ERROR Boomeranghandler Could not sync Newtonsoft.Json.JsonReaderException


Happyfox

One of my agents is throwing the following:

2017-09-21 15:37:07,850-04:00 [26] ERROR BoomerangHandler Could not sync
Newtonsoft.Json.JsonReaderException: Unexpected character encountered while parsing value: <. Path '', line 0, position 0.
   at Newtonsoft.Json.JsonTextReader.ParseValue()
   at Newtonsoft.Json.Serialization.JsonSerializerInternalReader.ReadForType(JsonReader reader, JsonContract contract, Boolean hasConverter)
   at Newtonsoft.Json.Serialization.JsonSerializerInternalReader.Deserialize(JsonReader reader, Type objectType, Boolean checkAdditionalContent)
   at Newtonsoft.Json.JsonSerializer.DeserializeInternal(JsonReader reader, Type objectType)
   at Newtonsoft.Json.JsonConvert.DeserializeObject(String value, Type type, JsonSerializerSettings settings)
   at Newtonsoft.Json.JsonConvert.DeserializeObject[T](String value, JsonSerializerSettings settings)
   at EAEngine.Boomerang.BoomerangHandler.<Sync>d__34.MoveNext()

This particular machine seems to be problematic.  I'm not gathering its asset info like I am my other clients, and I'm unable to execute any tasks on it.  Yes, I have ensured the .NET requirements are met, yes, it has been moved to a non-default policy that includes endpoint protection, and yes, it has been rebooted since the move to another group.  I have also uninstalled/reinstalled and run through toggling its groups, to no avail either, with multiple restarts in between.  SEP was running on it previously, but I did have it uninstalled first.  Also, I do have the firewall requirements met and am able to reach *.malwarebytes.com, *.mwbsys.com, *.mbamupdates.com, *.mb-cosmos.com over SSL/443.  This client is running Windows 7 Pro with the latest and greatest MS patches...

Errors that succeed the aforementioned include:

...
2017-09-21 15:37:08,957-04:00 [22] ERROR TrayModule System.Security.Principal.IdentityNotMappedException: Some or all identity references could not be translated.
   at System.Security.Principal.SecurityIdentifier.Translate(IdentityReferenceCollection sourceSids, Type targetType, Boolean forceSuccess)
   at System.Security.Principal.SecurityIdentifier.Translate(Type targetType)
   at EAEngine.UserModules.TrayModule.EnforceEndpointInterfacePolicy()
...
2017-09-21 15:37:16,461-04:00 [29] ERROR EAEngine Error posting to Nebula. Url:/api/v1/machine/results
System.AggregateException: One or more errors occurred. ---> System.Web.HttpException: HTTP Request failed to /api/v1/machine/results. Http Code: 400 Reason:Bad Request
	Body Response: <?xml version="1.0" encoding="UTF-8"?>
<Error><Code>InvalidArgument</Code><Message>Unsupported Authorization Type</Message><ArgumentName>Authorization</ArgumentName><ArgumentValue>Bearer scrubbed</ArgumentValue><RequestId>scrubbed</RequestId><HostId>scrubbed=</HostId></Error>
   at EAEngine.Http.EAWebClient.<EnsureSuccessStatusCode>d__21.MoveNext()
...

Thanks for any input or advice you can throw my way in the meantime...


Hey Happyfox,

Yep - every PC in our domain is full of those exact same errors as well.

In addition to those three errors you mention -  we also get these as well...

Quote

2017-09-28 06:33:47,435+01:00 [67] ERROR MBAMPlugin Error scheduling ac343baa-4270-4dd4-b677-2a98577d20a2
System.NullReferenceException: Object reference not set to an instance of an object.
   at EAMB3.Commands.ScanCmd.CreateScanParamters(ScanController scanController)
   at EAMBAMPlugin.MBAMPlugin.SchedulesChanged()

Quote

2017-09-28 06:33:50,519+01:00 [92] WARN  MBAMPlugin Unable to get anti-exploit advanced techniques from mbam

 

Would like to get to the bottom of this as something doesn't feel right, even though the PCs in the cloud portal are showing 'green'.

cheers,


@rm304

I may not be Malwarebytes support, but I did find that it's crucial to have other endpoint protection software removed completely with a restart prior to installing MEP.  I too would love to know some of the details around these exceptions.

 

 @wiggy

Your exceptions look worse than mine!  For a reason still unknown, the functionality appears to work just fine after so long.  I'm still seeing the exceptions though as well, which is unsettling indeed.

Thanks for affirming that I'm not the only one experiencing the issue at least... and even if it's benign, I'd like to see some better exception handling that yields better informational logging.  If I'm misconfiguring something, not adhering to best practice, or screwing something up, I'd like to know about it through logs rather than assume it's a Malwarebytes bug.


Yeah  - all those errors especially the...

2017-09-28 06:33:50,519+01:00 [92] WARN  MBAMPlugin Unable to get anti-exploit advanced techniques from mbam

...makes me wonder if the agents are actually updating at all - how can you tell?

The cloud console shows all agents green, but those errors must mean something isn't quite right.


Heard back from MB tech support today after sending them examples of these error logs...

Quote

... there is nothing wrong with the client machines and they are working fine and you are protected. We are aware of this issue and are working to fix this and hide these from the event logs. 


It would be nice to have some sort of verification that something other than the endpoint agent is running though.

 

I have these errors on every machine as well, and if you look into the event history these usually lead up to a Kernel Power Failure (Blue screen) followed up by a side-by-side problem with the agent not wanting to start anymore and the machine showing as inactive from the cloud console despite all the services running and everything looking fine.

Edited by IT_Guy

  • 2 weeks later...

We are still currently investigating the side-by-side errors; we have re-enabled Boomerang with a fix.

If you are experiencing offline clients please use our clean tool below:

https://downloads.malwarebytes.com/file/mb_clean

From an administrator command prompt, run the .exe with a /cloud switch. Please allow the restart.

Once cleaned, please re-install with the prerequisites exe from your cloud console: Endpoints > Add.

 

If the client still has any issues or you get a side-by-side error, please let me know, or update your current service case.
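Added example (not part of the thread and not Malwarebytes code): a small triage script for agent log excerpts in the format posted above, which groups stack-trace lines under their header and counts entries per module and exception type so recurring errors can be compared across machines. It also notes the two cases visible in the first post where the text received was XML/HTML markup rather than JSON. The function names are hypothetical and the sample lines are copied and trimmed from the posts.

```python
import re
from collections import Counter

# Header layout used in the log excerpts: timestamp [thread] LEVEL module message
HEADER = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}[+-]\d\d:\d\d) "
                    r"\[(?P<thread>\d+)\] (?P<level>[A-Z]+)\s+(?P<module>\w+) (?P<msg>.*)$")
# Fully qualified .NET exception type, e.g. System.NullReferenceException
EXC = re.compile(r"\b((?:\w+\.)+\w*Exception)\b")

def parse_entries(text):
    """Attach continuation lines (exception text, stack frames) to their header."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            entries.append({**m.groupdict(), "detail": []})
        elif entries and line.strip() not in ("", "..."):
            entries[-1]["detail"].append(line.strip())
    return entries

def classify(entry):
    """Return (module, first exception type or None, note) for one entry."""
    blob = " ".join([entry["msg"], *entry["detail"]])
    exc = EXC.search(blob)
    note = ""
    # '<' at position 0 means Json.NET was handed markup (XML/HTML), not JSON
    if "JsonReaderException" in blob and "parsing value: <" in blob:
        note = "parser input was markup, not JSON"
    elif "Body Response: <?xml" in blob:
        note = "server answered with an XML error document"
    return entry["module"], exc.group(1) if exc else None, note

def summarize(text):
    return Counter(classify(e) for e in parse_entries(text))

# Lines copied (and trimmed) from the excerpts posted in this thread
SAMPLE = """\
2017-09-21 15:37:07,850-04:00 [26] ERROR BoomerangHandler Could not sync
Newtonsoft.Json.JsonReaderException: Unexpected character encountered while parsing value: <. Path '', line 0, position 0.
   at Newtonsoft.Json.JsonTextReader.ParseValue()
2017-09-21 15:37:08,957-04:00 [22] ERROR TrayModule System.Security.Principal.IdentityNotMappedException: Some or all identity references could not be translated.
2017-09-21 15:37:16,461-04:00 [29] ERROR EAEngine Error posting to Nebula. Url:/api/v1/machine/results
System.AggregateException: One or more errors occurred. ---> System.Web.HttpException: HTTP Request failed to /api/v1/machine/results. Http Code: 400 Reason:Bad Request
    Body Response: <?xml version="1.0" encoding="UTF-8"?>
2017-09-28 06:33:50,519+01:00 [92] WARN  MBAMPlugin Unable to get anti-exploit advanced techniques from mbam
"""

if __name__ == "__main__":
    for key, n in summarize(SAMPLE).most_common():
        print(n, key)
```

Run against a full agent log, the same summary shows whether a machine's errors are confined to the recurring types discussed in this thread or include something different.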
