QuickBooks PayRoll Update failing


PTechS

Adding the exclusions for the Malware scans and adding the mapped network drives to the exclusions seems to have helped. That leaves the server to scan the local folders, though the end-user machines won't scan the excluded folders except for watching for ransomware, which is a bit concerning.
Does adding the folders as exclusions keep MalwareBytes from scanning the folders on a full system scan?
I just need MalwareBytes to not lock files and not actively scan the QBs files.

Network drives are not scanned by the end-user workstation with the MBEP software; they are also no longer available to be scanned via the context menu option. This is something MBAM 1.x was able to do, and if you are familiar with that older option, you may notice that MBEP's context menu option goes grey when attempting to right-click network drives and engage the option. Drives like these should be scanned using an MB install on the hosting server where the drives are local and can be scanned as normal.

As far as ransomware, if a workstation is hit it wouldn't matter what drive the ransomware is encrypting, or if that location happened to be ignored. We are looking at the malware's behavior itself; things like this are not running from your drive share in the QB folders, they are running in memory to attack the file system. The exclusions relieve whichever particular real-time engines that the exclusions can be, or are, applied to within the extra "Exclusion applied To" option set. The exclusions are for MBEP to ignore the excluded items, and what they are doing, not what is happening to them via something else.

The main consequence and concern around what's been brought up in the previous paragraphs is to be aware that an attack on an unprotected workstation can reach anything to which that workstation has access. Say there's an unprotected workstation, and it got ransomware and began to encrypt the system. When the attack is finished with the local drives and moves on to the network drives/shares, even if the server hosting the share has MBEP installed, the share is in danger in this scenario. The attack is in the unprotected workstation's memory, and the protected server's MBEP real-time cannot see that. It is vital to protect your servers by protecting all your workstations.
