Discovery and Deployment Tool and installation troubleshooting

Document created by aprobert (Employee) on Aug 15, 2017. Last modified by aprobert (Employee) on Apr 18, 2019. Version 41.

Learn techniques for troubleshooting the Malwarebytes' Discovery and Deployment Tool.

This article covers the sequencing and processes of installation, then provides diagnostic tips using commonly available commands built into Windows.

 

Choosing a deployment tool

If using a pre-existing generic deployment tool for MSI packages, then it is simpler to use that same tool for Malwarebytes packages, which avoids the need to establish new procedures, open firewall ports, and arrange connectivity.

 

There are many commonly available tools, such as Microsoft's Active Directory GPO or SCCM, and third-party tools such as LanSweeper. PDQ Deploy is a generic tool with a free single-user licence that can deploy MSIs from multiple vendors - Deploy Software with PDQ Deploy - PDQ.com

 

Key Constraints for MSP/Multi-Account Usage (as at April 2019)

The tool is hardcoded to retrieve installer packages for the specific account from which it was downloaded.

It is best to download the tool to a workstation that is unique to each account (for example, by remoting into the customer's site), then deploy from that workstation.

The MSP requirements are under review.

 

Deployment using the tool

Refer to the Administration guide for instructions on running this tool, and for screenshots.

 

For deeper diagnosis, the tool logs internally to:

  • %programdata%\Malwarebytes Discovery and Deployment Tool\logs\ea-pushdeploy-log.txt
  • a separate log file per endpoint contacted. An example log file is at the end of this support article.

 

Common messages and errors

There are a number of commonly occurring messages that may be seen on screen or in the log files, so these are listed at the beginning of this article for easy reference. If further investigation or understanding is required, read on.

 

Waiting for Deployment Resources / Try Again - The deployment tool retrieves the installers from Cloud Management into:

x:\ProgramData\Malwarebytes Discovery and Deployment\RemotePush\

  • Setup.Full.MBEndpointAgent.exe
  • Setup.Full.MBEndpointAgent.XP2003.exe

The request will show as queued until these resources have been downloaded.

 

ErrorMessage:System.IO.IOException: An attempt was made to logon, but the network logon service was not started

The Microsoft Netlogon service maintains a secure channel between the target computer and the domain controller for authenticating users and services.

If this service is stopped, the computer may not be able to authenticate users and services, and the domain controller cannot register DNS records.

If this service is disabled, any services that explicitly depend on it will fail to start.

Resolution: Check the state of the Netlogon service on the target endpoint and start it. The SC commands shown in the verification steps later in this article work for Netlogon too.

 

ErrorMessage:System.UnauthorizedAccessException: Access to the path '\\xxx.xxx.xxx.xxx\ADMIN$\MBRemoteExec-ppppp-hostname.exe' is denied

The credentials supplied have a wrong username or password, or the account is not an administrator on the target.

Try a domain\domainadmin credential for your site.

For non-domain sites, the credential 127.0.0.1\ADMINISTRATOR needs to be used. See the workgroup verification steps below, as there are setup prerequisites (the local Administrator account must be enabled and Remote UAC token filtering turned off).

See the diagnostic notes about using the Windows NET USE command to diagnose faults independently of the D&D Tool.

 

ErrorMessage:WMI Technique: Error in Wmi Deploy technique for target: Host name: host.domain; Domain name: domain; . Error: System.Runtime.InteropServices.COMException (0x800706BA): The RPC server is unavailable. (Exception from HRESULT: 0x800706BA)

WMI is used to initiate the installation service, but the WMI service on the target is not reachable or not responding. Further details are available in the support article Allow WMI through Windows Firewall for Endpoint Security. WMI connects to the endpoint on TCP 135 (the RPC endpoint mapper) and DCOM then negotiates a dynamic high port for the rest of the session, so the customer's firewalls must allow that traffic (on Windows Firewall, the 'Windows Management Instrumentation (WMI)' inbound rule group).

 

ErrorMessage:Error copying files out to the admin share of: Host name: xxx.xxx.xxx.au; Domain name: xxx.xxx.au; IP Address(es): IP Address: 10.0.0.115, ; : Error: Unknown, 53

This most typically corresponds to the Windows message "System error 53 has occurred. The network path was not found." Diagnosis should proceed to determine why the ADMIN$ share cannot be mounted: name resolution, File and Print Sharing being off, or the administrative shares having been removed.

 

Deployment is Returning 'Successful' to the D&D Tool, but not proceeding

  • Check whether the section following ***** MSI LOGS **** is empty, which indicates the MSI failed to start.
    • Manually run Add/Remove Programs on the endpoint to check for a prior incomplete installation or uninstallation. Remove it if found.
  • Check that x:\Windows does not contain orphan files from a prior run, and delete them if present:
    • Setup.Full.MBEndpointAgent.exe
    • Setup.Full.MBEndpointAgent.XP2003.exe

 

Windows Server 2008 D&D Tool cannot connect to cloud.malwarebytes.com

By default, Internet access is locked down on this server. To change the lockdown, refer to the note Disable Internet Explorer Enhanced Security Configuration (IE ESC) in Windows Server 2008 R2 – 4sysops. Alternatively, run the Discovery and Deployment Tool from a different endpoint.

 

D&D Tool Reported Successful Installation, but endpoint not showing in Cloud Management

Review the MBEndpointAgent log file for errors and connectivity issues: the MBEndpointAgent service continues to run after the deployment tool reports success, in order to complete the installation. Log entries are found in:

  • For Windows Vista and above: %programdata%\Malwarebytes Endpoint Agent\Logs\EndpointAgent.txt
  • For Windows XP/2003 (which have no %programdata%): %systemdrive%\documents and settings\administrator\malwarebytes endpoint agent\logs
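The messages above can be matched mechanically. The following PowerShell function is an added example, not part of the Discovery and Deployment Tool: it scans D&D log lines for the signatures listed in this section and reports the likely cause and fix. The patterns are taken from the messages above; the sample lines at the end are constructed, not real tool output.

```powershell
# Added example: classify known D&D Tool failure signatures from its log files.
# Patterns are the messages listed in this section; the sample lines below are constructed.

$script:KnownIssues = @(
    @{ Pattern = 'network logon service was not started'
       Cause   = 'Netlogon service stopped on the target'
       Fix     = 'Start Netlogon on the target endpoint' }
    @{ Pattern = 'UnauthorizedAccessException.*ADMIN\$'
       Cause   = 'Credentials rejected for the ADMIN$ share'
       Fix     = 'Use domain\domainadmin, or 127.0.0.1\Administrator for workgroup endpoints; verify with NET USE' }
    @{ Pattern = '0x800706BA|RPC server is unavailable'
       Cause   = 'WMI/DCOM unreachable (TCP 135 plus dynamic ports blocked, or winmgmt stopped)'
       Fix     = 'Allow WMI through the firewall and confirm winmgmt is running' }
    @{ Pattern = 'Error copying files out to the admin share.*Error: Unknown, 53'
       Cause   = 'System error 53: network path not found (ADMIN$ not reachable)'
       Fix     = 'Check name resolution, File and Print Sharing, and that ADMIN$ exists (NET SHARE)' }
    @{ Pattern = 'Waiting for Deployment Resources'
       Cause   = 'Installer packages not yet downloaded to the RemotePush folder'
       Fix     = 'Wait for the downloads to finish, then retry' }
)

function Get-DnDLogIssues {
    param(
        [Parameter(Mandatory)] [string[]] $LogLine
    )
    $results = @()
    foreach ($line in $LogLine) {
        foreach ($issue in $script:KnownIssues) {
            if ($line -match $issue.Pattern) {
                # Pull out the target address when the line carries one, for grouping.
                $target = $null
                if ($line -match '(\d{1,3}(?:\.\d{1,3}){3})') { $target = $Matches[1] }
                $results += [pscustomobject]@{
                    Target = $target
                    Cause  = $issue.Cause
                    Fix    = $issue.Fix
                    Line   = $line
                }
                break   # first matching signature wins
            }
        }
    }
    return $results
}

function Get-DnDLogIssuesFromFile {
    # Default is the tool's own log path given above; pass a per-endpoint log to triage one host.
    param([string] $Path = "$env:ProgramData\Malwarebytes Discovery and Deployment Tool\logs\ea-pushdeploy-log.txt")
    Get-DnDLogIssues -LogLine (Get-Content -Path $Path)
}

# Constructed sample lines (not real output) so the classifier can be exercised offline.
$sample = @(
    '2019-01-02 17:50:12,797 pid:10884 [16] INFO MBRemoteTechnique - Attempting deploy to target with IP: 10.0.0.10',
    'ErrorMessage:System.UnauthorizedAccessException: Access to the path ''\\10.0.0.11\ADMIN$\MBRemoteExec-10884-HOST.exe'' is denied',
    'ErrorMessage:WMI Technique: Error in Wmi Deploy technique for target: Host name: pc12.corp.local; . Error: System.Runtime.InteropServices.COMException (0x800706BA): The RPC server is unavailable.',
    'ErrorMessage:Error copying files out to the admin share of: Host name: pc13.corp.local; IP Address(es): IP Address: 10.0.0.13, ; : Error: Unknown, 53'
)
Get-DnDLogIssues -LogLine $sample | Format-Table Target, Cause -AutoSize
```

The first sample line is an ordinary INFO entry and produces no result; the other three map to the ADMIN$ credential, RPC/WMI and error 53 entries above. Extend $script:KnownIssues with your own per-site patterns as you encounter them.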

 

Common Return Codes from MSI Exec

The Microsoft Installer codes are listed here: MsiExec.exe and InstMsi.exe Error Messages (Windows)

Error code                          Value  Description
ERROR_SUCCESS                       0      The action completed successfully.
ERROR_INSTALL_USEREXIT              1602   The user cancelled the installation.
ERROR_INSTALL_FAILURE               1603   A fatal error occurred during installation.
ERROR_UNKNOWN_PROPERTY              1608   This is an unknown property.
ERROR_INSTALL_SOURCE_ABSENT         1612   The installation source for this product is not available. Verify that the source exists and that you can access it.
ERROR_INSTALL_ALREADY_RUNNING       1618   Another installation is already in progress. Complete that installation before proceeding with this install. For information about the mutex, see _MSIExecute Mutex.
ERROR_INSTALL_PACKAGE_OPEN_FAILED   1619   This installation package could not be opened. Verify that the package exists and is accessible, or contact the application vendor to verify that this is a valid Windows Installer package.
ERROR_INSTALL_LOG_FAILURE           1622   There was an error opening the installation log file. Verify that the specified log file location exists and is writable.
ERROR_PRODUCT_VERSION               1638   Another version of this product is already installed. Installation of this version cannot continue. To configure or remove the existing version of this product, use Add/Remove Programs in Control Panel.
ERROR_INVALID_COMMAND_LINE          1639   Invalid command line argument. Consult the Windows Installer SDK for detailed command-line help.
ERROR_SUCCESS_REBOOT_INITIATED      1641   The installer has initiated a restart. This message indicates success.
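When installing the agent MSI by hand (the alternative suggested for .NET problems below), it helps to capture a verbose log and translate the exit code automatically. The following PowerShell is an added example, not Malwarebytes code: the function name, the log directory and the package path in the usage line are assumptions; the exit-code meanings are those in the table above, plus 3010, which is not in the table but is common.

```powershell
# Added example (not part of the Malwarebytes tool): run an MSI with a verbose log
# and translate the msiexec exit code using the table above. The function name,
# the log location and the package path in the usage line are assumptions.

$script:MsiExitCodes = @{
    0    = 'ERROR_SUCCESS'
    1602 = 'ERROR_INSTALL_USEREXIT'
    1603 = 'ERROR_INSTALL_FAILURE (fatal error; search the log for "Return value 3")'
    1608 = 'ERROR_UNKNOWN_PROPERTY'
    1612 = 'ERROR_INSTALL_SOURCE_ABSENT'
    1618 = 'ERROR_INSTALL_ALREADY_RUNNING (another install holds the _MSIExecute mutex)'
    1619 = 'ERROR_INSTALL_PACKAGE_OPEN_FAILED'
    1622 = 'ERROR_INSTALL_LOG_FAILURE'
    1638 = 'ERROR_PRODUCT_VERSION (another version already installed)'
    1639 = 'ERROR_INVALID_COMMAND_LINE'
    1641 = 'ERROR_SUCCESS_REBOOT_INITIATED'
    3010 = 'ERROR_SUCCESS_REBOOT_REQUIRED (success; reboot pending)'   # not in the table above, but common
}

function Test-MsiInProgress {
    # Windows Installer holds the Global\_MSIExecute mutex for the duration of an
    # install; if it exists, msiexec would return 1618, so check before starting.
    try {
        $m = [System.Threading.Mutex]::OpenExisting('Global\_MSIExecute')
        $m.Dispose()
        return $true
    } catch {
        $ex = $_.Exception
        if ($ex.InnerException) { $ex = $ex.InnerException }
        # "Not found" means no install is running; "access denied" means it exists under another account.
        return -not ($ex -is [System.Threading.WaitHandleCannotBeOpenedException])
    }
}

function Install-MsiPackage {
    param(
        [Parameter(Mandatory)] [string] $MsiPath,
        [string]   $LogDir   = "$env:ProgramData\MsiLogs",   # assumed location
        [string[]] $Property = @()                           # extra PUBLIC=value pairs
    )
    if (-not (Test-Path -LiteralPath $MsiPath)) {
        return [pscustomobject]@{ ExitCode = 1619; Meaning = $script:MsiExitCodes[1619]; LogPath = $null }
    }
    if (Test-MsiInProgress) {
        return [pscustomobject]@{ ExitCode = 1618; Meaning = $script:MsiExitCodes[1618]; LogPath = $null }
    }
    New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
    $stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
    $logPath = Join-Path $LogDir ('{0}-{1}.log' -f [IO.Path]::GetFileNameWithoutExtension($MsiPath), $stamp)

    # /qn silent, /L*V verbose log (an unwritable $LogDir is the 1622 case),
    # REBOOT=ReallySuppress turns a forced restart into exit code 3010.
    $msiArgs = @('/i', ('"{0}"' -f $MsiPath), '/qn', '/L*V', ('"{0}"' -f $logPath), 'REBOOT=ReallySuppress') + $Property
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
    $code = [int]$proc.ExitCode
    $meaning = 'not in the table above; see the Microsoft list linked above'
    if ($script:MsiExitCodes.ContainsKey($code)) { $meaning = $script:MsiExitCodes[$code] }
    [pscustomobject]@{ ExitCode = $code; Meaning = $meaning; LogPath = $logPath }
}

# Usage (package path is hypothetical):
# Install-MsiPackage -MsiPath 'C:\Temp\EndpointAgent.msi' | Format-List
```

The mutex check is the same _MSIExecute mutex referred to in the 1618 row; testing it first avoids starting an install that would fail immediately while a previous installation (or a Windows Update) is still running.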
.NET Framework errors

How to check .NET versions - How to: Determine which .NET Framework versions are installed | Microsoft Docs
.NET Repair Tool - https://support.microsoft.com/en-au/help/2698555/microsoft-net-framework-repair-tool-is-available
4 ways to repair or remove .NET - 4 Ways to Repair or Remove Microsoft .NET Framework • Raymond.CC
A better approach is to pre-install .NET separately; the tool should then detect it as already installed and skip it.
.NET list of 'offline' installer redistributables - .NET Framework deployment guide for developers | Microsoft Docs
0x800713ec

Seen on a Windows 2008 R2 SP1 server.

  • Download .NET 4.7 from Microsoft and install it separately: https://support.microsoft.com/en-au/help/3186500/the-net-framework-4-7-web-installer-for-windows
  • Install the Endpoint Agent using the MSI instead of the full installer that bundles the .NET prerequisites.

0x80070643: Failed to install MSI package

Seen with the EXE installer.

 

Two approaches

Approach 1 - Repair Windows components

Run this Microsoft utility to fix potentially damaged components:

SFC /scannow

If that does not complete successfully, then use this command:

DISM /Online /Cleanup-Image /RestoreHealth

Approach 2 - Workaround: install .NET independently

Download an offline .NET Framework installer and deploy it separately, independently of Malwarebytes, to get .NET up and running:

.NET 4.7.2
https://support.microsoft.com/en-au/help/4054530/microsoft-net-framework-4-7-2-offline-installer-for-windows

.NET 4.5.2
https://www.microsoft.com/en-au/download/details.aspx?id=42642

Resolve .NET Framework errors

Install Malwarebytes using the MSI installer (not the EXE).

Alternatively, use the D&D Tool; it will report .NET as already installed.

Windows Server 2003 Problems (No Longer Supported)

Windows Server 2003 is end-of-life. The following constraints applied while it was supported:

  • Must be Windows 2003 R2 SP2: Version 5.2 R2 (Build 3790.srv03_sp2_qfe.150316-2035 : Service Pack 2)
  • Must have KB 968730 SHA2 and Windows

If the following DigiCert CA certificates are not present, install them from https://www.digicert.com/digicert-root-certificates.htm

DigiCert High Assurance EV Root CA

  Valid until: 10/Nov/2031
  Serial #: 02:AC:5C:26:6A:0B:40:9B:8F:0B:79:F2:AE:46:25:77
  Thumbprint: 5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25

DigiCert EV Code Signing CA (SHA2)

  Issuer: DigiCert High Assurance EV Root CA
  Valid until: 18/Apr/2027
  Serial #: 03:F1:B4:E1:5F:3A:82:F1:14:96:78:B3:D7:D8:47:5C
  Thumbprint: 60EE3FC53D4BDFD1697AE5BEAE1CAB1C0F3AD4E3

MBAMService – errors seen in its log on an unpatched Server 2003:

  "**** Error 0x7e importing crypto functions"
  Could not install MBAMProtection service (1243)
  Failed to install Rtp SDK; status=3
  Failed to install RTP SDK!
  Could not start protection.

WARNING - Check this visually, as MBAMService keeps running even though protection did not start.

KB 968730 - https://support.microsoft.com/en-us/help/968730/windows-server-2003-and-windows-xp-clients-cannot-obtain-certificates
Background information: https://support.microsoft.com/en-us/help/938397/applications-that-use-the-cryptography-api-cannot-validate-an-x-509-ce
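The certificate requirement above can be verified on the endpoint rather than inferred from MBAMService's log. The following PowerShell is an added example, not Malwarebytes code: it checks for KB968730, for the two DigiCert certificates (by the thumbprints listed above) in the machine stores, and builds the Authenticode chain of the installer to see which intermediate and root it lands on. It is kept to PowerShell 2.0 syntax so it also runs on Server 2003 R2 / XP with Windows Management Framework 2.0 installed. The assumption that the installer is signed through the listed EV Code Signing CA (SHA2) is taken from this section; adjust $ExpectedIssuerThumbprint if a build is signed through a different intermediate.

```powershell
# Added example (not part of the Malwarebytes tool): check that an endpoint can
# validate the installer's SHA-2 code-signing chain, using the two DigiCert
# thumbprints listed above. Kept to PowerShell 2.0 syntax so it also runs on
# Windows Server 2003 R2 / XP with Windows Management Framework 2.0 installed.

$ExpectedRootThumbprint   = '5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25'   # DigiCert High Assurance EV Root CA
$ExpectedIssuerThumbprint = '60EE3FC53D4BDFD1697AE5BEAE1CAB1C0F3AD4E3'   # DigiCert EV Code Signing CA (SHA2)

function Test-Sha2Hotfix {
    # KB968730 adds SHA-2 certificate support on Server 2003 / XP.
    $hf = Get-HotFix -Id 'KB968730' -ErrorAction SilentlyContinue
    return ($hf -ne $null)
}

function Test-CertInStore {
    param([string] $Thumbprint, [string] $StoreName)
    # Looks in the LocalMachine store named by $StoreName (Root or CA).
    $hit = Get-ChildItem -Path "Cert:\LocalMachine\$StoreName" | Where-Object { $_.Thumbprint -eq $Thumbprint }
    return ($hit -ne $null)
}

function Test-InstallerSignature {
    param([Parameter(Mandatory=$true)] [string] $Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result = New-Object PSObject -Property @{
        File              = $Path
        Status            = $sig.Status         # Valid, NotSigned, HashMismatch, UnknownError ...
        StatusMessage     = $sig.StatusMessage
        Signer            = $null
        IssuerThumbprint  = $null
        RootThumbprint    = $null
        ChainOk           = $false
        RootInStore       = (Test-CertInStore -Thumbprint $ExpectedRootThumbprint -StoreName 'Root')
        IssuerInStore     = (Test-CertInStore -Thumbprint $ExpectedIssuerThumbprint -StoreName 'CA')
        Sha2HotfixPresent = (Test-Sha2Hotfix)
    }
    if ($sig.SignerCertificate -eq $null) { return $result }
    $result.Signer = $sig.SignerCertificate.Subject

    # Build the chain explicitly to see which intermediate and root it lands on,
    # even when Get-AuthenticodeSignature only reports UnknownError.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $built = $chain.Build($sig.SignerCertificate)
    $certs = @($chain.ChainElements | ForEach-Object { $_.Certificate })
    if ($certs.Count -ge 2) {
        $result.IssuerThumbprint = $certs[1].Thumbprint               # element 0 is the signer itself
        $result.RootThumbprint   = $certs[$certs.Count - 1].Thumbprint
    }
    $rootOk   = ($result.RootThumbprint   -eq $ExpectedRootThumbprint)
    $issuerOk = ($result.IssuerThumbprint -eq $ExpectedIssuerThumbprint)
    $result.ChainOk = ($built -and $rootOk -and $issuerOk)
    return $result
}

# Usage, on the endpoint, against the installer the D&D Tool copied into %SystemRoot%:
# Test-InstallerSignature -Path 'C:\Windows\Setup.Full.MBEndpointAgent.exe' | Format-List
```

A result with Sha2HotfixPresent false, or RootInStore/IssuerInStore false, explains the "importing crypto functions" failure before any reinstall is attempted; ChainOk true with Status Valid means the endpoint can validate the signature and the problem lies elsewhere.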

 

Windows Script to Show Status from an Endpoint

In addition to viewing the deployment status in the console, there are two methods to check endpoint status: the Service Control Manager (SC) and WMI commands described under 'Checking remote service startup' later in this article.

 

Discovery phase insights

Scan Modes

 

Security

Your administrator credentials are only ever used locally, by you, within your network. They are never sent to Malwarebytes or stored by Malwarebytes.

 

Active Directory

The Discovery and Deploy tool queries Active Directory to find the group (OU) structure, which can optionally be copied to Cloud Management. If this is done, then endpoints added will appear in the designated groups. Valid credentials should be used.

Active Directory connectivity can be checked independently using PowerShell (this requires the ActiveDirectory module from RSAT) and optional credentials:

PS C:\> Get-ADOrganizationalUnit -Filter 'Name -like "*"' | Format-Table Name, DistinguishedName -AutoSize

To test with a specific account rather than the logged-in user, add -Credential (Get-Credential) to Get-ADOrganizationalUnit.

Network Scan

Individual IP addresses, IP ranges and CIDR ranges can be specified. Note that it is better to scan in chunks of 128 or 256 endpoints, or you may be waiting a long time for the initial discovery to complete.

File

List of IP addresses or hostnames

 

The underlying network discovery engine is NMAP. Deployment techniques are PAEXEC and/or WMI.

  • A command-line switch, -wmionly, can be passed to the tool to force the WMI technique; this is recommended for segmented networks.
  • If there are network reachability issues to other subnets, download the D&D Tool onto any endpoint in that subnet so that it runs locally.

 

Mac Deploy - The Discovery and Deploy tool queries Active Directory to find the computer names of Macs.

Here is an article on the procedure to bind (join) a Mac to Active Directory. Step 7 in the linked article is required to allow a domain administrator to configure the Mac - http://www.techrepublic.com/blog/apple-in-the-enterprise/integrate-macs-into-a-windows-active-directory-domain/

Many customers use other methods, e.g. JAMF, as a standardised method of deployment.

 

Deployment phase insights

There are two deployment modes: WMI, or MBRemote (which contains the PAEXEC engine, a redistributable clone of PSEXEC). The following diagram shows the key steps:

Deployment Sequence Diagram

 

Key points

  • The SMB share ADMIN$ (x:\Windows) is mounted on the remote endpoint, and the contents of the x:\ProgramData\Malwarebytes Discovery and Deployment\RemotePush\ folder are copied to the endpoint.
    • For MBRemote, a unique file/process MBRemoteExec-ppppp-hostname.exe is created in x:\Windows, then started as a service that receives commands over a named pipe.
    • The underlying technology is PAEXEC (a clone of PSEXEC). This is the same ADMIN$ copy, service creation and named-pipe pattern that PsExec-style lateral movement uses, so expect a System log event 7045 (service installed) for the MBRemoteExec-ppppp-hostname service on every target, and expect EDR products to flag the activity unless the deployment host and that service name pattern are allowed.

  • EAInstall.BAT starts.

  • STDOUT is used to capture the contents of various log files by means of a "TYPE .....log" command, for return to the Discovery and Deployment Tool.
    • Setup.Full.MBEndpointAgent.exe (or the XP2003 variant) is run; the MSIs are extracted and run.

    • The MBEndpointAgent service installs, starts, and continues to run.
      • EndpointAgent.txt is the activity log, which is not returned to the Discovery and Deployment Tool.
      • Failures subsequent to installation, such as lack of connectivity to the management server, are viewable in this log.
        • This log is retrieved in a ZIP file by the diagnostic utility MBCloudEA.exe -diag

  • The MalwarebytesService executables are subsequently retrieved and installed.
    • That service has its own directories and logs.
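Because the push service is installed through the Service Control Manager, the target's own System event log records whether it was ever installed and started, independently of what the D&D Tool reports. The following PowerShell is an added example, not Malwarebytes code: it reads the 7045 (service installed) and 7036 (service entered running/stopped state) events and filters them to the MBRemoteExec-<pid>-<host> naming seen in the log example later in this article (MBRemoteExec-10884-DESKTOP-TWO). The function names and the -Since default are assumptions.

```powershell
# Added example (not part of the Malwarebytes tool): confirm on the target endpoint
# that the MBRemoteExec push service was installed and ran, from the System log.
# Event 7045 = service installed (EventData: ServiceName, ImagePath, ServiceType,
# StartType, AccountName). Event 7036 = service entered the running/stopped state.

function Get-RemotePushServiceEvents {
    param(
        [string]   $ComputerName = $env:COMPUTERNAME,
        [datetime] $Since        = (Get-Date).AddDays(-1),
        [string]   $NamePattern  = '^MBRemoteExec-\d+-'     # MBRemoteExec-<pid>-<host>
    )
    $filter = @{ LogName = 'System'; Id = 7045; StartTime = $Since }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Read the named EventData fields from the event XML rather than parsing the message text.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data.ServiceName -match $NamePattern) {
            [pscustomobject]@{
                Time        = $e.TimeCreated
                ServiceName = $data.ServiceName
                ImagePath   = $data.ImagePath     # expected under x:\Windows, per the key points above
                StartType   = $data.StartType
                Account     = $data.AccountName
                Computer    = $e.MachineName
            }
        }
    }
}

function Get-RemotePushServiceState {
    # 7036 entries show the push service starting and stopping; 7034/7031 would mean it crashed.
    param(
        [string]   $ComputerName = $env:COMPUTERNAME,
        [datetime] $Since        = (Get-Date).AddDays(-1)
    )
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{ LogName = 'System'; Id = 7036; StartTime = $Since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'MBRemoteExec-\d+-' } |
        Select-Object TimeCreated, Message
}

# Usage: run elevated on the target, or point -ComputerName at it with event log access.
# Get-RemotePushServiceEvents | Format-Table -AutoSize
# Get-RemotePushServiceState  | Format-Table -AutoSize
```

No 7045 entry means the copy to ADMIN$ or the service creation never happened on this host, which points back at the credential and share checks; a 7045 followed by a 7036 "running" and then "stopped" entry means the push service did its job and any remaining problem is in EAInstall.BAT or the MSI.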

 

Diagnostic and technical verification tests

Read log files for common errors relating to:

  • Discovery and Deployment Tool Unable to copy files e.g. 'Admin share'.
  • Discovery and Deployment Tool Unable to start remote processes e.g. authentication errors, WMI errors, ServiceController (SC) errors.
  • Returned client errors.

 

The following structured set of technical verification tests checks your environment using basic commands, focusing only on infrastructure and connectivity, independently of the Discovery and Deployment Tool. When using explicit commands an endpoint does not need to be 'pingable'; some endpoints block ICMP. CMD.EXE needs to be run as administrator.

 

Domain-joined endpoints

 

Step 1 - Check if the endpoint has File and Print Sharing enabled

Ensure File and Print Sharing is enabled via the Windows GUI. Alternatively, view the shares using the Windows command NET SHARE.

 

  1. Enable File and Print Sharing – The instructions vary with Windows version. File and Print Sharing defaults to Off if endpoints are on 'Public' networks; the network profile needs to be 'Domain' or 'Private'. Without this setting, MSRPC (TCP 135), IPC$ and SMB (TCP 445), and with them access to ADMIN$, are disabled or firewalled off.

  2. Re-instate/re-enable ADMIN$ – If the administrative shares have been removed, re-instate them. The process, security implications and registry key to reinstate are in the following Microsoft article: https://support.microsoft.com/en-us/help/842715/overview-of-problems-that-may-occur-when-administrative-shares-are-mis
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters 0x00000001
  • Restart. If you do not wish to use these shares, then a different software deployment process/tool should be selected.

 

Step 2 - Check if credentials work on the endpoint

Try variants of credentials on the endpoint itself to mount the ADMIN$ share on the target workstation, until you have a working, understood set of credentials and authentication, locally, without any intervening firewalls or connectivity concerns. Run the Windows Command prompt as administrator.

 

  1. Check the domain credential. Delete the mapping after each try. Passing * in place of the password makes NET USE prompt for it, so the password does not end up in the command history or in the process command line.

  2. Authenticate via the loopback address, which does not traverse the network adapter:

    > NET USE * \\127.0.0.1\ADMIN$ /USER:domain\userid * /PERSISTENT:NO
    Type the password for \\127.0.0.1\admin$:

    Drive Y: is now connected to \\127.0.0.1\admin$
    The command completed successfully
    > NET USE Y: /DELETE

  3. Authenticate using the IP address:
    > NET USE * \\10.x.x.x\ADMIN$ /USER:domain\userid * /PERSISTENT:NO

  4. Authenticate using the DNS name or NetBIOS name:
    > NET USE * \\hostname\ADMIN$ /USER:domain\userid * /PERSISTENT:NO

 

Step 3 - Check connectivity from deployment endpoint

Now you have a set of working credentials.

 

From the endpoint you want to host the Discovery and Deployment Tool, on the same subnet/LAN segment, check Domain Credential:

NET USE * \\10.x.x.x\ADMIN$ /USER:domain\userid * /PERSISTENT:NO

NET USE x: /DELETE

NET USE * \\hostname\ADMIN$ /USER:domain\userid * /PERSISTENT:NO

NET USE x: /DELETE

 

 

Step 4 - Check service controller connectivity from the deployment endpoint

This checks the ability to reach the remote Service Control Manager, by querying the Remote Procedure Call Endpoint Mapper service (which listens on TCP 135 for RPC clients such as WMI) and confirming that it is running.

 

Check Remote Procedure Call while logged in as a Domain Admin:

> SC \\10.x.x.x QUERY RpcEptMapper

SERVICE_NAME: RpcEptMapper
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

 

Step 5 - Check WMI connectivity from the deployment endpoint

This checks the ability to access Windows Management Instrumentation, by confirming that the Windows Management service (winmgmt) is running. WMI is reached through the RPC endpoint mapper on TCP 135, and DCOM then negotiates dynamic ports for the subsequent communication. For more information, see: Setting up a Remote WMI Connection - Windows applications | Microsoft Docs

 

Check WMI Service listener is running while logged in as a Domain Admin:

> WMIC /node:10.0.0.10 /user:domain\administrator service WHERE "Name = 'winmgmt'" get Name^,StartMode^,State^,Status
Enter the password :*********

Name StartMode State Status
winmgmt Auto Running OK

 

> WMIC /node:hostname /user:domain\administrator service WHERE "Name = 'winmgmt'" get Name^,StartMode^,State^,Status
Enter the password :*********

Name StartMode State Status
winmgmt Auto Running OK

 

If the above commands fail, ensure the service is started. Check the firewall settings to ensure WMI is allowed in.

 

Non-domain separate or workgroup endpoints

 

Step 1 - Check the endpoint has File and Print Sharing enabled

Ensure File and Print Sharing is enabled via the Windows GUI. Alternatively, view the shares using the Windows command NET SHARE.

 

  1. Enable File and Print Sharing – Instructions vary with Windows version. File and Print Sharing defaults to Off if endpoints are on 'Public' networks; the network profile needs to be 'Domain' or 'Private'. Without this setting, MSRPC (TCP 135), IPC$ and SMB (TCP 445), and with them access to ADMIN$, are disabled or firewalled off. For more information, see: https://www.wintips.org/how-to-enable-admin-shares-windows-7/

  2. Re-instate/re-enable ADMIN$ - If the administrative shares have been removed, re-instate them. The process, security implications and registry key to reinstate are in this Microsoft article: https://support.microsoft.com/en-us/help/842715/overview-of-problems-that-may-occur-when-administrative-shares-are-mis
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters 0x00000001
  • Restart. If you do not wish to use these shares, then a different software deployment process/tool should be selected.

   

  3. Disable Remote UAC token filtering (LocalAccountTokenFilterPolicy) - By default, a local administrator account that connects over the network receives a filtered, non-elevated token, so remotely initiated programs that need privilege are refused; the Microsoft article describes the setting: https://support.microsoft.com/en-au/help/942817/how-to-change-the-remote-uac-localaccounttokenfilterpolicy-registry-se. Setting the value to 1 turns the filtering off, by GPO or with this local command:

REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f

Security caveat: with this value set to 1, every local administrator account on the endpoint obtains a full-privilege token over the network, which is exactly what an attacker holding a stolen or reused local administrator password needs for lateral movement. Limit it to the deployment window and set it back to 0 (or delete the value) afterwards.
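The three settings above can be audited in one pass on the target before any remote attempt. The following PowerShell is an added example, not Malwarebytes code. It runs elevated on the endpoint and needs Windows 8 / Server 2012 or later for the NetSecurity and SmbShare cmdlets. AutoShareWks and AutoShareServer are the value names that KB 842715 documents for the LanmanServer\Parameters key listed in step 2; the function names are assumptions.

```powershell
# Added example (not part of the Malwarebytes tool): audit, and optionally apply,
# the local prerequisites from Steps 1-3 above on a workgroup endpoint. Run it
# elevated on the target; needs Windows 8 / Server 2012 or later for the
# NetSecurity and SmbShare cmdlets. AutoShareWks/AutoShareServer are the value
# names documented in KB 842715 for the registry key listed in Step 2.

$script:LanmanKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$script:UacKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-PushDeployPrereqs {
    # ProductType 1 = workstation (AutoShareWks); 2/3 = domain controller/server (AutoShareServer).
    $isServer      = (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -ne 1
    $autoShareName = if ($isServer) { 'AutoShareServer' } else { 'AutoShareWks' }

    # A missing value means the default, and the default is 1 (administrative shares created).
    $autoShare   = (Get-ItemProperty -Path $script:LanmanKey -Name $autoShareName -ErrorAction SilentlyContinue).$autoShareName
    $tokenFilter = (Get-ItemProperty -Path $script:UacKey -Name LocalAccountTokenFilterPolicy -ErrorAction SilentlyContinue).LocalAccountTokenFilterPolicy
    if ($null -eq $autoShare)   { $autoShare   = 'default (1)' }
    if ($null -eq $tokenFilter) { $tokenFilter = '0 (default: Remote UAC filtering on)' }

    $categories = (Get-NetConnectionProfile | Select-Object -ExpandProperty NetworkCategory) -join ','
    $fpsRules = Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound |
                Where-Object { $_.Enabled -eq 'True' }
    $wmiRules = Get-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)' -Direction Inbound |
                Where-Object { $_.Enabled -eq 'True' }

    [pscustomobject]@{
        AdminShareExists        = [bool](Get-SmbShare -Name 'ADMIN$' -ErrorAction SilentlyContinue)
        AutoShareName           = $autoShareName
        AutoShareValue          = $autoShare
        LocalAccountTokenFilter = $tokenFilter
        NetworkCategory         = $categories        # must be Domain or Private, not Public
        FilePrintSharingInbound = @($fpsRules).Count  # enabled inbound rules in the group
        WmiInboundRulesEnabled  = @($wmiRules).Count
        ServerServiceRunning    = ((Get-Service -Name LanmanServer).Status -eq 'Running')
    }
}

function Enable-PushDeployPrereqs {
    param([switch] $IncludeTokenFilter)
    # Step 2: ensure the administrative shares are created, then restart the Server
    # service so ADMIN$/C$/IPC$ reappear without a full reboot.
    foreach ($name in 'AutoShareWks', 'AutoShareServer') {
        New-ItemProperty -Path $script:LanmanKey -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
    }
    Restart-Service -Name LanmanServer -Force
    # Step 1: open File and Printer Sharing (SMB/IPC$) and WMI inbound on the host firewall.
    Enable-NetFirewallRule -DisplayGroup 'File and Printer Sharing'
    Enable-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)'
    # Step 3, opt-in only: every local administrator then gets a full token over the
    # network (useful to an attacker holding a reused local admin password), so set
    # LocalAccountTokenFilterPolicy back to 0 once deployment is done.
    if ($IncludeTokenFilter) {
        New-ItemProperty -Path $script:UacKey -Name LocalAccountTokenFilterPolicy -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

# Get-PushDeployPrereqs | Format-List
# Enable-PushDeployPrereqs -IncludeTokenFilter
```

Run Get-PushDeployPrereqs first and fix only what it reports; the token-filter change is deliberately behind a switch so that it is a conscious, temporary decision rather than a side effect of "making deployment work".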

 

Step 2 - Check if credentials work on the endpoint itself

Try variants of credentials on the endpoint itself to mount the ADMIN$ share on the target workstation, until you have a working, understood set of credentials and authentication, locally, without any intervening firewalls or connectivity concerns.

 

  1. Run the Windows Command prompt as administrator.

  2. Check the local Administrator (non-domain) credential. This alternative uses a local machine administrator credential. If the built-in Administrator account is not set up, the following commands show its status, set a password and enable it. Use a unique, strong password per endpoint and disable the account again after deployment: a single local Administrator password shared across endpoints lets anyone who recovers it from one machine log on to all of them.

    > NET USER ADMINISTRATOR

    .... shows current settings and status ...

    > NET USER ADMINISTRATOR *

    Type a password for the user:

    Retype the password to confirm:

    The command completed successfully

    > NET USER ADMINISTRATOR /ACTIVE:YES

    The command completed successfully

  3. Authenticate via the loopback address, which does not traverse the network adapter:

    > NET USE * \\127.0.0.1\ADMIN$ /USER:127.0.0.1\administrator * /PERSISTENT:NO
    Type the password for \\127.0.0.1\admin$:

    Drive Y: is now connected to \\127.0.0.1\admin$
    The command completed successfully

    > NET USE Y: /DELETE

  4. Authenticate using the IP address:
    > NET USE * \\10.x.x.x\ADMIN$ /USER:127.0.0.1\administrator * /PERSISTENT:NO

  5. Authenticate using the DNS name or NetBIOS name:
    > NET USE * \\hostname\ADMIN$ /USER:127.0.0.1\administrator * /PERSISTENT:NO
               

 

Step 3 - Check connectivity from the deployment endpoint

Now that you have a set of working credentials, from the endpoint you want to host the Discovery and Deployment Tool, on the same subnet/LAN segment, check the non-domain credentials (replace x: with the drive letter NET USE reports):

NET USE * \\10.x.x.x\ADMIN$ /USER:127.0.0.1\administrator * /PERSISTENT:NO

NET USE x: /DELETE

NET USE * \\hostname\ADMIN$ /USER:127.0.0.1\administrator * /PERSISTENT:NO

NET USE x: /DELETE

 

Step 4 - Check service controller connectivity from the deployment endpoint

This checks the ability to reach the remote Service Control Manager, by querying the Remote Procedure Call Endpoint Mapper service (which listens on TCP 135 for RPC clients such as WMI) and confirming that it is running.

 

Check Remote Procedure Call while logged in as a non-domain administrator. The RUNAS command is used to start a command shell using the local machine Administrator credential on the management endpoint. Alternatively, log in as Administrator via the GUI:

> RUNAS /user:127.0.0.1\administrator CMD

Enter the password for 127.0.0.1:

Attempting to start cmd as user "127.0.0.1\administrator" ...

> SC \\10.x.x.x QUERY RpcEptMapper

SERVICE_NAME: RpcEptMapper
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

 

Step 5 - Check WMI connectivity from the deployment endpoint

This checks the ability to access Windows Management Instrumentation, by confirming that the Windows Management service (winmgmt) is running. WMI is reached through the RPC endpoint mapper on TCP 135, and DCOM then negotiates dynamic ports for the subsequent communication. For more information, see: Setting up a Remote WMI Connection - Windows applications | Microsoft Docs

 

Check that the WMI service is running while logged in as a non-domain administrator. The RUNAS command is used to start a command shell using the local machine Administrator credential on the management endpoint. Alternatively, log in as Administrator via the GUI:

> RUNAS /user:127.0.0.1\administrator CMD

Enter the password for 127.0.0.1:

Attempting to start cmd as user "127.0.0.1\administrator" ... 

> WMIC /node:10.x.x.x /user:127.0.0.1\administrator service WHERE "Name = 'winmgmt'" get Name^,StartMode^,State^,Status
Enter the password :*********

Name StartMode State Status
winmgmt Auto Running OK

> WMIC /node:hostname /user:127.0.0.1\administrator service WHERE "Name = 'winmgmt'" get Name^,StartMode^,State^,Status
Enter the password :*********

Name StartMode State Status
winmgmt Auto Running OK
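Steps 2 to 5 of both procedures (domain-joined endpoints above, and the workgroup endpoints just covered) can be run as a single pre-flight from the deployment host. The following PowerShell is an added example, not Malwarebytes code; it serves both sections, the only difference being the credential passed in: domain\userid for domain targets, 127.0.0.1\Administrator for workgroup targets, exactly as in the NET USE and WMIC steps. It uses DCOM for the WMI part because that is the transport WMIC and the tool's WMI technique use. The function names and the MBDD drive name are assumptions.

```powershell
# Added example (not part of the Malwarebytes tool): a pre-flight that performs
# Steps 2-5 of the domain and workgroup procedures above from the deployment host.
# Pass the same credential you would give NET USE / WMIC: domain\userid for
# domain-joined targets, 127.0.0.1\Administrator for workgroup targets.

function Test-TcpPort {
    param([string] $Target, [int] $Port, [int] $TimeoutMs = 3000)
    # Plain TCP connect with a timeout; the endpoint does not need to answer ping.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Test-PushDeployTarget {
    param(
        [Parameter(Mandatory)] [string] $Target,                                        # IP address or host name
        [Parameter(Mandatory)] [System.Management.Automation.PSCredential] $Credential
    )
    $r = [ordered]@{ Target = $Target }

    # Step 1 (reachability): SMB on 445 for ADMIN$, RPC endpoint mapper on 135 for SC/WMI.
    $r.Smb445 = Test-TcpPort -Target $Target -Port 445
    $r.Rpc135 = Test-TcpPort -Target $Target -Port 135

    # Steps 2-3: mount ADMIN$ with the credential, look inside, then drop the mapping
    # (the PowerShell equivalent of NET USE ... followed by NET USE x: /DELETE).
    $r.AdminShare = $false
    $r.AdminShareError = $null
    try {
        New-PSDrive -Name 'MBDD' -PSProvider FileSystem -Root "\\$Target\ADMIN`$" -Credential $Credential -ErrorAction Stop | Out-Null
        $r.AdminShare = Test-Path 'MBDD:\System32'     # ADMIN$ maps to the Windows directory
    } catch {
        $r.AdminShareError = $_.Exception.Message      # access denied (bad credential) or path not found (error 53)
    } finally {
        Remove-PSDrive -Name 'MBDD' -ErrorAction SilentlyContinue
    }

    # Steps 4-5: query the two services over DCOM, the transport WMIC and the WMI
    # deploy technique use, so a firewall that only passes 135 fails here as well.
    $r.RpcEptMapper = $null
    $r.Winmgmt = $null
    $r.WmiError = $null
    try {
        $opt = New-CimSessionOption -Protocol Dcom
        $s   = New-CimSession -ComputerName $Target -Credential $Credential -SessionOption $opt -ErrorAction Stop
        $svc = Get-CimInstance -CimSession $s -ClassName Win32_Service -Filter "Name='RpcEptMapper' OR Name='winmgmt'"
        $r.RpcEptMapper = ($svc | Where-Object Name -eq 'RpcEptMapper').State
        $r.Winmgmt      = ($svc | Where-Object Name -eq 'winmgmt').State
        Remove-CimSession $s
    } catch {
        $r.WmiError = $_.Exception.Message             # 0x800706BA "The RPC server is unavailable" lands here
    }

    [pscustomobject]$r
}

# Usage: Get-Credential prompts for the password, so it never appears on the command line.
# $cred = Get-Credential 'domain\userid'              # or '127.0.0.1\Administrator' for workgroup targets
# Test-PushDeployTarget -Target 10.0.0.10 -Credential $cred | Format-List
```

Read the result from the top down: Smb445/Rpc135 false is a network or host-firewall problem (Step 1); AdminShare false with an error is credentials or the share itself (Steps 2-3); RpcEptMapper/Winmgmt empty with a WmiError is the DCOM dynamic-port or winmgmt problem that produces the 0x800706BA message listed at the start of this article (Steps 4-5).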

 

Deployment using the tool

Once the technical verification steps above have been completed, the pre-requisites for the Discovery and Deployment Tool have been met. Download the Discovery and Deployment Tool onto an endpoint in the target LAN segment/subnet. See the notes on NetBIOS over TCP/IP at the end of this article about traversal limitations. In addition to a log created and named for each endpoint contacted, the tool logs internally to:

%programdata%\Malwarebytes Discovery and Deployment Tool\logs\ea-pushdeploy-log.txt

 

An example of a successful run of the Deployment tool is below.

 

Log example

**** D&D Version: 1.1.0.349****
2019-01-02 17:46:58,410 pid:10884 [1] INFO App - Application Version:1.1.0.349
2019-01-02 17:46:59,937 pid:10884 [1] INFO LoginViewModel - Reading proxy settings from user configuration file
2019-01-02 17:47:33,627 pid:10884 [6] INFO DeployTechniqueManager - Verifying available drive space
2019-01-02 17:47:33,631 pid:10884 [6] INFO DeployTechniqueManager - Drive - C:\; Available Free Space: 15715741696 bytes
2019-01-02 17:47:33,894 pid:10884 [1] INFO SiriusClient - Sending request to https://sirius.mwbsys.com/api/v1/updates/manifest
2019-01-02 17:47:33,904 pid:10884 [1] INFO SiriusClient - Headers
Accept=application/json
Authorization=*****BK2V
ignore-metering=false
2019-01-02 17:47:33,906 pid:10884 [1] INFO SiriusClient - Request content {"product":"epa-win","build":"common","semver":"1.2.0","os_version":"Microsoft Windows NT 6.2.9200.0","installation_token":"dnd","installed_packages":[{"name":"epa.win.dnd","semver":"1.1.349","channel":"release"}]}
2019-01-02 17:47:33,910 pid:10884 [1] INFO LoginViewModel - NebulaUri=https://cloud.malwarebytes.com
2019-01-02 17:47:35,306 pid:10884 [1] INFO SiriusClient - Response status code OK
2019-01-02 17:47:35,308 pid:10884 [1] INFO SiriusClient - Response body {"manifest":{"product":"epa-win","build":"common","semver":"1.2.0","packages":[{"name":"epa.win.dnd","available_packages":[{"bad":false,"build_metadata":"349","build_version":null,"channel":"release","file_hash":{"content_type":"application/octet-stream","file_size":6863568,"original_filename":"EndpointAgentDeploymentTool.exe","url":"cdn.mwbsys.com/packages/epa.win.dnd/f/d/0/5/fd0562621310b7c61957b16b949c645a/e337a752-0005-4106-b53e-5e38c6144695.exe"},"md5":"fd0562621310b7c61957b16b949c645a","published_at":1543541254,"semver":"1.1.349","sha256":"6e743ee450dcf5679eebb6ba67e653fc13b449c749f495df053b66ab79acfc4e"}],"available_incrementals":[]}]},"status":"ok"}
2019-01-02 17:47:56,437 pid:10884 [1] INFO ViewModel - Emitted MBRemoteExec.dll files
2019-01-02 17:47:56,459 pid:10884 [1] INFO ViewModel - Path to file C:\Users\aprob\Desktop\MBDDBin
2019-01-02 17:47:56,727 pid:10884 [1] INFO ViewModel - Successfully loaded MBRemoteExec.dll.
2019-01-02 17:47:56,731 pid:10884 [1] INFO ProbingTechniqueManager - Clearing existing probes
2019-01-02 17:47:56,733 pid:10884 [1] INFO ProbingTechniqueManager - Begin canceling probe
2019-01-02 17:47:56,734 pid:10884 [1] INFO ProbingTechniqueManager - Closing tasks and clearing queue
2019-01-02 17:47:56,736 pid:10884 [1] INFO ProbingTechniqueManager - Probe cancel complete
2019-01-02 17:48:06,539 pid:10884 [13] INFO DeployTechniqueManager - Completed download of win_full
2019-01-02 17:48:11,079 pid:10884 [14] INFO ProbingTechniqueManager - Running probe: "EADiscovery.Business.Probing.PingBasedProbingTechnique" on IP Address(es): IP Address: 10.0.0.10, ;
2019-01-02 17:48:11,104 pid:10884 [14] INFO PingBasedProbingTechnique - SUCCESS, found a machine that's alive, zombie attack!: 10.0.0.10
2019-01-02 17:48:11,136 pid:10884 [14] INFO ProbingTechniqueManager - Running probe: "EADiscovery.Business.Probing.DnsProbingTechnique" on IP Address(es): IP Address: 10.0.0.10, ;
2019-01-02 17:48:23,991 pid:10884 [14] INFO ProbingTechniqueManager - Running probe: "EADiscovery.Business.Probing.UdpProbingTechnique" on Host name: Win10Physical; IP Address(es): IP Address: 10.0.0.10, ;
2019-01-02 17:48:24,009 pid:10884 [14] INFO ProbingTechniqueManager - Running probe: "EADiscovery.Business.Probing.TcpMachineProbingTechnique" on Host name: Win10Physical; IP Address(es): IP Address: 10.0.0.10, ;
2019-01-02 17:48:24,018 pid:10884 [14] INFO ProbingTechniqueManager - Running probe: "EADiscovery.Business.Probing.NebulaDataProbe" on Host name: Win10Physical; IP Address(es): IP Address: 10.0.0.10, ;
2019-01-02 17:48:26,894 pid:10884 [16] INFO DeployTechniqueManager - Completed download of win_xp_full
2019-01-02 17:48:33,343 pid:10884 [15] INFO DeployTechniqueManager - Completed download of mac_os
2019-01-02 17:50:12,797 pid:10884 [16] INFO MBRemoteTechnique - Attempting deploy to target with IP: 10.0.0.10
2019-01-02 17:50:12,881 pid:10884 [16] INFO MBPAExec - Execute Machine:10.0.0.10 FilesToCopy:3 App:EAInstall.bat Args:release ""
2019-01-02 17:50:13,303 pid:10884 [16] INFO MBPAExec - Not replacing existing MBRemoteExec. OldVersion:1.0.0.1 ExtractedVersion:1.0.0.1
2019-01-02 17:50:13,305 pid:10884 [16] INFO MBPAExec - Copying Service: Machine:10.0.0.10
2019-01-02 17:50:19,854 pid:10884 [16] INFO MBPAExec - Copying Service Finished: Machine:10.0.0.10
2019-01-02 17:50:41,003 pid:10884 [16] INFO MBPAExec - Service result Machine: 10.0.0.10 Err: 0
2019-01-02 17:50:41,635 pid:10884 [16] INFO MBPAExec - Opening Pipe Machine:10.0.0.10 Pipe:MBRemoteExec-10884-DESKTOP-TWO.exe
2019-01-02 17:50:41,682 pid:10884 [16] INFO MBPAExec - Sending ID:1 Machine:10.0.0.10
2019-01-02 17:50:41,786 pid:10884 [16] INFO MBPAExec - ReadRemMsg: ID:2 Machine:10.0.0.10
2019-01-02 17:50:41,787 pid:10884 [16] INFO MBPAExec - Copying File Machine:10.0.0.10 File:C:\ProgramData\Malwarebytes Discovery and Deployment\RemotePush\EAInstall.bat
2019-01-02 17:50:41,830 pid:10884 [16] INFO MBPAExec - Copying File Machine:10.0.0.10 File:C:\ProgramData\Malwarebytes Discovery and Deployment\RemotePush\Setup.Full.MBEndpointAgent.exe
2019-01-02 17:50:49,780 pid:10884 [16] INFO MBPAExec - Copying File Machine:10.0.0.10 File:C:\ProgramData\Malwarebytes Discovery and Deployment\RemotePush\Setup.Full.MBEndpointAgent.XP2003.exe
2019-01-02 17:50:59,590 pid:10884 [16] INFO MBPAExec - Sending ID:3 Machine:10.0.0.10
2019-01-02 17:51:06,570 pid:10884 [16] INFO MBPAExec - ReadRemMsg: ID:4 Machine:10.0.0.10
2019-01-02 17:51:06,574 pid:10884 [16] INFO MBPAExec - Sending ID:5 Machine:10.0.0.10
2019-01-02 17:51:11,569 pid:10884 [16] INFO MBPAExec - ReadRemMsg: ID:4 Machine:10.0.0.10
2019-01-02 17:51:11,571 pid:10884 [16] INFO MBPAExec - AppExitCode: 0
2019-01-02 17:51:11,833 pid:10884 [16] INFO MBPAExec - remote service stop request. Machine:10.0.0.10 Name:MBRemoteExec-10884-DESKTOP-TWO Err:1062
2019-01-02 17:51:11,882 pid:10884 [16] INFO MBPAExec - Finished: Machine:10.0.0.10

 

Tips for using ActiveDirectory

The Active Directory lookup retrieves a list of endpoints to contact.

  • Network credentials for that search are optional; otherwise the credentials of the logged-in desktop session are used.
  • It looks up each endpoint by its directory name, then adds it to the scanning list.

 

If you have deployment issues, it is best to ensure basic deployment works without ActiveDirectory, until you get things working.

 

Checking remote service startup

Only the Malwarebytes Endpoint Management Agent (MBEndpointAgent) is started by the deployment tool; the status of the Malwarebytes Service (MBAMService), which the agent subsequently installs, is not tracked by the tool.

  • The MBAMService status can be checked via the Cloud console:
    • by a status of 'scan not yet run';
    • by the existence of the plugin and its version number;
    • using the Excel plugin.
  • It can also be checked using the Service Control Manager or WMI commands below.

 

WMI and service checks (for the newer-style service), used to view remote services

Windows CLI commands to check that WMI functions are working to endpoints.

 

Domain Endpoints

> WMIC /node:xxx.xxx.xxx.xxx /user:domain\domainadmin service WHERE "Name LIKE 'MB%%' OR Name = 'SCCommService'" get Name^,StartMode^,State^,Status

 

> WMIC /node:hostname /user:domain\domainadmin service WHERE "Name LIKE 'MB%%' OR Name = 'SCCommService'" get Name^,StartMode^,State^,Status

 

> SC \\xxx.xxx.xxx.xxx QUERY MBAMService

> SC \\hostname QUERY MBAMService

 

Non-Domain Endpoints - Use RUNAS for non-domain workstations
> RUNAS /user:127.0.0.1\administrator CMD

      Enter the password for 127.0.0.1:

      Attempting to start cmd as user "127.0.0.1\administrator" ... 

 

> WMIC /node:xxx.xxx.xxx.xxx /user:127.0.0.1\administrator service WHERE "Name LIKE 'MB%%' OR Name = 'SCCommService'" get Name^,StartMode^,State^,Status

 

> WMIC /node:hostname /user:127.0.0.1\administrator service WHERE "Name LIKE 'MB%%' OR Name = 'SCCommService'" get Name^,StartMode^,State^,Status

 

> SC \\xxx.xxx.xxx.xxx QUERY MBAMService

> SC \\hostname QUERY MBAMService

 

^ is used to escape the comma. It is not necessary on the command line, but it is necessary if this command is pasted into a BAT or CMD script.

 

WMI errors

 

  • WMI-In blocked by Windows Firewall (may need a GPO or local setting). View the rule with this command:
    • netsh advfirewall firewall show rule name="Windows Management Instrumentation (WMI-In)"
    • Or via the GUI (Windows Firewall with Advanced Security, Inbound Rules):

 

Note: Each WMIC command should be on one line. ^ escapes the commas: redundant on the CLI, but mandatory if used in BAT/CMD files; likewise %% in the LIKE pattern is the batch-file escape for a single % (on the CLI, 'MB%%' still matches because % is the WQL wildcard). Quotes are required around "hostname" if the hostname contains a dash '-'. 'SCCommService' is for Malwarebytes Endpoint Security, but is left here so the same command can be used for both types of endpoint.

 

NetBIOS over TCP/IP

The "NetBIOS over TCP/IP" protocol is discouraged by Microsoft and is commonly disabled. If it is disabled, looking up network devices by NetBIOS name will not traverse outside the current subnet. Note that NetBIOS name resolution (NBT-NS) relies on broadcasts that any host on the segment can answer, which makes it a well-known target for name-spoofing attacks; if you enable it for testing, set it back afterwards.

 

The command to check the setting on an endpoint is:

wmic nicconfig get caption,index,TcpipNetbiosOptions

           Caption                                    Index TcpipNetbiosOptions
[00000000] Microsoft Kernel Debug Network Adapter      0
[00000001] Intel(R) 82574L Gigabit Network Connection  1    0
[00000002] Bluetooth Device (RFCOMM Protocol TDI)      2
[00000003] Bluetooth Device (Personal Area Network)    3
[00000004] Microsoft Teredo Tunneling Adapter          4
[00000005] WAN Miniport (SSTP)                         5
[00000006] WAN Miniport (IKEv2)                        6
[00000007] WAN Miniport (L2TP)                         7
[00000008] WAN Miniport (PPTP)                         8
[00000009] WAN Miniport (PPPOE)                        9
[00000010] WAN Miniport (IP)                          10
[00000011] WAN Miniport (IPv6)                        11
[00000012] WAN Miniport (Network Monitor)             12

 

The SetTcpipNetbios parameter accepts these values:

0 – Use NetBIOS setting from the DHCP server
1 – Enable NetBIOS over TCP/IP
2 – Disable NetBIOS over TCP/IP

 

NetBIOS traversal can be enabled for testing with the following command, where the index is that of the appropriate NIC from the output above:

wmic nicconfig where index=1 call SetTcpipNetbios 1

When testing is complete, run the same command with 0 (DHCP setting) or 2 (disabled) to revert.

 

References

Direct Hosting of SMB over TCPIP

NetBIOS Over TCP/IP

Do I really need NETBIOS?

How NetBIOS name resolution really works - TechRepublic 

WINS and how to install it

Securing Windows Workstations: Developing a Secure Baseline - Active Directory Security

 

Changes

2019.04.19  Added constraints for MSPs

 
