We have used Malwarebytes for 2 years. We are licensed for 250 clients but typically have only 180-190 managed. In early June I upgraded our server to 1.8.0.3443 and pushed updated clients to all our workstations. Up until the upgrade, things had been working well. The day after I pushed the new clients I had duplicates in my console. For example, instead of computer ABC being listed once, it was listed twice (same name, IP, and MAC). From the console, if you looked at the system log for one of the two, all the entries consistently listed the machine with the same name, etc. On the second entry, the system log showed that the machine originally had a different name, IP, and MAC that at some point changed. For some duplicates the system log showed that an entry would change back and forth from its original name, IP, and MAC to the one it finally ended up with.

After a few days, tech support said that the problem was that I was using the express SQL instead of a full blown install. So, we built a new management server (Win 2012 R2, MS SQL 2014) and gave it the same name and IP as our original server. Clients did not automatically register so I did a search (all were registered to a different server) and pushed the Malwarebytes client back out to them. Machines registered and everything was looking good until the next morning when I once again had duplicates (same as above).

This time tech support said I needed to download and run mb-clean-managed.msi. We ran it on a few and reinstalled the client. So far, those machines have not "duplicated" while others have. My questions, (1) why? (the tech support person had no explanation) and (2) are there any command line switches so I can push this through a GPO? Although this post is reasonably short, my frustration level is pretty high in that the tech support back and forth was a series of short emails over a 3-4 week period.  


Tech support got back to me with the syntax to run mb-clean-managed through gp. But - We still have duplicates.

 
I used GPO's to create a folder on each domain (c:\mbam) and copy mb-clean-managed.msi into that folder. The GPO then scheduled the cleaner to run.
 
After the cleaner ran, I removed all the clients from the console. They were all just in the default "Ungrouped Clients" list. I gave it a few hours, just to make sure no clients checked in to the server just in case I missed any.
 
Then, I created a fresh group (manually not an OU import) called "fXXXXXX". I also created a new Policy to assign to them all. I then did a push install. Everything went well.
 
The next morning I found several duplicates in the management console. Below is an example -
 
jmXXXX800 and gXXXX800 were both installed yesterday (Thursday) afternoon. They registered with the server and everything looked good. This morning, there were two gXXXX800's and jmXXXX800 has disappeared. The system log of one gXXXX800 shows all entries were for gXXXX800 with the correct IP and MAC address. The system log for the second gXXXX800 shows that all the entries were for jmXXXX800 until 5:51 a.m. this morning. The entries listing jmXXXX800 have that computer's IP and MAC address. Starting at 5:51 a.m. the entries switched to gXXXX800 and list that computer's IP and MAC.
 
We have checked the following to eliminate them as possibilities.
 
1. Both domain controllers were functioning fine and do not show any events around this time.
2. There were no issues with DHCP or DNS.
3. The event logs on gXXXX800 and jmXXXX800 do not show any errors or critical events around this time.
4. Nagios XI did not log any events around this time
5. 5:51 a.m. is outside our window for backups, updates, scans, etc.
 
While I wait for tech support, does anyone have any ideas?

  • 2 weeks later...

I am assuming no one has any ideas. Apparently tech support does not either.

I sent logs, files, etc. regarding the above on Friday, July 7. 

I was thrilled to get a response that same day that I had a new Tech support engineer and he was escalating the case.

I emailed Monday, July 10 to see if there was any progress. I received a reply (again same day) that they would have an update for me on Tuesday, July 11.

No email on July 11. I emailed July 12 - no response. I emailed July 13 - no response. It is Monday, July 17 - still nothing.


Hi @RandyM, thank you for being so patient with us, I apologize about the lack of replies on your case. From what I can tell so far, it was passed from an agent in our European office to a US based one, but nothing after that. I'll check in with the agent on your ticket now to see what's going on there.

To give you a heads up about the duplicate issue you are facing, there is not a fix you can do yourself right now. We've gotten some sporadic tickets with this issue and have isolated this down to a problem within the database code. We will be releasing a patch for the console to fix it, but for now, we'll just need to let it be. There's no need to waste your time reinstalling or trying to clear database entries, these will just come back anyway. Hold tight and we will get you fixed.


FYI - One interesting thing I did not notice before....

If you do a scan (under Push Install), the clients that are duplicated show up with the execution result of "Client software has been installed and registered to another server". I had not noticed that behavior before.


Yes, that is a symptom of the issue. The clients all have unique, well supposed to be unique, IDs that are assigned to them on first check-in. When this client checks in later on in its normal process, it will see a machine already there with that ID now and assumes it's itself but tied to another server.


This topic is now closed to further replies.
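
To see which console records are affected by the symptom described in this thread (one record's system log switching from one machine's name, IP and MAC to another's, leaving two entries for one machine and none for the other), the check below is an added example; it is not part of the original posts and is not Malwarebytes code. The row layout, record names, host names and addresses are constructed for illustration and are not the console's actual log or export format.

```python
from collections import defaultdict

# Constructed sample rows: (console_record, timestamp, name, ip, mac).
# The layout is an assumption for illustration, not the console's real format.
A = ("HOST-A", "192.0.2.11", "00:00:5E:00:53:0A")
B = ("HOST-B", "192.0.2.12", "00:00:5E:00:53:0B")
C = ("HOST-C", "192.0.2.13", "00:00:5E:00:53:0C")
SAMPLE_LOG = [
    ("rec-1", "2000-01-01T15:02", *A),
    ("rec-1", "2000-01-02T05:40", *A),
    ("rec-2", "2000-01-01T15:05", *B),
    ("rec-2", "2000-01-02T05:51", *A),  # record for HOST-B starts reporting as HOST-A
    ("rec-2", "2000-01-02T06:10", *A),
    ("rec-3", "2000-01-01T15:09", *C),
]

def _by_record(log):
    """Group entries per console record, oldest first."""
    records = defaultdict(list)
    for rec, ts, name, ip, mac in sorted(log, key=lambda r: (r[0], r[1])):
        records[rec].append((ts, (name, ip, mac)))
    return records

def identity_changes(log):
    """Return {record: [(timestamp, old_identity, new_identity), ...]}."""
    changes = {}
    for rec, entries in _by_record(log).items():
        flips = [(ts, prev, cur)
                 for (_, prev), (ts, cur) in zip(entries, entries[1:])
                 if prev != cur]
        if flips:
            changes[rec] = flips
    return changes

def duplicate_identities(log):
    """Return {identity: [records]} where several records now show one machine."""
    holders = defaultdict(list)
    for rec, entries in _by_record(log).items():
        holders[entries[-1][1]].append(rec)
    return {i: sorted(r) for i, r in holders.items() if len(r) > 1}

def vanished_hosts(log):
    """Host names seen in the log that no record currently carries."""
    seen = {row[2] for row in log}
    current = {entries[-1][1][0] for entries in _by_record(log).values()}
    return seen - current

if __name__ == "__main__":
    for rec, flips in identity_changes(SAMPLE_LOG).items():
        for ts, old, new in flips:
            print(f"{rec}: {old[0]} -> {new[0]} at {ts}")
    print("duplicates:", duplicate_identities(SAMPLE_LOG))
    print("vanished:", vanished_hosts(SAMPLE_LOG))
```

A host listed by `vanished_hosts` still has the client installed but no console entry of its own, which matters for coverage reporting while the duplicates persist.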