Consumer vs MSP protection

[latitudeit]

I have been using the consumer version of Malwarebytes for some time and have found it effective. As such I decided to look further into MSP options for my customers but when running a trial I found it was not effective and didnt even pick up PUA that are detected out of the box on the consumer edition. As there appears to be little I can do to change the behaviour I am wondering why this is so and what am I missing? I am in the UK - havent found it easy to get in touch with anyone and didnt get any response from the sales team when I asked this question - is there any UK support that can explain this and demonstrate that Malwarebytes can be effective in an MSP environment?

Thanks in advance

[Malwarebytes]

***This is an automated reply***

Hi,

Thanks for posting in the Malwarebytes for Windows Help forum.

If you are having technical issues with our Windows product, please do the following:

Malwarebytes Support Tool - Advanced Options

This feature is designed for the following reasons:

• For use when you are on the forums and need to provide logs for assistance
• For use when you don't need or want to create a ticket with Malwarebytes
• For use when you want to perform local troubleshooting on your own

How to use the Advanced Options:

Spoiler

1. Download Malwarebytes Support Tool
2. Double-click mb-support-X.X.X.XXXX.exe to run the program
   • You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
3. Place a checkmark next to Accept License Agreement and click Next
4. Navigate to the Advanced tab
5. The Advanced menu page contains four categories:
   • Gather Logs: Collects troubleshooting information from the computer. As part of this process, Farbar Recovery Scan Tool (FRST) is run to perform a complete diagnosis. The information is saved to a file on the Desktop named mbst-grab-results.zip and can be added as an email attachment or uploaded to a forum post to assist with troubleshooting the issue at hand.
   • Clean: Performs an automated uninstallation of all Malwarebytes products installed to the computer and prompts to install the latest version of Malwarebytes for Windows afterwards. The Premium license key is backed up and reinstated. All user configurations and other data are removed. This process requires a reboot.
   •  Repair System: Includes various system-related repairs in case a Windows service is not functioning correctly that Malwarebytes for Windows is dependent on. It is not recommended to use any Repair System options unless instructed by a Malwarebytes Support agent.
   • Anonymously help the community by providing usage and threat statistics: Unchecking this option will prevent Malwarebytes Support Tool from sending anonymous telemetry data on usage of the program.
6. To provide logs for review click the Gather Logs button
7. Upon completion, click OK
8. A file named mbst-grab-results.zip will be saved to your Desktop
9. Please attach the file in your next reply.
10. To uninstall all Malwarebytes Products, click the Clean button.
11. Click the Yes button to proceed. 
12. Save all your work and click OK when you are ready to reboot.
13. After the reboot, you will have the option to re-install the latest version of Malwarebytes for Windows.
14. Select Yes to install Malwarebytes.
15. Malwarebytes for Windows will open once the installation completes successfully.

Screenshots:

Spoiler

 

 

 

 

Spoiler

 

 

 

 

If you are having licensing issues, please do the following: 

Spoiler

For any of these issues:

• Renewals
• Refunds (including double billing)
• Cancellations
• Update Billing Info
• Multiple Transactions
• Consumer Purchases
• Transaction Receipt

Please contact our support team at https://support.malwarebytes.com/hc/en-us/requests/new to get help

If you need help looking up your license details, please head here: Find my premium license key

 

 

Thanks in advance for your patience.

-The Malwarebytes Forum Team

[exile360]

Greetings,

Assuming all settings are configured to their defaults, detections between the consumer and business/MSP versions should be the same, however I would recommend checking to make certain that the product is configured to always detect PUPs.  Additional documentation on PUPs and PUMs (Potentially Unwanted Modifications) can be found in this support article and this support article.

I can provide additional assistance if you were to post a screenshot of the Malwarebytes product's UI that you are using so that I know which specific built you are working with if the above info does not prove helpful.

Thanks

[latitudeit]

On the consumer copy I am running 4.3.0.98 (package 1.0.35263 / component package 1.0.1130)

On the endpoint protection I am running product version 1.2.0.836 (thats pretty much all I can see in add/remove programs)

I tested Ammyy admin executable which is detected on the consumer copy but can be copied without any issued on the MSP endpoint protection. Looking at the policy set online it shows PUPs should be detected?

[exile360]

I see, and did you actually run a scan or attempt executing the Ammyy admin executable?  If not, that explains why it was not detected as Malwarebytes does not use on-access detection methods, meaning a file being copied/created/downloaded will not trigger a detection, however if the file tries to execute in memory, it will be (it will be blocked from actually running in memory and quarantined).  For files on disk and objects in the registry, performing a Threat scan (the default scan type) should detect them, assuming the items are located anywhere that threats are known to hide/install in addition to certain common locations where users frequently store executables and installers (such as the downloads folder, the desktop, temp locations etc.).

You can also check to see if Malwarebytes detects the file by using the right-click scan function in Explorer.

I hope that helps to clarify things a bit.

Also keep in mind that other components of Malwarebytes' protection work differently, stopping threats during different phases of the kill chain/attack chain; for example, the Exploit Protection component monitors processes in memory to look for exploit behaviors/attempts, particularly for at-risk applications which it shields such as most common medial players, office applications, and web browsers (in addition to components of Exploit Protection which are used to harden the system against common exploit methods and vulnerabilities), while the Web Protection component functions within the network stack at the same layer as the built in Windows Firewall to block known unsafe websites and servers, and the Ransomware Protection component monitors disk activity as well as process activity in memory to look for ransomware behavior such as the attempted encryption/deletion of the user's files.

Please let me know if that addresses the issue or not.

Thanks

[latitudeit]

Yes, I did run a scan on each. Here are scan results side by side. I am exploring a little more, appreciate the explanations so far. It has now picked it up - but it only did so after I disabled the option to use malwarebytes in the security center (i noticed this was a difference that was not happening in my consumer edition). Somehow by reverting to windows defender for security center has now meant that malwarebytes detected it on a rescan. Doesn't make much sense to me, but I might get more consistent results this way at least.

[latitudeit]

Yes, I did run a scan on each. Here are scan results side by side. I am exploring a little more, appreciate the explanations so far. It has now picked it up - but it only did so after I disabled the option to use malwarebytes in the security center (i noticed this was a difference that was not happening in my consumer edition). Somehow by reverting to windows defender for security center has now meant that malwarebytes detected it on a rescan. Doesn't make much sense to me, but I might get more consistent results this way at least.

[exile360]

That is odd, did you check Defender to see if it had already quarantined the item the first time?  Perhaps that's why it was not detected since Malwarebytes would not have seen it if Defender got to it first (Defender is an on-access scanner, so it would have detected/quarantined the item as soon as it was created on disk if Defender was active and Defender has signatures to detect the item).