Kaseya Community

Malwarebytes Auto Clean infected files - in the works

  • any updates on this project?

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: kennedysupport
  • kennedysupport
    any updates on this project?


    Here's what I have so far

    Script Name: MBAM FULLAUTO
    Script Description:

    IF True
    THEN
    Get Variable
    Parameter 1 : 10
    Parameter 2 :
    Parameter 3 : tempagent
    OS Type : 0
    Write File
    Parameter 1 : #tempagent#\mbam-setup.exe
    Parameter 2 : VSASharedFiles\mbam-setup.exe
    OS Type : 0
    Pause Script
    Parameter 1 : 180
    OS Type : 0
    Execute File
    Parameter 1 : #tempagent#\mbam-setup.exe
    Parameter 2 : #tempagent#\mbam-setup.exe /SP- /VERYSILENT /NOCANCEL
    Parameter 3 : 3
    OS Type : 0
    Pause Script
    Parameter 1 : 300
    OS Type : 0
    Execute File
    Parameter 1 : "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe"
    Parameter 2 : "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runupdate
    Parameter 3 : 3
    OS Type : 0
    Pause Script
    Parameter 1 : 300
    OS Type : 0
    Execute File
    Parameter 1 : "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe"
    Parameter 2 : "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /fullauto
    Parameter 3 : 3
    OS Type : 0
    Pause Script
    Parameter 1 : 900
    OS Type : 0
    Execute File
    Parameter 1 : C:\Program Files\Malwarebytes' Anti-Malware (tech)\unins000.exe
    Parameter 2 : C:\Program Files\Malwarebytes' Anti-Malware (tech)\unins000.exe /VERYSILENT /NORESTART
    Parameter 3 : 3
    OS Type : 0
    ELSE


    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: mattb@ghentcomputer.com
  • Do you have to have Auto-IT to run your script?

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: billmccl
  • This works great. Found that it works better by taking out the Use Credential step and running everything as the system.

    ReedMikel
    I bought MBAM's Technician's License ($100/yr) several months ago and wrote this script for unattended install and scanning.

    I saw a post in this thread where somebody mentioned Safe mode. I usually like to scan using AV products in Safe mode too, but the tech at MB told me to NOT scan in Safe mode with their product. He said it does a better job in Normal mode. So I stripped the Safe mode portion out of my script.

    Script Notes:
    - Replace below with, you guessed it, your email address.

    - MBAM installs in a subfolder named MBAM inside agent's temp dir.

    - IF section tests whether the latest version of MBAM is installed on agent by checking the CHANGES.RTF (revision history) file. You'll want to change the 1.41 to whatever version you have.

    - Save your MBAM installer as VSASharedFiles\Security\MBAM\mbam-tech.exe

    - I have another script that uninstalls MBAM. I manually schedule that script after I'm convinced MBAM has removed the infections...

    Script Name: MalwareBytes.org - installs/runs mbam.exe & scans
    Script Description: Tests if MBAM(tech) is installed. If yes, updates mbam and does a /fullscan. If not, copies mbam from KServer and installs it, then does a fullscan. Sends an email containing results of scan from log file...

    IF Test File
    Parameter 1 : #vAgentConfiguration.agentTempDir#\mbam\changes.rtf
    Contains :Version 1.41
    THEN
    Use Credential - (Continue on Fail)
    OS Type : -1
    Send Message - (Continue on Fail)
    Parameter 1 : Checking for updates to MBAM, downloading & installing if found...
    Parameter 2 : 1
    OS Type : 0
    Execute Shell Command
    Parameter 1 : "#vAgentConfiguration.agentTempDir#\mbam\mbam.exe" /runupdate
    Parameter 2 : 0
    OS Type : 0
    Pause Script - (Continue on Fail)
    Parameter 1 : 20
    OS Type : 0
    Send Message
    Parameter 1 : Currently scanning your machine for infections. Please do not close the Malwarebytes program as it will interrupt the scan. We will be notified automatically when the scan finishes and will resume work on this PC at that time. Thank you.
    Parameter 2 : 1
    OS Type : 0
    Execute Shell Command
    Parameter 1 : "#vAgentConfiguration.agentTempDir#\mbam\mbam.exe" /logtofile C:\MBAMLog.txt
    Parameter 2 : 0
    OS Type : 0
    Execute Shell Command - (Continue on Fail)
    Parameter 1 : "#vAgentConfiguration.agentTempDir#\mbam\mbam.exe" /fullauto
    Parameter 2 : 0
    OS Type : 0
    Get Variable - (Continue on Fail)
    Parameter 1 : 6
    Parameter 2 :
    Parameter 3 : MachineID
    OS Type : 0
    Get Variable
    Parameter 1 : 1
    Parameter 2 : c:\MBAMLog.txt
    Parameter 3 : ScanLog
    OS Type : 0
    Send Email - (Continue on Fail)
    Parameter 1 :
    Parameter 2 : MBAM Scan on #MachineID#.
    Parameter 3 : #ScanLog#
    OS Type : 0
    ELSE
    Use Credential
    OS Type : 0
    Delete File - (Continue on Fail)
    Parameter 1 : #vAgentConfiguration.AgentTempDir#\mbamSetup.exe
    OS Type : 0
    Write File
    Parameter 1 : #vAgentConfiguration.AgentTempDir#\mbamSetup.exe
    Parameter 2 : VSASharedFiles\Security\MBAM\mbam-tech.exe
    OS Type : 0
    Pause Script
    Parameter 1 : 10
    OS Type : 0
    Execute Shell Command
    Parameter 1 : "#vAgentConfiguration.AgentTempDir#\mbamSetup.exe" /SP- /VERYSILENT /SUPPRESSMSGBOXES /NOCANCEL /DIR=#vAgentConfiguration.agentTempDir#\mbam
    Parameter 2 : 0
    OS Type : 0
    Pause Script
    Parameter 1 : 20
    OS Type : 0
    Execute Shell Command
    Parameter 1 : "#vAgentConfiguration.agentTempDir#\mbam\mbam.exe" /logtofile C:\MBAMLog.txt
    Parameter 2 : 0
    OS Type : 0
    Execute Shell Command
    Parameter 1 : "#vAgentConfiguration.agentTempDir#\mbam\mbam.exe" /runupdate
    Parameter 2 : 0
    OS Type : 0
    Pause Script
    Parameter 1 : 20
    OS Type : 0
    Execute Shell Command
    Parameter 1 : "#vAgentConfiguration.agentTempDir#\mbam\mbam.exe" /fullauto
    Parameter 2 : 0
    OS Type : 0
    Get Variable
    Parameter 1 : 6
    Parameter 2 :
    Parameter 3 : MachineID
    OS Type : 0
    Get Variable
    Parameter 1 : 1
    Parameter 2 : c:\MBAMLog.txt
    Parameter 3 : ScanLog
    OS Type : 0
    Send Email
    Parameter 1 :
    Parameter 2 : #MachineID#: MBAM scan completed
    Parameter 3 : #ScanLog#
    OS Type : 0



    I wish I could remember who to credit for some of the code I used. I think that's where I got the IF code from...


    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: mattb@ghentcomputer.com
  • Are there different mbam-setup.exe downloads from Malwarebytes for Free, Tech and Corporate? Or is it the same one and when you register it (Corporate) it allows the additional features?

    Thanks!

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: billmccl
  • billmccl
    Do you have to have Auto-IT to run your script?


    You will need AutoIt to compile the script. To run it on a remote client, all you have to do is copy the executable (and setup file for Malwarebytes) over and run it.

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: SMason
  • billmccl
    Are there different mbam-setup.exe downloads from Malwarebytes for Free, Tech and Corporate? Or is it the same one and when you register it (Corporate) it allows the additional features?

    Thanks!


    The license will unlock proactive scanning and protection. Besides this, I have observed no difference. You will still need to purchase these licenses if your intention is to run Malwarebytes on any business computers due to their agreement.

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: SMason
  • My script is 100% Kaseya. Not sure if you were asking both of us...

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: ReedMikel
  • ReedMikel have you tested your script on Windows 7?

    Also, do you know if the MSP version of mbam would need to be registered before the script works?

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: saputo444
  • SMason
    Here is what I came up with. Disclaimer: this code is being shared as a proof of concept only. If you like the product, I strongly advise purchasing licenses or you may face potential legal action from the vendor.

    This script covers everything discussed thus far. The install, update, and scan (with /fullauto switch) are all silent. It will only scan the C: drive. The desktop icon is removed. The log file first goes to C:\temp\mbam-log.txt and then to a predetermined email address. If a user is not logged in, the scan will run with the agent credential.

    I left out the reboot and uninstall because I think those items should be scheduled appropriately by the engineer running this script.

    First, the Kaseya portion:
    Script Name: Malwarebytes
    Script Description: For testing purposes only!

    IF User Is Logged In
    Parameter 1 :
    THEN
    Write File
    Parameter 1 : C:\temp\automb.exe
    Parameter 2 : VSASharedFiles\automb.exe
    OS Type : 0
    Write File
    Parameter 1 : C:\temp\mbam-setup.exe
    Parameter 2 : VSASharedFiles\mbam-setup.exe
    OS Type : 0
    Execute File
    Parameter 1 : C:\temp\automb.exe
    Parameter 2 :
    Parameter 3 : 1
    OS Type : 0
    Get Variable
    Parameter 1 : 6
    Parameter 2 :
    Parameter 3 : machine
    OS Type : 0
    Get Variable
    Parameter 1 : 1
    Parameter 2 : C:\temp\mbam-log.txt
    Parameter 3 : log
    OS Type : 0
    Send Email
    Parameter 1 :
    Parameter 2 : Scan completed on #machine#
    Parameter 3 : #log#
    OS Type : 0
    Delete File
    Parameter 1 : C:\temp\automb.exe
    OS Type : 0
    Delete File
    Parameter 1 : C:\temp\mbam-setup.exe
    OS Type : 0
    ELSE
    Use Credential
    OS Type : 0
    Write File
    Parameter 1 : C:\temp\automb.exe
    Parameter 2 : VSASharedFiles\automb.exe
    OS Type : 0
    Write File
    Parameter 1 : C:\temp\mbam-setup.exe
    Parameter 2 : VSASharedFiles\mbam-setup.exe
    OS Type : 0
    Execute File
    Parameter 1 : C:\temp\automb.exe
    Parameter 2 :
    Parameter 3 : 1
    OS Type : 0
    Get Variable
    Parameter 1 : 6
    Parameter 2 :
    Parameter 3 : machine
    OS Type : 0
    Get Variable
    Parameter 1 : 1
    Parameter 2 : C:\temp\mbam-log.txt
    Parameter 3 : log
    OS Type : 0
    Send Email
    Parameter 1 :
    Parameter 2 : Scan completed on #machine#
    Parameter 3 : #log#
    OS Type : 0
    Delete File
    Parameter 1 : C:\temp\automb.exe
    OS Type : 0
    Delete File
    Parameter 1 : C:\temp\mbam-setup.exe
    OS Type : 0


    The mbam-setup.exe file is the installer downloaded from the website. The automb.exe file is a script I wrote with AutoIt. Here is the source:
    AutoItSetOption("TrayIconHide", "1")

    ; Install Malwarebytes
    Run(@ComSpec & " /c " & 'C:\temp\mbam-setup.exe /SP- /VERYSILENT /DIR=C:\MBAM', "", @SW_HIDE)

    ; After setup completes, run an update to get the latest definitions.
    Sleep("2000")
    If ProcessExists("mbam-setup.exe") Then
    ProcessWaitClose("mbam-setup.exe")
    EndIf
    Run(@ComSpec & " /c " & 'C:\MBAM\mbam.exe /runupdate', "", @SW_HIDE)

    ; Delete any previous log files and the desktop icon.
    ProcessWait("mbam.exe")
    ProcessWaitClose("mbam.exe")
    Run(@ComSpec & " /c " & 'del C:\temp\mbam-log.txt /s /f /q', "", @SW_HIDE)
    Run(@ComSpec & " /c " & 'del "%USERPROFILE%\Application Data\Malwarebytes\Malwarebytes'' Anti-Malware\Logs\*.txt" /s /f /q', "", @SW_HIDE)
    Run(@ComSpec & " /c " & 'del "C:\Documents and Settings\All Users\Desktop\Malwarebytes'' Anti-Malware.lnk" /s /f /q', "", @SW_HIDE)

    ; Ensure Malwarebytes only scans the C: drive.
    Run(@ComSpec & " /c " & 'reg add "HKCU\Software\Malwarebytes'' Anti-Malware" /v selectedrives /d C:\', "", @SW_HIDE)
    Sleep("2000")

    ; Kick off a full scan. Some threats will not be removed until the computer is rebooted.
    Run(@ComSpec & " /c " & 'C:\MBAM\mbam.exe /fullauto', "", @SW_HIDE)
    ProcessWait("mbam.exe")
    ProcessWaitClose("mbam.exe")

    ; Copy the log file to somewhere easy. This will help for reporting.
    Run(@ComSpec & " /c " & 'copy "%USERPROFILE%\Application Data\Malwarebytes\Malwarebytes'' Anti-Malware\Logs\*.txt" "C:\temp\mbam-log.txt"', "", @SW_HIDE)


    Let me know what you guys think.



    Script looks good. Testing it, I had a few troubles: found that I missed copying and pasting some of the script code, so when I went to compile it, it wouldn't work. All good now.

    Only problem I have is now at Step 5 in the Then statement, failing at the applying variable. Any ideas?

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: Commander
  • I do not have Win7 installed anywhere yet. I am not an early-adopter. I prefer to wait quite some time for Microsoft to get all the bugs out of new operating systems.

    MBAM "Technician's License" version has never required me to register it.

    saputo444
    ReedMikel have you tested your script on Windows 7?

    Also, do you know if the MSP version of mbam would need to be registered before the script works?


    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: ReedMikel
  • billmccl
    Are there different mbam-setup.exe downloads from Malwarebytes for Free, Tech and Corporate? Or is it the same one and when you register it (Corporate) it allows the additional features?

    Thanks!


    The /fullauto switch is only running the Quick Scan with the Free version for me.

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: gdanner
  • I'm fairly sure the downloads are different for each version. I say that because I never register it when installing on an agent, yet it supports all the switches listed in the command pdf.

    The /fullauto does a full scan for me with the Technician's License version. And, it runs silently.

    I can tell you their handling of command line switches is anything but intuitive. E.g. they support a /logtofile switch, but it does not work if used with other switches on the same command line: mbam.exe /fullauto /logtofile c:\temp\ScanLog.txt will scan, but does not create the log file in the specified location. It only works if you run it all by itself (mbam.exe /logtofile c:\temp\ScanLog.txt). So you have to execute one instance of mbam.exe *before* you do a scan just to set the log file location. That's the oddest handling of switches I have ever seen.

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: ReedMikel
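
The switch ordering described in the last post, written as a PowerShell wrapper that waits on each mbam.exe run with a timeout instead of fixed Pause Script delays. This is an added example, not code from any poster in the thread. The paths, the timeouts and the Authenticode check on the installer before it runs are assumptions; only the /logtofile, /runupdate, /fullauto and installer switches come from the posts above.

```powershell
# Added example. Paths, timeouts and the signature check are assumptions,
# not taken from the thread; the mbam.exe switches are the ones posted above.
param(
    [string]$Installer  = 'C:\temp\mbam-setup.exe',  # assumed staging path (no spaces)
    [string]$InstallDir = 'C:\MBAM',
    [string]$LogFile    = 'C:\temp\mbam-log.txt'
)
$ErrorActionPreference = 'Stop'
$mbam = Join-Path $InstallDir 'mbam.exe'

# Run one step and wait for it to exit; fail loudly instead of moving on
# after a fixed pause while the previous step is still running.
function Invoke-Step {
    param([string]$Path, [string[]]$Arguments, [int]$TimeoutSec)
    $p = Start-Process -FilePath $Path -ArgumentList $Arguments -PassThru
    if (-not $p.WaitForExit($TimeoutSec * 1000)) {
        $p.Kill()
        throw "$Path $Arguments did not finish within $TimeoutSec s"
    }
}

if (-not (Test-Path $mbam)) {
    # The installer is copied to a writable directory and then executed with
    # high privileges, so refuse it unless its signature validates.
    $sig = Get-AuthenticodeSignature -FilePath $Installer
    if ($sig.Status -ne 'Valid') { throw "Installer signature: $($sig.Status)" }
    Write-Output "Installer signed by: $($sig.SignerCertificate.Subject)"
    Invoke-Step $Installer @('/SP-', '/VERYSILENT', '/SUPPRESSMSGBOXES',
                             '/NOCANCEL', "/DIR=$InstallDir") 600
}

# Remove a stale log so an old result cannot be mistaken for this scan.
if (Test-Path $LogFile) { Remove-Item $LogFile -Force }

# /logtofile has to be its own invocation; combined with /fullauto it is ignored.
Invoke-Step $mbam @('/logtofile', $LogFile) 60
Invoke-Step $mbam @('/runupdate') 600
Invoke-Step $mbam @('/fullauto') 7200

# A missing log means the scan result is unknown, not clean.
if (-not (Test-Path $LogFile)) { throw "Scan finished but $LogFile was not written" }
Get-Content $LogFile
```

Compare the signer subject printed by the script with the publisher you expect before relying on the result, since a valid signature alone does not say who signed the file.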