wcutler

issue with malwarebytes


currently getting this every 2 minutes on various pcs at our business

bad update?

 

 

Malwarebytes Management Server Notification
--------------------------------------------

Alert Time: 1/27/2018 10:25:24 AM
Server Hostname: VEN-MB-01
Server Domain/Workgroup: venturedyne.local
Server IP: 10
Notification Catalog: Client
Description:
Malware threat detected, see details below:

1/27/2018 10:23:50 AM   CLI-ENG-03      192.  Type: outgoing, Port: 53041, Process: chrome.exe        Blocked web site        159.180.64.71
1/27/2018 10:23:50 AM   CLI-ENG-03      192.   Type: outgoing, Port: 53044, Process: chrome.exe        Blocked web site        159.180.64.71
1/27/2018 10:23:58 AM   VEN-CTX-IT      10.      Type: outgoing, Port: 32305, Process: googleupdate.exe  Blocked web site        172.217.1.46
1/27/2018 10:23:58 AM   VEN-CTX-IT      10.      Type: outgoing, Port: 32306, Process: googleupdate.exe  Blocked web site        172.217.1.46
1/27/2018 10:23:58 AM   VEN-CTX-IT      10.       Type: outgoing, Port: 32307, Process: googleupdate.exe  Blocked web site        172.217.1.46
1/27/2018 10:24:06 AM   VEN-CTX-IT      10.       Type: outgoing, Port: 32309, Process: googleupdate.exe  Blocked web site        172.217.1.46
1/27/2018 10:24:06 AM   VEN-CTX-IT      10.       Type: outgoing, Port: 32310, Process: googleupdate.exe  Blocked web site        172.217.1.46
1/27/2018 10:24:06 AM   VEN-CTX-IT      10.      Type: outgoing, Port: 32311, Process: googleupdate.exe  Blocked web site        172.217.1.46
1/27/2018 10:24:06 AM   VEN-CTX-IT      10.       Type: outgoing, Port: 32312, Process: googleupdate.exe  Blocked web site        172.217.1.46
1/27/2018 10:24:06 AM   VEN-CTX-IT      10.       Type: outgoing, Port: 32313, Process: googleupdate.exe  Blocked web site        172.217.1.46
1/27/2018 10:24:06 AM   VEN-CTX-IT      10      Type: outgoing, Port: 32314, Process: googleupdate.exe  Blocked web site        172.217.1.46
1/27/2018 10:24:06 AM   VEN-CTX-IT      10      Type: outgoing, Port: 32315, Process: googleupdate.exe  Blocked web site        172.217.1.46
1/27/2018 10:24:06 AM   VEN-CTX-IT      10       Type: outgoing, Port: 32316, Process: googleupdate.exe  Blocked web site        172.217.1.46
1/27/2018 10:24:14 AM   VEN-CTX-IT      10.       Type: outgoing, Port: 32318, Process: googleupdate.exe  Blocked web site        172.217.1.46
1/27/2018 10:24:14 AM   VEN-CTX-IT      10.      Type: outgoing, Port: 32319, Process: googleupdate.exe  Blocked web site        172.217.1.46
1/27/2018 10:24:14 AM   VEN-CTX-IT      10.       Type: outgoing, Port: 32320, Process: googleupdate.exe  Blocked web site        172.217.1.46
1/27/2018 10:24:14 AM   VEN-CTX-IT      10       Type: outgoing, Port: 32321, Process: googleupdate.exe  Blocked web site        172.217.1.46
1/27/2018 10:24:46 AM   CLI-ENG-03      192   Type: outgoing, Port: 53054, Process: chrome.exe        Blocked web site        159.180.64.71
1/27/2018 10:24:46 AM   CLI-ENG-03      192.   Type: outgoing, Port: 53057, Process: chrome.exe        Blocked web site        159.180.64.71

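A way to triage a notification burst like the one above, as an added example that is not from the original post or from Malwarebytes: it parses rows in the notification's layout and flags the burst as a probable bad definition update when blocks hit known-good infrastructure or arrive faster than a threshold. The client IPs, the trusted networks, mgmtclient.exe and 10.0.0.5 are constructed for the demo (the post redacts the client-IP column).

```python
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

# One "Blocked web site" row in the layout of the Management Server
# notification above (the post redacts the client-IP column).
ROW = re.compile(
    r"^(?P<ts>\d+/\d+/\d{4} \d+:\d{2}:\d{2} [AP]M)\s+(?P<host>\S+)\s+(?P<client>\S+)\s+"
    r"Type: (?P<dir>\w+), Port: (?P<port>\d+), Process: (?P<proc>\S+)\s+"
    r"Blocked web site\s+(?P<dest>[\d.]+)\s*$"
)

# Constructed sample: client IPs, mgmtclient.exe and 10.0.0.5 (a hypothetical
# management server) are made up; hostnames and destinations follow the post.
SAMPLE = """\
1/27/2018 10:23:50 AM   CLI-ENG-03      192.0.2.10   Type: outgoing, Port: 53041, Process: chrome.exe        Blocked web site        159.180.64.71
1/27/2018 10:23:58 AM   VEN-CTX-IT      10.0.0.21    Type: outgoing, Port: 32305, Process: googleupdate.exe  Blocked web site        172.217.1.46
1/27/2018 10:24:06 AM   VEN-CTX-IT      10.0.0.21    Type: outgoing, Port: 32309, Process: googleupdate.exe  Blocked web site        172.217.1.46
1/27/2018 10:24:20 AM   VEN-CTX-IT      10.0.0.21    Type: outgoing, Port: 32330, Process: mgmtclient.exe    Blocked web site        10.0.0.5
"""

def parse_rows(text):
    """Return one dict per parsable row, with the timestamp as a datetime."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            r = m.groupdict()
            r["ts"] = datetime.strptime(r["ts"], "%m/%d/%Y %I:%M:%S %p")
            rows.append(r)
    return rows

def assess(rows, trusted_nets, max_per_minute=10):
    """Flag a block storm as a probable bad definition update.

    trusted_nets: networks that should never be blocked (management server,
    DNS, vendor update ranges). Blocks against them, or an abnormal block
    rate, point at the signatures rather than at malware.
    """
    nets = [ip_network(n) for n in trusted_nets]
    hits = sorted({r["dest"] for r in rows
                   if any(ip_address(r["dest"]) in n for n in nets)})
    per_minute = 0.0
    if rows:
        span = (max(r["ts"] for r in rows) - min(r["ts"] for r in rows)).total_seconds()
        per_minute = len(rows) / max(span / 60.0, 1.0)  # at least a one-minute window
    return {"blocks": len(rows), "per_minute": round(per_minute, 1),
            "trusted_hits": hits,
            "likely_bad_update": bool(hits) or per_minute > max_per_minute}
```

Run `assess(parse_rows(SAMPLE), ["10.0.0.5/32", "172.217.0.0/16"])` to see the management server and the update range reported as trusted hits; in a real deployment the notification text and the trusted list would come from your own console and network inventory.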

Currently sitting at over 4000 threats on the MC. One of the IP addresses that is getting blocked is for our Management Server (console).

Is this just a bad update?


MysteryFCM (Staff)

I'm currently talking to both one of the developers and one of the support team (he's been able to reproduce it) to try and find out what is going on.

As soon as we have an update as to the cause, I'll post back.


 

Steven Burn

Web Protection Team Lead



All our servers are down with this bad update. DNS down, Exchange down, etc...

I was able to get a FIX! Logging into the servers and turning off "Website Blocking" on Anti-Malware fixed DNS and remote connectivity and ping issues. However, Exchange is still not working. I have uninstalled MBAM and it is still not working, so it appears it might have quarantined a service, exe or something and this is now borked. Looking at restoring my servers to before the update and leaving the MBAM server offline, and blocking the update source on the internet.


Yeah, we are seeing it too - I just made an account while researching what happened.

We're using Malwarebytes Corporate (I think an older non-centralized client?) set to auto-update every hour. The 8:00AM definitions update started blocking... as far as I can tell, almost everything. Anybody with website protection started blocking our RMM servers (so every client machine is showing offline because the connection to our management servers is blocked). In addition, it's blocking regular stuff like Google.

The 9:00AM update went through and it's still blocking...


I have this version and it doesn't have the Web Blocker problem or memory utilization issues the recent updates are having. All of my clients run Malwarebytes Endpoint Protection - I have a lot of support tickets open and I have been fielding calls most of this morning regarding the current issues.

Appreciate the updates and good information.

This update is working great - I don't have my work PC automatically update anything. So that worked out in my favor this morning.

 


It's blocking all local traffic too. We turned off Protection Mode on the policy and are waiting for it to push out to clients. The ones that have gotten the new policy are working, but obviously no longer have protection.

Watching for updates here.


Same issue at our company as well; several of our businesses are reporting every couple of minutes. We are on version 2018.01.27.06.

 


We aren't sure if updates from the MBAM server are going out, as the problem seems to stop all traffic (ping, DNS, etc...). I am having to get onto each of my servers using the vSphere client; luckily all of my clients are offline today.


We just updated to version 2018.01.27.07 and the issue is still occurring. Major fail from MB, and what's more annoying, is they push out updates with no support working right now.

2 minutes ago, RayPL said:

We just updated to version 2018.01.27.07 and the issue is still occurring. Major fail from MB, and what's more annoying, is they push out updates with no support working right now.

Almost as bad as that issue where it clashed with Microsoft's Endpoint Protection and made everything grind to a halt!


Having the same problem here. Had to be some update installed this morning. Things were working fine about 7:30, but starting about 8:30 I started getting calls that people can't access some sites or email. I can't use TeamViewer or Remote Desktop to access servers or workstations so I'm left using Out of Band solutions.

Any ideas on how to fix this remotely?


1 minute ago, schester said:

Having the same problem here. Had to be some update installed this morning. Things were working fine about 7:30, but starting about 8:30 I started getting calls that people can't access some sites or email. I can't use TeamViewer or Remote Desktop to access servers or workstations so I'm left using Out of Band solutions.

Any ideas on how to fix this remotely?

Not possible unless they are virtual and you can direct connect to the host.
