Malwarebytes Endpoint Security Known Issues?



We recently renewed our subscription. We went from Malwarebytes Anti-Malware for Business to Malwarebytes Endpoint Security. This new version includes the license for Anti-Exploit. Is there a list of known issues with this new version?

Current configuration
Management Console 1.6.1.2897
Anti-Malware for Business 1.80.1.011
Anti-Exploit for Business 1.07.2.1015

New version
Management Console 1.80.3443
Anti-Malware for Business 1.80.2
Anti-Exploit for Business 1.11.2.55

I've read the release history and checked the forums but I couldn't find a running list of known issues. 

 


Hi @bhabel, for the MBAE portion, the known issues are here - 

 

MBMC's and MBAM's are not posted on this forum, but I can summarize here...

MBAM:

  1. The scan engine can fail to load on machines with excessive local and roaming profiles. Fix is to reduce the amount of profiles or discontinue using MBAM 1.x scanning engine. Popular choices are to use MBBR tool if you wish to continue using the On-Prem product or move to the Cloud product.
  2. The scan engine can also fail to load due to desktop heap memory limitations, this happens when around 80-100 total scans have been performed during a single Windows session. Machines with very long up times can hit this error, mostly servers since they can be up for weeks and months at a time before a reboot. Reboot fixes this error.
  3. MBAM can sometimes encounter issues around Windows Prefetch. Solution is to disable Prefetch or the same as number #1; use MBBR, or move to the Cloud product.
  4. MBAM malicious website blocking real-time engine can encounter conflicts, and cause hangs/lockups, with logon scripts that assign drive shares and/or applications that run from or write to drive shares. The workarounds for this are varied and it is best to open a support ticket if you come across this issue.
  5. Scheduled scan threads can fail to close if another scheduled scan kicks off while the first scheduled scan is still running. Solution is to reduce the recover if missed scan property or alter the other scan's schedule to not overlap with others. 

MBMC:

  1. Users can sometimes encounter an inability to add AD accounts to MBMC Administrators. Solution is to use local MBMC accounts.
  2. Users can also encounter a failure to log on with AD accounts/groups even if successfully added to the Administrators area, most often following upgrading MBMC. Solution is to use local MBMC accounts.
  3. Reports can fail to load if users decide not to install the IIS 7.5 Express pre-req; either because a newer IIS Express was in place (an example being Server 2012 has IIS 8 Express as default, which is a conflict) or a full IIS instance was already in place. Solution is to choose another server where you are free to install IIS 7.5 Express, or uninstall the conflicting IIS 8 Express on the one you are using. IIS 7.5 Express can live alongside full IIS 7.5 without conflicts.
  4. Ignore list cannot use wildcards in the middle of a folder path.
  5. Ignore list cannot honor UNC paths.
  6. Ignore list cannot honor user path variables, i.e. %userprofile%, %systemroot%, and so on.
  7. Language options in the policy do not work for anything other than English.
  8. Users who have set up MBMC to connect to an external SQL can get locked out of MBMC if their SQL logon's password expires. There is no place outside of MBMC to change the account and you need the account to log on, a Catch-22. You must change the SQL logon's password back to what was originally used, or uninstall/reinstall MBMC and use the new SQL logon creds during the external SQL connection step. If you have change control in place that requires the SQL logon to expire, it is best to create two SQL accounts to be assigned to the MBMC database and switch between those accounts before the SQL logon in use has its password set to expire.
  9. Using Windows credentials to connect to external SQL, full or express, is not supported, SQL must be in mixed mode and you must use an SQL logon. Windows creds are only supported when using the embedded SQL Express option.
  10. Roaming and remote clients are not supported, if you wish to support roaming and remote clients, the Cloud product is the correct one to choose.

MBMC Managed Client agent:

  1. MEEClientService, which controls client communication to the MBMC console, can fail to be loaded by Windows during startup or restarts. Issue is mostly on Windows 10 but can affect others. Solution is to change the service's failure condition properties with this command:
    sc failure "SCCommService" actions= restart/6000/restart/6000/""/6000 reset= 120

    This command will restart the service if it has failed for longer than 6000 ms, which is 6 seconds, it will do that once more on the second failure, the third failure will take no action so that the service doesn't end up in a start stop loop. If the first and second restarts are successful and the service remains up for at least 2 minutes, the failure count is reset. Here's an article that explains the sc failure command set in more detail - https://technet.microsoft.com/en-us/library/cc742019(v=ws.11).aspx

  2. Windows 10 Laptops with Fastboot enabled can shutdown faster than the MEEClientService can send the "I'm offline" signal to MBMC. Results are that the client will show online when it is, in fact, offline. Solution is to disable Fastboot.

 

That's all I can think of off the top of my head.
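The service recovery step from the "MBMC Managed Client agent" item above, written out as a PowerShell script that applies the setting and reads it back. This is an added example, not code from the forum post or from Malwarebytes; the service name "SCCommService" is taken from the post's own command, and the HiberbootEnabled registry value (which controls Windows Fast Startup) is assumed to be the setting behind the "disable Fastboot" advice.

```powershell
# Added example, not from the forum post: apply the recovery settings the post
# describes and read them back. Run from an elevated PowerShell session.
# Assumption: "SCCommService" is the service name used in the post's own command.
$ServiceName = 'SCCommService'

if (-not (Get-Service -Name $ServiceName -ErrorAction SilentlyContinue)) {
    throw "Service '$ServiceName' not found on this host"
}

# The --% stop-parsing token hands the rest of the line to sc.exe verbatim, so the
# empty "" third action (take no action) survives PowerShell's own quoting rules.
sc.exe --% failure SCCommService actions= restart/6000/restart/6000/""/6000 reset= 120
if ($LASTEXITCODE -ne 0) { throw "sc.exe failure returned exit code $LASTEXITCODE" }

# Read the configuration back and check the two values the post specifies:
# a 120 second reset period and two RESTART actions delayed 6000 ms.
$config = sc.exe qfailure $ServiceName
$config

$resetOk   = @($config -match 'RESET_PERIOD \(in seconds\)\s*:\s*120').Count -eq 1
$restartOk = @($config -match 'RESTART -- Delay = 6000 milliseconds').Count -eq 2
if ($resetOk -and $restartOk) {
    Write-Host "Recovery settings verified for $ServiceName"
} else {
    Write-Warning "Recovery settings for $ServiceName do not match the expected values"
}

# Related item from the same post: a laptop can shut down before the agent reports
# itself offline. Fast Startup is controlled by this registry value (0 = disabled).
# Assumption: this is the setting the post calls "Fastboot". Only the current value
# is shown; the Set-ItemProperty line is left commented so nothing changes unreviewed.
$fastStartupKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Power'
$current = (Get-ItemProperty -Path $fastStartupKey -Name HiberbootEnabled -ErrorAction SilentlyContinue).HiberbootEnabled
Write-Host "HiberbootEnabled is currently: $current  (0 disables Fast Startup)"
# Set-ItemProperty -Path $fastStartupKey -Name HiberbootEnabled -Value 0 -Type DWord
```

The read-back matters more than the write: `sc.exe failure` returns success even when a typo leaves the service with a different action list, so comparing `sc qfailure` output against the intended values is the only way to confirm the change on each endpoint before pushing it fleet-wide.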


For the MBAM side, standalone and managed have many differences, though because the engine is unchanged, they both will have the same known issues. For MBAE, standalone and managed are one in the same, however if the Managed Client agent is present, MBAE will automatically go into MBMC managed mode. Standalone MBAE installers can be used to repair/upgrade MBAE, independent of the console. Only MBAE can do this, MBAM cannot.


On 4/12/2018 at 2:05 PM, djacobson said:

MBAM malicious website blocking real-time engine can encounter conflicts, and cause hangs/lockups, with logon scripts that assign drive shares and/or applications that run from or write to drive shares. The workarounds for this are varied and it is best to open a support ticket if you come across this issue.

Is this issue present in 1.80.1.1011 as well?


Yes, this issue is part of the MBAM 1.x engine in its entirety, from at least 1.43 to 1.80.2.1012. 1.80.1.1011 was also replaced by 1.80.2.1012 due to a potential vulnerability to man-in-the-middle attacks via the updating mechanism; I would advise you to upgrade your console and clients to the latest to gain the MitM protection.

 

https://www.malwarebytes.com/support/releasehistory/business/

1.80.2 / May 26, 2016

Stability/Issues fixed

Fixed security vulnerability to ensure database updates are downloaded over SSL connections only


4 hours ago, bhabel said:

Do we need to uninstall then reinstall, or simply install the latest version? For both the management console and endpoint clients?

FAQ: Where can I download my business products?

https://support.malwarebytes.com/docs/DOC-1161

Upgrade to the latest version of the Malwarebytes Management Console

https://support.malwarebytes.com/docs/DOC-1043


On 4/24/2018 at 8:07 AM, bhabel said:

Can you quantify "excessive"?

I am not able to be exact; it can vary due to the size of the contents within the user profile. The scanner attempts to enumerate all profiles before a scan begins. For light profiles, around 50 to 80. For larger profiles, it can be a fair amount less.

 

The Kaspersky issue, I am not sure, I would need to ask.
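A way to check a host against the rough profile count given in the reply above, as an added example that is not part of the thread or of any Malwarebytes tooling. It counts local and roaming profiles through the Win32_UserProfile CIM class and lists unloaded profiles not used for a while as cleanup candidates; the 50-profile warning level and the 90-day staleness window are assumptions chosen for illustration.

```powershell
# Added example, not from the forum thread: count user profiles on this host and
# compare against the rough 50-80 range the reply gives for light profiles.
# Assumptions: WarnAt and StaleDays are illustrative thresholds, not product values.
param(
    [int]$WarnAt    = 50,
    [int]$StaleDays = 90
)

# Special profiles (system, service accounts) are excluded; they are not user profiles.
$profiles = @(Get-CimInstance -ClassName Win32_UserProfile |
    Where-Object { -not $_.Special })

$local   = @($profiles | Where-Object { -not $_.RoamingConfigured })
$roaming = @($profiles | Where-Object { $_.RoamingConfigured })

# Candidates for removal: not currently loaded and last used before the cutoff.
$cutoff = (Get-Date).AddDays(-$StaleDays)
$stale  = @($profiles | Where-Object {
    -not $_.Loaded -and $_.LastUseTime -and $_.LastUseTime -lt $cutoff
})

[pscustomobject]@{
    ComputerName    = $env:COMPUTERNAME
    LocalProfiles   = $local.Count
    RoamingProfiles = $roaming.Count
    TotalProfiles   = $profiles.Count
    StaleProfiles   = $stale.Count
    NearThreshold   = ($profiles.Count -ge $WarnAt)
} | Format-List

# Review this list before deleting anything; roaming profiles may hold unsynced data.
$stale | Sort-Object LastUseTime |
    Select-Object LocalPath, LastUseTime, RoamingConfigured | Format-Table -AutoSize

# After review, a single profile can be removed with Remove-CimInstance, which
# deletes both the profile directory and its ProfileList registry entry:
# Remove-CimInstance -InputObject $staleProfile
```

Running this with `-WarnAt 80` across the servers that hit the scan engine load failure gives a quick way to see whether profile count explains the symptom before changing scan engines, and the stale list is the data needed for the "reduce the number of profiles" fix.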


On 4/24/2018 at 8:09 AM, bhabel said:

Thanks, my confusion was the line "To mitigate delays, reinstall your managed clients". I wasn't sure if this meant uninstall then reinstall or simply push the client install and it would upgrade the version.

Just to clarify, this means uninstall then reinstall correct?
 


  • 3 months later...
On 4/12/2018 at 2:05 PM, djacobson said:

Hi @bhabel, for the MBAE portion, the known issues are here - 

 

MBMC's and MBAM's are not posted on this forum, but I can summarize here...

MBAM:

  1. The scan engine can fail to load on machines with excessive local and roaming profiles. Fix is to reduce the amount of profiles or discontinue using MBAM 1.x scanning engine. Popular choices are to use MBBR tool if you wish to continue using the On-Prem product or move to the Cloud product.
  2. The scan engine can also fail to load due to desktop heap memory limitations, this happens when around 80-100 total scans have been performed during a single Windows session. Machines with very long up times can hit this error, mostly servers since they can be up for weeks and months at a time before a reboot. Reboot fixes this error.
  3. MBAM can sometimes encounter issues around Windows Prefetch. Solution is to disable Prefetch or the same as number #1; use MBBR, or move to the Cloud product.
  4. MBAM malicious website blocking real-time engine can encounter conflicts, and cause hangs/lockups, with logon scripts that assign drive shares and/or applications that run from or write to drive shares. The workarounds for this are varied and it is best to open a support ticket if you come across this issue.
  5. Scheduled scan threads can fail to close if another scheduled scan kicks off while the first scheduled scan is still running. Solution is to reduce the recover if missed scan property or alter the other scan's schedule to not overlap with others. 

MBMC:

  1. Users can sometimes encounter an inability to add AD accounts to MBMC Administrators. Solution is to use local MBMC accounts.
  2. Users can also encounter a failure to log on with AD accounts/groups even if successfully added to the Administrators area, most often following upgrading MBMC. Solution is to use local MBMC accounts.
  3. Reports can fail to load if users decide not to install the IIS 7.5 Express pre-req; either because a newer IIS Express was in place (an example being Server 2012 has IIS 8 Express as default, which is a conflict) or a full IIS instance was already in place. Solution is to choose another server where you are free to install IIS 7.5 Express, or uninstall the conflicting IIS 8 Express on the one you are using. IIS 7.5 Express can live alongside full IIS 7.5 without conflicts.
  4. Ignore list cannot use wildcards in the middle of a folder path.
  5. Ignore list cannot honor UNC paths.
  6. Ignore list cannot honor user path variables, i.e. %userprofile%, %systemroot%, and so on.
  7. Language options in the policy do not work for anything other than English.
  8. Users who have set up MBMC to connect to an external SQL can get locked out of MBMC if their SQL logon's password expires. There is no place outside of MBMC to change the account and you need the account to log on, a Catch-22. You must change the SQL logon's password back to what was originally used, or uninstall/reinstall MBMC and use the new SQL logon creds during the external SQL connection step. If you have change control in place that requires the SQL logon to expire, it is best to create two SQL accounts to be assigned to the MBMC database and switch between those accounts before the SQL logon in use has its password set to expire.
  9. Using Windows credentials to connect to external SQL, full or express, is not supported, SQL must be in mixed mode and you must use an SQL logon. Windows creds are only supported when using the embedded SQL Express option.
  10. Roaming and remote clients are not supported, if you wish to support roaming and remote clients, the Cloud product is the correct one to choose.

MBMC Managed Client agent:

  1. MEEClientService, which controls client communication to the MBMC console, can fail to be loaded by Windows during startup or restarts. Issue is mostly on Windows 10 but can affect others. Solution is to change the service's failure condition properties with this command:
    
    sc failure "SCCommService" actions= restart/6000/restart/6000/""/6000 reset= 120

    This command will restart the service if it has failed for longer than 6000 ms, which is 6 seconds, it will do that once more on the second failure, the third failure will take no action so that the service doesn't end up in a start stop loop. If the first and second restarts are successful and the service remains up for at least 2 minutes, the failure count is reset. Here's an article that explains the sc failure command set in more detail - https://technet.microsoft.com/en-us/library/cc742019(v=ws.11).aspx

  2. Windows 10 Laptops with Fastboot enabled can shutdown faster than the MEEClientService can send the "I'm offline" signal to MBMC. Results are that the client will show online when it is, in fact, offline. Solution is to disable Fastboot.

 

That's all I can think of off the top of my head.


Is this list of known issues still current?

Malwarebytes Management Console
1.8.1

Malwarebytes Anti-Malware for Business
1.80.2

Malwarebytes Anti-Exploit for Business
1.12.2.90


MBMC 1.8.1.3476 does have some corrections over 1.8.0.3443 but does not address all that was put here yet; see the release history for what was changed in the newer patch build - https://www.malwarebytes.com/support/releasehistory/business/

1.8.1 / May 21, 2018

Improvements

  • Improved logic to show endpoints offline after missed check-ins in large environments

Fixes

  • Addressed an issue where certain endpoints may fail to check-in due to duplicate key value
  • Fixed an issue where server was not receiving database updates depending on the update frequency set
  • Addressed an issue where certain Active Directory accounts could not log-in after upgrading