
Management Console Client Push Install shows The Network Path Was Not Found



Running the Malwarebytes  Management Console for the Endpoint Security. Server is 2016 Standard. I have confirmed all the networking components and services are running correctly.

Under Admin | Client Push Install tab | when I use any Scan Option, i.e. Scan IP range, Scan IP Addresses and Scan Computers Under, Malwarebytes Console never sees all the computers on my network. I included a screen shot (below) of the machines currently viewable on that server, but MBW does not see them all. Tried several variations and still no love. Cannot load MWB via Console if it cannot see them all. 

Please help with any suggestions, appreciated!


The picture didn't make it, so I am going off of common reasons why no machines would show up. Do you have NetBIOS enabled (Microsoft has had it turned off via updates since Nov 2016), and are you trying to push across to another subnet? The NetBIOS protocol going across subnets will require you to have a server in a WINS server role in order for the information to be able to make it back from the subnet. Other items that need to be open through the Windows firewall (including when it is "disabled"): WMI, remote administration, and ports 135, 137 and 445 must be open. A machine being able to be pinged does not mean the traffic can flow. Try to net use the workstation's hard drive from the server, and that should give you a better approximation of potential discovery and install success.

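Added example, not part of any post in this thread: a Windows PowerShell 5.1 function that runs the checks listed in the reply above (TCP 135 and 445, the C$ admin share that `net use` would exercise, and a remote WMI query) against each target from the management server. The function name and the host names are hypothetical placeholders.

```powershell
# Added example (not from the thread). Run on the management server in an
# elevated Windows PowerShell 5.1 session, as the account used for the push.
function Test-PushInstallTarget {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$ComputerName
    )
    process {
        $r = [ordered]@{ ComputerName = $ComputerName }

        # TCP 135 (RPC endpoint mapper) and TCP 445 (SMB). Port 137 is the
        # UDP NetBIOS name service and cannot be probed with a TCP connect.
        foreach ($port in 135, 445) {
            $probe = Test-NetConnection -ComputerName $ComputerName -Port $port -WarningAction SilentlyContinue
            $r["Tcp$port"] = [bool]$probe.TcpTestSucceeded
        }

        # Admin share: same access that "net use \\host\C$" would need.
        $share = '\\{0}\C$' -f $ComputerName
        $r['AdminShare'] = Test-Path -LiteralPath $share

        # Remote WMI over DCOM/RPC. A firewall block typically surfaces here
        # as "The RPC server is unavailable", a rights problem as "Access is denied".
        try {
            $null = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName -ErrorAction Stop
            $r['Wmi'] = 'OK'
        } catch {
            $r['Wmi'] = $_.Exception.Message
        }

        [pscustomobject]$r
    }
}

# Placeholder host names; replace with machines the console fails to reach.
'WORKSTATION-01', 'WORKSTATION-02' | Test-PushInstallTarget | Format-Table -AutoSize
```

A target that answers ping but shows `False` or an error in any column here is the case the reply describes: reachable, but not open for discovery or install.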

I can see the picture now :) it doesn't look so bad. MBMC has a hardcoded timer within which it expects the client to respond back. The install might be ok, we'll need to grab some client logs to verify.


Step A – Malwarebytes Client Log Set
On the client go to C:\Program Files (x86)\Malwarebytes' Managed Client and run the tool CollectClientLog.exe as an admin.

Step B – FRST Log
Please follow the steps below to run frst.

1.) Please download frst and frst64 from the link below and save it to your desktop:

frst 32 Bit
frst 64 Bit

Note: You need to download the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your computer; that will be the right version. Some traditional Anti-Viruses may false positive the download or running frst, I can assure you it is safe. If this happens, please temporarily disable the AV.

2.) Double-click the purple frst or frst64 icon to run the program. Click Yes when the disclaimer appears.
3.) Click the Scan button
4.) When the scan has finished, it will make 2 log files in the same directory the tool is located, frst.txt and Addition.txt.

Please attach MBMC Client log, frst.txt and Addition.txt in your reply.


Is the .NET 3.5 feature enabled on the endpoints? The logs are filled with the clients' failure to respond to the server. The logs are also still showing lots of connection failures, as if the network is still not open, and access denied on the endpoints. Other than the ports, make sure those firewall predefined roles are open for WMI and remote administration; the open ports will not work without these.

Info    2018-05-28 16:06:40.6189    4628    90    IP Address 192.168.123.35 remote service control log: Remote client IP address: 192.168.123.35
Remote client hostname: ELIZABETH-HP-7
Process username: SYSTEM
ServiceIsInstalled: 1060. The specified service does not exist as an installed service.
SetNTService: 5
System error 5 has occurred. Access is denied. Failed to create remote service.
Info    2018-05-28 16:06:40.6189    4628    90    Delete folder: \\192.168.123.35\C$\scclientinstall_81f2e6ff_c17a_46b4_8dfe_41f276bab37a
Error    2018-05-28 16:06:40.6189    4628    90    There was an error deleting that folder: System.UnauthorizedAccessException: Access to the path '\\192.168.123.35\C$\scclientinstall_81f2e6ff_c17a_46b4_8dfe_41f276bab37a' is denied.
   at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
   at System.IO.Directory.Delete(String fullPath, String userPath, Boolean recursive, Boolean checkHost)
   at SC.Server.WindowsService.ComputerTest.TestIPAddress(RemoteInstallClientInfo clientInfo, String originAdminName, String& newAdminName, String adminPassword, Boolean isSupportSignleCancel, String curSccommVersion, String curMbamVersion, String curMbaeVersion, String localDomain, String localNetBiosDomain, String localAdminName, String localAdminPassword, Boolean useWMI)
Info    2018-05-28 16:06:40.6502    4628    90    IP 192.168.123.35 simulation result: System error 5 has occurred. Access is denied. Failed to create remote service.
Info    2018-05-28 16:06:40.6502    4628    90    IP 192.168.123.35 simulation result: Detection failed. Access is denied. Failed to create remote service.
Info    2018-05-28 16:06:40.6502    4628    90    Modify remotely install client: ELIZABETH-HP-7    0 ms
Info    2018-05-28 16:06:40.6658    4628    90    Thread [90] scan task exited.

 

Could you run these tools on an example client instead of the server?


Hi there, thank you for getting back to me.

.Net Framework 3.50 is not enabled on the 2016 Server.  We have .net Framework 4.6 partially installed (see screen shot attached.) I am presuming on the server I need to enable .Net Framework 3.50 as well?

And I will need to look at each computer to see if .Net Framework 3.50 is installed on each of the computers. That's what you are asking, correct? :)


The 4.6 is ok on the server, the 3.5 is just needed on the clients. 

The firewall predefined things are in GPMC and in the machine's firewall settings locally. Here's an example from GPMC, under Computer Configuration > Policies > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile.


Update - I realize I did not mention that I did indeed do this:  GPMC, under Computer Configuration > Policies > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile> the Windows Firewall settings you suggested, and then did a gpupdate /force. 

Side things to mention: I am logging in as the domain administrator when I work on MWB Console. The workstations have Microsoft Security Essentials, but no other antivirus/spy software.


RPC and WMI appear to be closed. The push installer is also failing to obtain IPs from every machine on your subnets. The MBMC console uses NetBIOS; in order to receive traffic back from subnets other than the one the server is on, there needs to be a WINS server role set up. We'll go over more of this in your pre-sales meeting today with Jacob.

Error    2018-06-04 15:25:26.5559    3992    40    System.Exception: The RPC server is unavailable. Please allow WMI through Windows Firewall. ---> System.Runtime.InteropServices.COMException: No such interface supported
 


Thank you Dyllon Jacobson for your assistance in figuring out what was wrong with my system today! THANK YOU!

For posterity's sake: for some reason, it was pulling a bogus IP address (192.168.123.26) --- which is an IP we've never used/assigned to a server (nor anything else.) No clue where this .26 IP address came from. The correct IP is 192.168.123.25. Dyllon looked at one of the workstations that was not connecting, specifically in its c:\ProgramData\SCCOMM\logs\sccomm.txt, and immediately we saw the bogus .26 IP address. Changed the XML in the C:\Program Files (x86)\Malwarebytes Management Server\PackageTemplate\SCComm.xml to the CORRECT IP, and ALL IS WELL WORKING GREAT!!!!!


P.S. Just looked at System tab and saw that the Description says it's trying to set Server Address to the bogus .26 IP address... is that a leftover/bad message from the .XML I wonder? It looks like things are working, so that's my guess. But if you could let me know what you think...


@ThatOneGirl may I have you make a new server and client log from that machine?

Server:
Navigate to C:\Program Files (x86)\Malwarebytes Management Server, run CollectServerLog.exe as admin.

Client:
Navigate to C:\Program Files (x86)\Malwarebytes' Managed Client, run CollectClientLog.exe as admin.

Upload to our PM and I'll check it out.

 


I just PM'd you the Server's CollectServerLog.exe. However, on that specific machine 1BCY etc, it gave me errors when I ran it: "No process is associated with this object." and "Program Compatibility Assistant: Windows detected that this program did not run correctly." So, I went to a different machine that was giving the same info about .26

THUS, I ran it from a different machine HPPRODESK2 so that you'd have the report

Thank you in advance for looking into this :)

 

 


TIP: The server's own IP address is set through the "Server Configuration" function. It is written to SCCOMM.XML from there.
Consider rebuilding the ClientSetup.exe or MSI packages, as one may contain a spurious IP.
Consider using an FQDN (fully qualified domain name) rather than an IP address, which will help in the future if you ever need to move the server to another address.
See screenshots.

  


Edited by AndrewPP

@AndrewPP the server's address was correct, the address the clients had was not; this does not apply to her situation. Additionally, I already switched her to using FQDN during our web session.

@ThatOneGirl when the tool gives that error, it requires admin elevation. Right click and run as admin. I'll look through what's been submitted already.


@ThatOneGirl even under an admin account, those tools need specific elevation. 

The logs from the server look perfect. The logs from that client, I have no idea where it is trying to get the 26 address from, we can try changing the sccomm.xml and sccomm.exe.config stuff out on that one. 

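Added example, not part of any post in this thread: a Windows PowerShell function that reports every IPv4 literal in a set of files that is not on an allow list, which is one way to locate where a stale server address such as the .26 one still lives. The function name and its parameters are hypothetical; the two file paths and the 192.168.123.25 address are the ones quoted in the thread.

```powershell
# Added example (not from the thread). Lists every IPv4 literal in the given
# files that is not on the allow list, with file and line number.
function Find-UnexpectedServerAddress {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$Path,
        [Parameter(Mandatory)][string[]]$Allowed
    )
    # Dotted quad with each octet limited to 0-255. A four-part version
    # string such as 1.2.3.4 also matches, so review hits before acting.
    $ipv4 = '\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b'

    foreach ($file in $Path) {
        if (-not (Test-Path -LiteralPath $file)) {
            Write-Warning "Not found: $file"
            continue
        }
        foreach ($hit in Select-String -LiteralPath $file -Pattern $ipv4 -AllMatches) {
            foreach ($m in $hit.Matches) {
                if ($Allowed -notcontains $m.Value) {
                    [pscustomobject]@{
                        File  = $hit.Path
                        Line  = $hit.LineNumber
                        Found = $m.Value
                        Text  = $hit.Line.Trim()
                    }
                }
            }
        }
    }
}

# Paths as quoted in the thread: the package template lives on the server,
# the sccomm.txt log on a client. A path missing on this machine only warns.
Find-UnexpectedServerAddress -Allowed '192.168.123.25', '127.0.0.1' -Path @(
    'C:\Program Files (x86)\Malwarebytes Management Server\PackageTemplate\SCComm.xml',
    'C:\ProgramData\SCCOMM\logs\sccomm.txt'
) | Format-Table -AutoSize
```

Once the server is referenced by FQDN, any IP literal left in the package template is worth a look, since newly built client packages inherit it.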
