JCourtney

Updated Malwarebytes Endpoint Security to v1.9 (


So I downloaded and installed the updated Malwarebytes Endpoint Security v1.9 over the 1.8 installation without issue. So I used the Management Console's client push install to deploy new "upgrade" installations. They installed without errors and ended up with a green success mark while deploying with domain credentials.

 

However, if you look at my attached photo, I'm now getting "the client has not been registered" messages. Also, did it not uninstall the old clients and just install the new software in addition to the previous version? On my workstation, it was showing two versions of Malwarebytes in the program list. Are there now multiple versions of Malwarebytes on these workstations?

It appeared to uninstall my previous versions of Anti-Ransomware, but did it actually reinstall it? Is the install of Anti-Ransomware invisible now? On the manual installations of the Anti-Ransomware beta it had a visible start menu entry, a visible taskbar icon, and even a shortcut. Now even though the Management Console is showing the Anti-Ransomware shield, the actual workstations show no traces it's on there like before.

Most if not all my workstations also had the Ransomware Beta manually installed previously. 

So what is going on here exactly?  Is this new version of the Management Console bugged out or what?

 

Malware ERROR Deploy.png


Hi @JCourtney, ARW hasn't really changed from what you had before, though now MBMC has the ability to install it, pass it some basic items and receive hit information. It still has a non-silent icon. There is a bug that ARW cannot be passed a proxy set within your policy, if you use one, after installation. The push installer has no ability to set that during install like ARW needs. This will be addressed in the future.

The double installs are a problem, though we haven't found that to be caused by the push tool, rather research is pointing to a failure of the services to stop when asked to on the endpoint during the upgrade install. The most common cause for the agent service not stopping when asked is if it is busy/stuck writing a huge logging file. Did you have a lot of fallout on your MBMC's database and endpoints during the Jan '18 FP on the DNS broadcast address? Are there any log files on the clients that exceed 1-5kb in C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\Logs?

 

Edited by djacobson
Grammar/spelling


I'll have to go around to some of the workstations and confirm if they do indeed have double installations. So in the client area on my workstation, it's saying that Anti-Ransomware is installed. You say it's not supposed to be a silent install? I see no icon, no shortcuts, task manager, no start menu entry and it doesn't appear to be in the add/remove programs list. How can I confirm for sure that it did indeed get pushed out and installed properly on the workstation?


ARW deployed this way will be contained within the "Malwarebytes Managed Client" entry in add/remove, it doesn't show on its own. MBAM and MBAE do the same, although when MBAE updates over-the-air, it'll make a new separate entry for itself. ARW will show its circular blue and white icon when running.

Are your MB services ok and running? Verify in services.msc.
MEEClientService = server / client comm
MBAMService = MBAM's realtime engine
MBAMScheduler = MBAM's scan task launcher
Malwarebytes Anti-Exploit Service = MBAE's realtime engine
Malwarebytes Anti-Ransomware Service = ARW's realtime engine

The doubled old install can be removed safely without affecting your new install.


Yeah. It looks like the service is running correctly.  Just doesn't seem to have a system tray icon anymore.  


Management Console reported successful installation.  Any reason why it would be missing?   


Please run the log collection tool, C:\Program Files (x86)\Malwarebytes' Managed Client\CollectClientLog.exe, as admin, then attach the result and I'll see if there's anything else going on with the installation.

 

Edited by djacobson


This install looks fine, no errors that I can see, I am really not sure why your mbarw.exe is not starting. I'm investigating a bit with a teammate on our mbarw lab installs.


Does mbarw.exe need to be running to provide protection or is the Malwarebytes Anti-Ransomware Service able to do that?


Yes, it does require last I knew - 

 

This is what I am trying to verify on my VM lab as time allows. The key discussed in that linked post is missing in my newer 1.9 managed install, though mbarw.exe is running on my system example, so I do not know what has changed to trigger it. ARW in MBMC does not have a silent mode, so this behavior is not by design.

 


I'm still working on this JCourtney, I hope to have something here soon.

Edited by djacobson


I haven't yet been able to get data on how the trigger to start it has been changed, but I can confirm it is still needed for correct operation.
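
The checks suggested across the staff replies above (the five services, the mbarw.exe process, oversized agent logs, doubled program entries), gathered into one PowerShell script to run on an endpoint. This is an added example, not part of the original thread and not Malwarebytes tooling; the 5 KB cut-off and the matching of each label against either the service name or the display name are assumptions.

```powershell
# Added example. Names and paths are the ones quoted in the thread; the
# 5 KB threshold is the upper end of the "1-5kb" figure in the staff reply.
$expected = @(
    'MEEClientService',                     # server / client comm
    'MBAMService',                          # MBAM realtime engine
    'MBAMScheduler',                        # MBAM scan task launcher
    'Malwarebytes Anti-Exploit Service',    # MBAE realtime engine
    'Malwarebytes Anti-Ransomware Service'  # ARW realtime engine
)
$logDir = "C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\Logs"

# 1. Services. The thread does not say whether each label is a service
#    name or a display name, so match on either (assumption).
$services = Get-Service
$report = @(foreach ($label in $expected) {
    $svc = $services | Where-Object { $_.Name -eq $label -or $_.DisplayName -eq $label } |
        Select-Object -First 1
    [pscustomobject]@{
        Check  = "Service: $label"
        Result = if ($svc) { [string]$svc.Status } else { 'not found' }
    }
})

# 2. mbarw.exe, which the staff reply says is still needed for correct operation.
$arw = Get-Process -Name 'mbarw' -ErrorAction SilentlyContinue
$report += [pscustomobject]@{
    Check  = 'Process: mbarw.exe'
    Result = if ($arw) { 'running' } else { 'not running' }
}

# 3. Agent logs larger than the threshold (a stuck service writing a huge log).
$bigLogs = @()
if (Test-Path -LiteralPath $logDir) {
    $bigLogs = @(Get-ChildItem -LiteralPath $logDir -File | Where-Object { $_.Length -gt 5KB })
}
$report += [pscustomobject]@{ Check = 'Logs over 5 KB'; Result = $bigLogs.Count }

# 4. Add/Remove Programs entries, to spot a doubled old install.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$entries = @(Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Malwarebytes*' } |
    Select-Object DisplayName, DisplayVersion)
$report += [pscustomobject]@{ Check = 'Malwarebytes program entries'; Result = $entries.Count }
$report | Format-Table -AutoSize
$entries | Format-Table -AutoSize
$bigLogs | Select-Object Name, Length | Format-Table -AutoSize
```

An endpoint where the Anti-Ransomware service reports Running but mbarw.exe shows "not running" reproduces the state described in this thread.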
