
Two Major Issues w/ Endpoint Protection



I've got about 150 or so active endpoints and had been having issues off and on with MB randomly running throughout the day and slowing machines down. All our workstations are Windows 10 v. 1803 build 17134.228 and servers are Server 2012 R2 Standard. We opened a ticket and were advised there was a known issue with the version we had that was causing this and was causing the endpoints to not receive the latest version. We were given an uninstall script to remove MB and advised to redeploy the endpoint agent, so we did that.

A few days after this I realized that the End Point Agent had deployed successfully but had not installed the scanning engine. There are errors in the event log that it couldn't establish a secure connection. I only had 29 of our machines that actually had protection running. The cloud console did not give us any alerts or notify us that there was an issue, which is a MAJOR problem with that implementation. There should be warning klaxons going off every time I log in and coming to my email when the agent can't install the actual scanning engine on a machine. Support gave me the direct link it is trying to hit and I don't have any problems popping that in a browser and downloading the scanning engine, and I've manually deployed it to all my servers. 

So anyway, I have an open support case on that and haven't gotten anywhere with it but in the meantime on the machines that DO have protection the issue with them getting slowed down has returned. In fact, it's happening to me right now and about every 5th word I type there is 5-10 seconds of lag. It's also impacting my ERP server and causing that application to run slow, which is costing us serious money. I've got a ton of machines that are unprotected but if I put protection on them I'm afraid it is going to slow them down. 

Has anyone else had similar issues? Any solutions? 
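One way to get the visibility the console did not provide (added example, not code from the thread or from Malwarebytes): a PowerShell inventory that checks each domain computer for the scanning service and samples its CPU, so endpoints with an agent but no running scanner, or a scanner pegging the CPU, show up in one report. The service name, process name and OU are placeholders you must replace; nothing here is a real Malwarebytes identifier.

```powershell
# Added example (not from the thread): audit which domain computers actually have the
# endpoint scanning service running, and how busy its process is.
# PLACEHOLDER values below are assumptions, not real product names.
param(
    [string]$ServiceName = 'PLACEHOLDER_ScanServiceName',
    [string]$ProcessName = 'PLACEHOLDER_ScanProcessName',
    [string]$SearchBase  = 'OU=Workstations,DC=example,DC=local',
    [string]$Report      = "$env:TEMP\endpoint-protection-audit.csv"
)

Import-Module ActiveDirectory
$computers = Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase |
    Select-Object -ExpandProperty Name

$results = foreach ($c in $computers) {
    $row = [ordered]@{ Computer = $c; Reachable = $false; ServiceState = 'Missing'; CpuPercent = $null; Error = $null }
    if (-not (Test-Connection -ComputerName $c -Count 1 -Quiet)) { [pscustomobject]$row; continue }
    $row.Reachable = $true
    try {
        # Windows PowerShell 5.1: Get-Service still accepts -ComputerName.
        $svc = Get-Service -ComputerName $c -Name $ServiceName -ErrorAction Stop
        $row.ServiceState = $svc.Status.ToString()
        # Two samples of % Processor Time, normalised to logical CPUs so 100 = whole box busy.
        $counter = "\Process($ProcessName)\% Processor Time"
        $sample  = Get-Counter -ComputerName $c -Counter $counter -SampleInterval 2 -MaxSamples 2 -ErrorAction Stop
        $raw     = ($sample.CounterSamples | Measure-Object CookedValue -Average).Average
        $cores   = (Get-CimInstance Win32_ComputerSystem -ComputerName $c).NumberOfLogicalProcessors
        $row.CpuPercent = [math]::Round($raw / $cores, 1)
    } catch {
        # Service absent (engine never installed) or counter unavailable: record why.
        $row.Error = $_.Exception.Message
    }
    [pscustomobject]$row
}

$results | Export-Csv -Path $Report -NoTypeInformation
# The machines the console may not flag: agent present but no running scanner, or a scanner hogging CPU.
$results | Where-Object { $_.ServiceState -ne 'Running' -or $_.CpuPercent -gt 50 } | Format-Table -AutoSize
```

Run it from a management host with RSAT and WinRM/RPC access to the endpoints; scheduling it daily gives the per-machine alerting the thread asks for.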


Welcome to the Malwarebytes for business forums. I want to apologize for the hurdles this far, and would like the opportunity to try and help get this resolved for you.

The endpoint agent should install without the workaround you are correct. For this, if you can please upload the logs discussed in the support case, we should be able to gain some additional insight.

As well, in regards to the lag, we may be able to see what that is with the Process Monitor logs too.

Do you have any third party security software, any other Anti-virus in addition to Malwarebytes on the systems affected? 



I've submitted multiple Process Monitor logs and packet capture reports as of now, waiting to hear back from support. MB has been running constantly at over 50% CPU utilization on my primary domain controller, so obviously that is not good. I captured procmon logs from it and submitted them, and I just manually ended the process to restore the server to functionality. Very frustrating issue to continue to have; there is no other AV installed on it either, so not some kind of conflict there. The problem is our users don't have local admin, so when they run into this issue they can't just restart the service or kill the process.


35 minutes ago, Kernel009 said:

We have tickets open for both of these issues as well... just an FYI it's not isolated to you.  Looking for answers ourselves...

Thanks for letting me know. I've been continuing to work with level 2 support and hopefully we're making progress. Just to clarify, are you also having the issue with endpoints not getting updates?


Sorry - didn't mean to post twice in a row and there was no delete option for a post that I could find :)

I haven't actually dug into updates not flowing... but I'll let you know. One of my wishes is for a more streamlined interface with more column choices so we can, for instance, see what the current version of the client is and identify it easily... and perhaps a user-editable "Label" field (like Trend Micro has) to easily identify a machine when you have a cryptic naming convention (of someone else's design, of course, LOL).


So just to update: still don't know why endpoints are not downloading and installing the scanning agent. I downloaded it and deployed it myself with PDQ, so my endpoints are protected, but I suspect the next time an update is released they are not going to get it automatically. We'll see. I haven't had any server trouble; support gave me a number of exclusions to set and that has been done. It was not happening too frequently, but it has been over a week since I had any issues, so I'm hopeful that problem is resolved.

Workstations are a different story. Still seeing some performance issues there; I was experiencing them myself this morning. After any action there was a noticeable lag, especially when it came to opening a new tab in Chrome or launching a new browser window. I would see the Malwarebytes service spike in resource utilization briefly during this time, and when it finished whatever it was doing the action would complete. I rebooted and haven't had any issues, but asking folks in the middle of design to reboot doesn't tend to go over well, as it greatly disrupts their workflow and train of thought. I've added some exclusions for applications we use frequently on our workstations but am still seeing this issue crop up from time to time. I'm going to test some more exclusions and see what happens.
