Malwarebytes Endpoint removed automatically

The Malwarebytes endpoint protection on my Windows Server 2012 R2 was found removed by itself. Even the services were removed.

I was using the Malwarebytes Nebula platform connected to this endpoint. But it shows not connected. The Symantec Endpoint Protection installed on the same server was also removed.

Now when I try to reinstall the agent, I can't. Any installation gives an Error 1303: You have insufficient privileges to access the folder: C:\Program Data.

Is my Server infected? How can I bring it back to normal?


  • Staff

I am not directly in the Support organisation, but I suggest you immediately submit a Support Ticket here - Submit a support ticket. You can also call the Support phone number listed in your Console, by clicking on your name at top right, Contact Us.

I am not a Malware incident responder, so the following is some general guidance.

If both protection products were removed, that is a suspicious activity associated with attacks.

If Tamper Proofing had been enabled, it would be very difficult to uninstall Malwarebytes. If Tamper Protection is Off, then turn it on by policy for all other endpoints. 

Run scans on any other servers and endpoints.

I would suggest immediately removing the Server from networking access to your other devices, whilst you investigate. 

If you have a Firewall, consider limiting outbound access only to Malwarebytes management and Symantec, in case an attacker is remote-controlling it.

If possible, take an image/backup of current state. -- You may need this for subsequent investigations.

Possibly recover to a different server, to resume business, whilst investigating


  • Staff

This article may give you some ideas, to get back ownership of c:\ProgramData using a Microsoft utility - 

https://serverfault.com/questions/789157/server-admin-cant-modify-folder-permissions

 

But, folders could be locked, or it is indicative of other damage.

PSEXEC -S CMD
takeown /a /f c:\ProgramData
icacls c:\ProgramData /reset /t /c
 
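Added example, not part of the original posts and not Malwarebytes' own tooling: a PowerShell script that records the owner and ACL of ProgramData, any Windows Installer removal events naming either product, and the services still registered, before the takeown and icacls commands above change that state. The evidence folder, the 30-day window and the name pattern are assumptions.

```powershell
# Added example: record the state of ProgramData and of the removed products
# before takeown / icacls /reset changes it. Run from an elevated prompt.
$OutDir = 'E:\ir-evidence'          # assumption: hypothetical evidence folder on separate storage
$Target = Join-Path $env:SystemDrive 'ProgramData'
$Since  = (Get-Date).AddDays(-30)   # assumption: look back 30 days
$Names  = 'Malwarebytes|Symantec'   # product names taken from the thread

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Owner and ACL of the folder named in Error 1303, kept as SDDL for later comparison.
try {
    $acl = Get-Acl -LiteralPath $Target -ErrorAction Stop
    "Owner: $($acl.Owner)"
    $acl.Sddl | Set-Content (Join-Path $OutDir 'programdata-sddl.txt')
    $acl.Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
        Export-Csv (Join-Path $OutDir 'programdata-acl.csv') -NoTypeInformation
} catch {
    # Being unable to read the ACL as an administrator is itself worth recording.
    "Could not read ACL of ${Target}: $($_.Exception.Message)" |
        Tee-Object -FilePath (Join-Path $OutDir 'programdata-acl-error.txt')
}

# 2. Windows Installer removal events (MsiInstaller 1034 and 11724) naming either product.
$filter = @{ LogName = 'Application'; ProviderName = 'MsiInstaller'; Id = 1034, 11724; StartTime = $Since }
$removed = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $Names } |
    Select-Object TimeCreated, Id, UserId, Message)
$removed | Export-Csv (Join-Path $OutDir 'msi-removals.csv') -NoTypeInformation
"Removal events found: $($removed.Count)"

# 3. Which services of either product are still registered.
$services = @(Get-Service | Where-Object { $_.DisplayName -match $Names } |
    Select-Object Name, DisplayName, Status)
$services | Export-Csv (Join-Path $OutDir 'av-services.csv') -NoTypeInformation
"Matching services still present: $($services.Count)"
```

An empty removal list only means no Windows Installer uninstall was logged in that window; a product removed by other means, or a cleared Application log, leaves nothing for step 2 to find.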
