
Installed successfully but registration failed



Hi on about half our PCs where we have done the client push install we get the message 'Installed successfully, but registration failed. Logon failure: unknown user name or bad password' so the PCs aren't showing correctly in the management console. We have added the appropriate files to be excluded on our anti-virus. Wondering if this is anything in particular that has been done incorrectly?

Thanks


Hi @md111 This error is not a show stopper, your install should be fine. The client did not check back into the server within a set hardcoded timeframe. It could be because of firewall, network speed and another security product interfering with our communication. Run these tools and I will investigate.

Step A – Malwarebytes Client Log Set
On the client go to C:\Program Files (x86)\Malwarebytes' Managed Client and run the tool CollectClientLog.exe. Attach the folder it generates.

Step B – Malwarebytes Check Log
Please download and save our diagnostic tool, mbam-check.exe, to your desktop from this link.

Malwarebytes Check Tool

Double-click mbam-check.exe to launch the tool. A black command prompt window will briefly appear, and then a log file will open. The log which opens will be saved to your desktop as CheckResults.txt.

Step C – frst Log
In addition to the check logs, I would like to have you run a tool known as frst. frst will help provide me with a list of installed programs and other information about your computer that will help me see if there are any other problems that are not being detected. Please follow the steps below to run frst.

1.) Please download frst and frst64 from the link below and save it to your desktop:

frst 32 Bit
frst 64 Bit

Note: You need to download the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your computer; that will be the right version. Some traditional Anti-Viruses may false positive the download or running frst, I can assure you it is safe. If this happens, please temporarily disable the AV.

2.) Double-click the purple frst or frst64 icon to run the program. Click Yes when the disclaimer appears.
3.) Click the Scan button
4.) When the scan has finished, it will make 2 log files in the same directory the tool is located, frst.txt and Addition.txt.

Please attach MBMC Client log, CheckResults.txt, frst.txt and Addition.txt in your reply.

 


Hi @md111, it looks like your install is perfectly fine, all drivers and services are running...

Anti-Malware:
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [452576 2016-02-09] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [901088 2016-02-09] (Malwarebytes Corporation)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [27008 2016-02-09] (Malwarebytes Corporation)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [192216 2017-05-30] (Malwarebytes)

Anti-Exploit:
R1 ESProtectionDriver; C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.sys [77408 2017-05-15] ()
R2 MbaeSvc; C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe [155080 2017-05-15] (Malwarebytes Corporation)

Managed Client Communicator:
R2 SCCommService; C:\Program Files (x86)\Malwarebytes' Managed Client\SCComm.exe [149992 2017-04-06] (Malwarebytes)

However, your Managed Client Communicator is unable to communicate back to the server...
Error    2017-05-30 10:03:24.2485    2752    6    Failed to send client status: System.Security.Authentication.AuthenticationException: Logon failure: unknown user name or bad password ---> System.Runtime.InteropServices.COMException (0x8007052E): Logon failure: unknown user name or bad password.

I'll need to check the server side communication to see how deep this goes. On the server, go to Start > All Programs > Malwarebytes Management Server and run Collect System Information. Zip the folder up and attach it.





 


Info    2017-06-01 11:34:54.9181    16988    57    There was a problem scanning [STHOMAS-PC}: System.Net.Sockets.SocketException (0x80004005): A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond
   at System.Net.Sockets.Socket.ReceiveFrom(Byte[] buffer, Int32 offset, Int32 size, SocketFlags socketFlags, EndPoint& remoteEP)
   at SC.Server.WindowsService.ComputerScan.ScanIPAddress(String consoleIP, String consoleLoginName, String ip, String name)


Hi @djacobson, apologies about the delay. The person who did work on our routers is on holiday so spoke to his colleague; he is pretty sure that SSL was disabled for TLS. Unfortunately until he is back (Monday) I won't know for definite. They were doing some stuff on there with regards to geo-location and blocking attempted access from certain countries, could that have something to do with it?


9 hours ago, md111 said:

Does the client/server link rely on an external proxy outside the local network?

No, for the on-prem solution it is within the network. Disabling SSL and forcing TLS can do this. MBMC can support TLS but you must be on version 1.8.0.3443 and change the configuration of the server a bit. Follow the attached guide.

MBMC_TLS_Support.pdf


Hi @djacobson, our IT person who dealt with the server is back from holiday; he says he hasn't changed it to TLS. We do have a larger number of our machines now showing online and only about 10 PCs that are definitely on but showing as off-line. One is the PC that all the logs came from. Is there anything left to try on it?

Thanks


I could check the server side, but if SSL has not been disabled then I do not quite know why you are getting errors that point to it being disabled.

On the server, go to Start > All Programs > Malwarebytes Management Server and run Collect System Information. Zip the folder up and attach it to the post.  


There are a lot of instances in the logs where machines being scanned and installed to already have the software installed, here's one example out of hundreds:

Info    2017-06-12 13:17:27.0125    3376    55    IP Address 192.0.0.181 remote service control log: Remote client IP address: 192.0.0.181
Remote client hostname: CCARE6-CD
Process username: administrator
NetUse: 0
ServiceIsInstalled: 1060. The specified service does not exist as an installed service.
SetNTService: 0
StartNTService: 0
DeleteNTService: 0
Passed
Info    2017-06-12 13:17:27.0255    3376    55    IP Address 192.0.0.181 execution log: 
12/06/2017 13:17:12    =============== Remote Install Service Log Begin ==============
12/06/2017 13:17:12    Service started.
12/06/2017 13:17:12    Start program: C:\scclientinstall_de23163f_99b0_4467_ab73_a1454f39ff14\sctest.exe
12/06/2017 13:17:12    sctest version: 1.8.3443
12/06/2017 13:17:12    Process id: 4240
12/06/2017 13:17:18    The new sccomm version: 1.8.0.3443
12/06/2017 13:17:18    The new coreclient version: 1.80.2.1012
12/06/2017 13:17:18    The new MBAE version: 1.9.2.1291
12/06/2017 13:17:18    The IP address: 
12/06/2017 13:17:18    Check operating system.
12/06/2017 13:17:18    OS version detected: 6.1
12/06/2017 13:17:18    Check  .NET Framework 3.5.
12/06/2017 13:17:18    .NET Framework 3.5 is installed.
12/06/2017 13:17:18    Check the windows installer version.
12/06/2017 13:17:18    The windows installer version: 5.0.7601.23593
12/06/2017 13:17:18    Check coreclient is installed.
12/06/2017 13:17:18    The coreclient version: 1.80.2.1012
12/06/2017 13:17:18    The MBAE version: 1.09.2.1413
12/06/2017 13:17:18    Check sccomm is installed.
12/06/2017 13:17:18    The sccomm version: 1.8.0.3443
12/06/2017 13:17:18    ****ERROR*****: The sccomm was already installed.
12/06/2017 13:17:18    The sccomm server address: 192.0.0.21
12/06/2017 13:17:18    The sccomm server port: 18457
12/06/2017 13:17:18    Program finished.
12/06/2017 13:17:18    Service stopped.
12/06/2017 13:17:18    =============== Remote Install Service Log End ==============

Info    2017-06-13 17:07:53.5809    3376    44    There was a problem scanning 192.0.0.181:137 () (): System.Net.Sockets.SocketException (0x80004005): A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond

 

I would advise you to stop using the "simulation" function, it's not really worthwhile. A normal push, if/when it fails will provide much more useful data.

Line 22773: Info    2017-06-13 10:45:26.7602    3376    34    Failed to connect to 192.0.0.131: System error 67 has occurred.  The network name cannot be found.  
    Line 22774: Info    2017-06-13 10:45:26.7602    3376    34    IP 192.0.0.131 simulation result: System error 67 has occurred.  The network name cannot be found.  
    Line 22931: Info    2017-06-13 10:45:40.2282    3376    40    Failed to connect to 192.0.0.82: System error 67 has occurred.  The network name cannot be found.  
    Line 22932: Info    2017-06-13 10:45:40.2711    3376    40    IP 192.0.0.82 simulation result: System error 67 has occurred.  The network name cannot be found.  
    Line 23079: Info    2017-06-13 10:45:54.1272    3376    40    Failed to connect to 192.0.0.86: System error 67 has occurred.  The network name cannot be found.  
    Line 23080: Info    2017-06-13 10:45:54.1272    3376    40    IP 192.0.0.86 simulation result: System error 67 has occurred.  The network name cannot be found.  
    Line 23145: 13/06/2017 10:45:48    ****ERROR*****: The sccomm was already installed.
    Line 23192: 13/06/2017 10:45:49    ****ERROR*****: The sccomm was already installed.
    Line 23193: 13/06/2017 10:45:49    ****ERROR*****: The sccomm register result: 
    Line 23216: Info    2017-06-13 10:45:57.8593    3376    37    Failed to connect to 192.0.0.28: System error 86 has occurred.  The specified network password is not correct.  
    Line 23217: Info    2017-06-13 10:45:57.8593    3376    37    IP 192.0.0.28 simulation result: System error 86 has occurred.  The specified network password is not correct.  
    Line 23258: Info    2017-06-13 10:46:00.9086    3376    40    Failed to connect to 192.0.0.88: System error 67 has occurred.  The network name cannot be found.  
    Line 23259: Info    2017-06-13 10:46:00.9086    3376    40    IP 192.0.0.88 simulation result: System error 67 has occurred.  The network name cannot be found.  
    Line 23321: 13/06/2017 10:45:59    ****ERROR*****: The sccomm was already installed.
    Line 23428: 13/06/2017 10:45:59    ****ERROR*****: The sccomm was already installed.
    Line 23480: Info    2017-06-13 10:46:09.4072    3376    71    Failed to connect to 192.0.0.105: System error 67 has occurred.  The network name cannot be found.  
    Line 23481: Info    2017-06-13 10:46:09.4072    3376    71    IP 192.0.0.105 simulation result: System error 67 has occurred.  The network name cannot be found.  
    Line 23492: Info    2017-06-13 10:46:09.6842    3376    71    Failed to connect to 192.0.0.106: System error 86 has occurred.  The specified network password is not correct.  
    Line 23493: Info    2017-06-13 10:46:09.7102    3376    71    IP 192.0.0.106 simulation result: System error 86 has occurred.  The specified network password is not correct.  
    Line 23598: Info    2017-06-13 10:46:16.2286    3376    33    Failed to connect to 192.0.0.67: System error 67 has occurred.  The network name cannot be found.  
    Line 23599: Info    2017-06-13 10:46:16.2286    3376    33    IP 192.0.0.67 simulation result: System error 67 has occurred.  The network name cannot be found.  
    Line 23778: Info    2017-06-13 10:46:31.4487    3376    33    Failed to connect to 192.0.0.71: System error 67 has occurred.  The network name cannot be found.  
    Line 23779: Info    2017-06-13 10:46:31.4487    3376    33    IP 192.0.0.71 simulation result: System error 67 has occurred.  The network name cannot be found.  
    Line 23913: 13/06/2017 10:46:32    ****ERROR*****: The sccomm was already installed.
    Line 23987: 13/06/2017 10:46:34    ****ERROR*****: The sccomm was already installed.

 

For all these machines that are failing to install because the software is already installed, there must be some sort of permission or network setting preventing them from accessing and communicating to the server's hosted IIS website: 192.0.0.21:18457

What does it look like if you put 192.0.0.21:18457 in the browser on a client that cannot register?

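One way to sort the server log entries quoted in the post above by host and failure cause, so the machines with a credential problem are separated from those with a name or connectivity problem. This is an added example, not part of the thread or of Malwarebytes' tooling; the sample lines are copied from the excerpts above, and the function names and cause labels are made up for illustration.

```python
import re
from collections import defaultdict

# Sample lines copied from the log excerpts in the thread, embedded so this runs offline.
SAMPLE_LOG = """\
Info    2017-06-13 10:45:26.7602    3376    34    Failed to connect to 192.0.0.131: System error 67 has occurred.  The network name cannot be found.
Info    2017-06-13 10:45:57.8593    3376    37    Failed to connect to 192.0.0.28: System error 86 has occurred.  The specified network password is not correct.
Info    2017-06-13 10:46:09.6842    3376    71    Failed to connect to 192.0.0.106: System error 86 has occurred.  The specified network password is not correct.
Info    2017-06-12 13:17:27.0255    3376    55    IP Address 192.0.0.181 execution log:
12/06/2017 13:17:18    ****ERROR*****: The sccomm was already installed.
12/06/2017 13:17:18    =============== Remote Install Service Log End ==============
Info    2017-06-13 17:07:53.5809    3376    44    There was a problem scanning 192.0.0.181:137 () (): System.Net.Sockets.SocketException (0x80004005)
13/06/2017 10:45:48    ****ERROR*****: The sccomm was already installed.
"""

CONNECT = re.compile(r"Failed to connect to ([\d.]+): System error (\d+)")
EXEC_HDR = re.compile(r"IP Address ([\d.]+) execution log:")
SCAN = re.compile(r"There was a problem scanning \[?([\w.-]+)")
# Labels are hypothetical; the meanings are the messages printed in the log itself.
NET_ERRORS = {"67": "network_name_not_found", "86": "bad_network_password"}

def triage(log_text):
    """Return {host: set of failure causes} for a server log excerpt."""
    causes = defaultdict(set)
    current = None  # host whose remote-install execution log we are inside
    for line in log_text.splitlines():
        if m := EXEC_HDR.search(line):
            current = m.group(1)
        elif m := CONNECT.search(line):
            code = m.group(2)
            causes[m.group(1)].add(NET_ERRORS.get(code, "system_error_" + code))
        elif m := SCAN.search(line):
            causes[m.group(1)].add("scan_failed")
        elif "The sccomm was already installed" in line:
            # This line carries no address: attribute it to the enclosing header,
            # or to "unknown" when the header was lost (e.g. grep output).
            causes[current or "unknown"].add("already_installed")
        elif "Remote Install Service Log End" in line:
            current = None
    return dict(causes)

def hosts_with(causes, cause):
    """Sorted list of hosts that show the given cause."""
    return sorted(h for h, c in causes.items() if cause in c)

if __name__ == "__main__":
    for host, found in sorted(triage(SAMPLE_LOG).items()):
        print(host, sorted(found))
```

Run it against the full server log rather than a grep of it, otherwise the "already installed" lines lose their `execution log` header and land under `unknown`.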

My bad @md111, I forgot a part of the URL. Use this address:

https://192.0.0.21:18457/SCClientService/

It should look like this at first (I'm using an FQDN for my test environment so my address is going to be different):

[Screenshot: browsing to the IIS web page]

 

 

If you click to continue, you should hopefully get the page that the clients see:

[Screenshot: browsing to the IIS web page, second view]
