Fantastique
Miss Lindsey Leigh - Vid and Pic

Management Console Administrator Guide - Malwarebytes

Loading...
Management Console Administrator Guide Version 1.8 21 March 2017

Notices Malwarebytes products and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. You may copy and use this document for your internal reference purposes only. This document is provided “as-is.” The information contained in this document is subject to change without notice and is not warranted to be error-free. If you find any errors, we would appreciate your comments; please report them to us in writing. The Malwarebytes logo is a trademark of Malwarebytes. Windows is a registered trademark of Microsoft Corporation. All other trademarks or registered trademarks listed belong to their respective owners. Copyright © 2017 Malwarebytes. All rights reserved.

Third Party Project Usage Malwarebytes software is made possible thanks in part to many open source and third party projects. A requirement of many of these projects is that credit is given where credit is due. Information about each third party/open source project used in Malwarebytes software – as well as licenses for each – are available for viewing here: http://www.malwarebytes.com/support/thirdpartynotices/

Sample Code in Documentation The sample code described herein is provided on an "as is" basis, without warranty of any kind, to the fullest extent permitted by law. Malwarebytes does not warrant or guarantee the individual success developers may have in implementing the sample code on their development platforms. You are solely responsible for testing and maintaining all scripts. Malwarebytes does not warrant, guarantee or make any representations regarding the use, results of use, accuracy, timeliness or completeness of any data or information relating to the sample code. Malwarebytes disclaims all warranties, express or implied, and in particular, disclaims all warranties of merchantability, fitness for a particular purpose, and warranties related to the code, or any service or software related there to.

CWB08-1080a

Table of Contents Introduction .......................................................................................................................1 What is Malware? ..................................................................................................................................... 1 Why Does Malware Exist? ...................................................................................................................... 1

Access to Government/Corporate Secrets (Espionage) ........................................................................................... 1 Identity Theft ........................................................................................................................................................................... 1 Distribution of Contraband Information ........................................................................................................................ 1 Unauthorized Control........................................................................................................................................................... 1

The Malwarebytes Solution ................................................................................................................... 2

Malwarebytes Management Console ............................................................................................................................ 2 Malwarebytes Anti-Malware ............................................................................................................................................. 3 Malwarebytes Anti-Exploit ................................................................................................................................................. 3

What’s New in Malwarebytes Management Console ...................................................................4

System Requirements ..................................................................................................... 5

Management Server/Primary Console ............................................................................................. 5

Equipment Specifications ................................................................................................................................................... 5

Secondary Console .................................................................................................................................. 5

Equipment Specifications ................................................................................................................................................... 5

Managed Clients ....................................................................................................................................... 6

Equipment Specifications ................................................................................................................................................... 6 Pre-Requisites for Installation of Managed Clients ................................................................................................... 6

External Access Requirements.............................................................................................................. 7

System Checks .................................................................................................................. 8

System Requirement Checks for Servers .......................................................................................... 8 Address/Port Validity Checks for Servers ......................................................................................... 8

Program Installation ........................................................................................................ 9

New Installations of Malwarebytes Management Console ......................................................... 9 Upgrading Malwarebytes Management Console ........................................................................ 13

Introduction to Malwarebytes Management Console........................................... 14

Home.......................................................................................................................................................... 14 Client module .......................................................................................................................................... 14 Policy module .......................................................................................................................................... 14 Report module ........................................................................................................................................ 14 Admin module ........................................................................................................................................ 14

Home Page Reports ...................................................................................................... 15

Overall System Status ........................................................................................................................... 15 Online Clients in Last 24 Hours .......................................................................................................... 16 Daily Threat Detections (last 7/30 days).......................................................................................... 16 Daily Exploit Detections (last 7/30 days) ......................................................................................... 16

Table of Contents (continued) Top 10 Clients with Most Threats (last 30 days) ............................................................................ 17 Top 10 Clients with Most Exploits (last 30 days) ........................................................................... 17

Client Module ................................................................................................................. 18

Control buttons ....................................................................................................................................... 18 Threat View ........................................................................................................................................................................... 18 Filter/All .................................................................................................................................................................................. 18 Refresh .................................................................................................................................................................................... 19 Scan ......................................................................................................................................................................................... 19 Update DB ............................................................................................................................................................................. 19

Status indicators ..................................................................................................................................... 19 Client Group Organization panel ...................................................................................................... 19 Right-Click Context Menu................................................................................................................................................20

Clients panel ............................................................................................................................................ 21 Customizing Columns on the Client Tab ........................................................................................ 21 Client Information panel ..................................................................................................................... 22 Client Info ..............................................................................................................................................................................22 System Logs ..........................................................................................................................................................................22 Security Logs ........................................................................................................................................................................22

Exporting Data ....................................................................................................................................... 23

Policy module .................................................................................................................24

Add New Policy ...................................................................................................................................... 25 General Settings ..................................................................................................................................................................25 Protection Settings .............................................................................................................................................................26 Scanner Settings..................................................................................................................................................................27 Scheduler Settings ..............................................................................................................................................................28 Ignore List ..............................................................................................................................................................................28 Updater Settings .................................................................................................................................................................29 Communication ...................................................................................................................................................................29 Anti-Exploit ...........................................................................................................................................................................30 Anti-Exploit Exclusion List ................................................................................................................................................34

Edit ............................................................................................................................................................. 34 Copy .......................................................................................................................................................... 34 Remove..................................................................................................................................................... 34 Disable ...................................................................................................................................................... 34 Refresh ...................................................................................................................................................... 34 Installation Package .............................................................................................................................. 34 Deployment............................................................................................................................................. 35 Policies panel .......................................................................................................................................... 36 Scanner Settings panel ........................................................................................................................ 36 Policy Deployment panel .................................................................................................................... 36

Table of Contents (continued) Report Module ............................................................................................................... 37 Report Selector ...................................................................................................................................... 37 Reports ..................................................................................................................................................... 37 Summary Report .................................................................................................................................................................37 Top Risk Report ...................................................................................................................................................................38 Threat Trend Report .......................................................................................................................................................... 41 Client Scan Report ..............................................................................................................................................................43 Client Signature Report ....................................................................................................................................................43 Policy Deployment Report.............................................................................................................................................. 44 Server System Report ........................................................................................................................................................46

Admin Module................................................................................................................48

Overview tab ........................................................................................................................................... 48

License Information............................................................................................................................................................48 Server Address Settings ....................................................................................................................................................49

Database Settings ................................................................................................................................. 49

Cleanup Settings .................................................................................................................................................................49

Signature tab .......................................................................................................................................... 50 Administrators tab ................................................................................................................................ 50 Add New User ...................................................................................................................................................................... 51 Remove User ........................................................................................................................................................................53 Import Domain User ..........................................................................................................................................................54 Synchronize User ................................................................................................................................................................54

Admin Logs tab...................................................................................................................................... 55 Client Push Install tab ........................................................................................................................... 55 Pre-Requisites – Creation of Policies (optional) .......................................................................................................55 Pre-Requisites – Creation of Client Groups (optional)...........................................................................................55 Scanning the Network – Scan Selection Options ....................................................................................................55 Scanning the Network – Scan Execution Options ...................................................................................................56 Simulate Client Install ........................................................................................................................................................59 Client Push Install................................................................................................................................................................59 Client Uninstall .....................................................................................................................................................................59 Ignore Device(s) ..................................................................................................................................................................60 Copy to Clipboard ..............................................................................................................................................................60

Email Notifications tab ......................................................................................................................... 60 General tab ...........................................................................................................................................................................60 Notifications tab .................................................................................................................................................................. 61 Throttling tab .......................................................................................................................................................................62 Additional Notification Settings .....................................................................................................................................62

Syslog Server .......................................................................................................................................... 63 CEF Raw Log Entry..............................................................................................................................................................64 CEF Log Entry (simplified for understanding) ...........................................................................................................64 JSON Raw Log Entry ..........................................................................................................................................................65 JSON Log Entry (simplified for understanding)........................................................................................................65

Table of Contents (continued) Other Settings tab ................................................................................................................................. 66 Proxy Settings ......................................................................................................................................................................66 Domain Settings ..................................................................................................................................................................66 Active Directory Synchronization Setting ...................................................................................................................66 Console Session Settings .................................................................................................................................................67

Windows Start Menu Options..................................................................................... 68

Collect System Information ................................................................................................................ 68 Data Backup and Restoration ............................................................................................................ 68 Malwarebytes Management Console Link .................................................................................... 69 Malwarebytes Management Console ............................................................................................. 69 Server Configuration ............................................................................................................................ 69 SSL Certificate Configuration ............................................................................................................. 70 Verifying Presence of a Certificate ................................................................................................................................70 Exporting an Existing Certificate ....................................................................................................................................70 Installing a Certificate ........................................................................................................................................................ 71

Glossary ............................................................................................................................ 72

Introduction This guide was produced to assist system administrators with installation, maintenance and operation of Malwarebytes Management Console, and to provide a comprehensive reference to the product and to the protection clients which are integrated into Malwarebytes Management Console. Before doing that, a brief introduction of the problems which we strive to solve is in order.

What is Malware? The best place to begin is with a general definition of the term malware. (http://en.wikipedia.org/wiki/Malware).

This definition is taken from Wikipedia

Malware, short for malicious software, is software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems. It can appear in the form of code, scripts, active content, and other software. 'Malware' is a general term used to refer to a variety of forms of hostile or intrusive software. Taking this one step further, malware is never something we want to have on our computers. It is placed there against our wishes, using methods designed to prevent our knowledge of its installation, and in most cases, also designed to prevent our knowledge of its operation. It is often bundled with other software which we do want. Sometimes its presence in this software is known, but sometimes the software vendor is victimized as well.

Why Does Malware Exist? Over the course of time, the primary purposes of malware have evolved. Originally, malware’s primary purpose was to demonstrate a hacker’s prowess and ability to control computers beyond his own sphere of control. In today’s world, malware is used for much more structured purposes, most of which involve financial gain for the authors and/or distributors of the malware. Some examples of why malware exist are:

Access to Government/Corporate Secrets (Espionage) In early 2013, Kaspersky Labs announced that a cyber-espionage campaign named Red October had been operating for more than five years, targeting several international governmental and scientific research organizations. The primary purpose was theft of corporate and/or government secrets to be used by perpetrators for their own purposes. Whether the goal is military/diplomatic strategy or financial gain, malware is the perfect spy.

Identity Theft It is becoming an everyday occurrence to hear about large-scale identity theft, and malware is the method of choice. Even if a merchant is compliant with all industry data security standards, there is no guarantee that those standards can adequately protect against a well-crafted zero-day threat. Not all detected threats are made public. Some threats escape detection completely. Identity theft is big business, and malware is behind it.

Distribution of Contraband Information Contraband information comes in many forms. It may be black market forums used for sale, distribution and discussion about malware. It may be child pornography. It may be distribution of information gleaned from identity theft operations. Those responsible are aware that the internet does not offer anonymity, so the answer is to build clandestine distribution networks using unprotected computers controlled by malware. The network may be detected at some point in time, but those responsible often remain anonymous.

Unauthorized Control Another high-value target of malware is associated with unauthorized control of facilities belonging to those who are considered enemies of the attacker. In a situation such as this, the motivation behind the attack is often based upon political ideology. In an attack of this type, the goal is not financial gain. Instead, it is to create financial turmoil within the society affected by the attack. Though it is based in the use of malware, the act itself is terrorism.

Management Console Administrator Guide

1

The Malwarebytes Solution In 2008, Malwarebytes was founded on the belief that you and everyone have a fundamental right to a malware-free existence. Every product we make is built on that premise. Malwarebytes products are designed and coded by folks like you. Folks who have stayed up all night trying to rescue an infected machine. Folks who have dealt with the after effects of a hacked email account or a compromised network. We work around the world – Europe, Asia, and America – and around the clock. Tweaking our unique blend of heuristic, signature, and behavior-based technologies to protect people like you and businesses like yours…because malware never sleeps. Malwarebytes Anti-Malware began as a consumer-oriented product, and has evolved over time to incorporate several new features and enhancements which contribute to its recognition as the malware solution of choice by an overwhelming number of computer users. Malwarebytes Anti-Malware is available in free, premium and OEM versions for the consumer market. Over time, the consumer product has evolved into a business version (Malwarebytes Anti-Malware Corporate), enabling IT administrators to control installation and management of Malwarebytes software on endpoints using both GUI-based and command line methods. At the same time, Malwarebytes released Malwarebytes Techbench, which offered the features of Malwarebytes Anti-Malware free version on a USB stick, optimized for use by computer repair facilities. These facilities had already been using Malwarebytes products as part of their daily regimen, but Malwarebytes Techbench allowed them to also keep segregated log information of repairs which were performed, assisting them with accountability towards their customers. Our newest offering – Malwarebytes Breach Remediation – is designed to allow admins to detect and remediate threats on networked clients without leaving a lasting footprint. These products – combines with a deeper understanding of the business marketplace – have contributed to the creation of Malwarebytes Management Console.

