Kaseya Community

Scripts & Agent Procedures

Malewarebytes Auto Clean infected files - in the works

Posted by LegacyPoster

on Oct 26, 2009 1:00 PM

any updates on this project?

Legacy Forum Name: Scripts Forum,
Legacy Posted By Username: kennedysupport

Posted by LegacyPoster

on Oct 26, 2009 7:07 PM

kennedysupport
any updates on this project?

Here's what I have so far

Script Name: MBAM FULLAUTO

Script Description: 



IF True 

THEN

   Get Variable

     Parameter 1 : 10

     Parameter 2 : 

     Parameter 3 : tempagent

         OS Type : 0

   Write File

     Parameter 1 : #tempagent#\mbam-setup.exe

     Parameter 2 : VSASharedFiles\mbam-setup.exe

         OS Type : 0

   Pause Script

     Parameter 1 : 180

         OS Type : 0

   Execute File

     Parameter 1 : #tempagent#\mbam-setup.exe

     Parameter 2 : #tempagent#\mbam-setup.exe /SP- /VERYSILENT /NOCANCEL

     Parameter 3 : 3

         OS Type : 0

   Pause Script

     Parameter 1 : 300

         OS Type : 0

   Execute File

     Parameter 1 : "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe"

     Parameter 2 : "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runupdate

     Parameter 3 : 3

         OS Type : 0

   Pause Script

     Parameter 1 : 300

         OS Type : 0

   Execute File

     Parameter 1 : "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe"

     Parameter 2 : "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /fullauto

     Parameter 3 : 3

         OS Type : 0

   Pause Script

     Parameter 1 : 900

         OS Type : 0

   Execute File

     Parameter 1 : C:\Program Files\Malwarebytes' Anti-Malware (tech)\unins000.exe

     Parameter 2 : C:\Program Files\Malwarebytes' Anti-Malware (tech)\unins000.exe /VERYSILENT /NORESTART

     Parameter 3 : 3

         OS Type : 0

ELSE

Legacy Forum Name: Scripts Forum,
Legacy Posted By Username: mattb@ghentcomputer.com

