event viewer logging MBAM issues

[TonyCummins]

I have my multiple endpoints logging bunches of issues.......can anyone tell me whats going on please. 

2017-11-09 07:27:44,011-07:00 [26] WARN  MBAMPlugin Unable to get anti-exploit advanced techniques from mbam

2017-11-09 07:16:30,729-07:00 [22] WARN  MBAMPlugin Unable to get anti-exploit advanced techniques from mbam

2017-11-09 07:16:20,121-07:00 [26] WARN  MachineImpl Computer is registered on a domain, but that domain is currently unreachable System.DirectoryServices.ActiveDirectory.ActiveDirectoryOperationException: The requested authentication method is not supported by the server.
 ---> System.Runtime.InteropServices.COMException: The requested authentication method is not supported by the server.

   at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
   at System.DirectoryServices.DirectoryEntry.Bind()
   at System.DirectoryServices.DirectoryEntry.get_AdsObject()
   at System.DirectoryServices.PropertyValueCollection.PopulateList()
   at System.DirectoryServices.PropertyValueCollection..ctor(DirectoryEntry entry, String propertyName)
   at System.DirectoryServices.PropertyCollection.get_Item(String propertyName)
   at System.DirectoryServices.ActiveDirectory.PropertyManager.GetPropertyValue(DirectoryContext context, DirectoryEntry directoryEntry, String propertyName)
   --- End of inner exception stack trace ---
   at System.DirectoryServices.ActiveDirectory.PropertyManager.GetPropertyValue(DirectoryContext context, DirectoryEntry directoryEntry, String propertyName)
   at System.DirectoryServices.ActiveDirectory.Domain.GetDomain(DirectoryContext context)
   at EAEngine.MachineImpl.GetNameAndNics()

2017-11-09 07:16:19,341-07:00 [26] ERROR PolicyHandlerWeb Error getting verion information from sirius. Attempting to continue with existing plugins
System.Threading.Tasks.TaskCanceledException: A task was canceled.
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Sirius.SiriusClient.<CheckForUpdates>d__18.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at EAEngine.SiriusIntegration.SiriusWrapper.<GetPluginVersionInfo>d__19.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at EAEngine.Policies.PolicyHandler.<InstallPlugins>d__14.MoveNext()

2017-11-09 07:16:19,341-07:00 [26] ERROR SiriusWrapper Error loading package information from sirius
System.Threading.Tasks.TaskCanceledException: A task was canceled.
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Sirius.SiriusClient.<CheckForUpdates>d__18.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at EAEngine.SiriusIntegration.SiriusWrapper.<GetPluginVersionInfo>d__19.MoveNext()

2017-11-09 07:16:14,957-07:00 [26] ERROR EAWebClient Error PostWithRetryForever
System.OperationCanceledException: The operation was canceled.
   at System.Threading.CancellationToken.ThrowOperationCanceledException()
   at Polly.Retry.RetryEngine.<ImplementationAsync>d__1`1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Polly.Policy.<ExecuteAsync>d__100.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at EAEngine.Http.EAWebClient.<PostAsync>d__19.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at EAEngine.Http.EAWebClient.<PostWithRetryForever>d__20.MoveNext()
 

 

[dedmondson]

I am getting a ton of those also. 

[TonyCummins]

35 minutes ago, dedmondson said:

I am getting a ton of those also. 

I created a support ticket also, ill report back what they tell me

[TonyCummins]

Received reply from support this morning....simply telling me the following:
 

Quote

Can you please install .net framework 4.7 on each computer and as well on the Domain controller : 

https://www.microsoft.com/en-us/download/details.aspx?id=56116

(this version solves some bug with the older .net framework).

Are you using any other security suite or  proxy/firewall/VPN in your environment?

 

 

 

I replied with a screenshot of the .net 4.7 installed.and told him i used the full mbam installer on all my endpoints and asked if the pre-requisite installer wasn't supposed to check - install anything that mbam will need to run correctly. 
Also asked if the FRST logs i sent in show wats running and installed, Which to me answered the 2 questions i was asked in the 1st reply to my support case !!
so now ill wait another 24 hours plus to hear their reply.

 

[TonyCummins]

Finally received a reply just now, asking me to run the FRST and send the logs to support !!  Which i did when requested to do last Friday. My confidence in support is weaning day by day, seems like i'm getting the same canned reply to all my tickets and like today a second time asking for the same info tells me the support thread / emails are not being read.

[TonyCummins]

Update: I managed to get tech support and they did a remote session to a couple of the effected endpoints. After some troubleshooting i was assured that all protection was enabled and running correctly and that the events were "background noise"  He tested on his VM and changed the startup type to delayed and received no more of these events. Mentioned that many people had reported the issue and dev was working on a solution>

[JLR]

Was there ever a resolution to this?  I am also seeing.

[TonyCummins]

Nope...I still have event viewer full of alerts

[djacobson]

This is unimportant info from an attempt to update the plugin, that update was probably pulled. The "WARN  MBAMPlugin Unable to get anti-exploit advanced techniques from mbam" bit refers to a time when the MBAE advanced settings pieces were not yet part of the cloud portal. The rest looks to coincide with the updates that were taking place in early Nov to move the plugin from 3.0.6 to 3.1.8. The Endpoint Agent service, despite a few changes here and there in other updates to tone it down, writes with extreme verbosity to Event Viewer. Real product issues will be located in the program's own logging information. Event Viewer info is not really used by us for diagnostics.

[rramin]

Hello all.  I was experiencing the same issue on a single Windows 8.1 workstation on a domain.  The station was visible in the cloud console, but it wouldn't show any info.  I uninstalled/reinstalled MBEP, removed all traces of it in the registry and file system, and nothing helped.  I also noticed that I was getting seemingly unrelated GroupPolicy EventID 1090 errors and was unable to view RSoP info, possibly due to WMI errors.  As this was a legacy client that I inherited from a completely incompetent IT provider, I decided to reset some key items using Tweaking.com's Windows Repair to make sure all services were set to their defaults.  So I ran the following repairs:

Reset Service Permissions
Repair WMI
Repair Hosts File
Remove Policies Set By Infections
Restore Important Windows Services
Set Windows Services to Default Startup

After repair and rebooting, I right-clicked on the MBEP icon in the System Tray and the "Start Threat Scan" message came up (I usually use this as a quick way to determine if it has initially synced with the cloud console and installed all components).  I then checked the console and the station was there and all station info was now populated.  Lastly, my Group Policy issues were also resolved.  Now all i have to do is cancel my support ticket with MB.

Hopefully this helps.

Robert

 

Edited January 25, 2018 by rramin
Wasn't done.