Kaseya Community

global ignore list?

This question is answered

We have several items set up as part of our GPO that show up on Malwarebytes as "false positives" as they are non-critical (disable firewall notify, etc.).

Is there a way to set up a global ignore list like other enterprise-level AV software?


All Replies
  • We have this as well.

    We use TeamViewer heavily as a remote admin tool.  Malwarebytes blocks it for some unknown reason.  How do I exclude this process from being blocked?

    Seems like a very basic feature to me.



    [edited by: jdvuyk at 3:52 PM (GMT -8) on 2-3-2011]
  • At this point, MalwareBytes doesn't have the API in place for Kaseya to remotely handle the exclusions list.  That said, this is one of the priority pieces that is in the works for KAM 1.1, with a release currently slated for late Q1 / early Q2 (March / April) timeframe.

    Regards,

    Travis

    Kaseya Support

  • Thanks for the update Travis.

    Hmmm... Personally, I would consider FULL global control of the clients a pretty basic feature for a distributed, enterprise grade managed app. Without this feature, it's not much more than a standalone app with a couple agent procedures cooked up to do very basic procedures (install, uninstall, show versions).

    It sounds like at this point, it's a pretty useless piece of software in practice for several of your customers. Considering it's going to sit unused for at least a quarter, possibly as much as a half year, hopefully the sales dept will be understanding and pro-rate our maintenance on this part of the solution since we can't actually use what we purchased. At least I know that contacting my rep to discuss is my next step.

    Don't get me wrong, as a product the Malwarebytes platform is awesome. Just useless if we have to touch each and every one of our 500+ agents to make it fit into our environment.

  • I have to agree with cameramonkey.  This is a basic feature really.  If this wasn't available for KAV there would be an outcry.  I can't see why KAM is that much different.  We now have to limit our rollout as well and be prepared to pull any installation that is having issues because there is no way to control its functionality.

  • Taking off my support hat for a few minutes, so I can reply as a former end user.  Before coming to Kaseya I was out in the field, and we used a standard antivirus solution for our clients, but had MalwareBytes on USB to clean and remove any infections that Trend / McAfee / AVG / whatever either couldn't detect or couldn't remove.  For this type of use, the current implementation of KAM is a viable option.

    All that said, I agree that some means of setting a global set of excludes is important, and hope to have a manual workaround put together in the next couple days, as I gather the information needed from the dev team.  Full central management of excludes is still waiting on MBAM to finish the implementation on their end.  

    Regards,

    Travis

    Kaseya Support

  • Don't get me wrong, MBAM is awesome. We did the same as you here and ran the free version as required when we found infections.

    Our whole team literally got excited when the KAM announcement was made and we purchased ASAP. The intro pricing didn't hurt either. ;)

    Based on your description of the time frame the developers gave you, I just think it got pushed out the door about 3-6 months too early to be considered a fully viable enterprise level app.

    I have no doubt once they finish doing the updates and finish the management interface it will be even more awesome than before.

  • All of the exclusions are stored by default in

    %user profiles%\all users\application data\malwarebytes\Malwarebytes' Anti-Malware\ignore.dat

    You can update the exclusions you need on an endpoint running KAM, then copy that endpoint's ignore.dat to the other endpoints that need the same exclusion list.  

    If you want to have the updated exclusion list automatically set on any new installs, you can replace the ignore.dat in

    .\Kaseya\WebPages\ManagedFiles\VSAHiddenFiles\kam\installer

    with the updated ignore.dat, and this will be the default exclusion list for all new installs going forward. 

    Travis
    Kaseya Support 

  • COOL! It's not a polished solution, but definitely a workaround worth looking at.

    I assume we could also create a procedure to replace that dat file for existing installs as well.

    Thanks for the workaround!

  • Here is a quick agent procedure I wrote a while back to update the ignore.dat file for MBAM deployments before it was an Add-On module.  You need to upload a master copy of ignore.dat that has the exclusions you want on all systems to somewhere on the Kaseya Server.  This script looks for the ignore.dat in a subfolder structure of VSASharedFiles\AppInstalls\MalwareBytes, but you could put it in some other structure and simply edit the script after you import it.  Hope this helps.

    Regards,

    Matt

    Kaseya Professional Services

    <?xml version="1.0" encoding="utf-8"?>
    <ScriptExport xmlns:xsi="www.w3.org/.../XMLSchema-instance" xmlns:xsd="www.w3.org/.../XMLSchema" xmlns="www.kaseya.com/.../Scripting">
     <Procedure name="Malwarebytes (Copy Ignore List)" treePres="3" id="897351998">
       <Body description="">
         <If description="">
           <Condition name="True" />
           <Then>
             <Statement name="WriteFile" continueOnFail="false">
               <Parameter xsi:type="StringParameter" name="Path" value="%allusersprofile%\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\ignore.dat" />
               <Parameter xsi:type="StringParameter" name="ManagedFile" value="VSASharedFiles\AppInstalls\MalwareBytes\ignore.dat" />
               <Parameter xsi:type="BooleanParameter" name="DeleteAfter" value="False" />
             </Statement>
           </Then>
         </If>
       </Body>
     </Procedure>
    </ScriptExport>
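
Added example, not part of the post above and not Kaseya or Malwarebytes code: because ignore.dat decides what the scanner skips, an endpoint-side check can confirm that only the approved master copy is ever put in place, and can flag a list that has drifted from it. The staging path and the expected hash are assumptions (placeholders to be filled in by the administrator), and `Get-FileHash` requires PowerShell 4.0 or later.

```powershell
# Added example. Assumptions: the master ignore.dat has already been staged on
# the endpoint at $StagedMaster (hypothetical path) and $ExpectedSha256 is the
# SHA-256 the administrator recorded for the approved master copy.
param(
    [string]$StagedMaster   = 'C:\kworking\ignore.dat',          # hypothetical staging path
    [string]$ExpectedSha256 = '<SHA256-OF-APPROVED-IGNORE.DAT>'  # placeholder
)

$ErrorActionPreference = 'Stop'
# Same location the agent procedure in the thread writes to.
$target = Join-Path $env:ALLUSERSPROFILE "Application Data\Malwarebytes\Malwarebytes' Anti-Malware\ignore.dat"

function Get-Sha256([string]$Path) {
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
}

# Nothing to do if the Malwarebytes data folder is not present on this machine.
if (-not (Test-Path -LiteralPath (Split-Path -Parent $target))) {
    Write-Output "SKIPPED: Malwarebytes data folder not found"
    exit 3
}

# Refuse to deploy a staged file that is not the approved master.
$stagedHash = Get-Sha256 $StagedMaster
if ($stagedHash -ne $ExpectedSha256) {
    Write-Output "REJECTED: staged file hash '$stagedHash' is not the approved master"
    exit 2
}

$current = Get-Sha256 $target
if ($current -eq $ExpectedSha256) {
    Write-Output "OK: ignore.dat already matches the approved master"
    exit 0
}

# Keep the previous list so an unexpected local change can be reviewed later.
if ($current) {
    $backup = "$target.$(Get-Date -Format 'yyyyMMddHHmmss').bak"
    Copy-Item -LiteralPath $target -Destination $backup
    Write-Output "DRIFT: existing ignore.dat ($current) backed up to $backup"
}

Copy-Item -LiteralPath $StagedMaster -Destination $target -Force
if ((Get-Sha256 $target) -ne $ExpectedSha256) {
    Write-Output "FAILED: ignore.dat does not match the approved master after copy"
    exit 1
}
Write-Output "UPDATED: ignore.dat replaced with the approved master"
exit 0
```

The DRIFT line is the one worth collecting centrally: an exclusion list that changed outside the deployment process is either a local administrator's edit or something that should be investigated.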

  • Hi,

    I have read this document before submitting a ticket with Kaseya. I have tried to edit the ignore list in the Malwarebytes software, but this is a "file and folder" ignore list.

    I want to ignore an IP address and do not know how to set an IP address to ignore in the index.dat file.

    09:06:16 IP-BLOCK 193.200.164.51 (Type: outgoing, Port: 50582, Process: iexplore.exe)

    Any help would be appreciated.

    Frank

    Questions after Kaseya closed the ticket and asked me to ask questions in this forum:

    How can I enter an IP address only in this exclusion list?

    When will there be an exclusion list managed by Kaseya?

    Furthermore, the people of the malwarebytes.org forum are also helping us out with problems related to false positives. Here is my example.

    forums.malwarebytes.org/index.php

    Thanks for letting me know.

  • hey Travis, how's that April/May timeline going?  Or did I miss the announcement?

    /snark

  • cameramonkey

    hey Travis, how's that April/May timeline going?  Or did I miss the announcement?

    /snark

    I never did say a year!

    /snark x2

    The issue we've run into is that MBAM still hasn't given us the ability to create or modify the ignore.dat.  The "ongoing discussions" have outlasted two program managers so far, but I'm still hopeful that we'll get the functionality sooner rather than later.

     

    Regards,

    Travis

     

  • LOL

  • BRAVO!!! Well played sir!

    You and me both on the hopey-changey. I'm still sitting here half a year on with all but 6 of my licenses idle because they haven't released this critical feature yet.

    Of the few I do have out in the field, one shared workstation has generated 3 "ZOMG!!! the sky is falling we're infected!" events simply because MBAM detects inane things as simple and harmless as the fact that we set the control panel to legacy view.

    My rep talked me down once from the ledge by pointing out that although I paid for them the clock doesn't start ticking until I deploy so I'm technically not out any $$ yet, but eventually there comes a point that I just can't leave that money on the table.

    It's also leaving us with a bad taste in our mouth on your other offerings. For example we are looking at the new MDM tools, but they are a bit feature light right now.  Your sales team assured everyone during the launch demo that although there are some key features (like Blackberry support, etc.) missing, they will be available "soon". As a customer, how do I know something similar isn't going to happen with this new product as well? (fool me once shame on you, fool me twice, shame on me, etc.)

    So what's the address of the MBAM offices so I can send a horse's head to get their attention? LOL

  • This is causing us and our clients wayyyyy too much grief.  It is blocking many of their banking apps and we need to have a custom ignore.dat per client (now 42).  How hard can this be to incorporate into KAM and KAV?  Plus the fact we cannot set how often updates are pulled and when.  We are getting eaten alive by FDIC auditors due to our lack of control.