Malwarebytes Management Console Consumers are not alone in their desire to use Malwarebytes products to keep their computers safe. Business users also want that same level of protection, but they have special requirements based on: • • • • •

Corporate security policies Number of computers which require protection Maintaining security while not disrupting work flow Need to automate tasks whenever feasible Need to incorporate Malwarebytes integration with existing IT processes

Beyond these general needs, many businesses have needs specific to their own business. Malwarebytes responded by producing a version for business users (Malwarebytes Anti-Malware Corporate Edition, since retitled to Malwarebytes Anti-Malware for Business) and Malwarebytes Management Console, which provides Malwarebytes security via a centralized console.

Management Console Administrator Guide

2

Malwarebytes Management Console enables IT administrators to deploy, control and manage Malwarebytes clients on every Windows-based endpoint in their organization. The Malwarebytes clients are full-featured versions, not stripped down versions. A sampling of features available in Malwarebytes Management Console is as follows: • • • • • • • • • •

Full integration with Malwarebytes Anti-Malware managed client Full integration with Malwarebytes Anti-Exploit managed client Integration with Microsoft Active Directory management of users, groups, organizational units and endpoints, as well as adherence to security policies governed by Active Directory Ability to deploy managed clients to endpoints within Malwarebytes Management Console, or by creation of installation packages to be deployed using third-party utilities Ability to create endpoint groups for simplification of installation and management Ability to manage endpoints based on policies which define behavior for managed clients associated with those policies Scheduling of all scans and updates on endpoints, based on policies Ability to alert administrators of events via email notifications and syslog alerts Retention of data pertaining to endpoints, policies and threats in centralized SQL database Ability to distribute signature updates to endpoints from Malwarebytes Management Console or from alternate sources

All of these features – and more – are fully integrated into the product, so that every feature you have come to expect from Malwarebytes in a unmanaged version is available also in Malwarebytes Management Console, without sacrifice!

Malwarebytes Anti-Malware This is the flagship Malwarebytes client. It has long been the favorite protection among technical computer users, and the company’s growth has been built primarily on the recommendations of its users. Malwarebytes Anti-Malware is driven by a signature database which is updated 8-15 times daily, and supplemented by heuristic analysis to detect patterns that do not yet exist in the signature database. The focus is on recent, current and emerging threats. Only a small number of threats affecting computer users today are based on older threat vectors, as most (if not all) anti-virus and anti-malware software products are well equipped to deal with the older threats. Policies developed by IT administrators and administered by Malwarebytes Management Console govern a majority of program functionality. Malware scans and signature updates are controlled by policies. Startup methods and sequences are controlled by policies. Real-time protection and quarantining of detected threats and exploits are also controlled by policies. The endpoint user may have additional capabilities determined by the IT administrator, and allowed through policies. While the Malwarebytes AntiMalware managed client is designed for networked endpoints accessible to Malwarebytes Managed Console, it may also be used on endpoints which use Virtual Private Network (VPN) connectivity – with certain restrictions.

Malwarebytes Anti-Exploit Malwarebytes Anti-Exploit takes a different approach to computer security. It does not use signatures of any known threats. Instead, it inspects incoming data streams, analyzes behavior, and determines whether it needs to respond to a suspected exploit attempt. Malware often attempts to bypass operating system protection mechanisms so that it can execute in an unrestricted fashion. Malware often uses memory manipulation methods so that it can function undetected. Malware often uses vulnerabilities in commonly-used applications to implant a threat, or uses the application as a means of transferring the threat from one location to another. In all cases, there is a common thread – the method being used signals the danger. Malwarebytes Anti-Exploit shields applications and processes from attack, while neutralizing and isolating the attacker. Even a zero-day threat is ineffective when protected by this technology.

Management Console Administrator Guide

3

What’s New in Malwarebytes Management Console With this version, Malwarebytes Management Console has been updated to provide the following new features.



 

Management Server/Console

           

Added support for Windows Server 2016 Allows IP/hostname of management server to be updated without requiring re-deployment of managed endpoints Anti-Exploit email alerts now contain all security log data to provide additional forensic data Added ability to configure email throttling via the console Added the ability to customize the console inactivity timer Auto-scaling endpoint check-in intervals optimized to better scale in large networks Added policy setting to allow updates from an alternate source without requiring failover to occur first Fixed Active Directory Integration issue where duplicate clients were marked as “Unregistered” Fixed Active Directory Integration issue where synchronization did not function as expected Fixed Active Directory Integration issue where child OUs failed to sync Fixed Active Directory Integration issue where imported user accounts were unable to authenticate Fixed Active Directory Integration issue where domain query account could not be added

Malwarebytes Anti-Malware Client



Added support for Windows Server 2016

Malwarebytes Anti-Exploit Client

                 

Updated Malwarebytes Anti-Exploit client to version 1.09 Added support for Windows Server 2016 Hardened and more secure API hooking framework Added self-protection mechanisms Added sandbox technique for Silverlight Added Layer3 techniques against Macro exploits Added Layer3 techniques against social engineering exploits Added Java advanced configuration options for companies Added dynamic configuration feature to manage conflicts Added support for MS Play Ready Changed balloon notification to off by default Remove Run entry during uninstallation Fixed conflict with Symantec DLP Fixed conflict with Chinese banking software Fixed conflict with Office TabLoader Fixed conflict with Kobil mIdentity software Fixed false positive with Adobe and .NET modules Fixed issue when adding invalid custom shield

Management Console Administrator Guide

4

System Requirements Following are system requirements for components which make up Malwarebytes Endpoint Security. These do not include any other functionality that the endpoint is responsible for. The Endpoint Security Best Practices Guide should be consulted prior to equipment procurement as well as prior to Malwarebytes Management Console installation.

Management Server / Primary Console Malwarebytes Management Console provides all system functionality via its Management Server. It provides all necessary Windows services, and communicates directly with the Primary Console and the managed endpoint. It runs strictly in the background.

Equipment Specifications The following specifications are provided as minimum requirements which must be met to provide Management Server functionality.







Hardware

   

Software

 

Windows Installer 4.5 .NET Framework 4.0

Supported Operating Systems

   



CPU: 1 GHz minimal, dual core 1.6 GHz recommended RAM: 1 GB minimal, 2 GB recommended Disk space: 2 GB minimal, 10 GB recommended 1024x768 screen resolution

Windows Server 2016 (excludes Server Core installation option) Windows Server 2012/2012 R2 (excludes Server Core installation option) Windows Server 2008/2008 R2 (excludes Server Core installation option) Windows Small Business Server 2011

Supported Microsoft SQL Servers

 

Database embedded: Microsoft SQL Server 2008, 2012, 2014, 2016 Express (10 GB maximum size limitation) Database supported: Microsoft SQL Server 2008/2008 R2, Microsoft SQL Server 2012/2012 R2, Microsoft SQL Server 2014/2014 R2

Secondary Console All interaction with the Management Server is effected through the Primary and/or Secondary Console. The Management Server then interacts with the endpoints (managed clients). Specifications listed below are for a Secondary Console. The Primary Console is typically installed on the same computer as the Management Server.

Equipment Specifications The following specifications must be met in order to provide Console functionality.



Hardware

  



CPU: Core Duo 1.6 GHz RAM: 1 GB 1024x768 screen resolution

Software

  •

.NET Framework 3.5 .NET Framework 4.0 Windows Installer 4.5

Management Console Administrator Guide

5



Supported Operating Systems

•         

Windows Server 2016 (excludes Server Core installation option) Windows Server 2012/2012 R2 (excludes Server Core installation option) Windows Server 2008/2008 R2 (excludes Server Core installation option) Windows Small Business Server 2011 Windows 10 Windows 8.1 Windows 8 Windows 7 Windows Vista Windows XP Pro with SP3

Managed Clients The managed client provides security functionality on the endpoint. Commands are received from the Management Server after being issued by the user, and after processing which may be required. Status is returned to the Management Server, which processes results and provides visible notification to the user.

Equipment Specifications The following specifications are provided as minimum requirements which must be met to provide Managed Client functionality.





Hardware

   

Software

 



CPU: 1 GHz RAM: 1 GB Disk space: 100 MB (program + logs) 800x600 screen resolution .NET Framework 3.5 Windows Installer 4.0

Supported Operating Systems

• • • • •      

Windows Server 2016 (excludes Server Core installation option) Windows Server 2012/2012 R2 (excludes Server Core installation option) Windows Server 2008/2008 R2 (excludes Server Core installation option) Windows Server 2003 (32-bit only) Windows Small Business Server 2011 Windows 10 Windows 8.1 Windows 8 Windows 7 Windows Vista Windows XP Pro with SP3 (32-bit only)

Pre-Requisites for Installation of Managed Clients Endpoint configuration changes must be implemented to facilitate installation of a Malwarebytes managed client to those endpoints. Similar methods are required for the various operating systems, and they are grouped accordingly.



Windows Server endpoint preparation (all supported versions)     

From the Windows Start Menu, launch Control Panel Launch Network and Sharing Center by double-clicking on its icon Select Change advanced sharing settings from the menu on the left side of the screen Click the arrow to the right of All Networks or Domain. (dependent on network environment) Turn on Network discovery, File sharing and Printer sharing.

Management Console Administrator Guide

6

      

Click the Save changes button Close the Control Panel screen. Launch Server Manager by clicking its Icon Select Administrative Tools Select Add Feature Select .Net 3.5 – Continue through the installation WORKGROUP ONLY: Enable the built-in administrator account by opening a command prompt as administrator, and typing the following command: net user administrator /active:yes



Windows 7/8/8.1/10 endpoint preparation        

From the Windows Start Menu, launch Control Panel Launch Network and Sharing Center by double-clicking on its icon Select Change advanced sharing settings from the menu on the left side of the screen Click the arrow to the right of All Networks or Domain. (dependent on network environment) Turn on Network discovery, File sharing and Printer sharing. Click the Save changes button Close the Control Panel screen. WORKGROUP ONLY: Enable the built-in administrator account by opening a command prompt as administrator, and typing the following command: net user administrator /active:yes



Windows Vista endpoint preparation     

From the Windows Start Menu, launch Control Panel Launch Network and Sharing Center by double-clicking on its icon In the section titled Sharing and Discovery, turn on Network discovery, File sharing and Printer sharing. Close the Control Panel screen. WORKGROUP ONLY: Enable the built-in administrator account by opening a command prompt as administrator, and typing the following command: net user administrator /active:yes



Windows XP endpoint preparation              

From the Windows Start Menu, launch Control Panel. Launch Windows Firewall by double-clicking on its icon. Click the Exceptions tab. Check the checkboxes for File and Printer Sharing. Click OK to close the Windows Firewall screen. Launch Administrative Tools by double-clicking on its icon. Launch Local Security Policy by double-clicking on its icon. The Local Security Settings screen will open. Click on Local Policies in the left panel. The main panel will refresh to show relevant settings. Scroll down to Network access: Sharing and security model for local accounts. Double click on this setting. Change the value to Classic – local users authenticate as themselves. Click OK to make the change effective. Close the Local Security Settings window. Close the Administrative Tools window. Close the Control Panel screen.

External Access Requirements If your company’s Internet access is controlled by a firewall or other access-limiting device, you must grant access for Malwarebytes Management Console to reach Malwarebytes services. These are: http://data.service.malwarebytes.org http://data-cdn.mbamupdates.com http://keystone.mwbsys.com

Management Console Administrator Guide

Port 443 Port 443 Port 443

outbound outbound outbound

7

System Checks The following sections describe system checks that Malwarebytes Management Console makes during installation.

System Requirement Checks for Servers If any of the following software has not already been installed, it will be automatically downloaded and installed:    

Internet Information Services (IIS) 7.5 Web Server .NET framework 4.0 (x86 and x64) Windows Installer 4.5 SQL Server 2008 R2 Express

If system memory is less than 2 GB, the system administrator receives a warning and must explicitly choose to continue installation. If free disk space is less than 10 GB but above 2 GB, the system administrator receives a warning, and must explicitly choose to continue installation. If free disk space is less than 2 GB, the system administrator receives an error and installation aborts.

Address/Port Validity Checks for Servers If the user-specified server address does not match the current server address (IP, server name, DNS name, FQDN), the system administrator receives the warning, “The server address is invalid.” If the input port is invalid or is occupied by other application, the system administrator receives the warning, “The server port is invalid or occupied by other application.” The server address is the most significant communication setting. Once the server address has been specified, subsequent changes may cause communication errors until configuration changes have been made . To prevent these errors, select an unchangeable property as the server address, such as a fully-qualified domain name (FQDN).

Management Console Administrator Guide

8

Program Installation If you are a new user, you will only be concerned with the following section. This covers installation of Malwarebytes Management Console. Customers who are upgrading to this version will also want to read the section titled Upgrading Malwarebytes Management Console beginning on page 13. Information in that section is pertinent only for users when upgrading.

New Installation of Malwarebytes Management Console Malwarebytes Management Console is provided to customers in the Malwarebytes Endpoint Security ZIP archive. Please refer to page 2 of the Endpoint Security Quick Start Guide for an introduction to the layout of the ZIP file. After extracting the Malwarebytes Management Console installer from the ZIP file, please use the following instructions to install the product. 1.

Click the setup icon to start program installation.

2.

The Setup Wizard opens. Click Next.

3.

Read the License Agreement and select the “I Agree” radio button. Click Next.

Management Console Administrator Guide

9

4.

