Managed Client Communicator:
R2 SCCommService; C:\Program Files (x86)\Malwarebytes' Managed Client\SCComm.exe [149992 2017-04-06] (Malwarebytes)


 

 

Link to post
Share on other sites
  • Staff

Mbae is not able to install the new service and run it on this machine:
2017/05/25 - 15:25:22 - {ERROR} The command {C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe -installopen} could not be executed. 2
 

We'll need to do it manually. Grab the mbae clean tool, run it on this machine and then restart it. After the restart, install 1.09.2.1413 directly.

mbae-clean: https://malwarebytes.box.com/s/waul5gj50wsdv1qxucgnci5obwul80w6

1.09.2.1413: https://malwarebytes.box.com/s/q6hx9tq36ig9dmxcy1yoor428gcfuz9u

Link to post
Share on other sites

Thanks Dyllon.  I will try that as soon as I can.  In the meantime, I have another workstation which we'll call PW2 (for problem workstation 2) that Anti-Exploit will not run on.  I am uploading all of the supporting data files.  I wonder if the issue is the same.  Thanks for all your help with this.

PW2-Addition.txt

PW2-CheckResults.txt

PW2-FRST.txt

PW2-Malwarebytes Anti-Exploit.7z

PW2-MBMC_Client_Diagnosis_Info_2017_06_02_111436.zip

Link to post
Share on other sites
  • Staff

Slightly different issue here. Mbae service is present but it is the ESProtection driver that is missing, which is leaving the service unable to run. May I have a program files folder from this machine?

S2 MbaeSvc; C:\Program Files (x86)\Malwarebytes Anti-Exploit\tmp\mbae-svc.exe [155080 2017-05-15] (Malwarebytes Corporation)

Link to post
Share on other sites

That's interesting.  I did an uninstall and re-install this morning.  Immediately following the installation, Anti-Exploit was working.  Even after re-booting the workstation, it worked for a few minutes, then stopped.  The PW2-Malwarebytes Anti-Exploit.7z file that I just sent is the program files folder.  Are you needing something else?

Link to post
Share on other sites

No joy doing the manual installation of MBAE.  It appears to be installed, but the service will not run.  For the moment, I have uninstalled MBAE from problem workstation #2.  It's probable that there is something else running on the computer that is interfering with the installation/operation of Anti-Exploit.  I'm hoping that it is a one-off.  Not sure what else to try at this point.  Any other ideas?

Link to post
Share on other sites
  • Staff

Let me dig around a little more in those logs. Are you using the 1413 I gave you or deploying from the console? The console version will be out of date compared to what's on the live update server. Mbae will try to upgrade after the install, and if the service switchover fails during the upgrade, mbae will not run.

Link to post
Share on other sites
  • Staff

No worries. To clarify, I mean the initial build the console deploys before the auto-upgrade takes over. For console 1.8.0.3443, it initially deploys mbae 1.09.2.1384.

The mbae uninstall log has some interesting info, the switch over is failing. Something, I suspect your other security software, is not allowing mbae to move its new files and overwrite the old ones. Your awaiting new files are stuck in C:\Program Files (x86)\Malwarebytes Anti-Exploit\tmp.

2017/06/02 - 11:04:09 - 457 - {ERROR} 5 deleting file: C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-cli.exe.
2017/06/02 - 11:04:15 - 939 - {Info} The command {C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe -remove} has been executed. 0
2017/06/02 - 11:04:15 - 352 - {INFO} Setting path in registry: 0.
2017/06/02 - 11:04:15 - 224 - {info} Getting current working directory. Result: {C:\Program Files (x86)\Malwarebytes Anti-Exploit\}.
2017/06/02 - 11:04:15 - 783 - {info} The file {C:\Program Files (x86)\Malwarebytes Anti-Exploit\tmp\mbae64.exe} could not be moved to file {C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe}. 5.
2017/06/02 - 11:04:15 - 853 - {info} The file {C:\Program Files (x86)\Malwarebytes Anti-Exploit\tmp\mbae64.exe} has been marked to move to (C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe).
2017/06/02 - 11:04:15 - 783 - {info} The file {C:\Program Files (x86)\Malwarebytes Anti-Exploit\tmp\mbae-cli.exe} could not be moved to file {C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-cli.exe}. 5.
2017/06/02 - 11:04:15 - 853 - {info} The file {C:\Program Files (x86)\Malwarebytes Anti-Exploit\tmp\mbae-cli.exe} has been marked to move to (C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-cli.exe).
2017/06/02 - 11:04:15 - 783 - {info} The file {C:\Program Files (x86)\Malwarebytes Anti-Exploit\tmp\mbae-svc.exe} could not be moved to file {C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe}. 5.
2017/06/02 - 11:04:15 - 853 - {info} The file {C:\Program Files (x86)\Malwarebytes Anti-Exploit\tmp\mbae-svc.exe} has been marked to move to (C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe).

 

To be safe, since Trend Micro and Windows Defender are both running, I'd say to whitelist the mbae directory and exe's in both.

AV: Trend Micro OfficeScan Antivirus (Enabled - Up to date) {8242D66F-41BD-4049-C2E6-E578E73B62A0}
AS: Trend Micro OfficeScan Anti-spyware (Enabled - Up to date) {3923378B-6787-4FC7-F856-DE0A9CBC281D}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: Trend Micro Personal Firewall (Enabled) {BA79574A-0BD2-4111-E9B9-4C4D19E825DB}

 

Here are the file locations, Anti-Exploit is the most important piece for the current issue but I added mbam and the managed client communicator pieces just in case. Let me know if your upgrades work after this.

Anti-Exploit:
32
C:\Program Files\Malwarebytes Anti-Exploit\mbae.exe
C:\Program Files\Malwarebytes Anti-Exploit\mbae64.exe
C:\Program Files\Malwarebytes Anti-Exploit\mbae-cli.exe
C:\Program Files\Malwarebytes Anti-Exploit\mbae-svc.exe
64
C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe
C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe
C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe
C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-cli.exe

Anti-Malware:
32
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamapi.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamhelper.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbampt.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
64
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamapi.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamhelper.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbampt.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe

Managed Client Communicator:
32
C:\Program Files\Malwarebytes' Managed Client\SCComm.exe
64
C:\Program Files (x86)\Malwarebytes' Managed Client\SCComm.exe

Edited by djacobson
spelling
Link to post
Share on other sites
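
The log triage done by eye in the post above, as an added example that is not part of the original thread or of Malwarebytes' tooling: it pulls failed commands, deletes and moves out of the mbae log format quoted in the thread and lists the files still waiting in the tmp folder. It assumes the number attached to each message is a Win32 error code (2 = file not found, 5 = access denied); the function names are hypothetical and the sample lines are copied from the posts above.

```python
import re

# Assumption: the number attached to each failure message is a Win32 error code.
WIN32 = {2: "ERROR_FILE_NOT_FOUND", 5: "ERROR_ACCESS_DENIED"}
# Timestamp, optional numeric id, then {LEVEL} and the message text.
PREFIX = re.compile(r"^\d{4}/\d\d/\d\d - \d\d:\d\d:\d\d - (?:\d+ - )?\{(\w+)\} (.*)$")
PATTERNS = [
    ("move_failed", re.compile(r"The file \{(?P<path>.+?)\} could not be moved to file \{.+?\}\. (?P<code>\d+)\.?$")),
    ("delete_failed", re.compile(r"(?P<code>\d+) deleting file: (?P<path>.+?)\.?$")),
    ("command_failed", re.compile(r"The command \{(?P<path>.+?)\} could not be executed\. (?P<code>\d+)$")),
]
DEFERRED = re.compile(r"The file \{(.+?)\} has been marked to move to \(.+?\)\.?$")

# Sample input: log lines quoted in the thread.
SAMPLE = r"""
2017/05/25 - 15:25:22 - {ERROR} The command {C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe -installopen} could not be executed. 2
2017/06/02 - 11:04:09 - 457 - {ERROR} 5 deleting file: C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-cli.exe.
2017/06/02 - 11:04:15 - 939 - {Info} The command {C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe -remove} has been executed. 0
2017/06/02 - 11:04:15 - 783 - {info} The file {C:\Program Files (x86)\Malwarebytes Anti-Exploit\tmp\mbae-svc.exe} could not be moved to file {C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe}. 5.
2017/06/02 - 11:04:15 - 853 - {info} The file {C:\Program Files (x86)\Malwarebytes Anti-Exploit\tmp\mbae-svc.exe} has been marked to move to (C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe).
"""

def triage(log_text):
    """Return (failures, deferred): failed operations and files marked to move later."""
    failures, deferred = [], set()
    for raw in log_text.splitlines():
        m = PREFIX.match(raw.strip())
        if not m:
            continue
        level, msg = m.group(1).upper(), m.group(2)
        d = DEFERRED.match(msg)
        if d:
            deferred.add(d.group(1))
            continue
        for kind, pat in PATTERNS:
            hit = pat.match(msg)
            if hit and int(hit["code"]) != 0:
                code = int(hit["code"])
                failures.append({"kind": kind, "path": hit["path"], "code": code,
                                 "meaning": WIN32.get(code, "unknown"), "level": level})
                break
    return failures, deferred

def stuck_files(failures, deferred):
    """Files whose move failed and that are only marked to move, so still in tmp."""
    return [f["path"] for f in failures if f["kind"] == "move_failed" and f["path"] in deferred]

if __name__ == "__main__":
    found, pending = triage(SAMPLE)
    for f in found:
        print(f["level"], f["kind"], f["meaning"], f["path"])
    print("still in tmp:", stuck_files(found, pending))
```

The move failures are written at {info} level in this log, so a filter on {ERROR} alone would not surface them; the parser matches on message text instead.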

Thanks, Dyllon.  I did not know that Windows Defender was running on this machine.  That could be the issue.  I have already created scan exclusions for Malwarebytes in Trend Micro OfficeScan.  Installation doesn't appear to be an issue on a wide number of other workstations that have OfficeScan already installed and running, so perhaps it is Defender that is the culprit.  I'll check it out.

Link to post
Share on other sites

Defender was running, but then it was running on all of the machines in my test group.  Disabling Defender did not make a difference.  Even though I had created scan exclusions for Malwarebytes in Trend Micro OfficeScan, I unloaded OfficeScan on problem machine #1.  Anti-Exploit still would not install correctly.  I temporarily disabled the local Windows firewall.  After several attempts, I finally got Anti-Exploit to install properly.  I went back to problem machine #2 and re-installed the client.  This time, Anti-Exploit installed properly, as well.  I have no idea why as I didn't make any changes on the workstation.  Both machines show Anti-Exploit protection on.  

The only glitch in the whole thing is that the daily scheduled scans still will not run (this was happening before, as well).  Any ideas what might be preventing that when everything else appears to be working?

Link to post
Share on other sites