TheRidingMan

MBAE installed but not functioning?


My environment already has MBAM Enterprise installed, and I'm using the Management Console.  We recently became licensed for MBAE as well, so I added the license key in on the console without a problem and deployed MBAE to a test machine using a group policy shutdown script.  The software seems to have installed fine.  I see MBAE process running on the test PC, and the console sees MBAE on that client.

But locally I can't launch MBAE.  Nothing happens when I try to launch the GUI.  I understand that this can be controlled via the Management Console, but on the anti-exploit tab of my policy, the box "do not show anti-exploit traybar icon and program interface" is not checked.  Furthermore, I've tried using the mbae-test utility, and when I try the "Exploit" option, I get no intervention by MBAE.  The calculator app launches even though it should be blocked.  There is no mbae-alert.log file in the programdata\malwarebytes anti-exploit\logs folder.

I tried uninstalling the MBAE and removing folders left over in program files x86 and program data.  I've seen references on these forums to an MBAE cleanup utility, but the link seems to be dead, so I'm not sure what else might need to go (regkeys?).  After a reinstall, again via GP, the behavior is unchanged.  

This is on a PC running Windows 7 Enterprise x64, up to date with Windows patches.


Hello TheRidingMan,

Here is the link to that clean tool you were mentioning:

https://forums.malwarebytes.org/applications/core/interface/file/attachment.php?id=199258

Can you try that? After doing the removal, can you try installing it manually on the machine as a test? I want to see if it works when you do the manual install. I want to confirm a few things with the manual install.


Thanks, yes, after using the clean_mbae script and reinstalling locally, it's working.  I see the MBAE icon in the system tray where it did not before, I can open the GUI, and the "exploit" option on mbae-test.exe produced a block notification from MBAE.  I also see log files that I didn't see before.  The Malwarebytes Console does not see my test PC as having MBAE installed, though.

I'd still like to determine how to deploy this remotely though.  Do you need to see any of the logs on my test PC?  Looking back over the instructions, there's no mention of entering in the license ID and key.  Do I need to push those to the registry when deploying using the MSI?  Or would that just make those PCs behave like they have the stand-alone version?


Hello TheRidingMan,

So to answer the first one, as long as the management software is installed, you just need to restart the service (or computer) and it will re-query the installed products and send the status to the server. It acts like a standalone installation that is managed by the management software on the machine. So it will show up after the restart is done. 

I do not need any logs. You hit the nail on the head to what the issue is. So what is happening is since you are deploying out the management software without anti-exploit packaged, it is deploying it without the key. So when you deploy it standalone through your GP, it installs just fine but doesn't get activated. This prevents the UI from being launched and running. So you can easily push out those registry entries you see to get it activated on all the computers you are deploying. I have used a simple .bat like this before to push it out as well:

https://malwarebytes.box.com/s/6oqwak9n6m85ps2ccou2lfhxtsfwphbo

In the script, just replace the x's in the ID and key entries with your own ID and key.

This can technically be done at any time pre or post install. But I would do it after you have deployed the GP with the .msi.

 


Yes, including the regkeys in my script worked.  Protection is now running on an endpoint that was installed using GP.  Thanks for your help.  And I should clarify that of course the admin guide mentioned adding regkeys, but not specifically in the context of using the msi or managed version.  I incorrectly assumed the endpoint would get whatever keys or registration info it needed from the server.  Thanks again for your help.


Hey TheRidingMan,

I will see if I can get that part tweaked a little bit. I do see what you are saying and it is not that clear in scenarios you would use it.

Let me know if you have any other issues!