Enter the Management Server address, Client Communication Port and Server Administration Port if they are not auto-populated for you. Your server address will be different from the one shown here. Port addresses may be changed if they conflict with existing needs. Click Next. WARNING: These settings control client/server communication. Changes made after client deployment may result in communication issues with that client.

5.

Choose whether to use the embedded SQL Server Express database or an existing database (SQL Server or SQL Express). If you use an existing database, you must specify the server and instance as well as the SQL Administrator username and password. Click Next.

6.

Accept the default destination folder or browse and select another folder. Click Next.

Management Console Administrator Guide

10

7.

Click Next to confirm installation.

8.

The installation progress window displays the installation as it takes place.

9.

This window opens following installation. Leave the mark in the check box to Launch the Management Server Console installer. Click Close.

Management Console Administrator Guide

11

10. Click Next to begin installation of the Management Server Console.

11. Accept the default installation folder or browse and select another folder. Click Next. .

12. Click Next to confirm installation.

Management Console Administrator Guide

12

13. The installation progress window displays the installation as it takes place.

14. The Installation Complete window opens when the installation finishes. Leave the mark in the check box to accept the default to Launch Management Console. Click Close.

15. If you elected to launch the Management Console, the login window opens. The server address is displayed, along with the default Admin user name. The initial password is blank. You must create a new password before you can continue. Enter your new password and click Login.

Upgrading Malwarebytes Management Console When Malwarebytes Management Console is updated to a new version, existing clients are not updated as part of that process. If the new version contains new (or changed) client features which you consider to be important for those endpoints, you must install a new client over the top of the existing client. Please refer to page 22 to find out how to determine where new clients must be installed, and page 55 for information on the client installation process. PLEASE NOTE: When a managed Malwarebytes Anti-Malware client is upgraded to a new version, the endpoint must be rebooted to complete installation of the new program version.

Management Console Administrator Guide

13

Introduction to Management Console Malwarebytes Management Console is divided into four program modules, each accessible by buttons on the left edge of the user interface. Each module provides specific program functionality, and in many cases, functionality provided by one module serves as a foundation for the functionality of one or more other modules. Detailed functionality of each module will be described after the program layout has been outlined below. These modules are presented in the order which they appear in the user interface.

Home Upon entry to the user interface, the Home page is displayed. While not a program module, the Home screen provides basic system status information pertaining to managed clients and threats detected by each client.

Client module The Client module allows the Malwarebytes Management Console Administrator a dashboard view of all managed clients which have been installed on the corporate network, as well as detected endpoints which do not have managed clients installed. Limited information is available for endpoints without managed clients installed. Detailed status information is available for all managed clients, as well as access to system logs. Many operational functions are available from this screen. Clients may also be organized into a group, which allows functionality to be administered and controlled more easily.

Policy module The Policy module enables the Malwarebytes Management Console Administrator to define rules and operational parameters that can be assigned to clients and client groups. In addition, this module allows installation packages to be built and deployed for endpoints that cannot be installed by standard means.

Report module The Report module provides a comprehensive set of reports that provide detailed status on all aspects of Malwarebytes Management Console operation.

Admin module The Admin module allows the Malwarebytes Management Console Administrator to control overall system functionality and how this functionality is interwoven with endpoint-specific and policy-specific functionality. In addition, this module provides the capability to define and oversee Malwarebytes Management Console users/administrators, and the specific types of program access granted to them.

Management Console Administrator Guide

14

Home Page Reports When you launch Malwarebytes Management Console, the initial screen presented is the Home Page, which contains six high-level reports that provide basic status of your protected endpoints.

Clicking on any of the graphical reports allows them to be superimposed over the Home Page in a larger format. Most reports are also available as individual reports (in the Reports module), accompanied by supporting data. Following is a list of the reports shown on this page, as well as a basic description of each.

Overall System Status This report shows the condition of your server (good, normal, under stress), number of online endpoints, endpoints with latest update, number of commands completed, and the status of both Anti-Malware protection and Anti-Exploit protection.

Management Console Administrator Guide

15

Online Clients in Last 24 Hours This graph which shows the number of total endpoints registered within the last 24-hour period, as well as the number detected as being on-line.

Daily Threat Detections (last 7/30 days) This report shows how many threats were detected by the Anti-Malware managed client on each day. It can show up to seven days. Values along the vertical axis are the number of threats. Values along the horizontal axis are the dates when the threats occurred. Clicking on this report increases the days covered from 7 to 30.

Daily Exploit Detections (last 7/30 days) This report shows how many exploits were detected by the Anti-Exploit managed client on each day. It can show up to seven days. Values along the vertical axis are the number of exploits. Values along the horizontal axis are the dates when the exploits occurred. Clicking on this report increases the days covered from 7 to 30.

Management Console Administrator Guide

16

Top 10 Clients with Most Threats (last 30 days) This report shows the top 10 endpoints with the most malware threats in the last 30 calendar days, as determined by the AntiMalware managed client.

Top 10 Clients with Most Exploits (last 30 days) This report shows the top 10 endpoints with the most exploit attempts in the last 30 calendar days, as determined by the AntiExploit managed client.

Management Console Administrator Guide

17

Client Module The Client module enables you to monitor the status of all endpoints managed by Malwarebytes Management Console. The screenshot below shows the Client module, in Client View mode. The various main sections of the page are shown highlighted in red. A detailed description of all features follows.

Control buttons Functionality of the Control buttons is divided between Client module display characteristics and endpoint operations.

Threat View Threat View specifically relates to detected threats, where found, and when. Threat view is very straightforward and easily understood on first glance. As a result, discussion of this module will focus on the Client View.

Filter/All The Filter button allows you to filter information relating to endpoints (client view) or threats (threat view) so only that which is relevant is being displayed. Screenshots of the view-specific filter selection panels are shown below.

Management Console Administrator Guide

18

Most options need no explanation. The options listed below are explained so that you may utilize them more effectively. •

Policy (client view) – Policy created by Malwarebytes Management Console Administrator and deployed to endpoints



Status (client view) – Status of the endpoint (offline, online and idle, scanning, unregistered)



Policy Compliance (client view) – Whether the policy being used by the endpoint is current or out-of-date



Operation (threat view) – End result of operations upon a detected threat (success, none, , quarantine, delete on reboot, or detail pertaining to blocked websites)



Object Scanned (threat view) – Specific object (file, memory, registry key) where a threat was detected

To cancel the filtered view, click the All control button.

Refresh Refresh simply keeps the screen updated. The Auto Refresh button (to the right of the Control buttons) will continuously update information, although it may prove to be disruptive when information of interest is not on the first page of the display.

Scan Scan allows a scan to be performed on a selected endpoint (in the Clients panel). There are three types of scans which may be performed. These are: •

Quick Scan – A scan of all system locations where malware is known to install itself. We recommend this method.



Full Scan – Checks all files on selected drives as well as all areas scanned during a Quick Scan.



Flash Scan – Scans system memory and startup locations for active infections.

Update DB This option forces an immediate signature database update on the endpoint, using current signatures residing on the Malwarebytes Management Console server. If the selected endpoint is offline, a notification message is displayed to inform you that a database update will occur once the endpoint returns to online status.

Status indicators Status of all endpoints is shown in the upper right corner of the Client module. Defined status settings are:

Client Group Organization panel This panel allows addition of Client Groups, as well as certain operations based on specified Client Groups. The concept of Client Groups is a simple one. This allows endpoints to be organized into groups that either represent the way they are used, or the people/departments which use them. Groups allow the Malwarebytes Management Console Administrator to execute scans and updates in a coordinated manner. Combined with use of policies (to be discussed in the Policy Module section of this manual, beginning on page 24), server load and throughput can be maintained at high levels throughout the network while communication between Malwarebytes Management Console and endpoints takes place. The presentation of this panel is similar in nature to Windows Explorer. Initially, the only group that exists is called Ungrouped Clients. You may add groups to suit your specific needs, and you may nest groups as deeply as you wish to create a granular structure, mimicking a Windows file system (as an example).

Management Console Administrator Guide

19

Right-Click Context Menu All operations available in the Client Group Organization panel are performed using the right-click context menu, as shown below.

Following is a description of the operations which are available on this menu: •

Add – Add a new Client Group. The Group name must be unique as it pertains to the hierarchy in the group structure. To clarify, you could create a Sales group under North America as well as a Sales group under Europe, but you could not create two groups named Sales under North America.



Add AD OU as Group – Add an Active Directory Organizational Unit as a Client Group. If your company utilizes Active Directory, you are already familiar with this concept as it is the basis of Group Policy Updates. This provides an extension to your existing methodology.



Rename – Rename a Client Group. Names must maintain uniqueness within the same hierarchical level of the tree. Groups which have been added as Active Directory OUs may not be renamed.



Remove – Remove a Client Group. If a Client Group is removed and there are endpoints which are members of that group, they will be moved to Ungrouped Clients.



Run Quick|Full|Flash Scan Now – Run a scan of the type selected on all members of a selected Client Group. The various scan types are described in the Control discussion earlier in this section.



Update Client(s) Database Now – Update signature databases on all members of a selected Client Group. Please note that while you could perform this operation on All Clients (the highest level of the tree), you may experience network performance issues due to the number of endpoints receiving updates concurrently.



Switch to Other Policy… – Change all members of a selected Client Group to a new protection policy.



Move to Group… – Move a selected Client Group to a new location in the tree, as a child directory of another group selected from a pulldown menu.



Expand All – Expands the tree structure, using the selected Client Group as the top level of the tree.



Collapse All – Collapses the tree structure, using the selected Client Group as the top level of the tree.

Management Console Administrator Guide

20

Clients panel This panel provides high-level information for all endpoints in the network. For the most part, this panel is self-explanatory. Three items do merit additional comments. •

The status of Malwarebytes managed clients is shown just to the left of each endpoint. The following table indicates the possible states of the status icons.



New Policy only contains information on an interim basis. When the policy associated with an endpoint is changed, Policy is the “before” state and New Policy is the “after” state until the next time that the endpoint communicates with the server (defined on the Communication tab for the policy in the Policy module). Once the endpoint communicates with the server, Policy will show the “after” state and New Policy will be cleared.



The status line containing endpoint information may at times be highlighted in alternate colors. If this line is highlighted in red, this indicates that a threat was detected. Even if the threat is removed, the red highlight remains until the next scheduled scan, or until a manual scan is performed on the endpoint. This is done specifically to draw attention to the event. Yellow highlighting indicates the endpoint is using an outdated policy or outdated signatures. If the situation clears, the yellow highlight will return to normal. If highlighting remains yellow, that likely indicates a communication problem between the endpoint and server which prevents the endpoint from getting current information.

Customizing Columns on the Client Tab Information shown here is easily customized. By right-clicking on any column name, you can customize the columns which appear. Following are the various information fields which may be displayed. Fields shown in bold print are displayed by default. ● Domain/Workgroup ● Logon User ● Last Scan Time ● Database Date ● Database Version ● Policy ● New Policy ● Status ● Last Logon User ● Last Scan Result ● Last Offline Time ● OS Service Pack

● IP Address ● Physical Address ● Subnet Mask ● Default Gateway ● Preferred DNS ● Alternate DNS ● Managed Client Version ● Anti-Exploit Version ● Anti-Malware Version ● Anti-Malware Protection Module ● Anti-Exploit Protection Module

Checked fields may be hidden by clicking Hide. Unchecked fields may be displayed by clicking Show. Clicking the checkmark to change the state of the checkbox also has the same effect. You may also clear all client logs from the right-click menu.

Management Console Administrator Guide

21

Client Information panel This panel provides detailed information pertaining to an endpoint which has been selected in the Clients panel. This panel is present only when an endpoint has been selected. Information displayed is broken down into three categories. Each is shown below, with supplemental screenshots to illustrate their purpose.

Client Info Although detailed, this can be considered as summary information for the endpoint, its network connection, basic usage information, and certain Malwarebytes installation parameters. All information shown is read-only.

Please note the entry for Managed Client Version on the left side. This indicates the version of Malwarebytes Enterprise Edition or Malwarebytes Management Console in use when the current client was installed. For users upgrading from a previous version, this also indicates functional limitations that are present in clients until a new push install is performed to upgrade the client. As an example, clients with a Managed Client Version 1.8.x.xxxx have a newer version of Malwarebytes Anti-Exploit than clients with a version of 1.7.x.xxxx. This is insignificant for customers who are not using Malwarebytes Anti-Exploit on their clients, but important to those who are.

System Logs This panel provides status for the endpoint. Scans and abbreviated scan results are available here, as are dates, times and results of signature database updates. If an endpoint is highlighted in yellow (in the Clients panel) – indicating an update issue – you can gain further information regarding that issue here.

You may use the scrollbar on the right side of this panel to scroll through all available status information. Initially, status information is available going back to installation of the managed client. If logs have been subsequently purged, information occurring before that date will no longer be available.

Security Logs This panel provides information about specific threats and exploits which have been detected on the selected endpoint, as well as the resolution of those threats and exploits. As mentioned previously, threats are processed by the Anti-Malware managed client, and exploits are processed by the Anti-Exploit managed client.

Management Console Administrator Guide

22

You may use the scrollbar on the right side of this panel to scroll through all threats/exploits. Initially, status information is available going back to installation of the managed client. If logs have been subsequently purged, information occurring before that date will no longer be available.

