WORKS2016

Malwarebytes Endpoint Protection on VM's


Never installed Endpoint Protection on a VM, any objections? Running 2012 Server Standard with two VMs. One is the PDC, the other is the Exchange server. I read that installing on the PDC can create issues with DNS and DHCP and some configuration, mainly exclusions, is recommended. Didn't matter if the PDC was a VM or not. How about a VM / Exchange server? Any issues with it being a VM, and does it interfere with mail flow, the information store, etc.?

Thank you.


I found this. Maybe it will be of some value.


Do not put it on a DC/DNS without reading/doing this: https://support.malwarebytes.com/docs/DOC-2591


@AndrewPP The above link is in the resources for Malwarebytes Endpoint Security, the on-premise solution. Is this a concern for Malwarebytes Endpoint Protection, the cloud solution, which this forum is geared toward?


@Kalrand that DOC-2591 is for MBEP; MBES's Anti-Malware 1.80.2.1012 does not run mwac.sys, that is unique to the MB3 tech. What the KB outlines for DCs that also run DNS is in line with Microsoft's best practices.

@WORKS2016 @gonzo and @Kalrand, I have another matrix whipped up to represent the new MB3, 3.5.1.2600, in use with the latest agent updates.

[attachment: MBEP Matrix image]

Edited by djacobson


Then I'm confused. We've been running MEP on our AD server with DNS for quite some time, since the end of December of last year, and we haven't encountered this issue with the DNS being its private address. Granted, we've never turned on active protection, which may be the key.


If the four real-time detectors are turned off, MBAMService is not run; a different plugin/service, MBIR (incident response), runs instead.


Thank you for the information, but I'm confused.

There are situations where you do not enter 127.0.0.1 or do not enter the DC/DNS itself as primary.
There are also multiple Microsoft articles, or articles from other IT pros, that differ a lot.


Just two examples:
https://blogs.technet.microsoft.com/notesfromthefield/2008/03/25/dns-client-configuration-for-windows-dns-servers/
https://www.dell.com/support/article/de/de/debsdt1/sln155801/best-practices-for-dns-configuration-in-an-active-directory-domain?lang=en

The MS article you refer to also says:
"A combination of the two strategies is possible, with the remote DNS server set as Preferred DNS server, and the local Domain Controller set as Alternate (or vice versa)"
(https://support.microsoft.com/en-us/help/825036/best-practices-for-dns-client-settings-in-windows-2000-server-and-in-w)

We use Malwarebytes cloud on a customer's network on two virtual DCs, which have each other as primary DNS and themselves as secondary, without issues.
Or do I misunderstand some of your posts?

You previously stated "Granted, we've never turned on active protection which may be the key".

Correct. If you configure it this way, you are running the MBIR plugin, which has zero IP blocking capability, and you would see no symptom.

If you turn on any real-time protection, the MBIR plugin will be replaced by MBAMPlugin and you will see MBAMService started.

The workaround on our support site was written in response to customers experiencing a problem with Active Directory and DNS on the same host. DNS was inadvertently blocked, the defect was reproducible, hence the article was published.

If you are not experiencing the issue/never had the issue and have real-time protection enabled, can you please provide some more specifics about your Windows operating system and configuration for each, so we can add them to testing. The defect is in our queue for resolution.

Edited by AndrewPP


[...]
You previously stated "Granted, we've never turned on active protection which may be the key"
Correct - If you configure this, you are running the MBIR plugin which has zero IP blocking capability and would see no symptom
[...]

No, that was Kalrand (but it is interesting for me, too).
I'm wondering whether we use "active protection". I'm not sure, but I think "yes", if that is the term for "real-time protection".
I'd like to provide some more information (I did not want to hijack this thread, but it was interesting/informational, especially since most bigger companies use more than 2 or 3 DCs).

Here you are. Maybe it helps; if you need more info, feel free to ask:
OS of 2 DCs: 2012 R2
Virtual: yes
Roles: AD, DNS, one is DHCP
Each DC/DNS points 1st to the other DC and 2nd to itself. Example:
DC01: 192.168.0.2/192.168.0.1
DC02: 192.168.0.1/192.168.0.2

MBAM Options:

[attachments: four screenshots of the MBAM options]
 

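The thread above turns on two things an admin can check on a DC before and after enabling real-time protection: how the DNS client on the DC is ordered (partner DC first versus itself first, which is what the quoted Microsoft article and the "DC01: 192.168.0.2/192.168.0.1" example are about), whether MBAMService is running (which AndrewPP says only happens when a real-time layer is on), and whether the local DNS service still answers. The following PowerShell is an added example for this thread, not code from Malwarebytes or from any poster. It assumes Windows Server 2012 R2 or later (for the DnsClient and NetTCPIP cmdlets), the service name MBAMService exactly as named in the thread, and a hypothetical partner DC address of 192.168.0.1.

```powershell
# Added example (not from the forum thread or from Malwarebytes).
# Reports DNS client ordering on a DC, whether the Malwarebytes real-time
# service is present, and whether local DNS still resolves the AD domain.
# Assumes: Server 2012 R2+, service name "MBAMService" (as named in the thread).

function Get-DcDnsClientReport {
    param(
        # Hypothetical: addresses of the other DCs in this domain.
        [string[]]$PartnerDnsServers = @()
    )
    # All non-loopback IPv4 addresses bound on this host.
    $localAddrs = (Get-NetIPAddress -AddressFamily IPv4 |
                   Where-Object { $_.IPAddress -notlike '127.*' }).IPAddress

    foreach ($iface in Get-DnsClientServerAddress -AddressFamily IPv4) {
        if (-not $iface.ServerAddresses) { continue }   # skip interfaces with no DNS set
        $primary = $iface.ServerAddresses[0]
        $order = if ($primary -eq '127.0.0.1' -or $localAddrs -contains $primary) {
            'self-first'        # the configuration DOC-2591 asks you to review
        } elseif ($PartnerDnsServers -contains $primary) {
            'partner-first'     # the layout described in the last post of the thread
        } else {
            'other'
        }
        [pscustomobject]@{
            Interface = $iface.InterfaceAlias
            Servers   = ($iface.ServerAddresses -join ', ')
            Order     = $order
        }
    }
}

function Get-MbRealtimeState {
    # Per the thread: MBAMService runs only when at least one real-time layer
    # is enabled; with all four off, the MBIR plugin runs instead.
    $svc = Get-Service -Name 'MBAMService' -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        return 'MBAMService not registered (real-time layers likely off, MBIR in use)'
    }
    return "MBAMService status: $($svc.Status)"
}

function Test-LocalDnsResolution {
    # Ask the DNS server on this host to resolve the AD domain name. A failure
    # here, with MBAMService running, is the symptom the support article describes.
    try {
        $answer = Resolve-DnsName -Name $env:USERDNSDOMAIN -Server 127.0.0.1 -Type A -ErrorAction Stop
        return "Local DNS answered: $(($answer | Where-Object { $_.IPAddress }).IPAddress -join ', ')"
    } catch {
        return "Local DNS did NOT answer for $($env:USERDNSDOMAIN): $($_.Exception.Message)"
    }
}

# Usage on DC02 from the thread's example (partner DC01 is 192.168.0.1):
Get-DcDnsClientReport -PartnerDnsServers '192.168.0.1' | Format-Table -AutoSize
Get-MbRealtimeState
Test-LocalDnsResolution
```

Run it once with all real-time layers off and once after enabling them; a report showing MBAMService running together with a failed local resolution is the combination the thread attributes to the DC/DNS issue, and the "Order" column tells you whether the host matches the self-first configuration the knowledge-base article targets.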