Posted by LegacyPoster

on Oct 27, 2009 6:20 AM

icq РґР»СЏ РЅРѕРєРёР° Рµ63 LSS Kinetix Ltd jimm icq nokia dvb dream ss3 jimm 0.6 РґР»СЏ nokia PHOTOM 550 РґР¶РёРј РјРѕСЂСЂРёСЃРѕРЅ РіР°Р±Р°СЂРёС‚С‹ С‚РѕР№РѕС‚Р° СЂР°РІ 4 СЃРєР°С‡Р°С‚СЊ РєРѕРЅСЃС‚СЂСѓРєС‚РѕСЂ jimm РЅР° РєРѕРјРїСЊСЋС‚РµСЂ Р РµРєР»Р°РјРЅРѕРµ Р°РіРµРЅС‚СЃС‚РІРѕ РҐРѕСЂРѕС€Рѕ Р°СЃСЊРєР° РЅР° lg ke800 РРїРѕСЃС‹ РјРёСЂР° Р°СЃСЊРєР° РЅР° СЃРѕРЅРё www.nevosoft.ru Р±Р°СЏРЅ icq РґР»СЏ nokia n82 Р Р°Р·РјРµСЂ РїР»Р°С‚С‹ Р·Р° РїСЂРѕРІРµРґРµРЅРёРµ С‚РµС…РѕСЃРјРѕС‚СЂР° РІ РЎС‚Р°РІСЂРѕРїРѕР»СЊСЃРєРѕРј РєСЂР°Рµ jimm РґР»СЏ nokia 5230 СЃР°Р№С‚ РєР°СЂС‚РёРЅРѕРє icq samsung s8000 jet E:\i386\lang СЃРѕР±СЂР°С‚СЊ jimm РЅР° С‚РµР»РµС„РѕРЅ РЎС‚СЂР°СЃР±СѓСЂРі СЃРѕР±РѕСЂ jimm С…Р°С‚С‚Р°Р± Р¤РѕС‚РѕСЃРµСЃСЃРёРё Jennifer Lopez РЅР°СЃС‚СЂРѕР№РєР° jimm РЅР° sony ericsson Р›СѓС‡С€РёРµ СЃРµСЂРІРµСЂС‹ WOW РєР°Рє СѓСЃС‚Р°РЅРѕРІРёС‚СЊ qip РЅР° nokia Utel СЃРєР°С‡Р°С‚СЊ icq РЅР° С‚РµР»РµС„РѕРЅ 2.6 Р›РёРєРѕРїСЂРѕС„РёС‚ Р°СЃСЏ РґР»СЏ С‚РµР»РµС„РѕРЅР° samsung Р±РµСЃРїР»Р°С‚РЅРѕ РљР°СЂС‚С„ Р РѕСЃСЃРёРё L-38 jimm sis РґРѕСЃС‚СѓРї РІРѕ РІРЅСѓС‚СЂРµРЅРЅСЋСЋ СЃРµС‚СЊ jimm icq РґР»СЏ РјРѕР±РёР»СЊРЅРѕРіРѕ Р±РµСЃРїР»Р°С‚РЅРѕ Р°СЂРµРЅРґР° РєР°СЂРЅР° mobile agent jimm aspro РєР°СЂС‚РёРЅРєРё РґРµРІСѓС€РµРє icq РґР»СЏ lg kf 300 12 СѓСЂРѕРєРѕРІ РїСЂР°РІРѕСЃР»Р°РІРёСЏ jimm РґР»СЏ lg gu230 dragon pfobnf jn eujyf Р°СЃСЊРєР° РЅР° С‚РµР»РµС„РѕРЅ СЃР°РјСЃСѓРЅРі СЃ3050 РєРёРЅРѕР°С„РёС€Р° РЎРџР± Р°СЃСЊРєР° РЅР° СЃР°РјСЃСѓРЅРі e250 РѕРїСЂРµРґРµР»РµРЅРёРµ РґРѕР»РµР№ СЃРѕР±СЃС‚РІРµРЅРЅРѕСЃС‚Рё РїСЂРё РїРѕРєСѓРїРєРµ РєРІР°СЂС‚РёСЂС‹ Рё СЂРµРіРёСЃС‚СЂР°С†РёРё РµС‘ РІ СЂРµРіРёСЃС‚СЂР°С†РёРѕРЅРЅРѕР№ РїР°Р»Р°С‚Рµ СЃРєР°С‡Р°С‚СЊ icq РґР»СЏ РЅРѕРєРёР° 6300 A media icq РІРёРґР¶РµС‚ РґР»СЏ samsung СЃРїРµС†РЅР°Р· С„СЃР± Р°СЃСЏ РґР»СЏ s5230 СѓСЃС‚Р°РЅРѕРІРєР° perl СЋРѕС‚Р° jimm aspro 0.5 2 РџРѕРіРѕРґР° Рё СЃР°РјРѕС‡СѓРІСЃС‚РІРёРµ С‡РµР»РѕРІРµРєР° СЃРєР°С‡Р°С‚СЊ СЂРµС„РµСЂР°С‚ СЃРєР°С‡Р°С‚СЊ jimm 0.6 2 РµРІСЂРѕСЃРёР± icq 2010 РґР»СЏ РјРѕР±РёР»СЊРЅРѕРіРѕ С„С€Рє РёСѓРєРґС€С‚ СЃРєР°С‡Р°С‚СЊ jimm midp2 РєРѕРјРїР»РµРєС‚Р°С†РёСЏ Logan

Posted by LegacyPoster

on Oct 27, 2009 9:50 AM

dLIy4T http://guI2vS0jBrn7M3Apkdef81n.com

[edited by: Anonymous at 7:42 AM (GMT -7) on 3-28-2011] dLIy4T http://guI2vS0jBrn7M3Apkdef81n.com

Posted by LegacyPoster

on Oct 27, 2009 6:51 PM

Do you have to have Auto-IT to run your script?

Legacy Forum Name: Scripts Forum,
Legacy Posted By Username: billmccl

Posted by LegacyPoster

on Oct 27, 2009 7:42 PM

This works great. Found that it works better by taking out the Use Credential step and run everything as the system.

ReedMikel

I bought MBAM's Technician's License ($100/yr) several months ago and wrote this script for unattended install and scanning.

I saw a post in this thread where somebody mentioned Safe mode. I usually like to scan using AV products in Safe mode too, but the tech at MB told me to NOT scan in Safe mode with their product. He said it does a better job in Normal mode. So I stripped the Safe mode portion out of my script.

Script Notes:
- Replace below with, you guessed it, your email address.

- MBAM installs in a subfolder named MBAM inside agent's temp dir.

- IF section tests whether the latest version of MBAM is installed on agent by checking the CHANGES.RTF (revision history) file. You'll want to change the 1.41 to whatever version you have.

- Save your MBAM installer as VSASharedFiles\Security\MBAM\mbam-tech.exe

- I have another script that uninstalls MBAM. I manually schedule that script after I'm convinced MBAM has removed the infections...