Exporting Data Information contained throughout various areas of the Client module can be exported to a CSV file. This is helpful in scenarios where custom reporting is necessary, or when information needs to be provided to personnel who do not access the console. Data can be exported from the following areas via a right-click context menu, and selecting the appropriate action: • • • •

Client View grid (Export Client View…) Threat View grid (Export Threat View…) System Logs tab (Export System Logs…) Security Logs tab (Export Security Logs…)

Data is exported based on the current view and visible columns. For example, if 100 rows are visible per page, but you want to export data for all pages, you will need to change the Pagesize to all before exporting.

Management Console Administrator Guide

23

Policy Module The Policy Module allows the Malwarebytes Management Console Administrator to define one or more policies which describe specifically how Anti-Malware and Anti-Exploit managed clients protects endpoints. Once defined, installation packages may be created which allow pre-configured managed clients to be packaged for deployment using alternative means. In this section, we will discuss each of the features and components which provide this functionality. The following is a screenshot of the Policy Module screen, marked (in red) to show the major sections of the screen.

The Controls section operates primarily on selected policies, but also provides some generic functionality. The Policies section displays all policies which have been defined. Protection Status shows settings for the selected policy – in this case, the Default Policy. Policy Deployment Settings show which endpoints that the selected policy is defined for. We will begin discussion of policies by adding a new policy.

Management Console Administrator Guide

24

Add New Policy Clicking the Add button in the Controls section launches the New Policy dialog box. This dialog box contains several tabs which allow a policy to be created which is very specific to your needs. Please note that the same configuration panels are used when adding a new policy or when editing an existing policy. The title bar is updated to display New Policy or Edit Policy depending on the mode selected.

General Settings The General Settings tab is used to name the policy, and to define basic policy behavior. Most of the settings here are selfexplanatory, but a few are worth mentioning. •

The name specified for the policy must be unique.



It may be necessary to terminate Internet Explorer during removal of certain threats. If this is the case, this checkbox may be checked and a scan executed after the policy has propagated out to the endpoint. Terminating Internet Explorer is obviously disruptive to the user, so this should only be done when necessary.



The client is programmed to communicate information about threats detected to Malwarebytes corporate servers, to assist us in providing effective anti-malware solutions. At no time is information pertaining to your machines, your networks or your environment transmitted. You may uncheck the Anonymously report usage statistics checkbox if you wish, with no loss of functionality.



You may check the Create Right Click Context Menu checkbox so that the endpoint user protected by the client can scan an individual file from within Windows Explorer by right-clicking the mouse. The context menu is available to the user whether or not this checkbox is checked, only the presence/absence of Malwarebytes protection as a menu choice is affected.



Most settings here are related to behavior of the Anti-Malware managed client. The language setting is also associated with the Anti-Exploit managed client.

Management Console Administrator Guide

25

Protection Settings The Protection Settings tab pertains to the Anti-Malware managed client. It is used to enable/disable real-time protection on the endpoint, and to define behavior of the Protection module. By default, the Protection module is enabled. If it is disabled, the green box with the embedded checkmark is replaced by a red box with an embedded ‘X’. Settings are as shown in the above screenshot. Information about each of the Protection settings is as follows: •

While a majority of users choose to use file execution blocking, situations may arise which require that file execution blocking be disabled. These situations are rare, and are usually determined as a result of troubleshooting with or without support of Malwarebytes Business Support. A majority of these cases can be handled through usage of the Ignore List, which will be discussed later in this section.



As with file execution blocking, most users prefer to use malicious website blocking. In rare cases, a user may want or need to visit websites of this type. In this case, malicious website blocking may be disabled or blocking of specific websites may be disabled through use of the Ignore List, to be discussed later.



Advanced Settings allow the Malwarebytes Management Console Administrator to configure the managed client to run with less of a user interface than normal, by selecting Silent mode or Limited user mode. In Silent mode, the only indication that the managed client is present on their machine is the right-click context menu, if that has been enabled on the General Settings tab. In Limited user mode, the managed client is visible as an icon in the system tray, but only with options to start a scan or to check for updates. The right-click context menu is available there as well, if enabled via General Settings.



Auto Quarantine allows files detected as threats to be automatically moved to Quarantine, assuring they cannot be executed or modified. If this option is unchecked, detection of files classified as threats result in notifications being presented to the user while the file remains unaffected. WARNING: If legitimate files are detected as threats and Auto Quarantine is turned on, functionality related to these files would be adversely affected. Legitimate files detected in this manner should be added to the Ignore List.

Management Console Administrator Guide

26



Startup Delay allows the Protection Module to delay activation by the number of seconds specified. In certain circumstances, endpoints using the Protection Module experience performance issues, usually related to slow startup. This is most common with Windows XP-based endpoints, though it may occur with other OS versions as well, depending on specific programs that are executed or initiated at startup. If this occurs in your environment, contact Malwarebytes Business Support for troubleshooting assistance.

Scanner Settings This tab specifies behavior of the Anti-Malware managed client during scanning (as compared to real-time protection offered by the Protection Module). Objects that may be selected are straight forward. The remaining settings are addressed as follows: •

There is no provision for scanning files or objects which are encrypted or password-protected.



A Potentially Unwanted Program (PUP) is defined based on the following criteria: 

Does a user intentionally install the program?



If the user notices the program and sees that it can be removed, do they intentionally remove it?



Do users typically refer to the program as malware, virus, or other non-benign label?



A Potentially Unwanted Modification (PUM) typically takes the form of a registry edit or Active Directory Group Policy edit. By default, Malwarebytes will remove the PUM. You may override the default action via settings, or place a specific legitimate edit into the Ignore List.



Peer-to-Peer (P2P) software is not shown in scan results by default. It is becoming more accepted as a means of updating commercial software, and is sometimes being used by corporate customers for software distribution within the enterprise. You may override the default setting based on your own requirements.

Management Console Administrator Guide

27

Scheduler Settings The Scheduler Settings tab allows addition, modifications and deletions of scans executed by the Anti-Malware managed client, under control of the policy. Added information to further describe Scheduler options are as follows: •

Wake computer from sleep to perform task allows an endpoint to be awakened from sleep mode if it is equipped with Wake-on-LAN hardware capability. Without this capability, the scan is based on the recovery setting specified here.



Perform scheduled scan silently from system account when checked means that scans occur in the background, with no user interaction required. When unchecked, the scan is executed in the foreground by the logged-in user account.



Terminate program when scan completes successfully checkbox determines whether the managed client user interface remains present on the user’s screen if no threats were detected during a scan. This checkbox is relevant only if scans are executed by the logged-in user rather than the system account.



Restart the computer if required for threat removal is not set by default. Checking this box would compromise the integrity of work being performed on that endpoint if a restart occurs. A log entry is created if a restart is required.

Once a new scan has been defined, you may highlight the scan in the New Policy window to edit or delete the scan. You may also add additional scans to be governed by the policy.

Ignore List The Ignore List provides capability for the Malwarebytes Management Console Administrator to specify IP addresses, files, directories, and registry keys to be excluded from scanning by the Anti-Malware managed client. The primary purpose of this feature is to assure that legitimate files, directories and registry keys are not misinterpreted as threats during scans, and that IP addresses which may house files of this type do not trigger web blocking in the Protection Module. While threat signatures are highly accurate, it is impossible to guarantee that a string of data in a legitimate file will never be misinterpreted as a false positive. The following information will assist you with certain types of Ignore List entries: •

The specification C:\Users\RNixon refers to a file named RNixon in the C:\Users directory.



The specification C:\Users\RNixon\ refers to the C:\Users\RNixon directory and all files within that directory.



The specification C:\Users\RNixon\* refers to the C:\Users\RNixon directory, all files within that directory, and any embedded subdirectories.

Management Console Administrator Guide

28



HKEY_USERS \*\Software\Policies\Microsoft\Internet Explorer\Control Panel|HomePage ignores the value “Home Page” for this specific registry key for all users. Both private and public IP addresses may be specified.



There is currently no provision for specification of hostnames or fully-qualified domain names. IP addresses that are dynamically-assigned will present issues with regard to the Ignore List.

Updater Settings The Updater Settings tab controls how and when the Anti-Malware managed client receives signature updates which protect against the most current threats. The managed client normally receives incremental updates (roughly 3 kilobytes, 1/3000th the size of a full database update) directly from the Malwarebytes Internet update server. By assuring that only new definitions are downloaded, network bandwidth is significantly reduced. If more than fifty (50) incremental updates are required to make databases current, a full update will instead be used. If a proxy is required, settings may be specified on this tab. The second method is to receive updates from an alternate distribution source. If you choose an alternate source, you must specify an internet URL, IP address or a Windows UNC file specification where the signature update can be found. The third method is to receive updates directly from the Management Server. When this method is used, incremental updates are not available – only full database updates (approximately 9-12 megabytes). The size of the full update is magnified by the number of endpoints covered by this policy which must receive the update in this manner. Network utilization may be affected during this update. If you choose to get signature updates from the Management Server and the server is not available or inaccessible, you may specify either a custom path or a direct Internet update be used as a failover. If the failover is employed, incremental updates are available.

Communication The Communication tab allows the interval between policy/signature updates to be specified, as well as login information for a proxy server (if required for Internet access). The default setting is continuously variable, from 5 seconds (50 or fewer online endpoints) to 100 hours (200,000 or more online endpoints). You may override the default settings with a user-specified value, though the default interval is designed to strike a good balance between network performance and your protection needs. If you wish to see the table which defines the intervals, please refer to the Managing Malwarebytes in Large Networks Best Practices Guide for further information.

Management Console Administrator Guide

29

Anti-Exploit As shown in the above screenshot, this tab allows basic configuration of the Anti-Exploit managed client. Configuration capabilities of this client are limited, as its purpose dictates its operating characteristics. Settings which may be modified are: •

• •

• • • •

Enable Anti-Exploit protection determines whether Anti-Exploit protection is enabled. When enabled, the graphic immediately below this checkbox is green, with a text message indicating that it is enabled, and a checkmark provided as a quick visual indicator. When disabled, the graphic switches to red, with an accompanying text message, and a large “x” as a visual indicator. This setting also determines whether Anti-Exploit shielded applications can be modified. Do not show alert popup upon exploit detection determines whether user notifications are displayed when attempted exploits are detected. Notifications will be displayed only when this box is unchecked. Do not show Anti-Exploit traybar icon and program interface determines whether the Anti-Exploit managed client is working invisibly as a background task. The endpoint user may launch the Anti-Exploit managed client and/or see its icon in the system tray when this box is unchecked. Otherwise, the client is under complete control of the Malwarebytes Management Console administrator. Automatically upgrade Anti-Exploit on clients provides the capability to automatically upgrade the Anti-Exploit program on the client when an update becomes available. While this setting is specific to a policy, a system administrator would generally choose whether to enable or disable this setting for all policies in use. Show protection events in Anti-Exploit clients determines whether a shielded application will generate an entry in program logs when the application is started. Show Anti-Exploit balloon notifications on clients determines whether a shielded application will generate a visual taskbar notification to the user when the application is started. Anti-Exploit shielded applications is a list of software applications – grouped by type – which may be selected or deselected for shielding. For each application, you may choose whether to shield it or not. It is also important to note that the applications and the grouping of the applications has been chosen because all group members share common attack vectors. This provides optimum shielding capability.

Using the pulldown directly above the grid, you can choose to show all shields, custom shields, or only built-in shields. A checkmark immediately preceding an application indicates that the application is being shielded by Malwarebytes Anti-Exploit. The list of applications shielded by default is limited. You have the ability to add custom shields for other programs. To add a new custom shield, click the Add Shield button at the bottom left of the window.

Management Console Administrator Guide

30

The window shown here launches when the Add Shield button is clicked. It allows you to create a new custom shield, by supplying the following information: • • •

Application name – The application name (as you would like it to appear). Application file name – The name and extension of the application (as it is stored on your endpoint). If an incorrect file name is specified, a shield will be created that accomplishes nothing. Profile – One of several application classes (browser, mediaplayer, office, other, pdfreader) that will be applied. Each of these has different behavior, so be as accurate as possible in order to provide the best protection.

For more information on addition of custom shields via the command line , please refer to the Malwarebytes Anti-Exploit Unmanaged Client Administrators Guide. Advanced Settings allows configuration or fine-tuning of some exploit mitigations included in Malwarebytes Anti-Exploit. Please note that not all exploit mitigations included in Malwarebytes Anti-Exploit can be modified here. Malwarebytes Anti-Exploit has pre-defined defaults which strike the best possible balance between performance and protection. Those exploit mitigations that are available for configuration have been deemed to be relevant to be tuned by users in scenarios where certain non-standard or heavily customized computing environments result in unexpected behavior by Malwarebytes Anti-Exploit (e.g. false positives). WARNING: Improper changes to these settings may result in improper performance and protection offered by Malwarebytes AntiExploit. Make changes only when required to do so by a Malwarebytes Customer Success specialist. Settings on the Application Hardening tab refer to exploit mitigation techniques whose objective is to make protected applications more resilient against vulnerability exploit attacks, even if those applications have not been patched to the latest available fixes by their respective vendors. A screenshot shows the organization of the tab.

