Malwarebytes on Servers... and a couple of other questions about feature updates


deanb1234


On 8/25/2017 at 12:59 PM, djacobson said:

Portions of EP are supported by servers, and then certain server roles can preclude you from using other pieces. First thing to note is MBARW, the Anti-Ransomware portion, does not support any server OS at all. Create a server-specific policy with MBARW disabled for servers. If MBARW did support server OS, it would still not help the server at all; the program works on behavior, so it would be unable to detect and stop a process running from another machine, i.e. the patient zero workstation. Protect your servers and drive shares by protecting your endpoints.

Next is Anti-Malware; the following environment roles are unsupported for Anti-Malware's real-time. Turn off the Anti-Malware real-time on a server which runs:

  • Terminal Services (TS) / Remote Desktop Services (RDS)
  • Virtual Desktop Infrastructure (VDI)
  • Windows Storage Server
  • Server Core
  • Citrix XenDesktop
  • Citrix XenApp
  • VMware View
  • VMware VShield

Since your server falls under this, I would suggest creating a more aggressive scan schedule, one that has scans happening at shorter intervals; this will help make up the difference in not running the real-time. Anti-Exploit though should be just fine on your server as is.

 

Hello,

I've come across the above info in a couple of threads while researching an issue with the agent taking down several of our servers.  I had a few questions in regards to that and a couple others.

Is there a best practices guide for all of this, I've found guides for the old product but not Endpoint Protection?  Our sales team indicated the new agent was fully compatible with server operating systems, never mentioned disabling real time protection or anything of that nature.  We're deploying globally to almost 1500 servers.

Are there plans on fully supporting a server environment?  The comment about anti-ransomware and real-time protection not helping servers isn't exactly true, especially on RDS servers.  If a user on an RDS farm, or developer with admin rights on a production server opens an infected file and/or is using the server to browse the internet (which happens pretty much every day) then the server is patient zero.

Is there some communication channel that we can subscribe to and receive emails or something for alerts to new versions, issues such as Anti-Ransomware needing to be disabled, cloud console down, etc.  Currently things just happen and we really don't have a clue.

When are exclusions by group coming?  It's very problematic to have all of the server exclusions and all desktop exclusions pushed globally.  Server exclusions themselves conflict but then adding in the desktop portion it makes it even more problematic.

Also is there a UI coming for the endpoints, the consumer version UI is great, not sure why there isn't one for Endpoint Protection.  Being able to manage the client from the endpoint side would simplify things in troubleshooting, especially if you remove an infected host off the network and need to scan offline.

As an organization we're starting to lose confidence in Malwarebytes as a solution for businesses.  Which is a shame really, I like the product and think the scanning engine is second to none, but it appears as if Endpoint Protection is not ready for primetime and more of an extended beta.  There are some basic features that are missing that would really make Endpoint Protection a home run.

Thank you,

Dean


Dean,

Here is our Administrator Guide for Malwarebytes Endpoint Protection (Cloud):

https://support.malwarebytes.com/docs/DOC-1802

What you quoted Dyllon from was previously true for the legacy product; this is out of the guide from our other product. This is no longer the case in Endpoint Protection: RDS is supported, as well as Anti-Ransomware on server endpoints.

This is from the EP guide above, we do fully support server OS.

[Attached image: SupportedEndpoints.PNG]

 

From my understanding exclusions by group are in the pipeline as a target feature.

UI we are targeting December release.

I want to apologize for the trouble so far. I am not here to make excuses; we need to do better! It is my job to advocate for you, our customer. Please let me know if we need to get management involved in this discussion.

We are committed to restoring your confidence (it's actually our motto). Our support team will do everything in our power to address any and all concerns, issues, and requested features for your organization. We are proud to have your organization use Malwarebytes, and will continue to work to resolve anything that may come up.

Many Thanks

 

 

 


22 minutes ago, KDawg said:

What you quoted Dyllon from was previously true for the legacy product; this is out of the guide from our other product. This is no longer the case in Endpoint Protection: RDS is supported, as well as Anti-Ransomware on server endpoints.

 

Sorry, but where did you get this from? My understanding is that this is still NOT supported, coming somewhere in Q4.


16 minutes ago, Computerdienst said:

Sorry, but where did you get this from? My understanding is that this is still NOT supported, coming somewhere in Q4.

Yes, this is the same thing I was told in my support tickets: Q4 more features coming, Ransomware add-on currently broken with a memory leak that leads to crashing the computer.


On 10/6/2017 at 11:08 AM, KDawg said:

Dean,

Here is our Administrator Guide for Malwarebytes Endpoint Protection (Cloud):

https://support.malwarebytes.com/docs/DOC-1802

What you quoted Dyllon from was previously true for the legacy product; this is out of the guide from our other product. This is no longer the case in Endpoint Protection: RDS is supported, as well as Anti-Ransomware on server endpoints.

This is from the EP guide above, we do fully support server OS.

[Attached image: SupportedEndpoints.PNG]

 

From my understanding exclusions by group are in the pipeline as a target feature.

UI we are targeting December release.

I want to apologize for the trouble so far. I am not here to make excuses; we need to do better! It is my job to advocate for you, our customer. Please let me know if we need to get management involved in this discussion.

We are committed to restoring your confidence (it's actually our motto). Our support team will do everything in our power to address any and all concerns, issues, and requested features for your organization. We are proud to have your organization use Malwarebytes, and will continue to work to resolve anything that may come up.

Many Thanks

 

 

 

Thank you, Kevin. Sorry I didn't reply earlier; apparently I forgot to select "Notify me of replies" at the bottom. I returned your phone call and spoke with Josh as you were on another call at the time. We started working on the resource issue we were having that appears to be part of the larger bug with anti-ransomware. Although after disabling all realtime protections last week, a Hyper-V server went down again due to the resource utilization.

I was also curious as to when more robust reporting was going to be added. When we were piloting the software we were told it was coming in the Aug/Sept time frame. It was OK to manually copy and paste results with a couple hundred machines in the pilot and make my own reports, but now we're over 2,600 with another 1,500 or so to go, and it would be great if I could build reports or export to a CSV at the bare minimum to provide management with some statistics and also keep up with machines that need our attention.

And one more that just popped into my head. Is it on the road map to build installers based on group? Manually sorting almost 3,000 machines has sucked a whole lot! ;)

Thanks,

Dean


I need to step in and clarify, RDS has been fixed for the Anti-Malware portion. However, ARW's current support is for client OS, Win 7 and up.

[Attached image: adminguidesupport.JPG]

 

Here's a quick product matrix for some content I am creating around best practice and initial MBEP group/policy setup. Server OS with ARW is being tested, when it is cleared, the documentation will change to reflect that.

[Attached image: matrixdraft.JPG]

