Deploying Malwarebytes Via GPO


Hello,

I have created a GPO by following this guide: https://www.empsn.org.uk/knowledge-base/malwarebytes-deploy-to-your-network-with-gpo/ and it "kind of" works.

So far 10 devices have received the .msi install of Malwarebytes. One user is remote and the other nine are internal/on the network.

Does anyone have any ideas why after restarting their devices my other users do not receive the install of Malwarebytes?


  • Staff

Hello @Calebxx1

There may be a few reasons for this. First you should check that the computers have the GPO Policy first. Then you can check to see if there were any errors which should usually be in event viewer.

You can also take the MSI/EXE file and try to install locally on that machine to see if there is something preventing a standard install. It is also possible Malwarebytes is installing on these machines but those machines are not communicating with the cloud console. Did you verify on any of the problematic machines to see if Malwarebytes did install but didn't register to the cloud console?

Thank you, 
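The staff reply above lists three things to check on a machine that did not get the agent: whether the GPO reached the computer, what the Event Viewer says, and whether the agent is actually installed but not checking in. The following PowerShell script is an added example that walks through those checks; it is not code from the thread or from Malwarebytes. The GPO display name in `$GpoName` is an assumption to replace with your own, and the event provider name used for Group Policy software-installation events is the one I know from the Application log (if it returns nothing, filter the Application log on "Application Management" instead).

```powershell
# Added example (not from the thread): diagnose a computer that did not receive
# the Malwarebytes MSI via Group Policy Software Installation.
# Run in an elevated PowerShell on one of the affected machines.
$GpoName = 'Deploy Malwarebytes'   # ASSUMED name; use the display name of your GPO

# 1. Was the GPO applied to the COMPUTER (not just the user)? Software assigned under
#    Computer Configuration only installs at startup, and only if a domain controller
#    was reachable at that moment, which is the usual problem for remote laptops.
$rsop = gpresult /r /scope:computer 2>&1
if ($rsop -match [regex]::Escape($GpoName)) {
    "GPO '$GpoName' is listed as applied to this computer."
} else {
    "GPO '$GpoName' is NOT listed. Check the OU link, security filtering (the computer"
    "account needs Read + Apply), and that the machine rebooted with a DC reachable."
}

# 2. Group Policy Software Installation writes its own events to the Application log.
Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Application Management Group Policy'   # provider name as known to me
    StartTime    = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-List

# 3. Windows Installer logs every attempted MSI install: 11707 = success,
#    11708 = failure, 1033 = completed (return code is inside the message).
Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'MsiInstaller'
    Id           = 1033, 11707, 11708
    StartTime    = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue |
    Where-Object Message -match 'Malwarebytes' |
    Select-Object TimeCreated, Id, Message |
    Format-List

# 4. Installed but silent? Read the Uninstall registry entries instead of trusting
#    the cloud console, which only shows agents that have registered.
Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*' `
                 -ErrorAction SilentlyContinue |
    Where-Object DisplayName -like 'Malwarebytes*' |
    Select-Object DisplayName, DisplayVersion, InstallDate
```

If step 1 shows the GPO and step 3 shows no MsiInstaller events at all, the install was never attempted on that machine, which points at the computer account's read access to the share holding the MSI or at startup happening without a domain controller in reach; a 11708 event with a return code points at the package itself.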


Hi @knguyen1,


Thanks for reaching out.


I've verified the MSI/EXE file can be installed locally on machines and nothing is preventing a standard install. PC is then seen in the console. I have also verified on other machines that it is not installed.


I took a look at the Event Viewer like you recommended; Event Viewer > Windows Logs > Application, and I've noticed a warning and an error that the source column says is related to Malwarebytes Endpoint Agent.

Take a look and let me know what you think please.

The warning says: 

Quote

2020-02-09 12:36:38,599 [3 ] WARN  MachineImpl Computer is registered on a domain, but that domain is currently unreachable System.DirectoryServices.ActiveDirectory.ActiveDirectoryServerDownException: The server is not operational.

Name: "mednetstudy.com"
 ---> System.Runtime.InteropServices.COMException: The server is not operational.

   at System.DirectoryServices.PropertyValueCollection.PopulateList()
   at System.DirectoryServices.PropertyValueCollection..ctor(DirectoryEntry entry, String propertyName)
   at System.DirectoryServices.PropertyCollection.get_Item(String propertyName)
   at System.DirectoryServices.ActiveDirectory.PropertyManager.GetPropertyValue(DirectoryContext context, DirectoryEntry directoryEntry, String propertyName)
   --- End of inner exception stack trace ---
   at System.DirectoryServices.ActiveDirectory.PropertyManager.GetPropertyValue(DirectoryContext context, DirectoryEntry directoryEntry, String propertyName)
   at System.DirectoryServices.ActiveDirectory.Domain.GetDomain(DirectoryContext context)
   at EAEngine.MachineImpl.GetNameAndNics()

The error says:

Quote

2020-02-09 12:35:37,712 [27] ERROR SiriusWrapper Error checking for updates; status code: 
System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: The remote name could not be resolved: 'sirius.mwbsys.com'
   at System.Net.HttpWebRequest.EndGetRequestStream(IAsyncResult asyncResult, TransportContext& context)
   at System.Net.Http.HttpClientHandler.GetRequestStreamCallback(IAsyncResult ar)
   --- End of inner exception stack trace ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at EAEngine.SiriusIntegration.SiriusWrapper.<CheckForUpdates>d__23.MoveNext()


  • Staff

Hello @Calebxx1

For the first warning, that looks like a domain error that isn't related to us.

For the error, please make sure these network access requirements are met - https://support.malwarebytes.com/hc/en-us/articles/360039025153-Network-access-requirements-and-firewall-settings-for-Malwarebytes-Cloud-Platform

Are you using any command arguments or variables like verify_network=1?

Network variable
The optional “VERIFY_NETWORK” parameter checks connectivity during Endpoint Agent installation.
When this parameter is set to “VERIFY_NETWORK=1”, the Endpoint Agent installer checks for network connectivity and successful DNS resolution against the following hosts:
• cloud.malwarebytes.com
• sirius.mwbsys.com

Thank you, 


Hi @knguyen1,

I have tried to add what is listed in the article https://support.malwarebytes.com/hc/en-us/articles/360039025153-Network-access-requirements-and-firewall-settings-for-Malwarebytes-Cloud-Platform previously, but cannot figure out where in the Firewall you add these links.

I navigated to Control Panel > Windows Firewall > Advanced Settings > Outbound and created a New Rule with port 443, but I don't see any option to add the addresses in there. I've done a lot of googling and youtubing too, but have not been able to find a tutorial or documentation that details more specifically how to do this.

Can you give me further direction than what the article there is providing, please?


Greetings,

You might find the following links to be helpful:

https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-firewall/create-an-outbound-port-rule
https://www.howtogeek.com/school/windows-network-security/lesson5/
https://www.howtogeek.com/112564/how-to-create-advanced-firewall-rules-in-the-windows-firewall/

Some of it is pretty basic and I'm sure you don't need most of it, but there are some more detailed entries there that will hopefully prove helpful.
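The wizard confusion in the question above has a simple cause: Windows Firewall rules match on IP addresses and ports, not on host names, so there is nowhere to type the names from the support article. As an added example (not from the thread, the linked articles, or Malwarebytes), the PowerShell below creates the outbound TCP 443 rule with the built-in NetSecurity cmdlets, resolving the two host names from the thread at creation time. The rule name is an assumption.

```powershell
# Added example (not from the thread): outbound allow rule for the Malwarebytes
# cloud hosts, using the NetSecurity module that ships with Windows 8.1/2012 R2+.
# Run elevated.
$hosts = 'cloud.malwarebytes.com', 'sirius.mwbsys.com'   # hosts named in the thread

# First: does an Allow rule even matter here? Windows Firewall allows outbound
# traffic by default; an outbound Allow rule only has an effect on a profile whose
# DefaultOutboundAction is Block.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultOutboundAction

# Rules take IPs, not names: resolve the A records now. CNAME rows in the answer
# have no IPAddress, so filter them out.
$addresses = foreach ($h in $hosts) {
    Resolve-DnsName -Name $h -Type A -ErrorAction Stop |
        Where-Object IPAddress |
        ForEach-Object IPAddress
}
$addresses = $addresses | Sort-Object -Unique
"Resolved addresses: $($addresses -join ', ')"

# ASSUMED rule name; delete an earlier copy so the script can be re-run.
$ruleName = 'Malwarebytes Cloud - outbound TCP 443'
Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

New-NetFirewallRule -DisplayName $ruleName `
    -Direction Outbound -Action Allow -Enabled True -Profile Any `
    -Protocol TCP -RemotePort 443 -RemoteAddress $addresses

# Confirm what was actually stored (the address filter is a separate object).
Get-NetFirewallRule -DisplayName $ruleName |
    Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress
```

The caveat that comes with this approach: the addresses behind a cloud service change, so a rule pinned to today's resolved IPs can silently go stale. If you must restrict outbound 443 on the clients, re-run the resolution on a schedule, or do the host-name allowlisting where it belongs, on a web proxy or perimeter firewall that understands names. Note also that this is a client-side rule; it does nothing for a DNS resolver that cannot resolve `sirius.mwbsys.com` in the first place, which is what the error in the log actually reports.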


  • Staff

Hi Caleb,

This should be for the clients only. The error message of not being able to resolve shouldn't affect the ability to get the Malwarebytes Endpoint Agent installed unless you are using a verify_network variable. By default it is disabled. If you are, you can remove the variable from your installation policy and that should at least allow the Endpoint Agent to install, though you may still encounter issues where the Endpoint Agent cannot communicate with our servers.


I do not believe I have made a modification to "verify_network variable" because I do not know where to locate this.

I have been able to install Malwarebytes through the EndPoint Agent Deployment tool on my PC, but then I uninstalled it because the method I would like to see everything installed through is GPO because I have remote users. After removing and restarting my computer I have some logs:

2020-02-11 09:57:38,895 [1 ] ERROR MBAMPlugin Could not remove uninstall log file. C:\ProgramData\Malwarebytes Endpoint Agent\Logs\mbamuninstall.log 
System.IO.IOException: The process cannot access the file 'C:\WINDOWS\TEMP\mbamuninstall.log' because it is being used by another process.
   at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
   at System.IO.File.InternalDelete(String path, Boolean checkHost)
   at EAMBAMPlugin.MBAMPlugin.UninstallCleanup()
2020-02-11 09:57:27,710 [1 ] ERROR TrayModule RemoveRegistryLocalMachineSettings
System.ArgumentException: Cannot delete a subkey tree because the subkey does not exist.
   at System.ThrowHelper.ThrowArgumentException(ExceptionResource resource)
   at Microsoft.Win32.RegistryKey.DeleteSubKeyTree(String subkey, Boolean throwOnMissingSubKey)
   at EAEngine.UserModules.TrayModule.RemoveRegistryLocalMachineSettings()

I verified the clients are having issues. I opened cmd prompt and used "telnet COMPUTERNAME 443" and the console responded with:

Connecting To MEDNET-1KHFVZ1...Could not open connection to the host, on port 443: Connect failed

Let me know if any of this is helpful.
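Two earlier points in this thread call for the same check: the staff description of what `VERIFY_NETWORK=1` tests (DNS resolution and connectivity to `cloud.malwarebytes.com` and `sirius.mwbsys.com`), and the `telnet COMPUTERNAME 443` test in the post above, which connects inbound to the client's own hostname on a port nothing listens on, and so will always fail regardless of whether the agent can reach the cloud. The PowerShell below is an added example, not code from the thread or from Malwarebytes, that runs the outbound check the installer option describes and also checks the domain-controller reachability that the first WARN in the log complained about. It uses only built-in cmdlets and `nltest`.

```powershell
# Added example (not from the thread): client-side pre-flight check equivalent to
# what the installer's VERIFY_NETWORK=1 option tests, plus a DC reachability check.
# Unlike "telnet <thisPC> 443" (inbound to yourself), this tests OUTBOUND TCP 443.
$hosts = 'cloud.malwarebytes.com', 'sirius.mwbsys.com'   # hosts from the thread

$results = foreach ($h in $hosts) {
    $dns = ''
    $tcp = $false
    try {
        $dns = (Resolve-DnsName -Name $h -Type A -ErrorAction Stop |
                Where-Object IPAddress |
                ForEach-Object IPAddress) -join ', '
    } catch {
        # This is the condition behind "The remote name could not be resolved".
        $dns = "FAILED: $($_.Exception.Message)"
    }

    if (-not $dns.StartsWith('FAILED')) {
        $tcp = (Test-NetConnection -ComputerName $h -Port 443 `
                    -WarningAction SilentlyContinue).TcpTestSucceeded
    }
    [pscustomobject]@{ Host = $h; DnsResult = $dns; Tcp443 = $tcp }
}
$results | Format-Table -AutoSize

# Reading the table against the log lines posted earlier in the thread:
#   DnsResult FAILED -> "remote name could not be resolved": client DNS/proxy problem
#   Tcp443 False     -> outbound 443 blocked (firewall, proxy, no route)
#   both OK          -> agent-side network is fine; the GPO/MSI path is the issue
if ($results | Where-Object { -not $_.Tcp443 }) {
    "At least one required host is unreachable on TCP 443 from this client."
}

# The WARN in the log said the domain was unreachable. GPO software installation
# needs a DC at startup, so a remote client that boots off-network never installs.
# nltest is built into Windows; a failure here explains both symptoms at once.
nltest /dsgetdc:$env:USERDNSDOMAIN
```

Run it on a machine that did not receive the agent and on one that did; if both resolve and connect, the installation problem is on the Group Policy side (computer-scope application at startup, share permissions for the computer account) rather than on the network side.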


Also,

I ran rsop.msc to view which GPOs were applied to my PC and it shows that the GPO I created is a part of my PC. I have attached a file to demonstrate this.

Let me know if any of this is helpful.

[attachment: gpo.PNG]


12 hours ago, knguyen1 said:

Hi @Calebxx1

You may need to use this support tool on your machine to properly clean up the previous installation - https://support.malwarebytes.com/hc/en-us/articles/360038524734

Again I'd like to confirm if you've already created an outbound rule for Windows Firewall to allow port 443 TCP. 

Thank you, 

I tried running that mbstcmd and it said this app can't run on your PC and to find a version for my PC. I'm running Windows 10 Pro (a second image is attached).

Sorry, here I ran telnet MYPCNAME 443 on my local machine/client and it came back with this:

[attachments: 443.thumb.PNG.19bd66d4513a5a2dc8b3388675a8a674.PNG, mbtool.PNG]
