I've been encountering issues with a few endpoints recently. When I install the endpoint protection agent the cloud doesn't detect it. I've tried re-installing the agent, rebooting the endpoint and no luck? So I've seen this issue at one of our Windows Server 2008 (32bit) servers and a couple of Windows 7 pro x64 clients on our shop-floor. 

I can provide more detailed info as needed.

Thank you.

  • Staff

Hello,

 

I want to have you collect the diagnostic logs for me from the server so I can see why it is not collecting. You will have to run this command in the command line:

Note: you may need to load an admin command prompt to run the command.

"C:\Program Files\Malwarebytes Endpoint Agent\MBCloudEA.exe" -diag

You can do it by using:

cd C:\Program Files\Malwarebytes Endpoint Agent\

Then use:


MBCloudEa.exe -diag

 


 

This will save a file on the desktop called MBDiagnostics. Send me that file and I can see why your server is not connecting. 

  • Staff

Hey King,

Is this server by chance on service pack 1 of 2008? It looks like it is not able to reach out and talk to our sirius.mwbsys.com address. The error it is giving is that it does not have a common algorithm, which normally points to a TLS/SSL issue. For 2008 at least, we have some instructions here on how to fix it if that is the case:

 

https://support.malwarebytes.com/docs/DOC-1897

 

Can you get the logs from one of the other endpoints as well so I can confirm that they are all having the same issue and not just 1 offs for each? 

Edited by Rsullinger
Forgot the link to the article that I wanted to give :/
  • Staff

Hey King,

This looks like a separate issue for this:

 

System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: The remote server returned an error: (407) Proxy Authentication Required.

 

Much like the 2008, it is trying to contact our sirius server but it is failing on proxy authentication. Do these computers have a proxy on them that must be met? If not, they may have something in the IE proxy settings that needs to be cleared. Some adware will do this, for example.

If this is a proxy that the clients must use, during install of the product you can specify a proxy the client will use. That is mainly information for future use; for now, you would just need to go to the same directory as you collected the logs and run this instead:

 

MBCloudEA.exe -proxy.server 1.2.3.4 -proxy.port 906 -proxy.user Malware -proxy.password Bytes

 

Just replace the information there with the information of your actual proxy. After that, restart the service for Malwarebytes endpoint agent and it will connect to the server.

Edited by Rsullinger

Hello Rsullinger:

This or the rest of the Win7 x64 clients that have this problem do not go through any proxy (this setting is disabled in IE). I noticed I am not able to ping sirius.mwbsys.com from any of these clients. Not even from the ones that are working normally / sync'd with the cloud. Is this normal behavior?

Thanks! 

  • Staff

Hey King,

 

Alright. We are detecting a proxy from something. You shouldn't be able to ping it but should be able to resolve it. It doesn't look like it is able to resolve it based on the logs. Do you mind running FRST on one of the machines? It will show me what is installed and if there are any proxy settings set on an account. Sometimes it may be on another account and we are detecting it from that. You can send me the FRST logs if you don't want to post them directly on the forums. To do this:

 

1: Please download FRST from the link below and save it to your desktop:

FRST 32-bit version: https://downloads.malwarebytes.com/file/FRST

FRST 64-bit version: https://downloads.malwarebytes.com/file/FRST64

2: Double-click the purple FRST icon to run the program. Click Yes when the disclaimer appears.

3: Click the Scan button

4: When the scan has finished, it will make 2 log files in the same directory the tool is run, FRST.txt and Addition.txt. Please attach both files in your reply.
 

  • Staff

Thank you for those! So it looks like there is a proxy set under the system account which we seem to be finding:

 

ProxyEnable: [.DEFAULT] => Proxy is enabled.
ProxyServer: [.DEFAULT] => 10.10.1.66:8080

 

Is that something that may have been set up by the company on a network level? If not, once that is removed, then the clients will connect to the server like normal.
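
The checks discussed across this thread (proxy settings as seen by the SYSTEM account, name resolution, and the TLS handshake), collected as a read-only PowerShell script. This is an added example, not part of any post above and not a Malwarebytes tool; port 443 and the use of .NET's default TLS settings are assumptions.

```powershell
# Added example: read-only checks, run from an elevated PowerShell prompt.
$target = 'sirius.mwbsys.com'   # hostname named in the thread
$port   = 443                   # assumption: the agent connects over HTTPS on 443

# 1. Per-account WinINET proxy settings. HKU\.DEFAULT is the LocalSystem hive,
#    i.e. what a service running as SYSTEM sees (FRST reports it as [.DEFAULT]).
$sub = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
Get-ChildItem Registry::HKEY_USERS -ErrorAction SilentlyContinue | ForEach-Object {
    $key = "Registry::HKEY_USERS\$($_.PSChildName)\$sub"
    if (Test-Path $key) {
        $p = Get-ItemProperty -Path $key
        New-Object PSObject -Property @{
            Hive          = $_.PSChildName
            ProxyEnable   = $p.ProxyEnable
            ProxyServer   = $p.ProxyServer
            AutoConfigURL = $p.AutoConfigURL
        }
    }
} | Format-Table Hive, ProxyEnable, ProxyServer, AutoConfigURL -AutoSize

# 2. Machine-wide WinHTTP proxy, which is stored separately from the above.
netsh winhttp show proxy

# 3. DNS: per the staff reply, the name should resolve even though ping fails.
try {
    $addrs = [System.Net.Dns]::GetHostAddresses($target)
    "DNS ok: $target -> $($addrs -join ', ')"
} catch {
    "DNS FAILED for ${target}: $($_.Exception.Message)"
}

# 4. Direct TCP + TLS handshake that bypasses any proxy. A failure to agree on
#    an algorithm here points at the OS TLS support, as on the 2008 server.
#    This uses .NET defaults, which may differ from what the agent negotiates.
$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($target, $port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream())
    $ssl.AuthenticateAsClient($target)
    "TLS ok: $($ssl.SslProtocol), cipher $($ssl.CipherAlgorithm)"
} catch {
    "Connect/TLS FAILED: $($_.Exception.Message)"
} finally {
    $tcp.Close()
}
```

On a network where outbound traffic must go through a proxy, step 4 is expected to fail; in that case the proxy values from steps 1 and 2 are the part to compare against what the network team actually configured.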
