A few thoughts and questions after running Endpoint Protection on trial


wiggy

We are current users of the older Endpoint Security product with the three agents rolled out to our end users (Anti-malware, anti-exploit and Anti-Ransomware)

We are currently trialling the new cloud Endpoint Protection

Firstly - all PCs that we have installed Endpoint Protection onto so far show up in the web console OK (all green); we can initiate scans, updates and asset update commands, and the console reports back as complete when done - which is great, no obvious problems....

1. Our policy requests that the endpoints check for updates every hour - I have no idea if this is happening? Is there a log somewhere?

2. I notice that on the PCs that had their existing three Endpoint Security agents automatically uninstalled by the new Cloud Endpoint Protection agent, there seem to be remnants of the old product left - for example ALL the updated PCs still have this in their startup process..

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run    Malwarebytes TrayApp    C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\mbamtray.exe

If this reference is still there, then what else may still be lingering from the old Endpoint Security software, and could it interfere with Endpoint Protection at some point?

3. A number of PCs have Endpoint errors in their application event log, for example this one appears on PC startup...

2017-09-08 15:05:51,555+01:00 [24] WARN  MBAMPlugin Unable to get anti-exploit advanced techniques from mbam

Is this the new Endpoint Protection, or a hangover from the old Endpoint Security - should I be concerned?

4. This new Endpoint Protection software has seven layers of defence built-in, which is great, but I know from personally running the mbam consumer premium version that there have been times when one of these layers stops working - not good, but at least I knew, because of the orange exclamation mark in the tray icon.

Without an end user interface on Endpoint Protection (or an option to deploy one) we lose easy visibility into these basic things, not to mention the ability to right-click and manually scan a file, which was useful.

As admins, security is not a guessing game - we need to be 100% sure that we understand our security defence apps and we need to be 100% sure that they are working as we believe they should.

As it stands, there's an assumption that all is well and is working as it should - certainly our cloud console is happy that everything is deployed and communicating properly - but personally, given the anomalies I've mentioned above, I'd like a little more evidence on hand.

cheers!
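An added PowerShell check for questions 2 and 3 above (written for this thread, not code from the post or from Malwarebytes): it enumerates the HKLM Run keys, flags startup entries whose executable no longer exists on disk (the usual signature of an uninstall remnant such as the leftover TrayApp entry), and then pulls the last week of Application-log warnings that mention MBAMPlugin so they can be correlated with boot times. Filtering on message text rather than event provider is an assumption, since the provider name is not given in the post.

```powershell
# Added example: audit HKLM Run entries for orphaned startup commands and
# collect recent MBAMPlugin warnings from the Application event log.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
# Metadata properties that Get-ItemProperty adds to every registry object
$psMeta = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-RunEntryStatus {
    param([string[]]$Keys = $runKeys)
    foreach ($key in $Keys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -in $psMeta) { continue }
            $cmd = [string]$p.Value
            # Extract the executable: a quoted "..." path, else the first token ending in .exe
            if ($cmd -match '^\s*"([^"]+)"')      { $exe = $Matches[1] }
            elseif ($cmd -match '^\s*(.+?\.exe)') { $exe = $Matches[1] }
            else                                  { $exe = $cmd.Trim() }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            [pscustomobject]@{
                Key     = $key
                Name    = $p.Name
                Command = $cmd
                Exists  = Test-Path -LiteralPath $exe
            }
        }
    }
}

# Startup entries whose target binary is missing are likely uninstall leftovers
Get-RunEntryStatus | Where-Object { -not $_.Exists } |
    Format-Table Name, Command -AutoSize

# Warnings (Level 3) from the last 7 days whose message mentions MBAMPlugin;
# the text match is an assumption because the post does not name the event provider
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Level = 3; StartTime = (Get-Date).AddDays(-7) } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'MBAMPlugin' } |
    Select-Object TimeCreated, ProviderName, Message
```

Run from an elevated PowerShell session; an entry reported with a missing executable is safe to remove only after confirming the new agent does not depend on it.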


  • 4 weeks later...
Excellent points all around, you are absolutely right, security is not a guessing game. We need to be 100% sure our machines are safe because you know what? If one of our machines gets hacked/encrypted/corrupted while running this software, I guarantee Malwarebytes won't stand up and say, that was our fault, here is a refund to mitigate your losses. Considering the cloud costs as much as the individual licenses, I think we were safer running individual instances on each computer rather than relying on this buggy client the cloud is pushing. Half my endpoints are saying they are offline (including the one I'm currently writing from) and I'm just supposed to take their word for it that the machines are ok and safe and everything is scanning properly. If they can't even get the connection to report whether the machine is turned on or not, how can we reasonably believe that the endpoints are actually scanning anything and not just sucking up memory?

This cloud control idea is good on paper but the execution leaves much to be desired. The cloud should have all the tools necessary to remotely monitor/manipulate endpoints, ping them, update them, run other diagnostic reports on them.


  • 2 weeks later...
On 9/8/2017 at 11:32 AM, wiggy said:

As admins, security is not a guessing game - we need to be 100% sure that we understand our security defence apps and we need to be 100% sure that they are working as we believe they should.

As it stands, there's an assumption that all is well and is working as it should - certainly our cloud console is happy that everything is deployed and communicating properly - but personally, given the anomalies I've mentioned above, I'd like a little more evidence on hand.

cheers!

I am not quoting this to bitch, but I am quoting this to show my support. This is a frame of mind that I believe needs to be used for this product to work in the future.


Rob


Regarding having a user interface, I believe the thinking is that you, as the IT/sysadmins, should be the only ones with access to the product's interface/settings/functions etc., and providing a UI to the end user would expose the system to their whims; and since we assume they are not experts in PC security (which is why your organization employs individuals such as yourselves), we do not wish to give them the opportunity to do things like terminate any protection components, create exclusions, delete logs or anything else that might interfere with your performance of your responsibilities.

I assume that day to day you do not lay hands on every system in use in your environment, so functions like a UI and right-click context menu scans don't seem overly useful to me personally, however you may have a use case for them which we have not accounted for so if this is the case, please explain and we'll certainly consider it.

That said, there should be alerts from the product to you who manage it whenever something has gone wrong, so upon that point we definitely agree.  If any protection component isn't functional or there are signs of infection, you should be alerted so that you may take whatever steps may be required to resolve the issue.  How and where those alerts are delivered I leave to you and the Product team to determine, but I believe things such as server logs, email notifications and cloud management have all been discussed.  I am not an expert on this product and my personal expertise is more in the realm of the consumer product, so I don't have all of this information, however I have pointed others who do to this thread so that they might address your concerns.


If, let's say, the software is installed but not communicating with "home", there is currently no way to scan, or to test to see if the break is at the individual PC or with the cloud solution. Let's say you have an outbreak, and you have disconnected a bunch of computers from the network, which then includes the internet; you currently have no way to scan. Let's continue to say that you are troubleshooting a computer and you are sitting in front of it; I currently have no way of knowing if a scan is running, what version is installed, when it was last updated, or when the last scans were done on it (other than stopping to log into the portal, assuming I can get there).

As an IT Administrator, I could go on for another 15 minutes about why I want full abilities to see what a piece of software is doing while sitting directly in front of the PC.  Most of all, being able to set a scan running while I'm sitting there or telling my coworker to "try this", then let me know when it's done and I'll come help.

Please don't take this as a jab, because it's not, it actually helps me understand the "mentality" behind the software development of this product.  The fact that you say " so functions like a UI and right-click context menu scans don't seem overly useful to me personally" tells me you've never been in our shoes and/or don't understand the SMB/Enterprise environments.

Rob


I don't take it as a jab at all, in fact, it's because we desire customer/user feedback that these sections of the forums exist because we actively seek your input to make our products and services better in order to suit your needs :) .

That said, on the flip side, we've been told repeatedly by many sysadmins that they desire no UI whatsoever and even no sign at all (no shortcuts, no folders (if possible)) that the product is installed/running, because they know that their users are liable to try and tinker with and/or disable it, especially if they're trying to do something not allowed by the company such as using a P2P app or visiting unsafe websites on work systems.  They also don't want to run the risk of them falling victim to a targeted phishing attack by allowing something to open/execute because they believe it's from a trusted source when in fact it's a spoofed email or website.

I take your points though, and they do make sense so I can see the case for both ways of deploying the software and I'm sure that we can come up with a solution that fits both types of scenarios.  Perhaps some kind of portable tool that shows you all of our logs/info/history/protection status for that system when you plug in a USB device containing it and execute it, and also either comes with the portable build of Malwarebytes so that you may scan the endpoint if you wish, or has a function that works like a front-end to execute a scan on-demand on that endpoint using the installed copy of the product.  That would satisfy the majority of your requirements without upsetting the admins who wish to keep the software's presence hidden from their users.

Edited by exile360

I don't want to remember to have anything on me, like a USB.  Maybe have it be an option on install, select light client or full client.  In other AV software, you select it in the policy whether they can override or turn off scanning.  Or to turn off scanning or add exceptions, require a password to do so.  You should be able to handle 100% of this through policies, so even if you go one way, it's EASY to switch it all back the other way.  That is a key mindset to an enterprise solution.

I can understand the concept of a limited interface, but in practice, it never works out right and I never get the warm and fuzzy.  If I don't have the warm and fuzzy, I typically find another product that will give me the warm and fuzzy.


Certainly, an option to choose interactive or non-interactive deployment is absolutely possible I'm sure.  In fact, back in the MBAM 1.x days we did have an option similar to this where there was a command to hide/show the tray icon, so I'm sure that it could be accomplished with Malwarebytes 3 with some tweaks to the code.  We already support password protection for virtually all functions, so that aspect is already covered.

As for warm and fuzzy, believe me, that's a feature we're always trying to deliver in all of our products.  Sadly, it's been very hit and miss, but we are trying.

Thanks again for all the feedback/ideas.  I will make certain that they are heard by the people who make the decisions about what goes into the product.  If you have any other ideas or requests, please do not hesitate to let us know.
