
Realizing protection not working on endpoints


ChrisHaag


We have repeatedly had the case that on several endpoints the protection was not working. We could not figure out why yet, but suspect a relation to updates of the engine from 3.1 to 3.3. But that is not the point of this post.

Today we found out that 5 endpoints had had no protection for several days. No protection means for us that in the MWB cloud console the indicator next to the endpoint is gray instead of green for an otherwise up and running endpoint. Scheduled scans obviously do not run. If we open iptest.malwarebytes.org on such an unprotected PC, there is no blocking.

One user today attempted to manually start a scan and there was no context menu. That is how we discovered something was wrong. No context menu means no protection. We then looked at the list of users online in our internal chat system, looked up their corresponding AD computer names and compared that with the MWB cloud console. A boring and time-consuming manual task…

To be safe we would have to do such a check let’s say twice a day. Or we would have to ask our users to right click the MWB icon in the tray twice a day and check there is a context menu.

It may be hard to display such issues in the MWB cloud console as the question is how to figure out if a PC is not switched on (“user on vacation” situation) or if there is an issue with MWB. Maybe there is another option...

We have the MWB icon visible in the tray all the time so that users can see whether MWB has been loaded. It would really help us if the icon could be gray in case the protection is not working. That’s what our users here are used to from their home PCs protected with MWB consumer: gray means no full protection, blue means MWB is OK. We could instruct users to report to us if the MWB icon is gray in the tray. And if the MWB client would report that to the cloud (as long as the required communication component is still working) it would help even more.

Currently we are in the situation of not knowing whether our company is well protected or not. We just do not know how many endpoints are unprotected.

Would you consider implementing the “gray icon” feature?


We had a similar issue where the endpoint would be offline in Cloud Console. After starting the service MBEndpointAgent it would appear online. We then changed the startup to automatic delayed to prevent this from happening, which we roll out via script when needed. There is a delay option in the Cloud Console Policy under Startup Options but I don't know whether it affects the Agent or not. However we do have this enabled and have seen a decline in endpoints that are offline.


Edited by Kalrand

12 minutes ago, Kalrand said:

However we do have this enabled and have seen a decline in endpoints that are offline.

Thanks for your help, Kalrand. First, we try to avoid delaying the startup of any security measure as we have to train our users to wait before they start clicking. Protection should start with the system. Earlier means safer.

Anyway, the purpose of my post was not primarily to find out what we can do against endpoints not being protected. In fact we would like to be aware of our overall level of security. Today we have "limited vision". Everything looks good, but the reality is that endpoints are not protected.


I just noticed today one endpoint that is offline. The MBEndpointAgent service is stopped and its start mode is set to Automatic. The policy does have "Delay Real-Time Protection when Malwarebytes starts" enabled, so this option doesn't help in this regard. I had altered the start mode on this endpoint to Automatic Delayed Start previously because it went offline, but it's now back to Automatic.

Edited by Kalrand

21 hours ago, Kalrand said:

Also of note right-clicking on the task tray icon does not allow the option to start threat scan nor is there a context menu option to scan (new feature).

As said, for us the #1 indicator MWB is not working on an endpoint is if there is nothing displayed when right clicking the MWB icon in the tray. 

We have de-installed, rebooted the PC and installed MWB again in such cases. Then it was working fine. 

You may also test whether the protection is working by opening iptest.malwarebytes.org. 

We have fooled ourselves in one case where the "Start threat scan" would not appear on the tray icon. It might take a minute or so after rebooting. 

Back to topic...does someone from Malwarebytes have a comment on what I initially posted? Do others feel the same as we do?


  • 1 month later...

If the agent service is not online or able to start, common to Win 10 with fastboot on, the protection plugin will not be installed, or an endpoint upgrade failed and the plugin is no longer running. You can confirm by looking for the plugin install / uninstall logs in C:\ProgramData\Malwarebytes Endpoint Agent\Logs.


  • 5 weeks later...
On 2/10/2018 at 5:42 AM, ChrisHaag said:

As said, for us the #1 indicator MWB is not working on an endpoint is if there is nothing displayed when right clicking the MWB icon in the tray. 

We have de-installed, rebooted the PC and installed MWB again in such cases. Then it was working fine. 

You may also test whether the protection is working by opening iptest.malwarebytes.org. 

We have fooled ourselves in one case where the "Start threat scan" would not appear on the tray icon. It might take a minute or so after rebooting. 

Back to topic...does someone from Malwarebytes have a comment on what I initially posted? Do others feel the same as we do?

A little background here: we are an MSP partner and we install the MB Endpoint Protection product on endpoints and also have the cloud console for monitoring the endpoints. We have noticed that endpoints are going into a state of "offline + 7 days" all of the time. These are endpoints that are shut down nightly and are used every single weekday; some have been offline for weeks. We have noticed the same thing: when the MWB tray icon is not responsive, we know right away there is an issue. Also, every time an endpoint goes into an "offline + 7 days" state, the tray icon is bugged and does not work. We have reinstalled, run the mb-clean tool, turned on delayed start, and turned off web protection, and randomly clients will go into this broken state again after some time and then they have no protections.

The reply from staff regarding fastboot did not apply to us.  

I spoke to Malwarebytes Support and they indicated this is a known issue, they are working on it, this has been a known issue for some time, and there is not an expected date of resolution. I have reached out to my account rep with Malwarebytes and am asking for a partial refund; we all are paying for a product that does not work as advertised. Right now we are seeing failure rates around 30% for both Mac and PC, on different networks, on different OSs, and in different geographical areas.

If enough people start demanding refunds, contacting support with complaints, and applying some heat, we may start to get some resolution to this issue.  I feel like I was deceived when I enrolled / purchased the product, this was a known issue at that time and sales did not bother to mention it to me at all.  Extremely disappointing.


We had quite a few agents not report to the MEP Cloud in the beginning, this would show them as offline. Since we saw this particular behavior before with Sophos and Windows 10 we did what we did there, set the agent start mode to auto (delayed start). This cut down the offline endpoints to nearly zero. We scripted it for convenience, see below for the command we use.

sc config "MBEndpointAgent" start= delayed-auto
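An added example, not code from this thread or from Malwarebytes: a PowerShell check that answers the "how many endpoints are unprotected?" question from the service side, using the two signals the thread ties to a dead agent (the MBEndpointAgent service not running, and the agent log folder the staff reply names being missing or stale), with the delayed-auto change above as an optional remediation. It assumes WinRM/CIM remoting is enabled on the targets and the caller is a local administrator there; the computer names are constructed placeholders.

```powershell
# Added example (not from the thread or Malwarebytes). For each endpoint: query the
# MBEndpointAgent service state, count recently written files in the agent log folder,
# and classify. Assumes WinRM/CIM remoting works and the caller is a local admin on
# the targets; 'PC01' and 'PC02' are constructed placeholder names.
param(
    [string[]]$ComputerName = @('PC01', 'PC02'),
    [int]$LogAgeDays = 7,
    [switch]$SetDelayedStart   # apply the delayed-auto change above to stopped agents
)

$svcName = 'MBEndpointAgent'
$logDir  = 'C:\ProgramData\Malwarebytes Endpoint Agent\Logs'
$report = foreach ($pc in $ComputerName) {
    $row = [ordered]@{ Computer = $pc; State = ''; StartMode = ''; RecentLogs = $null; Verdict = '' }
    try {
        $svc = Get-CimInstance -ClassName Win32_Service -ComputerName $pc `
                               -Filter "Name='$svcName'" -ErrorAction Stop
    } catch {
        # Powered off or remoting blocked: the "user on vacation" case, not an agent fault.
        $row.Verdict = 'unreachable'
        [pscustomobject]$row; continue
    }
    if (-not $svc) {
        $row.Verdict = 'agent service not installed'
        [pscustomobject]$row; continue
    }
    $row.State = $svc.State; $row.StartMode = $svc.StartMode
    # Count agent log files touched within $LogAgeDays; -1 means the folder is missing.
    $row.RecentLogs = Invoke-Command -ComputerName $pc -ArgumentList $logDir, $LogAgeDays -ScriptBlock {
        param($dir, $days)
        if (-not (Test-Path -LiteralPath $dir)) { return -1 }
        @(Get-ChildItem -LiteralPath $dir -File |
            Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-$days) }).Count
    }
    $row.Verdict = if ($svc.State -ne 'Running') { 'agent stopped: plugin likely not running' }
                   elseif ($row.RecentLogs -lt 0) { 'log folder missing: check install' }
                   elseif ($row.RecentLogs -eq 0) { 'agent running but logs stale: verify tray menu' }
                   else { 'agent running' }
    if ($SetDelayedStart -and $svc.State -ne 'Running' -and $svc.StartMode -eq 'Auto') {
        # Same change as the sc config command above, applied remotely, then start the service.
        sc.exe "\\$pc" config $svcName start= delayed-auto | Out-Null
        Invoke-CimMethod -InputObject $svc -MethodName StartService | Out-Null
        $row.Verdict += ' (set to delayed-auto and started)'
    }
    [pscustomobject]$row
}

$report | Format-Table -AutoSize
$report | Group-Object Verdict | Select-Object Count, Name | Format-Table -AutoSize
```

The "unreachable" rows are the ones to cross-check against who is actually logged in, as the original post describes; every other verdict comes from the endpoint itself rather than from the console's online/offline indicator.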


  • 1 month later...
On 5/2/2018 at 7:48 PM, RyanZ said:

I spoke to Malwarebytes Support and they indicated this is a known issue, they are working in it, this has been a known issue for some time, and there is not an expected date of resolution.  I have reached out to my account rep with Malwarebytes and am asking for a partial refund, we all are paying for a product that does not work as advertised.  Right now we are seeing failure rates around 30% for both Mac and PC, on different networks, on different OSs, and in different geographical areas. 

If enough people start demanding refunds, contacting support with complaints, and applying some heat, we may start to get some resolution to this issue.  I feel like I was deceived when I enrolled / purchased the product, this was a known issue at that time and sales did not bother to mention it to me at all.  Extremely disappointing.

Bravo. This is clearly an issue for a lot of users and very negatively impacts one of the most fundamental value-adds of the cloud product. What's the value of the cloud-console if 10-30% of your endpoints may not be online? Are they protected? Are they receiving new protection updates? Who knows?!  

What's worse is that it seems that MB has squarely put the time/opportunity-cost of the fix onto the customer!

Simply can't recommend this product until this fundamental issue is resolved.
