mprott

Endpoints Going Offline


This has been a problem that has been plaguing us since we started using Endpoint Protection. We also have clients whose endpoints go down. Not a good look.


We are having the exact same issue. Have used the MB uninstall process on each, seems to help for a time then it comes down again. Going to Services and restarting the service seems to help each time. We have both Win 7 and Win 10 running, the problem only seems to occur with Win 10.

This is really not an acceptable state of affairs. I now must check the status daily (one would think a notification could at least be sent if a machine does not check in after X amount of time...) and then have to go to each endpoint to restart. We have moved most of our operations to Chrome OS (something I HIGHLY recommend to anyone who cares about security) but the remaining machines with this solution are in a constant state of checking and rehabilitating.

MB, please fix this problem or we, and I suspect many others, will have to look elsewhere for a security solution.

Thanks,

Mark


Hello,

I created a new topic as the old one was related to an issue in 2017. 

Could both of you PM me a zipped export of Application and System Event Viewer logs as we are trying to track this issue down. 

Also--Please PM me the endpoint FQDN name(s) that is/are experiencing this issue (doesn't have to be all of them, just a sample) and account email so we can try to pull more logs remotely.

 

Thank you 

Edited by vbarytskyy


You are not alone @mprott or @Markpol, I've created a stop-gap to at least get the Endpoints reporting until the issue is resolved. I also worked with @TonyCummins and created a step-by-step guide using PDQ Deploy (it's handy and it's free) [see below]. I'll reiterate my comment from earlier this month on my findings of the issue and the impact as I know it of the script. Mods, I don't want to interfere with you in tracking down the issue but at the same time I don't want to have blind spots in our visibility. However, that being said, if this is counterproductive or in any way hinders your efforts, please remove.

Quote

I agree that this is troublesome and we also run into this issue, and have with Sophos before switching to Malwarebytes. I truly believe that the issue is with Windows 10 as it wasn't an issue before on Windows 7 (for Sophos or Malwarebytes). Do you have a means to run a batch script on the endpoints, like PDQ Deploy? The below is the script we use to help mitigate the issue.

<Script removed, see below for full details>

Granted, this is a stop-gap and not a solution; on occasion it will need to be reapplied as updates reset the Agent start mode. When the Agent is in an offline state it does not prevent Malwarebytes from protecting the system, this only affects the communication to the cloud (updating current policies and schedules) and on-demand scanning.

Quote

PDQ Deploy is pretty straightforward but first you need to create the batch script. If you have it in a central location that the endpoints can read, great, if not you'll have to get a little creative. We use the Active Directory NETLOGON location (\\DOMAIN\NETLOGON\Scripts) since everyone can see it. Put the batch script there (either in the root or in a directory like we do so it keeps it tidy).

Creating the Package in PDQ Deploy

  • Right-Click on Packages Folder
  • Select New Package
  • Give it a name under Properties (I use Reset: Malwarebytes Agent or Service)
  • Select Steps
  • Select Install (Only option available in Free mode)
  • For Step Title name it Run Batch or something along those lines.
  • For Install File click the three dots and locate the batch file you created.
  • Click Save
  • Close dialog box

Running the install package in PDQ Deploy

  • Right-click on the newly created package and select deploy once (or select and press deploy once from top menu)
  • Add each computer on the left side. (You can import from a list like a text file)
  • On the right, select edit and add a credential that has admin access to the workstation.
  • Select Run As: Deploy User.
  • Then click run.
  • If the endpoint has read access and the credentials you are using are correct it will run silently in the background.

Examples

Batch File: Reset Malwarebytes Agent (Offline in Cloud)


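@ECHO OFF
REM Restart the Malwarebytes Endpoint Agent service so the endpoint reports to the cloud again.
START /WAIT net stop "MBEndpointAgent">nul 2>&1
timeout /T 3 /nobreak>nul
START /WAIT net start "MBEndpointAgent">nul 2>&1
REM Set the start mode to Automatic (Delayed Start); reapply if an update resets it.
sc config "MBEndpointAgent" start= delayed-auto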

 

 

Edited by Kalrand
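
Before pushing the batch file above, it helps to know which endpoints actually have the agent service stopped or its start mode reset. The PowerShell below is an added example, not part of the original posts or of Malwarebytes' tooling; the function name `Get-MBAgentStatus` is hypothetical, the host names are placeholders, and it assumes WinRM/CIM access to the endpoints with an admin account.

```powershell
# Added example: audit (and optionally repair) the Malwarebytes Endpoint Agent service.
# Assumes WinRM/CIM access to each endpoint; Get-MBAgentStatus is a hypothetical name.
function Get-MBAgentStatus {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [string]$ServiceName = 'MBEndpointAgent',   # service name from the thread's batch file
        [switch]$Repair                             # reapply the stop-gap only when requested
    )
    foreach ($computer in $ComputerName) {
        $row = [ordered]@{ Computer = $computer; State = 'Unknown'; StartMode = 'Unknown'
                           DelayedAuto = $null; Finding = ''; Repaired = $false }
        try {
            $svc = Get-CimInstance -ClassName Win32_Service -ComputerName $computer -Filter "Name='$ServiceName'" -ErrorAction Stop
            if (-not $svc) {
                $row.Finding = 'Service not installed'
            } else {
                $row.State       = $svc.State
                $row.StartMode   = $svc.StartMode
                $row.DelayedAuto = [bool]$svc.DelayedAutoStart
                $issues = @()
                if ($svc.State -ne 'Running') { $issues += 'agent not running' }
                if ($svc.StartMode -ne 'Auto' -or -not $svc.DelayedAutoStart) {
                    $issues += 'start mode is not Automatic (Delayed Start)'
                }
                $row.Finding = if ($issues) { $issues -join '; ' } else { 'OK' }
                if ($Repair -and $issues) {
                    # Reapply the stop-gap: delayed-auto start mode, then start the agent if stopped.
                    & sc.exe "\\$computer" config $ServiceName start= delayed-auto | Out-Null
                    if ($svc.State -ne 'Running') {
                        Invoke-CimMethod -InputObject $svc -ComputerName $computer -MethodName StartService | Out-Null
                    }
                    $row.Repaired = $true
                }
            }
        } catch {
            # Unreachable host or access denied: report it instead of hiding the blind spot.
            $row.Finding = "Query failed: $($_.Exception.Message)"
        }
        [pscustomobject]$row
    }
}

# Constructed sample input; replace with your own endpoint names.
Get-MBAgentStatus -ComputerName 'PC-EXAMPLE-01', 'PC-EXAMPLE-02' | Format-Table -AutoSize
```

Run it without `-Repair` first to get a read-only report; endpoints that show `OK` here but still appear offline in the console point to one of the other causes discussed later in the thread.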


I definitely appreciate the contribution @Kalrand, I am open to whatever is able to help others! 

But others, don't be discouraged if this particular tactic is not able to help you! The offline client issue is a bit of a quagmire; there are a myriad of different root causes that present the same symptom: offline clients. Service not starting (like Kalrand is dealing with here), Win 10's fastboot option, Windows not waiting long enough when the service is told to start and Windows moves on, HTTPS protocol problem still being on SSL 3 instead of TLS 1.1 / 1.2, SSL filtering/SSL proxy features on in network appliances with Malwarebytes URLs not whitelisted, bad certs, agent upgrade failed while copying its files from Windows\Temp due to something preventing access, and so on. That is what has made this a hard thing to solve for everyone and something that appears long standing, but not all offline client issues are the same and many people experience more than one on the same environment. If you are plagued with this issue symptom and the suggestions in this thread haven't helped your situation, open a ticket with the B2B support team so they can review your client's info to identify which thing is causing your clients to show offline.


@djacobson, we are also having similar issues; however, in our case, the computers are on 24/7 yet some endpoints' icons will switch from green to grey (off-line) and stop being scanned. When I uninstall MWB/restart/reinstall MWB/restart on the endpoint, the endpoint's icon goes back to green. Any ideas on the cause?


Apologies for coming across this so late in the week @theyzer! 

We've had a series of agent updates recently; it's possible some could need a restart to finish.

There's also a recent virtual adapter issue that's popped up; this is related to engine version 1.2.0.680. In some cases it is having trouble downloading the plugins, so you may not have the items needed to run scans or the Malwarebytes Service (mbamservice.exe). Malwarebytes Endpoint Agent service (MBCloudEA.exe) and the tray icon (Endpoint Agent Tray.exe) are likely still running.

We can confirm the version and some of the behavior in logs from the machine, though let's move the conversation about that back to your thread - https://forums.malwarebytes.com/topic/245780-green-icon-for-endpoints-in-console-turns-grey-and-stops-scanning/

 


I'm also experiencing this issue with a handful of endpoints in my environment. I have roughly 80 endpoints and about 6 or so no longer check in to the dashboard. If I redeploy the endpoint, they will check in once and then stop checking in again. I also noticed that the Malwarebytes icon is missing from the system tray on all of these problematic endpoints. Malwarebytes Service is running on all problematic machines. Malwarebytes Endpoint Agent service is not started. If I manually start the service, they will check in and MB shows up in the system tray. Any help getting this resolved would be greatly appreciated.


I should clarify that some of the problematic endpoints do have the Malwarebytes Endpoint Agent service started, but do not check in to the dashboard. Restarting the service doesn't fix the problem.


@brainerdmobil, you may be running into a different cause than we were. Since I posted my message, we have not run into that problem (of course!!). All our endpoints have maintained the Service since we uninstalled/restarted/reinstalled/restarted the endpoints this last time. Crossing fingers that whatever was causing the problem got fixed this last time since we've had no issues since.

On 6/19/2018 at 9:50 PM, mprott said:

This has been a problem that has been plaguing us since we started using Endpoint Protection. We also have clients whose endpoints go down. Not a good look.

When you say "offline" I assume you mean endpoint is still installed on the endpoint computer and you can see it on the cloud console but it does not communicate with the console anymore. We are having the same problem. Computers that were scanning on schedule stop and don't appear to be turned on. I have been using the cmd prompt uninstall then reinstalling. It seems to work, it is just a pain.
