Endpoint and Chrome

[AverageCiscoGuy]

So i guess this is kind of a two part post. So we just replaced our on prem endpoint clients with the cloud endpoint clients and that seemed to go fine using the mbam clean tool.

The problem some of our users are seeing is their chrome and firefox will lock up for 20+ minutes and just be frozen. I have turned off Web Protection and Anti Exploit to see if that fixes it, i haven't heard an update on the issue yet but i was curious if anyone has ran into this issue before.

Part two,
We have two policies, one for our computers and the other for our virtual machines/VDI's that DO NOT use anti exploit. I realized that using the endpoint installer provided it only uses the default policy and i can't install an endpoint solely to a specific policy like we kind of could with the on prem solution (install with anti exploit, one without). Is there a way besides installing then moving the machine to the correct policy to install the specific client to that specific policy?

[AverageCiscoGuy]

Update on the issue:

Had to uninstall all 600 computers that had the malware bytes cloud client because turning off all services still caused ALL browsers to stop working.

[IT_Guy]

Check your event log and resource monitor to see what's going on. There are a few different "issues" with MWB EPP, depending on what's going on in your event logs and resource monitors will determine which problem is affecting you.

[KDawg]

Average Cisco guy, can you take a look at the policy for the affected endpoints please let me know if the Self Protection module is enabled on these problem endpoints?

As well with this option disabled are we able to get the client machines running smoothing 

[IT_Guy]

9 minutes ago, KDawg said:

Average Cisco guy, can you take a look at the policy for the affected endpoints please let me know if the Self Protection module is enabled on these problem endpoints?

As well with this option disabled are we able to get the client machines running smoothing 

I think he said in his post that turning off all of the services did not help?

[djacobson]

On 11/10/2017 at 1:23 PM, AverageCiscoGuy said:

Is there a way besides installing then moving the machine to the correct policy to install the specific client to that specific policy?

For both the cloud product and the on-prem, the answer is no. Both products include a default setup to run under until the machine checks-in. The illusion with the older on-prem is that you are sending the group and that group's policy with the created installer so it has it already, which is not the case. For the on-prem, what is really happening is that you are pre-sorting it, so when the machine checks-in, it will then be placed under the group you specified, which will then conform to the policy assigned to the chosen group. If the machine never finishes checking-in, it will still run but it will be running a default setup, not the chosen group's policy.

For the cloud product, your install will tie into the default group and default policy, which is setup to not have Endpoint Protection turned on, it is instead defaulted to Incident Response for maximum system compatibility on initial push as not every machine will be able to run all the realtime protections available in the Endpoint Protection piece. The machines will then need to be manually sorted into whatever group/policy you would like them to run under after it checks-in to the cloud console. There is no equivalent "pre-sort" functionality for the cloud product.

[kahml]

What, exactly, does this mean:

Quote

as not every machine will be able to run all the realtime protections available in the Endpoint Protection piece.

 

[IT_Guy]

1 minute ago, kahml said:

What, exactly, does this mean:

 

Yeah, why is this the first we are hearing not all computers might be able to run Epp modules?

[djacobson]

We haven't been able to fully put out content for you guys because of all the firefighting we've been having to do but it has been brought up here a few times. Read "not all computers" as "servers". It is server OS and server roles that can preclude you from using everything within EP. This post of mine mentions it, you were on that thread IT_Guy, not sure why you are saying this is the first you have heard of it - 

 

[AverageCiscoGuy]

Sorry for a late response, we had a firefight when this issue happened to the whole company and we had to uninstall then install and completely disable all services until we can figure some stuff out. I have a ticket with MB and they've collected logs and had a remote session with no luck so far. It appears that the Anti Exploit even when disabled in the settings for all browsers will still keep the browsers hanging when closed and freeze after being used for a little bit. Something with DLL injection and i would assume Sophos but like i said our on prem version anti exploit didn't have any issues with Sophos and the MBAE client.

So for now i'll wait to reply to this until i can hear back from the team, o far they've been very helpful in the situation. I also created a thread in the comments and suggestion section for the groups and policy thing since i cannot replicate our previous installer settings without manually moving clients and what not. That post is here if anyone is interested: