Reports of how long scans take

[j_french]

Hello,

I would like to be able to do a report or somehow capture the metrics of how long full scans are taking on the sytems.  Is there a way to capture the scan time information?  Also, is there  a way to cancel the scans applied to systems if the scans are taking to long to complete?

 

Thank You

[gonzo]

Every scan log tells you the amount of time that the scan required.  My full scan will take a different amount of time than your full scan, because they are two different worlds that must be scanned.  It is not one size fits all.  You should also know that a full scan run in the background will take longer than a full scan run "on demand."  You can cancel an in-process scan, but based on the criteria already mentioned, you would need to run several scans in each mode to determine what "too long" means to you.

One more item on this topic...a scan that is interrupted by your computer entering sleep mode will screw up the "scan time" that is reported, because the time reported is based on system time.

If you're running MB4, click on the SCANNER panel and select the REPORTS tab.  Every scan in the last 30 days is listed there.

[j_french]

Hi

We are running Malwarebytes Suite:

Malwarebytes Anti-Exploit version 1.13.2.127, Malwarebytes managed client 1.9.3671, and Anti Ransomware business 0.9.18.806

Malwarebytes managed console 1.9.0.3671. How do I generate a report on thousands of systems to show when the scans started and when the scans on those systems completed? I need to monitor system scans, to ensure that they are complete prior to 7:30am.

Also, is there  a way to end the scans if they don't complete in time for the start of the business day at 7:30am? We don't want the scans to run during the business hours.

Thank You

[exile360]

Greetings,

I thought it worth mentioning that you really don't need to run a full scan on every endpoint every single day.  This is a major waste of power/resources as the scan engine in Malwarebytes is actively maintained by the Developers and Researchers at Malwarebytes to target the specific locations used by malware as well as checking all loading points, active processes, active threads in memory as well as all common storage locations where downloads, temporary files and files from browsers and other at-risk web facing applications are stored and the locations checked can be modified at any time by the Malwarebytes Researchers whenever any new location is discovered to be in use by the bad guys and changes can be rolled out in database updates (so no application updates are required to target new locations for newly discovered threats by the default Threat scan).  Typically a Threat scan takes anywhere from under 1 minute on powerful hardware depending on the number of files and locations that it has to check, to 30 minutes or more, though average scan times tend to be anywhere from 5-20 minutes in duration.

I will report your requests to the Product team for consideration but I just wanted to clarify things regarding how the scan engine in Malwarebytes works and is intended as it may help alleviate the issues you are trying to address with these requests.  I still like your ideas though as they could be very useful for instances where one or more devices is having issues completing scans and is good for ITs trying to keep track of the status of all the endpoints they manage so I do hope that these capabilities make it into the product at some point, though of course that decision is up to the Product team.

[j_french]

We have full scans twice a week for the physical systems that run during the evening hours.  We have full scans on the weekends for the PVDI systems.  Management is wanting to know if the scans are completed by the start of business hours (7:30am) for all of these thousands of systems. Is there a powershell command that could be run to gather this information? How do I know if a system is having an issue with the scan and isn't finishing by morning? How do I determine if the scans are taking too long to complete? How do I determine if all of the systems got a successful scan?

Also, is there a way to have the scans scheduled, but stopped if they haven't completed by business working hours (7:30am)?

[gonzo]

Endpoint Security is a whole different world, as you are aware.  It stores data in a SQL database.  There is no customizable reporting on the product, but you can create reports from the SQL data.  Customer Success can get you a schema that will enable that option for you.  Powershell would still need to get at the SQL data to do any reporting.  However, I think there are bigger issues at play that I would like to address...I hope that's okay.

Management Console runs as a combination of executable and services on a server, connecting to a SQL database which may be on the same server or on a separate one.  All server-database communications run through an agent (middle man), as do communications between server and all of your workstations.  Bandwidth usage can get rather intense at times, so we use policies to distribute the communication workload.  Policy changes cause a bandwidth spike, as does initiation of a scan and reporting of the results.  Coupled with this is the number of threads that are available to do the work in the server CPU.  Both can cause queueing of communications between client and server.  If the SQL database is on the same machine, the load on the server is increased to support that as well.  If you experience a malware attack, all affected computers/workstations will simultaneously start eating your bandwidth to send alerts about the malware.  That can lead to queueing of communications to the SQL database, and can be magnified if periodic disk maintenance is not performed to assure you have adequate disk space.  Its a balancing act!

The second issue is full scans.  You have Anti-Exploit and Anti-Ransomware along with Anti-Malware.  That means that the methods malware would use to inflict damage are rendered unusable.  It doesn't really matter what is present if it can't do its dirty work.  Anti-Exploit and Anti-Ransomware look for the first signs of behavior that is of concern to you.  Virtually all malware utilizes several process steps that enable it to do its job.  If you block the process, you block the malware.  You could trim those full scans back considerably without worry, and trust your real-time protection to take care of you.

Lastly, have you compared Malwarebytes Endpoint Protection to Endpoint Security?  It has the reporting you are looking for, it offloads much of the work that is slowing you down, and is updated often.  I see the value in both product lines, but to me, its a function of the environment that the software will be protecting.  Its worth mentioning

[j_french]

How can I get assistance with the schema that can help with the reports from the SQL data? Can I get assistance with the powershell or schema for the reports?

[j_french]

What is difference between Malwarebytes Endpoint Protection to Endpoint Security? 

[exile360]

You should find the information in this support article to be helpful in comparing the two.

[gonzo]

For Endpoint Security, we have a Excel-based tool available.  Support can get that for you.  You can also get the schema so you know what fields are there, and in which tables you can find those fields in.

Endpoint Security has the Management Console, Anti-Malware 1.9, Anti-Exploit 1.13.x (available option) and Anti-Ransomware 0.9.x (available option).  The Management Console is installed on a server, and the SQL database is installed on a separate server (best idea) or on the same server as the Management Console (can cause issues).  It can work with thousands of clients, but optimizing performance can be tricky.

Endpoint Protection is the newer cloud-based product that contains all of the same functionality that Endpoint Security has (which you have grown accustomed to).  You do not need to run a server or a SQL server to support your environment.  Control of the clients that protect your computers is driven by our cloud services.  It is faster, requires no maintenance, has better reporting, and also offers availability of limited forensics.  It is also updated on a regular basis.

Honestly speaking, I think it is better suited to your needs.

[j_french]

How do I contact support? I would like to get the excel based tool and the schema.

[exile360]

You may contact Support by clicking the Submit a ticket link found at the top of this page and selecting the option for Business customers.

I hope this helps.

Thanks

[gonzo]

The manager of our Customer Success team would like to have a conversation with you, but has been having problems reaching you.  He could probably provide assistance to you in a number of ways if you are willing.