• • • • • •

DEP Enforcement is tasked with activation of permanent Data Execution Prevention (DEP) in those applications that do not do this by default. Anti-HeapSpraying Enforcement is designed to reserve certain memory ranges, to prevent them from being abused by Heap-Spraying attack techniques. Dynamic Anti-HeapSpraying Enforcement analyzes the memory heap of a protected process in order to find evidence of malicious shellcode on the heap using heap spraying techniques. Bottom-Up ASLR Enforcement is tasked with addition of randomization to the memory heap when the process starts. Disable Internet Explorer VB Scripting is tasked with preventing the deprecated Visual Basic scripting engine from loading. The scripting engine is frequently abused by exploits. This setting applies only to the browser family. Detection of Anti-Exploit fingerprinting attempts is a technique which detects attempts by popular exploit kits (e.g. Angler) of fingerprinting the victim machine to determine if it should be attacked by its exploit arsenal.

Management Console Administrator Guide

31

Advanced Memory Protection refers to exploit mitigation techniques whose objective is to prevent exploit shellcode from executing its payload code in memory.

• • • • •

Malicious Return Address detection – also called “Caller” mitigation – detects if the code is executed outside of any loaded module. DEP Bypass Protection is tasked with detecting attempts to turn off Data Execution Prevention (DEP). Memory Patch Hijacking Protection is designed to detect and prevent against attempts to use WriteProcessMemory to bypass Data Execution Prevention (DEP). Stack Pivoting Protection is used to detect and prevent exploit code from creating and utilizing a fake memory stack. ROP Gadget detection is tasked with detection and prevention of Return Oriented Programming (ROP) gadgets when a Windows API is called. Provisions are made for individualized protection of CALL and RETurn instructions.

Application Behavior Protection settings provide mitigation techniques designed to prevent the exploit payload from executing and infecting the system. This represents the last line of defense if memory corruption exploit mitigations from previous layers are bypassed. This layer is also tasked with detecting exploits that do not rely on memory corruption (e.g. Java sandbox escapes, application design abuse exploits, etc.) and blocking their malicious actions.

• •

Malicious LoadLibrary protection prevents delivery of a payload library from a UNC network path. Protection for Internet Explorer VB scripting is designed to detect and prevent exploits related to an application design vulnerability known as CVE-2014-6332. For further information on this exploit, please refer to http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6332.

Management Console Administrator Guide

32

• • •

Protection for MessageBox payload prevents exploits from delivering a messagebox as its payload. It is turned off by default as these payloads are normally only used in proof of concepts and do not cause any harm. Protection for Office WMI abuse protects against macro exploits in Microsoft Office using Windows Management Instrumentation (WMI). Protection for Office VBA7 abuse protects against macro exploits in Microsoft Office using Visual Basic for Applications.

Java Protection refers to mitigation techniques which are unique to exploits commonly used in Java programs.

• • • • • •

Prevent Web-Based Java Command Line protects against web-based Java programs issuing system commands. Java malicious inbound shell protection guards against remote shell exploits whose payloads rely on inbound sockets. Java malicious outbound shell protection guards against remote shell exploits whose payloads rely on outbound sockets. Java Metasploit/Meterpreter generic protection is designed to generically detect and prevent attempts to use the Metasploit Java/Meterpreter payload. Java Metasploit/Meterpreter command execution protection is tasked with detecting and blocking commands in an established Java/Meterpreter session. Allow Insecure Java Operations in Internal IP Ranges is primarily used to allow insecure internal tools and applications used within a corporate network without compromising on protection from external Java threats.

The Other Settings tab contains settings which allow you to provide meaningful data to us about exploits you encounter. This is strictly voluntary, and provides information about exploits only…no confidential data will be sent to Malwarebytes. Discovering more about threats discovered in the wild gives us an opportunity to serve you better.

Management Console Administrator Guide

33

Anti-Exploit Exclusion List This tab allows files to be excluded from anti-exploit testing. Actual filenames are optional, because they offer no measure of uniqueness. Many malware attacks have occurred because malware was hidden inside a file whose name was trusted. The AntiExploit managed client uses an MD5 signature to identify a file, because any change to the file results in a change of its MD5 signature. There are a number of MD5 programs available as free internet downloads, and all should generate identical MD5 signatures if hashing algorithms are properly encoded. You may exclude as many files as you wish by entering their MD5 signatures here, one entry per line. If you wish to include the name of the file, enter it after the file’s signature, separating the MD5 and file name with a semi-colon.

Edit The Edit control allows modification of a policy selected in the Policies panel. All screens described previously for Add New Policy are also used here. Upon completion of the policy edit, the policy’s version number will increment. There is no provision for deleting interim policies. If the Malwarebytes Management Console Server maintains a communication path with endpoints affected by the modified policy, the policy will be pushed out to the endpoints. The Clients module should be monitored following a policy change to assure that the policy change has been effected on all endpoints. If a policy change does not occur on the endpoint, it will be highlighted in yellow. A second Edit button at the bottom of the Policies panel has identical functionality.

Copy Malwarebytes administrators often create policies that provide uniform protection across all endpoints, then adjust these basic policies for small subsets of users. For this purpose, the Copy control allows for a new policy to be created from an existing policy. All settings from the selected policy will be applied to the new policy. When using this control, you will be prompted to name your new policy. The new policy will be appended with the word “Copy” as a reminder, and can be edited as necessary.

Remove This control allows a policy to be removed. Any endpoints governed by the policy being removed will automatically be switched to the highest-priority policy with matching deployment include/exclude specifications. Subsequent policy assignment changes to affected endpoints must be performed manually by the Malwarebytes Management Console Administrator. WARNING: If a large number of clients are reassigned as a result of a policy being removed, higher network traffic may result if a large number of clients are getting database updates simultaneously.

Disable This control allows a policy to be disabled. By disabling a policy, you may not assign it to clients. A policy currently assigned to one or more clients may be disabled, following acknowledgement of a warning that the policy is in use. Any clients associated with the policy being disabled will be reassigned to the highest priority policy which is enabled. WARNING: If a large number of clients are reassigned as a result of a policy being removed, higher network traffic may result if a large number of clients are getting database updates simultaneously.

Refresh This control simply redisplays the Policies panel using current policy information.

Installation Package This option provides the capability of creating an client installer that can be used exclusive of Malwarebytes Management Console‘s Client Push Install process. This is advantageous if your organization uses third-party installation software, Active Directory Group Policy updates, or has external employees which connect to your network via VPN. Clicking the Installation Package button launches the Export Client Package window, as shown below.

Management Console Administrator Guide

34

Choose a directory in which the client package will be installed. You can use the standard Windows Explorer dialog to browse to the location of your choice. You must select a client group which the client will be part of once installed. You may choose whether the managed client will be visible to the user by checking or unchecking the setting regarding start menu and desktop icons. You can elect to install the Malwarebytes Anti-Malware managed client, the Malwarebytes Anti-Exploit managed client, either client or neither. If neither client is installed, communication capability between the server and the endpoint is defined and initialized. You may also create a single managed client setup file, as either a stand-alone executable (EXE) file or a Windows Installer (MSI) file. An EXE file is ideal if sending the client via email, placing it on a shared network drive, or by transport on a USB stick. The MSI file is ideal when using third-party installers or AD Group Policy updates. The single file method is recommended. Once all settings have been specified, click Export and the file will be created in the specified directory.

Deployment The Deployment Wizard is a series of four screens invoked by clicking the Deployment control at the top of the screen. The purpose of this is to make a new or modified policy effective on one or more endpoints. The second screen of the wizard allows the policy to be deployed to all endpoints, or to a customized subset using a combination of inclusion and exclusion. A screenshot of this screen is shown below.

Management Console Administrator Guide

35

Clicking the Add button in either the Include or Exclude areas of this screen will allow selection of five different parameters which can be used. Parameters available are: ● IP Range ● Client Group

● Domain ● Host Name

● Subnet

Once deployment parameters have been selected, you must confirm your settings, and finally click Deploy Now to deploy the policy to selected endpoints. The screenshot shown above merits a brief discussion to explain why include and exclude specifications are used in the manner employed here. Specifications for domain and IP Range have both been used here, and they have been used for both include and exclude categories. When deploying Malwarebytes Management Console to your endpoints, you may wish to use policies which provide drastically different behavior for different endpoint groups. In this example, the 10.10.10.x subnet is shared by endpoints on at least two different domains. Because the subnet parameter was not chosen, it is possible that more endpoints in this subnet (10.10.10.100 and above) are managed by different policies. This specific policy will be deployed to endpoints who satisfy the Include specs and also satisfy the Exclude specs. Other new endpoints will be subjected to criteria testing as well. Also, if a policy is deleted for any reason, endpoints will be reassigned to other policies based on (1) Include/Exclude specs, and (2) Highest policy priority. That implies that an endpoint could be reassigned to a policy with low priority if it is the first one which meets Include/Exclude specs that the endpoint satisfies.

Policies panel The Policies panel shows basic information about all policies which have been defined. All information fields displayed here have already been discussed in this section with one exception – policy priorities. This determines which policies are assigned to new clients as well as clients whose assigned policy has been removed or disabled. Policy priorities are determined by using the Move Up or Move Down buttons on the right-click context menu. When performing a client push install via the Admin module, a policy is specifically assigned to the client. When changing a policy for a client via the Client module, a policy is specifically assigned there as well. If a policy is removed or disabled, clients who were associated with the now-absent policy are reassigned, and that is where policy priorities come into play. Based on the include/exclude specifications for enabled policies, those clients will be reassigned to the highest priority policy that applies to them. If multiple policies exist which satisfy include and exclude specifications, care should be taken to choose the correct policy for your needs.

Protection Status panel This panel shows scanner settings that have been configured for the policy selected in the Policies panel. All information shown here is read-only.

Policy Deployment panel This panel shows deployment settings that have been configured for the policy selected in the Policies panel. All information shown here is read-only.

Management Console Administrator Guide

36

Report Module The Report Module provides a series of reports designed to show how Malwarebytes Management Console is protecting endpoints in your environment, breaking down information in a number of formats. All reports can be viewed using the graphical interface. Additionally, they can be printed using the standard Windows print dialog.

Report Selector At the top of the Report Module interface is the report selector. This allows the user to select a specific report to be viewed, the time frame which the report represents, and also provides print capability. The selector is shown here.

Reports that are available here via a pulldown menu are: ● ● ●

Summary Report Top Risk Report Threat Trend Report

● ●

Client Scan Report Client Signature Report

● ●

Policy Deployment Report Server System Report

After selecting a report, you may specify a time frame for the report. Start and end dates may be entered directly, or you may use the pulldown feature to display a small calendar from which dates can be selected. An Auto Refresh button allows report data to be refreshed in real-time. If you are analyzing information which you can see only by scrolling down, you may wish to uncheck the Auto Refresh feature, as each refresh will return you to the top of the data display. You may also refresh on-demand, and use the Tools pulldown to print.

Reports The remainder of this section will describe each of these reports, their purpose, and how they may also be used for troubleshooting of certain issues which may not be easily detected.

Summary Report The Summary Report is a high-level dashboard view of Malwarebytes Management Console system operation. It contains six brief summaries, all based on specified time frames. The summaries provided are: •

Overall System Status – A brief table which sums all of the information shown in the other five summaries, as well as the relative load on the Malwarebytes Management Console server.



Online Clients in Last 24 Hours – A graphical representation of the number of clients monitored in the most recent 24hour period, as well as the number of clients known to Malwarebytes Management Console. The two quantities may easily differ from one another for a variety of legitimate reasons.



Daily Threat Detections – A bar graph showing the daily number of threats detected over the specified time frame by the Anti-Malware managed client.



Daily Exploit Detections – A bar graph showing the daily number of exploits detected over the specified time frame by the Anti-Exploit managed client.



Top 10 Clients with most Threats – A pie chart showing a maximum of ten (10) clients with the highest number of threats detected by the Anti-Malware managed client during the requested time frame. Each is shown with a unique color for ease of reading.



Top 10 Clients with most Exploits – A pie chart showing a maximum of ten (10) clients with the highest number of exploits detected by the Anti-Exploit managed client during the requested time frame. Each is shown with a unique color for ease of reading.

All summaries which appear here are supplemented by more detailed reports that provide additional detail. The primary purpose here is simply to provide the high-level view of several topics, all at the same time.

Management Console Administrator Guide

37

Top Risk Report This report provides several “top ten” pie charts with corresponding tables that provide further information. These are: Top 10 Threats – Pie chart focused on specific threats detected by the Anti-Malware managed client, with information provided about users, endpoints and number of detections.

Top 10 Exploits – Pie chart focused on specific threats detected by the Anti-Exploit managed client, with information provided about users, endpoints and number of detections.

Management Console Administrator Guide

38

Top 10 Clients with most Threats – Pie chart focused on the number of threats (as determined by the Anti-Malware managed client) encountered by each endpoint. There is no reference to specific threats involved.

Top 10 Clients with most Exploits – Pie chart focused on the number of exploits (as determined by the Anti-Exploit managed client) encountered by each endpoint. There is no reference to specific exploits involved.

Management Console Administrator Guide

39

Top 10 Users with most Threats – Pie chart focused on the number of threats encountered by each user, as determined by the AntiMalware managed client. There is no reference to the specific threats involved.

