Simon_2016

Correct method to update Anti-Exploit


Hello,

I've upgraded the management console and server to 1.8.0.3443.

I've upgraded the anti-exploit agent on the same management server to 1.09.2.1413

However, when I run the client push update in order to update all clients it lists v 1.09.2.1291 and not 1.09.2.1413. How do I get the server to push out this edition?

Thanks

Simon

Hey Simon,

I wanted to confirm something. By upgrading the anti-exploit on the same management server, you meant the client on the server itself, correct? If so, how did you upgrade it?

Thanks for getting back Ron.

I upgraded the anti-exploit agent on the management server by running the mbae-setup1.09.2.1413.msi

Thanks

Simon

Hey Simon,

I understand now, thank you. So aside from deploying what MBMC currently has in it and doing a manual install like you did, the only other way of updating endpoint agent clients is to use the automatic update feature that is in MBAE. With that setting enabled, your clients will reach out, get the latest version and install it without you having to do anything manual. If you go into the policy your clients are on in the management console, you should see the anti-exploit tab at the top. In the upper right corner should be the option for automatic updates. If you enable that, it will allow your clients to update automatically when the latest version is released. So if you set that and have your clients check in and get the policy update, they will reach out and get the newest anti-exploit version shortly after that.

Hey Simon,

It may be because of this one:

https://sirius.mwbsys.com

Sirius is where anti-exploit goes to check in and get updates as well. So make sure that is added, along with all of them being allowed outbound 443. That should allow you to connect and get it. Once you do that, restarting the computer should prompt it to reach out to the server and update. If it doesn't update after about 10 minutes, collect the C:\Programdata\Malwarebytes anti-exploit log directory from one of the computers and I can take a look at why that is occurring!

Hi Ron,

I've now added that additional URL https://sirius.mwbsys.com but the clients are still reporting old versions of Anti-exploit.

How can I get the logs securely to you? When I open them they appear as gibberish.

Thanks again

Simon

Hello,

Please see the attached C:\Programdata\Malwarebytes anti-exploit logs in zip format from a client that is affected.

I have also checked that the automatic update box is ticked on the client.

Thanks

Simon

MBAE.zip

Hey Simon,

I am not seeing any errors in those logs. Do you happen to have any network firewall restrictions that prevent .exe files from being downloaded from CDNs like that? From a few customers I worked with, this is not uncommon and will stop our program from updating. It reaches out to those addresses when a service restart happens (or through the day) to check if it has the latest version. If it doesn't, it pulls the .exe package directly and runs it under the system account. If you don't, we may need to get a Wireshark log next after a service restart occurs. But let's look into the .exe possibility first.

Hello,

I've asked whether or not access to CDNs, and in particular https://data-cdn.mbamupdates.com, is restricting .exe downloads, and I've been told no.

Using Wireshark I can see (after stopping/starting the Malwarebytes Anti-Exploit service) that the endpoint is successfully reaching out to 52.22.111.103, which is sirius.mwbsys.com by my reckoning. I can't see any attempted connections to data-cdn.mbamupdates.com, which seems to translate to 92.122.164.242. I can get a copy of these logs over to you if you have a secure method?
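The prerequisites that Ron lists above (resolution of and outbound 443 to sirius.mwbsys.com, plus the CDN the package is pulled from) and the connectivity that Simon checked with Wireshark can be verified from the endpoint itself before a packet capture is needed. The script below is an added example written for this thread; it is not from the thread, from Malwarebytes, or from MBMC. It uses the two hostnames and the log path named in the posts; the service display-name pattern `*Anti-Exploit*` is an assumption and may need adjusting for a given build.

```powershell
# Added example (not from the thread or from Malwarebytes): per-endpoint check of the
# update prerequisites discussed in this thread. Run on a client that reports an old
# agent version. Read-only: it resolves, probes TCP 443, and reads service/log state.
# Assumptions: hostnames and log path are taken from the posts; the service display-name
# pattern is a guess and may differ on your build.

$UpdateHosts = @('sirius.mwbsys.com', 'data-cdn.mbamupdates.com')  # hosts named in the thread
$LogDir      = 'C:\ProgramData\Malwarebytes Anti-Exploit'          # log directory named in the thread
$Report      = [System.Collections.Generic.List[object]]::new()

foreach ($h in $UpdateHosts) {
    # Step 1: does this endpoint resolve the host at all? A filtering resolver or a
    # sinkholed name shows up here before any firewall rule is involved.
    $dns = Resolve-DnsName -Name $h -Type A -ErrorAction SilentlyContinue
    $addresses = if ($dns) {
        ($dns | Where-Object { $_.IPAddress } | Select-Object -ExpandProperty IPAddress) -join ', '
    } else { 'unresolved' }

    # Step 2: can it complete a TCP handshake on 443? This is the "allowed outbound 443"
    # requirement from the thread. A successful handshake does not prove the .exe
    # download itself is permitted; a content filter can still block that later.
    $tcp = Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue
    $Report.Add([pscustomobject]@{
        Host       = $h
        Resolves   = [bool]$dns
        Addresses  = $addresses
        Tcp443Open = $tcp.TcpTestSucceeded
    })
}

# Step 3: is the agent service present and running? Ron notes the version check runs
# when the service (re)starts, so a stopped or missing service never checks in.
# The display-name pattern below is an assumption.
$svc = Get-Service | Where-Object { $_.DisplayName -like '*Anti-Exploit*' }
$svcState = if ($svc) {
    ($svc | ForEach-Object { "$($_.Name)=$($_.Status)" }) -join '; '
} else { 'not found' }

# Step 4: newest log write, so a client that tried and failed can be told apart from
# one that never attempted an update at all.
$lastLog = if (Test-Path $LogDir) {
    Get-ChildItem $LogDir -File -Recurse -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime -Descending | Select-Object -First 1
}

$Report | Format-Table -AutoSize
"Service: $svcState"
if ($lastLog) {
    "Newest log: $($lastLog.FullName) ($($lastLog.LastWriteTime))"
} else {
    "Log directory not found: $LogDir"
}
```

The point of running the two hosts side by side is the case Simon describes: the check-in host answers while the CDN host is never contacted or never completes a handshake. A TCP-level pass on both hosts while the version still does not change points at something above the transport layer, such as a proxy or firewall policy on executable downloads, which is exactly the question Ron raised and where a Wireshark or proxy-log review comes next.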

Thanks

Simon

Hey Simon,

I do apologize for that. I was out of the office and did not see these messages until I came back today. If the files are small enough, you can safely send me a PM and I can look into that file to see what it is attempting to do.