Script Name: MalwareBytes.org - installs/runs mbam.exe & scans

Script Description: Tests if MBAM(tech) is installed.  If yes, updates mbam and does a /fullscan.  If not, copies mbam from KServer and installs it, then does a fullscan.  Sends an emails containing results of scan from log file...



IF Test File 

   Parameter 1 : #vAgentConfiguration.agentTempDir#\mbam\changes.rtf

   Contains :Version 1.41

THEN

   Use Credential - (Continue on Fail)

         OS Type : -1

   Send Message - (Continue on Fail)

     Parameter 1 : Checking for updates to MBAM, downloading & installing if found...

     Parameter 2 : 1

         OS Type : 0

   Execute Shell Command

     Parameter 1 : "#vAgentConfiguration.agentTempDir#\mbam\mbam.exe" /runupdate

     Parameter 2 : 0

         OS Type : 0

   Pause Script - (Continue on Fail)

     Parameter 1 : 20

         OS Type : 0

   Send Message

     Parameter 1 : Currently scanning your machine for infections. Please do not close the Malwarebytes program as it will interrupt the scan. We will be notified automatically when the scan finishes and will resume work on this PC at that time. Thank you.

     Parameter 2 : 1

         OS Type : 0

   Execute Shell Command

     Parameter 1 : "#vAgentConfiguration.agentTempDir#\mbam\mbam.exe" /logtofile C:\MBAMLog.txt

     Parameter 2 : 0

         OS Type : 0

   Execute Shell Command - (Continue on Fail)

     Parameter 1 : "#vAgentConfiguration.agentTempDir#\mbam\mbam.exe" /fullauto

     Parameter 2 : 0

         OS Type : 0

   Get Variable - (Continue on Fail)

     Parameter 1 : 6

     Parameter 2 : 

     Parameter 3 : MachineID

         OS Type : 0

   Get Variable

     Parameter 1 : 1

     Parameter 2 : c:\MBAMLog.txt

     Parameter 3 : ScanLog

         OS Type : 0

   Send Email - (Continue on Fail)

     Parameter 1 : 

     Parameter 2 : MBAM Scan on #MachineID#.

     Parameter 3 : #ScanLog#

         OS Type : 0

ELSE

   Use Credential

         OS Type : 0

   Delete File - (Continue on Fail)

     Parameter 1 : #vAgentConfiguration.AgentTempDir#\mbamSetup.exe

         OS Type : 0

   Write File

     Parameter 1 : #vAgentConfiguration.AgentTempDir#\mbamSetup.exe

     Parameter 2 : VSASharedFiles\Security\MBAM\mbam-tech.exe

         OS Type : 0

   Pause Script

     Parameter 1 : 10

         OS Type : 0

   Execute Shell Command

     Parameter 1 : "#vAgentConfiguration.AgentTempDir#\mbamSetup.exe" /SP- /VERYSILENT /SUPPRESSMSGBOXES /NOCANCEL /DIR=#vAgentConfiguration.agentTempDir#\mbam

     Parameter 2 : 0

         OS Type : 0

   Pause Script

     Parameter 1 : 20

         OS Type : 0

   Execute Shell Command

     Parameter 1 : "#vAgentConfiguration.agentTempDir#\mbam\mbam.exe" /logtofile C:\MBAMLog.txt

     Parameter 2 : 0

         OS Type : 0

   Execute Shell Command

     Parameter 1 : "#vAgentConfiguration.agentTempDir#\mbam\mbam.exe" /runupdate

     Parameter 2 : 0

         OS Type : 0

   Pause Script

     Parameter 1 : 20

         OS Type : 0

   Execute Shell Command

     Parameter 1 : "#vAgentConfiguration.agentTempDir#\mbam\mbam.exe" /fullauto

     Parameter 2 : 0

         OS Type : 0

   Get Variable

     Parameter 1 : 6

     Parameter 2 : 

     Parameter 3 : MachineID

         OS Type : 0

   Get Variable

     Parameter 1 : 1

     Parameter 2 : c:\MBAMLog.txt

     Parameter 3 : ScanLog

         OS Type : 0

   Send Email

     Parameter 1 : 

     Parameter 2 : #MachineID#: MBAM scan completed

     Parameter 3 : #ScanLog#

         OS Type : 0

I wish I could remember who to credit for some of the code I used. I think that's where I got the IF code from...

Legacy Forum Name: Scripts Forum,
Legacy Posted By Username: mattb@ghentcomputer.com

Posted by LegacyPoster

on Oct 27, 2009 9:37 PM

Is there different mbam-setup.exe downloads from Malwarebytes for Free, Tech and Corporate? Or is it the same one and when you register it (Corporate) it allows the additional features?

