Kaseya Community

Malwarebytes Auto Clean infected files - in the works

  • We are running MBAM alongside KES and it's working well. No performance issues, and the res shield is great.
    Jack at MBAM gave us a good VB script that, with some tweaks, is working really well (less stress than a KES install!).

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: Steve Morris
  • I'm pulling my hair out on this... we also have the tech version, but for whatever reason, I have tremendous problems getting the logging to work consistently. Using /logtofile, the log is often never created. Has anyone else had this issue? I've literally gone back and forth with MBAM tech support for months on it, with the result being that they eventually just gave up on it with me.

    I've even gone so far as to not use /logtofile and instead use these commands to grab the log:

    rem before the scan: clear out old logs so only this scan's log is left
    del /Q "%AppData%\Malwarebytes\Malwarebytes' Anti-Malware\logs\*.txt"

    rem after the scan: copy the new log into the agent's temp directory
    copy /Y "%AppData%\Malwarebytes\Malwarebytes' Anti-Malware\logs\*.txt" "#vAgentConfiguration.agentTempDir#\mbam\mbam.log"


    But even that has been inconsistent in working. I've tried ReedMikel's in the forum here and that has had the same problem.

    Anyway, just wondering if anyone has had similar experience/problems like this.

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: fisofo
  • In some cases, a log will not be created because certain types of malware prevent MBAM.exe from even executing. For this reason, some of us have scripted the renaming of this file before attempting to launch.

    The very worst types of malware prevent all executables from running. There isn't much we can do as far as automation when this happens.

    Despite all of this, I am not ruling out a buggy application (Malwarebytes) to be the culprit either.

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: SMason
  • SMason
    In some cases, a log will not be created because certain types of malware prevent MBAM.exe from even executing. For this reason, some of us have scripted the renaming of this file before attempting to launch.

    The very worst types of malware prevent all executables from running. There isn't much we can do as far as automation when this happens.

    Despite all of this, I am not ruling out a buggy application (Malwarebytes) to be the culprit either.


    I've definitely seen that before; however, I can reproduce the issue easily on a brand new, clean virtual machine of XP. Running MBAM manually works fine of course, and I can see mbam.exe running for a while when mbam.exe /fullauto is run, so I'm pretty positive it's doing *something*.

    In any case, I just saw in their forums that 1.42 is on the verge of release... perhaps by some miracle they have resolved some of the issues we've had with 1.41, I'll wait and see.

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: fisofo
  • MBAM's programmers must have been drunk the night they wrote the code for the /LogToFile command line switch. It took me a while, but eventually their support told me to execute a MBAM.exe /logtofile command all by itself. Then execute MBAM.exe /fullauto (or whatever scanning switch you want). You'll then find it creates the log file at the location (and filename) you specified. I have never seen such stupid programming of command line switches. Then again, MB is a very odd company. They can take forever (weeks) to reply to emails - even when you are inquiring about purchasing. While the product is good for scanning, I'm fearful they'll go out of business because of their slow responses to sales and support issues...

    fisofo
    I'm pulling my hair out on this... we also have the tech version, but for whatever reason, I have tremendous problems getting the logging to work consistently. using /logtofile, the log often is never created. Has anyone else had this issue? I've literally gone back and forth with mbam tech support for months on it, with the result being that they eventually just gave up on it with me.


    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: ReedMikel
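Putting the two workarounds from this thread together, here is an added example of an agent-procedure batch script. It is not code posted by anyone in the thread and not Malwarebytes' or Kaseya's own: it runs a renamed copy of mbam.exe, as SMason describes scripting, issues /logtofile on its own before /fullauto as ReedMikel's support contact advised, then collects the log for the Kaseya agent, falling back to fisofo's copy from MBAM's own logs folder. Assumed: the install and log paths below, that /logtofile takes the log path as its argument and exits promptly, that a renamed copy in the install directory runs, and that Kaseya expands #vAgentConfiguration.agentTempDir# before the script executes (replace it with a literal path to test by hand).

```batch
@echo off
setlocal
rem Added example, not from the thread. Paths are assumptions; adjust for your install.
set "MBAM_DIR=C:\Program Files\Malwarebytes' Anti-Malware"
set "MBAM_LOGDIR=%AppData%\Malwarebytes\Malwarebytes' Anti-Malware\logs"
set "OUTDIR=#vAgentConfiguration.agentTempDir#\mbam"
set "OUTLOG=%OUTDIR%\mbam.log"

if not exist "%OUTDIR%" mkdir "%OUTDIR%"
if exist "%OUTLOG%" del /Q "%OUTLOG%"
rem Clear MBAM's own logs folder first so the fallback copy below only sees this scan's log.
if exist "%MBAM_LOGDIR%\*.txt" del /Q "%MBAM_LOGDIR%\*.txt"

rem SMason's workaround: some malware blocks mbam.exe by name, so run a copy under a
rem random name (assumption: a renamed copy in the same folder runs normally).
set "SCANNER=%MBAM_DIR%\scan%RANDOM%.exe"
copy /Y "%MBAM_DIR%\mbam.exe" "%SCANNER%" >nul
if not exist "%SCANNER%" (
    echo Could not copy mbam.exe - the scanner may be blocked on this machine.
    exit /b 2
)

rem The support-provided sequence: /logtofile on its own first (assumed to take the
rem log path and exit), then the scan. start /wait blocks until each run exits.
start "" /wait "%SCANNER%" /logtofile "%OUTLOG%"
start "" /wait "%SCANNER%" /fullauto
del /Q "%SCANNER%"

if exist "%OUTLOG%" goto done

rem Fallback (fisofo's approach): take whatever MBAM wrote to its own logs folder.
if exist "%MBAM_LOGDIR%\*.txt" copy /Y "%MBAM_LOGDIR%\*.txt" "%OUTLOG%" >nul
if exist "%OUTLOG%" goto done

rem No log at all: the scan did not complete (malware stopping it, or something on the
rem endpoint denying the file access). Leave a marker the procedure can test and alert on.
echo No MBAM log on %COMPUTERNAME% at %DATE% %TIME% > "%OUTDIR%\mbam-nolog.txt"
exit /b 1

:done
echo MBAM log collected at %OUTLOG%
exit /b 0
```

The exit codes let the Kaseya procedure branch on the result: 0 means the log is in the agent temp directory ready to e-mail or parse, 1 means the scan produced nothing and the marker file should raise an alert, 2 means the scanner itself could not be staged, which on an infected host is worth an alert of its own.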
  • ReedMikel
    MBAM's programmers must have been drunk the night they wrote the code for the /LogToFile command line switch. It took me a while, but eventually their support told me to execute a MBAM.exe /logtofile command all by itself. Then execute MBAM.exe /fullauto (or whatever scanning switch you want). You'll then find it creates the log file at the location (and filename) you specified. I have never seen such stupid programming of command line switches. Then again, MB is a very odd company. They can take forever (weeks) to reply to emails - even when you are inquiring about purchasing. While the product is good for scanning, I'm fearful they'll go out of business because of their slow responses to sales and support issues...


    I know, I thought they were joking when they told me that! Seriously?!? You can't run it in a single line? Never seen THAT one before.

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: fisofo
  • New version up: http://www.malwarebytes.org/

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: SMason
  • My strange logging issues continue in v1.42 it seems... I'm contacting them again to see what we can figure out...

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: fisofo
  • What command line(s) are you using in your script? Maybe you could post your script - or at least the Steps that run MBAM.exe?

    fisofo
    My strange logging issues continue in v1.42 it seems... I'm contacting them again to see what we can figure out...


    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: ReedMikel
  • For those interested, I was mistaken in my last assertion... it appears the logging issue I had is related to either the Application Blocker or the network access driver! I'm pretty sure the Application Blocker is at fault, as I believe that was the last thing I disabled before it started working on the machine I was testing, but I need to do a bit more testing... I've also contacted Kaseya to see what their thoughts are.

    Anyway, that's the latest so far!

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: fisofo
  • Interesting, as I too did not get a log file from a MBAM scan last week on my Virtual PC test machine using a script that has worked for months. I had just enabled Application Blocker on this machine using the list of files in this thread. I also had updated MBAM to their latest v1.42. But I am almost 100% sure that it will turn out to be Application Blocker that's the culprit. Another symptom was that my script never sent an email (containing the log) - and MBAM.exe was still showing in Task Mgr's Process list long after it should have completed. My intuition is that Appl Blocker is the culprit and needs to be looked at by Kaseya. I am going to try to reproduce this issue and create a ticket with them...

    fisofo
    For those interested, I was mistaken in my last assertion... it appears the logging issue I had is related to either the Application Blocker or the network access driver! I'm pretty sure the Application Blocker is at fault, as I believe that was the last thing I disabled before it started working on the machine I was testing, but I need to do a bit more testing... I've also contacted Kaseya to see what their thoughts are.

    Anyway, that's the latest so far!


    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: ReedMikel
  • ReedMikel
    Interesting, as I too did not get a log file from a MBAM scan last week on my Virtual PC test machine using a script that has worked for months. I had just enabled Application Blocker on this machine using the list of files in this thread. I also had updated MBAM to their latest v1.42. But I am almost 100% sure that it will turn out to be Application Blocker that's the culprit. Another symptom was that my script never sent an email (containing the log) - and MBAM.exe was still showing in Task Mgr's Process list long after it should have completed. My intuition is that Appl Blocker is the culprit and needs to be looked at by Kaseya. I am going to try to reproduce this issue and create a ticket with them...


    Misery loves company, and it's nice to know I'm not going crazy. The MBAM tech support guys couldn't make heads or tails of the issue and said no one else had the problem... makes sense now!

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: fisofo
  • As another note and confirmation.... I just tested and yes, the problem I was having with the /logtofile switch seems to be resolved by removing Blocked applications from application blocker.

    The other thing I noticed is it seemed ALL my users were infected with xpa.exe, antiviirus.exe and sysguard.exe these were all "applications" I had blocked on my machines. I scanned a machine, saw it was infected by those 3, then UNBLOCKED them and rescanned and it didn't show as infected.

    I was beginning to think the Application Blocker did NOTHING AT ALL, but now I think MBAM for some reason thinks they are there when they are blocked. Not sure, but that is what I was seeing; can anyone else confirm?

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: viper222
  • Hey Viper222,
    I have a ticket open with K for some time now concerning the false alerts from Appl Blocker. Here is a copy of that ticket:

    [Ticket Notes ~ticId='205363']
    Ticket ID: 205363
    ---------------------------------------------------------
    Author: KASEYA
    Date: 14:57:30 12-Mar-10
    It is correct. Sorry about the inconvenience.
    ---------------------------------------------------------
    Author: ReedMikel
    Date: 14:30:24 12-Mar-10
    So there will not be anything for K5? I'm waiting for less users to report problems before upgrading to K2...
    Thanks for the quick replies!

    ---------------------------------------------------------
    Author: KASEYA
    Date: 14:27:33 12-Mar-10
    The fix will be in K2 v6.1. I don't have the release date.
    ---------------------------------------------------------
    Author: ReedMikel
    Date: 14:24:24 12-Mar-10
    What is the approximate time frame for the "next major release"? Will it be for both K5 and K2?

    ---------------------------------------------------------
    Author: KASEYA
    Date: 14:20:36 12-Mar-10
    Hi Mike,

    We have fixed the driver and have been working on the compatibility testing across the different OS platforms. But unfortunately the driver update cannot be delivered as a hotfix, as I stated before. It requires agent reinstallation. The fix and some other driver changes will be included in the next major release. Sorry about the inconvenience.

    Regards,
    Eric
    ---------------------------------------------------------
    Author: Mike Reed
    Date: 06:34:40 12-Mar-10
    Hi Eric,
    What is the status of this fix? We still cannot use Application Blocker because of the high number of false alerts it generates. If you were to fix this, Application Blocker could be a powerful tool to help prevent malware infections...

    Thanks,
    -Mike
    ---------------------------------------------------------
    Author: KASEYA
    Date: 10:13:16 19-Jan-10
    Hi Mike,
    Thanks for the information. I did find out that Application Blocker responds too early, by examining the code. But to fix that problem in the driver, it requires some extra work and time to verify that it is working properly. We will have a dedicated person working on this problem, and it should be available via hotfix once it is ready.

    Thanks!
    Eric
    ---------------------------------------------------------
    Author: Mike Reed
    Date: 11:42:48 18-Jan-10
    Did the programming info I sent you on 1/14 help Eric?
    ---------------------------------------------------------
    Author: ReedMikel
    Date: 13:05:12 14-Jan-10
    Hi Eric,
    Being a programmer, I just tried using MS FoxPro for Windows (database language) to see if I could trigger an alert from Application Builder:

    It was very easy to get an alert: all I did was execute a FOPEN('c:\seres.exe') function in Foxpro (seres.exe is in Appl Blocker's list of blocked files). FOPEN() is used to do a low level open of a file. The particular FOPEN() syntax I used attempts to open the file seres.exe in a READ-ONLY mode. This attempt to open the file in a read-only mode caused the following alert on my virtual machine vpc-xpsp3.compusolve:

    "File access to C:\SERES.EXE has been denied to ntvdm"

    In my opinion your Application Blocker is hooked into the operating system a little too soon, as simply *testing* for the presence of a blocked file will trigger an Appl Blocker alert. Many programmers will use code like the FOPEN() function to quickly test for the presence of a file - even though they have no intention of actually using the file. e.g. if FOPEN('c:\seres.exe') succeeded (returning a numeric file handle), I would then immediately do a FCLOSE() on it to close the file. If I were writing AntiVirus software, I would then flag the fact that a known malicious file (seres.exe) exists and prepare to disinfect it.

    Bottom line: I do not think an alert should occur for *read-only* attempts to open a *non-existent* file.

    I hope this helps you better understand why some AV/AS software triggers false positives.


    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: ReedMikel