Top 10 Users with most Exploits – Pie chart focused on the number of exploits encountered by each user, as determined by the Anti-Exploit managed client. There is no reference to specific exploits involved.

Management Console Administrator Guide

40

Top 10 Applications targeted by Exploits – Pie chart focused on the number of exploits encountered by each user, as determined by the Anti-Exploit managed client. There is no reference to specific exploits involved.

Threat Trend Report This report provides vertical bar graphs to show both threat detections and exploit detections for each week and each day of the specified time frame. There is no detail provided as to the number of threats/exploits, or to endpoints or usernames involved. Statistics pertaining to threats are based on detections by the Anti-Malware managed client. Statistics pertaining to exploits are based on detections by the Anti-Exploit managed client.

Management Console Administrator Guide

41

Management Console Administrator Guide

42

Client Scan Report This report shows the ratio between completed scans and in-process scans over a specified time frame for all Anti-Malware managed clients. The number of in-process scans should be at or near zero, as these should reflect only those initiated but not yet completed. In-process scans that do not fit these criteria indicate problems on an endpoint which prevent scan completion.

Client Signature Report This report shows two pie charts, the first representing the count of Anti-Malware managed clients sorted by Signature Database version, and the second sorted by the number of clients (in descending order) based on the Signature Database version used. Information presented on the two is essentially the same. Only the sort order is different. Information shown is current as of the time that the report is generated. There is no relation to selected start and end dates.

Management Console Administrator Guide

43

Policy Deployment Report This report is a group of five subreports which focus specifically on policies used by managed clients. Please note that information shown is current…there is no relation to selected time frames. These subreports are: Policy Distribution – This report shows a graphical representation of endpoints utilizing different policies/policy versions. Malwarebytes Management Console initially assigns a default policy which can be customized by the administrator, and also allows creation of new policies tailored more closely to specific needs of individual endpoints, departments, or users. If the Up-to-date versus Out-of-date report indicates endpoints using obsolete policies, this report will tell you which policies are affected, allowing the situation to be corrected.

Up-to-date versus Out-of-date – This report shows the ratio between endpoints with up-to-date policies compared to out-ofdate policies. This implies endpoints which have not updated to policies which have been updated. This indicates a communication issue between these endpoints and Server, and is clarified further by the Policy Distribution report.

Management Console Administrator Guide

44

Anti-Malware Protection Module Status Statistics – This report shows the ratio between Anti-Malware managed clients taking advantage of real-time protection (Protection Module enabled) compared to remediation mode (scheduled scans only).

Anti-Exploit Protection Module Status Statistics – This report shows the ratio between Anti-Exploit managed clients taking advantage of real-time protection (Protection Module enabled) compared to endpoints with no Anti-Exploit client installed.

Management Console Administrator Guide

45

Top 10 Client Groups with most Clients – This report shows the distribution of endpoints by client groups in a pie chart format, with specific number of clients in each group shown in a corresponding table. This report is limited to the ten most populous client groups. Endpoints listed as Ungrouped Clients are also shown. Because network throughput can be negatively impacted by signature updates, scans and reporting of scan results, it is ideal to utilize Client Groups to equally distribute this load as widely as possible to minimize traffic spikes. This report is extremely valuable in that regard.

Server System Report This report shows various statistics pertaining to the Malwarebytes Management Console Server in a table form. While a majority of the information presented here is static in nature, the administrator should pay attention to the amount of system disk free space and database disk free space. Both of these values are critical to system operation.



System Disk Space is a finite number, and on this report is limited to drive C (the primary disk drive).



System Disk Free Space also refers specifically to drive C. Malwarebytes Management Console will have an effect on this value by creation of server logs, client logs being processed and logs which are created as a result of infrastructure operations. Additionally, if SQL Server is used in place of SQL Server Express, increases in Database Disk allocation will cut into System Disk Free Space as well. While no large changes are expected here, this should be monitored on a periodic basis.

Management Console Administrator Guide

46



Database Disk Space represents the amount of disk space that has been allocated for database usage. If SQL Server Express is used, this number should not exceed 10000 MB (megabytes). If SQL Server is used, this value will often exceed 10000 MB, and may increase over time if the SQL Database Administrator determines that higher disk allocation is required.



Database Disk Free Space is a critical parameter, and represents the difference between Database Disk Space and the amount of disk that is currently being used. If this value drops to near zero or begins to decrease at a more rapid pace than has been noted during monitoring, increased disk allocation (SQL Server), database maintenance (both SQL Server and SQL Server Express) or database migration (SQL Server Express) may be required. This parameter should be monitored on a regular basis.

Please note that all of these values are determined to be accurate only when the Malwarebytes Management Console Server is installed on a physical server. If installed on a VMware virtual machine, known accuracy issues exist.

Management Console Administrator Guide

47

Admin Module The Admin (Administration) module is used to perform server administration tasks. The Admin page features the following tabs: • • • • • • • • •

Overview – Server license/identity settings Database Settings – SQL database and cleanup settings Signature – Update settings Administrators – Defines administrators/users and their permissions Admin Logs – Access to server operation logs Client Push Install – Endpoint discovery, install simulation and client installation Email Notifications – Settings pertaining to email notifications Syslog Settings – Defining specifications for logging of client security events Other Settings – General server settings, including proxy and Active Directory connectivity

Overview tab The Overview tab displays information pertaining to your Malwarebytes Management Console client license(s) and server communication settings. All settings are modifiable by the Malwarebytes Management Console Administrator. A screenshot is shown below.

Information for each setting is presented below.

License Information This panel provides information pertaining to your client license(s), as well as the capability to contact Malwarebytes Sales regarding licensing and licensing questions, and to enter new product license(s) which you have obtained for your Malwarebytes Management Console installation. Referring to the above screenshot, you will notice that Malwarebytes Anti-Malware has been installed. In this instance, Malwarebytes Anti-Exploit has also been installed. Both client license status are shown as Licensed. In addition, each has a Get License button. Clicking this button connects you to the Malwarebytes website so that you may purchase additional seats. If your status is Unlicensed, clicking the Get License link allows you to purchase licenses.

Management Console Administrator Guide

48

In addition to indicating the number of seats purchased for a given license, Seats Used Locally and Seats Used Globally are also displayed. These represent the number of seats used from the local management server as well as the number of seats used on all management servers which are associated with the same license key (if applicable). Please note that license information is automatically updated every twenty-four (24) hours.

Server Address Settings The Server Address Settings panel shows current settings for the Malwarebytes Management Console Server Address, Client Communication Port number, and Server Communication Port Number. Initially, the Server Address is based on the endpoint’s IP address. You may also use a fully-qualified domain name (FQDN) instead of an IP address. WARNING: The Server Address is used for all communications between the Malwarebytes Management Console and managed clients deployed on endpoints. Use of a static IP address is highly recommended. If this is not possible, a fully-qualified domain name should be used instead. If the IP address is changed after any client software has been deployed, communication failures between client and server will occur. You may use the Force Managed Clients to use new address checkbox to push the server address out to clients, however offline clients may require further attention. If this is the case, please refer to the Malwarebytes Endpoint Security Best Practices Guide. Port numbers shown are default ports used by Malwarebytes Management Console. The Server Administration Port uses the standard port number assigned for SSL communications. If the server used for Malwarebytes Management Console is also home to other web-based services/applications, you should change this port number to prevent conflicts.

Database Settings The SQL Database Setting panel specifies the data storage mechanism used by Malwarebytes Management Console. It also allows a new external database/instance to be specified in place of the existing database, regardless of whether the existing database is SQL Server Express or an external SQL Server. If an external SQL Server database is specified, the following information must be supplied. •

Database Address – IP address/FQDN of the server on which SQL Server is installed (if different than the server on which Malwarebytes Management Console is installed), and the pre-existing instance name, in the format: IP-or-FQDN\instance



SA User Name – Pre-existing username of the SQL Administrator (or another database user with permissions set to the same level as the SQL Administrator).



SA Password – Password assigned to the database user.

The new database/instance must already exist prior to this change, and security permissions must be set appropriately for the SQL Administrator username that is also specified as part of this change. WARNING: If a change is to be made to the SQL Database setting after Malwarebytes Management Console has been put into operation, the customer must take responsibility to migrate all data from the old instance to the new instance prior to implementation of the database change. Depending on the volume of data to be migrated, the amount of time required to perform this task should be considered.

Cleanup Settings This option allows the Management Console Administrator to define how long threat information is retained, and as a result, the valid lifespan of reporting data. You may choose to retain data indefinitely, or you may choose one of several different cutoff dates. It is strongly recommended that the Malwarebytes Management Console Administrator be extremely familiar with disk usage as a function of available space in the SQL environment. This is typically more of an issue if SQL Server Express is used as the Malwarebytes Management Console system database, but should not be taken for granted.

Management Console Administrator Guide

49

Signature tab This tab displays current database update settings, with provision to modify the time interval between updates. The version number of the threat database increments with each update. The version number shown uses a specific naming convention. Using an example will help to illustrate that. If the version shown is v2017.02.24.09, that indicates the ninth update issued on February 24, 2017. The calendar used is referenced to Greenwich Mean Time (GMT), so North American users may see version numbers which appear to be one day in the future if they look at this tab in the evening. If you wish to load available signature updates prior to the next scheduled update time, you may do so by clicking the Update Now button. Clicking the Change… button associated with Update Frequency will display the Update Settings dialog as shown below. Threat signatures are updated on a regular basis. One of several time intervals may be selected using the pulldown menu shown. If a direct connection to the internet is not available and a proxy server is used, you will need to configure proxy server settings, located in the Other Settings tab.

Administrators Tab The Administrators tab contains a list of system users/administrators authorized to use Malwarebytes Management Console. Within this discussion, the term user applies to both Malwarebytes Management Console users and administrators. For each user, the list contains name and contact information, their role, the IP address from which the user last logged on, and the date and time of that logon. The Administrators tab is shown here.

At the bottom left of the screen are four options which allow addition, deletion and modification of user information.

Management Console Administrator Guide

50

Add New User Clicking the Add new user… button allows the addition of one or more new Malwarebytes Management Console users via the Add New User window, which pops up at the center of the screen. That window is shown here. Panel behavior is dependent on whether users are input directly via this panel, or imported from Active Directory. This determination is made by checking construction of the User Name as it is being typed. If User Name contains a backslash (\) or at sign (@), data entry access to most other fields is immediately disabled, the assumption being that data will instead originate from Active Directory.

When Malwarebytes Management Console is integrated with Active Directory, you also have the ability to import AD groups. If the user name fits the criteria for an Active Directory domain, the is user group in AD checkbox becomes available for selection. There is no password associated with it. For that reason, a group cannot logon to Malwarebytes Management Console as a user. The value in adding an AD group here is that every member of the AD group becomes a valid user because of their AD group membership. You may also assign a Role to the new user. If Role is defined as Administrator, the new user has full control of Malwarebytes Management Console. If Role is set to User, the Permissions button allows granular authority to be specified with the User Permission panel. A screenshot of a portion of that panel is shown below.

Management Console Administrator Guide

51

Five primary roles have been defined, which may be selected using the Template pulldown at the upper left corner. Once selected, you may choose specific permissions that you wish to be assigned to that role. In the screenshot above, only Client-based roles are shown to illustrate capabilities. A full list of default permissions assigned to each role is shown in the following table.

In addition to the permissions which you have granted to the user, you may specify where the user may exert this authority. This is done on the Groups Setting tab. A group is a collection of endpoints that have been organized based on something which they have in common. This may be where they are located, who uses them, or the type of roles which they are used for. That is up to the administrator. Please see page 19 of this guide for more information pertaining to groups and how they may be used. You may grant a user authority over all groups, or only over specified groups. A screenshot of the Groups Setting tab is shown here.

Management Console Administrator Guide

52

When you select Customize client group access, you may select the checkbox for each defined group to grant authority over the group. There are a few rules which apply here: •

If Customize client group access has been specified and all groups have been selected, that does not equate to Allow access to all client groups. If a new group is added later, the user will not have any authority over that group unless authority has been specifically granted for the newly-added group.



Inheritance applies to group selection. Using the example shown above, selecting the Test group also selects the Office subgroup, because it is a child of Test. Selecting the Office group does not grant authority over the Test group.

Remove User This option removes the highlighted (selected) Malwarebytes Management Console user account, regardless of whether it was created locally or through Active Directory. All login credentials and permissions will be removed, and the account will no longer be active in the Administrators list. If the specified Malwarebytes Management Console user was created through Active Directory, the account will remain there until removed through Active Directory, but will no longer have login access to Malwarebytes Management Console.

Management Console Administrator Guide

53

Import Domain User You may also create Malwarebytes Management Console users through the Import Domain User option. Clicking this button launches the Import Domain User panel, as shown below. PLEASE NOTE: If you have not specified a Domain Query Account prior to execution of this command, you will be prompted for a user name and password associated with that account.