Thanks!

Legacy Forum Name: Scripts Forum,
Legacy Posted By Username: billmccl

Posted by LegacyPoster

on Oct 27, 2009 9:52 PM

billmccl
Do you have to have Auto-IT to run your script?

You will need AutoIt to compile the script. To run it on a remote client, all you have to do is copy the executable (and setup file for Malwarebytes) over and run it.

Legacy Forum Name: Scripts Forum,
Legacy Posted By Username: SMason

Posted by LegacyPoster

on Oct 27, 2009 9:53 PM

billmccl
Is there different mbam-setup.exe downloads from Malwarebytes for Free, Tech and Corporate? Or is it the same one and when you register it (Corporate) it allows the additional features?

Thanks!

The license will unlock proactive scanning and protection. Besides this, I have observed no difference. You will still need to purchase these licenses if your intention is to run Malwarebytes on any business computers due to their agreement.

Legacy Forum Name: Scripts Forum,
Legacy Posted By Username: SMason

Posted by LegacyPoster

on Oct 27, 2009 10:27 PM

My script is 100% Kaseya. Not sure if you were asking both of us...

Legacy Forum Name: Scripts Forum,
Legacy Posted By Username: ReedMikel

Posted by LegacyPoster

on Nov 20, 2009 2:08 AM

ReedMikel have you tested your script on Windows 7?

Also, do you know if the MSP version of mbam would need to be registered before the script works?

Legacy Forum Name: Scripts Forum,
Legacy Posted By Username: saputo444

Posted by LegacyPoster

on Nov 20, 2009 8:23 AM

SMason

Here is what I came up with. Disclaimer: this code is being shared as a proof of concept only. If you like the product, I strongly advise purchasing licenses or you may face potential legal action from the vendor.

This script covers everything discussed thus far. The install, update, and scan (with /fullauto switch) are all silent. It will only scan the C: drive. The desktop icon is removed. The log file first goes to C:\temp\mbam-log.txt and then to a predetermined email address. If a user is not logged in, the scan will run with the agent credential.

I left out the reboot and uninstall because I think those items should be scheduled appropriately by the engineer running this script.

First, the Kaseya portion:

Script Name: Malwarebytes

Script Description: For testing purposes only!



IF User Is Logged In 

   Parameter 1 : 

THEN

   Write File

     Parameter 1 : C:\temp\automb.exe

     Parameter 2 : VSASharedFiles\automb.exe

         OS Type : 0

   Write File

     Parameter 1 : C:\temp\mbam-setup.exe

     Parameter 2 : VSASharedFiles\mbam-setup.exe

         OS Type : 0

   Execute File

     Parameter 1 : C:\temp\automb.exe

     Parameter 2 : 

     Parameter 3 : 1

         OS Type : 0

   Get Variable

     Parameter 1 : 6

     Parameter 2 : 

     Parameter 3 : machine

         OS Type : 0

   Get Variable

     Parameter 1 : 1

     Parameter 2 : C:\temp\mbam-log.txt

     Parameter 3 : log

         OS Type : 0

   Send Email

     Parameter 1 : 

     Parameter 2 : Scan completed on #machine#

     Parameter 3 : #log#

         OS Type : 0

   Delete File

     Parameter 1 : C:\temp\automb.exe

         OS Type : 0

   Delete File

     Parameter 1 : C:\temp\mbam-setup.exe

         OS Type : 0

ELSE

   Use Credential

         OS Type : 0

   Write File

     Parameter 1 : C:\temp\automb.exe

     Parameter 2 : VSASharedFiles\automb.exe

         OS Type : 0

   Write File

     Parameter 1 : C:\temp\mbam-setup.exe

     Parameter 2 : VSASharedFiles\mbam-setup.exe

         OS Type : 0

   Execute File

     Parameter 1 : C:\temp\automb.exe

     Parameter 2 : 

     Parameter 3 : 1

         OS Type : 0

   Get Variable

     Parameter 1 : 6

     Parameter 2 : 

     Parameter 3 : machine

         OS Type : 0

   Get Variable

     Parameter 1 : 1

     Parameter 2 : C:\temp\mbam-log.txt

     Parameter 3 : log

         OS Type : 0

   Send Email

     Parameter 1 : 

     Parameter 2 : Scan completed on #machine#

     Parameter 3 : #log#

         OS Type : 0

   Delete File

     Parameter 1 : C:\temp\automb.exe

         OS Type : 0

   Delete File

     Parameter 1 : C:\temp\mbam-setup.exe

         OS Type : 0

The mbam-setup.exe file is the installer downloaded from the website. The automb.exe file is a script I wrote with AutoIt. Here is the source:

AutoItSetOption("TrayIconHide", "1")



; Install Malwarebytes

Run(@ComSpec & " /c " & 'C:\temp\mbam-setup.exe /SP- /VERYSILENT /DIR=C:\MBAM', "", @SW_HIDE)



; After setup completes, run an update to get the latest definitions.