The left side of the screen shows the Organizational Unit (OU) structure of the Active Directory installation. When the domain is selected (as shown here), the only AD users that can be imported are ones who are not members of an organizational unit. Selecting an individual OU permits only those users who are a member of that OU to be imported. Permission settings for the selected users may be defined in the same manner as described in the Add New User option which was outlined earlier. In the above screenshot, one AD user is grayed out, and his name is preceded by a checkmark in the checkbox. This indicates that he has already been added to the list of Malwarebytes Management Console Administrators. You may also import Active Directory groups in a similar manner. As the above screenshot shows, both users and groups are available for import into Malwarebytes Management Console. Creation, organization, and membership of groups are performed in Active Directory, and all group settings are inherited by Malwarebytes Management Console when the group is imported. It is also possible for an Administrator to add a group of users with pre-set permissions, as well as import individuals that belong to that group as individual Administrators with different permissions than the group was assigned. This allows Active Directory administrators to update or change permissions for particular users through the Malwarebytes Management Console alone for Malwarebytes-specific permissions.

Synchronize User This option issues queries to the domain’s Active Directory Server for all Administrator users and groups, and updates Malwarebytes Management Console with data returned from the query. Domain User/Admin changes made in Active Directory must be reflected in Malwarebytes Management Console to remain synchronized with Active Directory. Please note that this option and the Sync Now button on the Other Settings tab of the Admin module perform different tasks. Here, synchronization is specific to AD users and groups. The Sync Now button is specific to endpoints and networked devices which are governed by Active Directory.

Management Console Administrator Guide

54

Admin Logs Tab The Admin Logs tab contains a running log of user logins, logouts, actions taken by users, and the results of those actions. All information shown here is read-only. The following information is presented in the log: ● ● ● ●

Event Date and Time User Name Console IP address Category (event type)

● ● ●

Event ID Event Description Malwarebytes Management Console Server Name

You may sort on any of these items by clicking on the item. Clicking the item a second time reverses the sort order. Right-clicking anywhere in the active area of the log displays a context menu which enables the user to refresh the display, save the log as a text file, filter based on any of the categories shown, reset the filter, or clear all logs. Please note that this context menu does not act on individual log entries, but on the log as a whole.

Client Push Install Tab This tab enables the Malwarebytes Management Console Administrator to remotely install managed client software on endpoints. There are pre-requisites that must be met before this is possible, to assure that the managed client can communicate with the Malwarebytes Management Console. These are listed in System Requirements: Managed Clients, on page 6.

Pre-Requisites – Creation of Policies (optional) Another item which must be considered before client software can be pushed out to endpoints is the definition of policies. In a nutshell, a policy determines client behavior. Depending on an endpoint’s function, location, and vulnerability level, many operational parameters may be tuned to afford the best protection. In lieu of a set of pre-defined policies, a single default policy may be used. This subject is described in detail in the Policy Module section of this guide, beginning on page 24.

Pre-Requisites – Creation of Client Groups (optional) The final item which must be considered is creation of client groups. Assigning managed clients to client groups helps to maintain higher network throughput by coordinating use of network resources during heavier communication between Malwarebytes Management Console and its clients. This subject is described in detail in the Client Module section of this guide, beginning on page 18.

Scanning the Network – Scan Selection Options The first step in deployment of client software is to identify endpoints. This is done by scanning the network. A preliminary required step is to choose what to scan. This is shown in the screenshot below.



Scan IP range allows you to select a contiguous block of IP addresses. All networked devices within that address range are selected, without regard to device type. Computers, servers, printers, and all other networked devices whose address is within the specified range will be scanned. PLEASE NOTE that a maximum of 65536 IP addresses can be scanned. Using the address shown above as an example, the maximum range is from 10.10.0.1 to 10.10.255.255. When using contiguous address ranges, the first two octets must remain fixed, while the full range of addresses in the last two octets is available.



Scan IP addresses from file provides the capability to use a text file which contains a list of IP addresses, host names, and fully-qualified domain names (FQDNs) – one entry per line. This method is valuable if your LAN contains a small isolated subnet or if you utilize VPN connections for remote users/facilities.

Management Console Administrator Guide

55



Scan computers under OU provides the capability to build your list of endpoints directly from the Organizational Unit structure contained in Active Directory, as shown in the screenshot below.

This screenshot shows two examples of how Organizational Units may be selected for scanning. Either of these models may represent your AD structure, but most Active Directory administrators agree that no single model is ideal for every company. The example on the left shows a hierarchy where each OU is individually selected. Each department has two OUs associated with it – Devices and People. Only the Devices OU is relevant for the purpose of scanning. The example on the right shows a hierarchy where each departmental OU is part of a higher-level Devices OU. Here, selecting Devices will automatically select every departmental OU below it in the hierarchy. If any of those OUs were to be omitted, it by itself could be unchecked. Again, your AD layout will determine how you select OUs for scanning.

Scanning the Network – Scan Execution Options Once endpoints/IP addresses have been selected for scanning, the actual scanning may take place. Malwarebytes Management Console provides a number of ways to scan your network. Clicking the Scan… button launches the Scan Network window in the center of the screen, as shown below.

This window allows selection of the specific type of scan to be used. There are two primary scan options, the second option allowing for further specification of methods. Detailed descriptions of these methods are detailed here, to increase understanding of the process, as well as to assist with troubleshooting should any problems arise.

Management Console Administrator Guide

56

Option 1A: Scan IP range/Scan Network – Malwarebytes Management Console uses Address Resolution Protocol (ARP) to query each IP address in the specified address range. Detected endpoints respond with their IP address and MAC address. Malwarebytes Management Console then uses UDP to request identity information from these endpoints’ NetBIOS Name Service. Detected endpoints respond with their hostname (in reverse-text order). Option 1B: Scan IP range/Scan network and Detect Client Software – This method begins with the steps outlined in Option 1A. When complete, Malwarebytes Management Console uses SMB over TCP to transfer files to the remote endpoint. A remote service is then created and executed, which detects existing managed client software on the endpoint (if present). Detection status is returned to Malwarebytes Management Console, followed by termination of the remote service, deletion of the test files, and termination of the connection between server and endpoint. Authentication on the endpoint is required. If the user name specified does not have sufficient permissions, Windows Management Instrumentation (WMI) must be employed. Option 2A: Scan IP addresses from file/Scan Network – This method behaves in the same manner as Option 1A, the only difference being that host names and/or fully-qualified domain names are converted to IP addresses via usage of NetBIOS Name Service before detection attempts take place. Option 2B: Scan IP addresses from file/Scan network and Detect Client Software – This method is similar to Option 1B, the exception being that host names and/or fully-qualified domain names are converted to IP addresses via usage of NetBIOS Name Service before detection attempts take place. Option 3A: Scan endpoints under OU/Scan Network - Malwarebytes Management Console issues a LDAP query to Active Directory, requesting a list of all endpoints based in the selected Organizational Unit (OU). Using that list, Malwarebytes Management Console populates an internal database table with identifying information for each endpoint, then using the endpoint name returned from Active Directory, query the domain name server for the IP address. Finally, the MAC address will be obtained utilizing steps outlined in Option 1A (above) WARNING: Active Directory enforces a policy which specifies a maximum of five thousand (5000) results can be returned via an LDAP query. This policy may be changed by the AD administrator, but LDAP queries issued by Malwarebytes Management Console are subject to this policy. If the maximum number of results is returned as a result of this query, Malwarebytes Management Console cannot issue successive queries to access the remainder of the endpoints. In this case, lower level OUs should be utilized (when possible) to return all results. WARNING: The list of endpoints returned as a result of an LDAP query may contain both client and server-class computers if they are members of the same OU. A Malwarebytes Anti-Malware managed client should not be installed on a server, while it is acceptable to install a Malwarebytes Anti-Exploit client on a server. If you are not using Malwarebytes Anti-Exploit, you may ignore servers as part of any subsequent client installation and/or monitoring. Option 3B: Scan computers under OU/Scan network and Detect Client Software - This method begins with the steps outlined in Option 3A. When complete, Malwarebytes Management Console uses SMB over TCP to transfer files to the endpoint. A remote service is then created and executed which detects managed client software on the endpoint (if present). Detection status is returned to Malwarebytes Management Console, followed by termination of the remote service, deletion of the test files, and termination of the server-client connection. Authentication on the remote endpoint is required. If the user name specified does not have sufficient permissions, Windows Management Instrumentation (WMI) must be employed. Please note that the warnings specified for Option 3A also apply here. The following screenshot shows the results of a scan using the Scan IP Range method. In this case, there are four endpoints within the IP address range specified (10.10.10.2-10.10.10.254, Malwarebytes Management Console being 10.10.10.1).

Management Console Administrator Guide

57

If the scan showed results which contained endpoints where managed clients had previously been installed, you may hide those endpoints by checking the Hide installed client checkbox. The scan may also show devices which are not eligible for installation of managed clients (servers, printers, fax machines, etc.). These devices can be hidden by checking the Hide ignored device checkbox. The Admin Logs tab will show the full results of the scan, including all of the IP addresses specified regardless of whether a networked device is associated with that address. Text that appears for addresses of this type is: Scan failed. A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond Malwarebytes Management Console considers lack of response as a failure. Malwarebytes Management Console cannot determine whether a lack of response is due to no device present or due to a networking failure. Please note the icons shown to the left of each endpoint name. There are four unique icons used to indicate the status of each endpoint identified during the scan. This screenshot shows each status icon.

This is the first time that these endpoints have been scanned, specifically for the purpose of identifying targets for managed client installation. As a result, their status (as a client) is unknown. Referring to the Scan Results screenshot, one endpoint is highlighted for the purpose of showing the context menu. The menu is shown here Five different operations can be performed on selected clients using this context menu. Each of these operations is explained below.

Management Console Administrator Guide

58

Simulate Client Install This option tests the ability of Malwarebytes Management Console to open communication ports between itself and an endpoint on which a managed client is to be installed on. Once ports have been opened, the server will push several files to the endpoint, create a service on the endpoint, use that service to execute certain files, gather pass/fail status, return that status to the server, terminate the remote service, and finally delete files that were sent to the endpoint. If all of these tests pass, the simulation is considered to be a success. Please note that this is only a simulation, and does not actually perform a client push install. Because this process adds, deletes and executes files that are located on another endpoint, authentication is required. The domain user name and password for an administrative user on the endpoint is required. In addition, there may be times in which permissions for the administrative user do not provide the level of permissions required for an installation/simulation to occur. In this case, Windows Management Instrumentation (WMI) is utilized to perform the simulation. The WMI service must be running on the endpoint, and the simulation must be performed by an admin user whose permissions allow use of the WMI service.

Client Push Install This option allows managed client software to be installed on an endpoint in the corporate network. A screenshot of the Client Push Install panel is shown below.

A Domain\User Name and its associated Password are required for this process. These credentials must provide administrative access to the endpoint on which the managed client is to be installed. If there are any permissions issues where the admin user may not be able to accomplish installation tasks, the Enable WMI checkbox can be checked. You may elect to install managed client software on this endpoint as a member of Ungrouped Clients, or as a member of a specific Client Group. A complete discussion of this topic is in the Client Module section of this guide (page 18). In addition, a Policy must be selected before installation can occur. This determines behavior of the managed client during operation. A complete discussion of this topic is in the Policy Module section of this guide (page 24). You may also choose whether the managed client is visible to the endpoint user via entries on the Windows start menu and desktop icon. If this option is selected, both will be created during installation. If unselected, neither will be created. There is no provision for creating only one of the two visible indicators of Malwarebytes presence on the endpoint. Finally, you can elect to install the Malwarebytes Anti-Malware client, the Malwarebytes Anti-Exploit client, either client or neither. If neither client is installed, communication capability between the server and the endpoint is defined and initialized.

Client Uninstall This option uninstalls a managed client from a selected endpoint. This option should be used as a preferred method of uninstalling software because it removed the managed client and updates client status on the Malwarebytes Management Console Server.

Management Console Administrator Guide

59

Ignore Device(s) A network scan will detect every networked device on a network. While you may wish to see every networked device appear on scan results, it is of little value to see printers, servers, or other networked devices where a managed client cannot be installed. Selecting and ignoring these devices will change their status icon. You may also check the Hide ignored device checkbox at the upper right corner of the display to hide them.

Copy to Clipboard This option copies scan results (in text format) to your clipboard, so that you may paste it into Notepad. If you have changed the sort order of the displayed results, the copied results will reflect the information as displayed.

Email Notifications tab This tab allows the administrator to define the conditions which will cause Malwarebytes Management Console to send out email notifications. Click the Change… button to define settings specific to your environment. That results in launch of the Notification Settings window, as shown below.

General tab Here, you can specify detail about notifications to be sent, which includes: • • • • •

Email addresses of notification recipient(s). Multiple recipients must be separated by a semicolon (;), and the recipient list must be terminated with a semicolon (;). Email sender, sender’s email address and subject prefix of the notification. IP address (or Fully Qualified Domain Name) and port number of the mail server to be used. Whether authentication is to be used, and if so, a username and password that must be used for authentication. Whether SSL/TLS security is to be employed.

PLEASE NOTE: • If you are unsure about server name/IP or port numbers to be used, please consult with your system administrator. • All email addresses to be used may be subject to validation by your email server. Use the Send test email button to verify successful operation. We can now turn to the notification message itself, which is handled in this window as well – on the Notifications tab. The following screenshots illustrate how individual messages are created.