Sleep("2000")

If ProcessExists("mbam-setup.exe") Then

	ProcessWaitClose("mbam-setup.exe")

EndIf

Run(@ComSpec & " /c " & 'C:\MBAM\mbam.exe /runupdate', "", @SW_HIDE)



; Delete any previous log files and the desktop icon.

ProcessWait("mbam.exe")

ProcessWaitClose("mbam.exe")

Run(@ComSpec & " /c " & 'del C:\temp\mbam-log.txt /s /f /q', "", @SW_HIDE)

Run(@ComSpec & " /c " & 'del "%USERPROFILE%\Application Data\Malwarebytes\Malwarebytes'' Anti-Malware\Logs\*.txt" /s /f /q', "", @SW_HIDE)

Run(@ComSpec & " /c " & 'del "C:\Documents and Settings\All Users\Desktop\Malwarebytes'' Anti-Malware.lnk" /s /f /q', "", @SW_HIDE)



; Ensure Malwarebytes only scans the C: drive.

Run(@ComSpec & " /c " & 'reg add "HKCU\Software\Malwarebytes'' Anti-Malware" /v selectedrives /d C:\', "", @SW_HIDE)

Sleep("2000")



; Kick off a full scan. Some threats will not be removed until the computer is rebooted.

Run(@ComSpec & " /c " & 'C:\MBAM\mbam.exe /fullauto', "", @SW_HIDE)

ProcessWait("mbam.exe")

ProcessWaitClose("mbam.exe")



; Copy the log file to somewhere easy. This will help for reporting.

Run(@ComSpec & " /c " & 'copy "%USERPROFILE%\Application Data\Malwarebytes\Malwarebytes'' Anti-Malware\Logs\*.txt" "C:\temp\mbam-log.txt"', "", @SW_HIDE)

Let me know what you guys think.

Script looks good, testing it i had a few troubles, found that i missed copying and pasting some of the script code so when i went to compile it, wouldnt work..all good now.

Only problem i have is now at Step 5 in the Then statement, failing at the applying variable. Any ideas?

Legacy Forum Name: Scripts Forum,
Legacy Posted By Username: Commander

Posted by LegacyPoster

on Nov 20, 2009 9:38 PM

I do not have Win7 installed anywhere yet. I am not an early-adopter. I prefer to wait quite some time for Microsoft to get all the bugs out of new operating systems Smile

MBAM "Technician's License" version has never required me to register it.

saputo444
ReedMikel have you tested your script on Windows 7?

Also, do you know if the MSP version of mbam would need to be registered before the script works?

Legacy Forum Name: Scripts Forum,
Legacy Posted By Username: ReedMikel

Posted by LegacyPoster

on Nov 20, 2009 11:46 PM

billmccl
Is there different mbam-setup.exe downloads from Malwarebytes for Free, Tech and Corporate? Or is it the same one and when you register it (Corporate) it allows the additional features?

Thanks!

The /fullauto switch is only running the Quick Scan with the Free version for me.

Legacy Forum Name: Scripts Forum,
Legacy Posted By Username: gdanner

Posted by LegacyPoster

on Nov 21, 2009 2:55 AM

I'm fairly sure the downloads are different for each version. I say that because I never register it when installing on an agent , yet it supports all the switches listed in the command pdf.

the /fullauto does a full scan for me with the Technician's License version. And, it runs silently.

I can tell you their handling of command line switches is anything but intuitive. e.g. they support a /logtofile switch. But, it does not work if used with other switches on the same command line. e.g. mbam.exe /fullauto /logtofile c:\temp\ScanLog.txt will scan, but does not create the log file in specified location. It only works if you run it all by itself: mbam.exe /logtofile c:\temp\ScanLog.txt So you have to execute one instance of mbam.exe *before* you do a scan just to set the log file location. That's the oddest handling of switches I have ever seen Confused

Legacy Forum Name: Scripts Forum,
Legacy Posted By Username: ReedMikel

CCleaner /auto runs doesn't clean

Temp File Cleaning

Clean up outlook temp files

Cleaning Temp Files/Automation Question

Auto Recover not working!

Malewarebytes Auto Clean infected files - in the works