Management Console Administrator Guide

60

Notifications tab This screen allows the administrator to select any or all of the four classes of notifications which may be sent. In the order shown, these are: • • • •

Threat detected by Malwarebytes Anti-Malware Threat detected by Malwarebytes Anti-Exploit Issue preventing threat signature updates from being downloaded Management Server database size is nearing 70% of maximum allocation. Please note that this message class applies only when Microsoft SQL Express is used as the system database.

There are several subclasses available for anti-malware notifications, described in the following screenshot. Also, note the [msg] links shown to the right of each notification class. They are described below.

By clicking the Advanced… button, you can choose whether notifications will occur for all anti-malware threats, or only for certain criteria. Please note that the added trigger criteria is available only for notifications related to detection of malware threats.

On this screen, you can define the notification subject and the message content. The subject is tacked onto the end of the subject prefix (defined on the first notification screen). Each threat-based notification may reference multiple endpoints, and may be based on a single event, or on events which have occurred during a time interval. Please see Additional Notification Settings on the following page for more detail on this topic.

The following is a sample email notification sent as a result of product testing. While the specifics included on the message are unique to the testing environment, the overall structure of the message is consistent with what you can expect in your environment.

Management Console Administrator Guide

61

From: MBMC Test Sent: Monday, February 02, 2015 12:42 PM To: ALL Subject: MBMC: Anti-Malware threat detected Malwarebytes Management Server Notification -------------------------------------------Alert Time: 2/2/2015 12:42:25 PM Server Hostname: SERVER2012R2 Server Domain/Workgroup: mbmc.net Server IP: 10.60.2.39 Notification Catalog: Client Description: Anti-Malware threat is detected, see details below: 2/2/2015 12:41:27 PM WIN-STL98C5KFMR 10.60.1.59 2/2/2015 12:41:27 PM WIN-STL98C5KFMR 10.60.1.59

MBAM.Test.Trojan Quarantined C:\Users\windsor\Desktop\test-trojan.exe PUP.Optional.Dotpitch Quarantined C:\Users\windsor\Desktop\Test_PUP.exe

Total count: 2. -------------------------------------------Comment: This email was generated by Malwarebytes Management Server. Please do not reply to this message.

Throttling tab Keeping you informed with regard to threats is very important to us, but and we want to make sure that meaningful notifications are delivered to you in a timely manner. We have provided throttling settings on this tab, which help to stabilize communications on overloaded email systems, or in the case of a severe malware attack. Please refer to the screenshot below. Notifications may be sent for individual threat detections or by time interval. You may fine-tune these settings. Malware notification settings are identical to exploit settings, and each are handled separately. You can specify the number of notifications sent for all endpoints combined during a specific time period, the interval between notifications, and the maximum number of threats that will appear in each notification. The interval is to prevent your email system from being overloaded. If the number of threats exceeds the maximum number specified, the notification will include a cross-section of the oldest and newest threats that appear in the notification. Minimum, maximum and default values are shown in the screenshot.

Additional Notification Settings There are two additional notifications whose configuration is not exposed to the user in the console interface. These pertain to database notifications. The ability of Malwarebytes Management Console to manage and report on endpoints ceases if maximum database allocation is reached, so it is critical to maintain free space in the system database. This feature is provided primarily to assist users who do not have a database administrator (DBA) on staff, and is not meant to replace that staff role.

Management Console Administrator Guide

62

These settings can be found in file: C:\Program Files (x86)\Malwarebytes Management Server\SC.Server.WindowsService.exe.Config

In this XML configuration file, these settings are at the bottom of the section. They are shown here:

AlertMaxDatabaseLimit indicates the maximum storage allocation available in the SQL Express database instance (in bytes). You may choose a limit which is less than the maximum if you choose. AlertMaxDatabaseThreshold indicates the percentage of storage used as compared to maximum storage allocation. The default value is 70%. After changes have been made to this configuration file, save the file and close it. While changes have been made, you must perform two final steps to make these changes go into effect. This should only be done during a quiet period or a maintenance period. First, exit Malwarebytes Management Console. Finally, use the Windows Start Menu to run services.msc. The Windows Services screen will be displayed as shown below.

Displayable areas have been resized here to improve readability. Find the service named Malwarebytes Management Service, rightclick to access the context menu and Restart the service. Once this has been completed, close the Services screen and launch Malwarebytes Management Console. This causes the configuration changes to take effect. WARNING: This configuration file contains many system settings. It is not designed or intended for usage by customers. Endpoint protection may be impacted by direct modifications to this file. With the exception of the two settings shown in this section, please continue to make all system configuration changes through the Malwarebytes Management Console user interface.

Syslog Settings Malwarebytes Management Console includes the ability to send security events generated by Malwarebytes Anti-Malware and Malwarebytes Anti-Exploit managed clients to a syslog server. This allows your security administrator to view Malwarebytes protection activities as part of a site-wide security philosophy. By default, logging to an external Syslog server is disabled. Click the Change button to launch the dialog box shown here.

Management Console Administrator Guide

63

Enable logging by selecting the checkbox at the upper left corner. You must specify the IP (or FQDN) and port number of the Syslog server which you wish to connect to, as well as the preferred communication protocol. You may specify any Facility number (in the range 0-23) and any Severity (in the range 0-7) for events which originate from Malwarebytes managed clients. Please note that no validation of these specifications is performed. It is the responsibility of the customer to assure that a proper communication channel exists based on data provided.

Log data is sent to the Syslog server in CEF or JSON formats. Each entry contains the date, time, Facility, Severity, Host (hostname for the server on which Malwarebytes Management Console is installed, application (“Malwarebytes-Endpoint-Security”) and log data. Sample log entries are shown below, in both formats. For each, two versions are presented. The first version is the raw log entry as it would appear in system logs. The second version is presented solely to aid in the reader’s understanding of the format.

CEF Raw Log Entry 04-08-2016 08:11:01 User.Alert 127.0.0.1 1 2016-04-08T08:11:01.10-07:00 PC-WIN123 MalwarebytesEndpoint-Security 824 - - CEF:0|Malwarebytes|MBMC|1.7.0.3208 MBAM:1.80.2.1012 DB:913030101 MBAE:1.08.2.1189|DETECTION|Exploit ROP attack blocked|5|deviceExternalId=d6961b91-6098-48c4-a64eff75c9e5550e dvchost=PC-WIN123 deviceDnsDomain=WORKGROUP deviceMacAddress=00-0C-29-7C-15-AB dvc=192.168.10.50 rt=Apr 08 2016 08:10:57 -07:00 cn1=1 cn1Label=ObjectTypeScanned cs6= cs6Label=ObjectScanned cat=DETECTION cn2=1 cn2Label=Action act=BLOCK outcome=success suser=jdoe cs5=data cs5Label=Data msg=Attacked application: C:\\Users\\jdoe\\Desktop\\iexplore.exe; Parent process name: explorer.exe; Layer: Protection Against OS Security Bypass; API ID: 453; Address: 0x76F5FE07; Module: ; AddressType: ; StackTop: 0x002F0000; StackBottom: 0x002ED000; StackPointer: ; Extra: fname=Internet Explorer filePath=C:\\Users\\jdoe\\Desktop\\iexplore.exe sourceServiceName=MBAE cs1= cs1Label=Payload cs2= cs2Label=PayloadChecksum cs3= cs3Label=PayloadUrl cs4= cs4Label=PayloadProc

CEF Log Entry (simplified for understanding) Please note that liberties have been taken here to improve readability of the log entry. HEADER: Syslog Prefix

: 04-08-2016 08:11:01 User.Alert 127.0.0.1 1 2016-04-08T08:11:01.10-07:00 PC-WIN123 Malwarebytes-Endpoint-Security 824 - - CEF:0| Device Vendor : Malwarebytes| Device Product : MBMC| Device Version : 1.7.0.3208 MBAM:1.80.2.1012 DB:913030101 MBAE:1.08.2.1189| Device Event Class ID : DETECTION| Name : Exploit ROP attack blocked Severity : 5 EXTENSION: deviceExternalId dvchost deviceDnsDomain deviceMacAddress dvc rt cn1 cn1Label cs6 cs6Label cat

= = = = = = = = = = =

d6961b91-6098-48c4-a64e-ff75c9e5550e PC-WIN123 WORKGROUP 00-0C-29-7C-15-AB 192.168.10.50 Apr 08 2016 08:10:57 -07:00 1 ObjectTypeScanned ObjectScanned DETECTION

Management Console Administrator Guide

64

cn2 cn2Label act outcome suser cs5 cs5Label msg

fname filePath sourceServiceName cs1 cs1Label cs2 cs2Label cs3 cs3Label cs4 cs4Label

= = = = = = = =

1 Action BLOCK success jdoe data Data Attacked application: C:\\Users\\jdoe\\Desktop\\iexplore.exe; Parent process name: explorer.exe; Layer: Protection Against OS Security Bypass; API ID: 453; Address: 0x76F5FE07; Module: ; AddressType: ; StackTop: 0x002F0000; StackBottom: 0x002ED000; StackPointer: ; Extra: = Internet Explorer = C:\\Users\\jdoe\\Desktop\\iexplore.exe = MBAE = = Payload = = PayloadChecksum = = PayloadUrl = = PayloadProc

JSON Raw Log Entry 04-08-2016 08:10:41 User.Alert 127.0.0.1 1 2016-04-08T08:10:41.16-07:00 PC-WIN123 MalwarebytesEndpoint-Security 824 - - {"security_log":{"client_id":"d6961b91-6098-48c4-a64e-ff75c9e5550e", "host_name":"PC-WIN123","domain":"WORKGROUP","mac_address":"00-0C-29-7C-15-AB","ip_address": "192.168.10.50","time":"2016-04-08T08:10:34-07:00","threat_level":"Moderate","object_type": "FileSystem","object":"C:\\Users\\jdoe\\Desktop\\test-trojan.exe","threat_name": "MBAM.Test.Trojan","action":"Quarantine","operation":"QUARANTINE","resolved":true,"logon_user":"j doe","data":"data","description":"No description","source":"MBAM","payload":null,"payload_url": null,"payload_process":null,"application_path":null,"application":null}}

JSON Log Entry (simplified for understanding) Please note that liberties have been taken here to improve readability of the log entry. JSON Log Header Log Data Header "client_id" "host_name" "domain" "mac_address" "ip_address" "time" "threat_level" "object_type" "object" "threat_name" "action" "operation" "resolved" "logon_user" "data" "description" "source" "payload" "payload_url" "payload_process" "application_path" "application" Log Data Footer

: 04-08-2016 08:10:41 User.Alert 127.0.0.1 1 2016-04-08T08:10:41.16-07:00 PC-WIN123 Malwarebytes-Endpoint-Security 824 - -  : {"security_log":{ : :"d6961b91-6098-48c4-a64e-ff75c9e5550e", : :"PC-WIN123", : :"WORKGROUP", : :"00-0C-29-7C-15-AB", : :"192.168.10.50", : :"2016-04-08T08:10:34-07:00", : :"Moderate", : :"FileSystem", : :"C:\\Users\\jdoe\\Desktop\\test-trojan.exe", : :"MBAM.Test.Trojan", : :"Quarantine", : :"QUARANTINE", : :true, : :"jdoe", : :"data", : :"No description", : :"MBAM", : :null, : :null, : :null, : :null, : :null : }}

Management Console Administrator Guide

65

The following information will assist you in understanding construction of a log entry. • threat_level values are 0 (minor), 1 (moderate) and (2) critical. • object_type values are (0) memory, (1) registry, (2) filesystem and (3) extraobject. • action values are (0) allow, (1) deny and (2) quarantine. • resolved values are (1) true and (0) false. • Log components “data” through “application” are reserved for Malwarebytes Anti-Exploit managed client events. They are left null for security events generated by the Malwarebytes Anti-Malware managed client. For further information on Syslog in the corporate environment, please refer to internet standard RFC5424, at the following URL: http://tools.ietf.org/html/rfc5424

Other Settings Tab This tab provides capability to modify system settings related to Active Directory configuration and proxy settings. Please refer to the screenshot, followed by descriptions of the settings on this tab.

Proxy Settings If your site security settings are restrictive, direct client connectivity to the Internet may require specification of either a proxy server or modified firewall settings. You can Change Proxy Settings to specify a proxy server and port number. If the proxy server requires authentication, a username and password may also be specified as part of this choice.

Domain Settings This option allows the account used to query Active Directory to be changed or removed. If the account is removed, the ability to maintain synchronization between Malwarebytes Management Console and Active Directory is eliminated.

Active Directory Synchronization Setting Malwarebytes Management Console attempts to synchronize with Active Directory on regular intervals, to assure that all endpoints controlled by Active Directory are visible to Malwarebytes Management Console. The default interval is ten minutes. This option allows adjustment of that interval. There is also a Sync Now button, so that outstanding changes may be immediately reflected in Malwarebytes Management Console rather than waiting for the next scheduled synchronization.

Management Console Administrator Guide

66

Console Session Settings After a period of console inactivity, the user will automatically be logged out. This setting allows the timeout to be adjusted in one-minute increments from 15-480 minutes.

Management Console Administrator Guide

67

Windows Start Menu Options A number of additional program options are available from the Windows Start Menu. By launching the menu and clicking All Programs, the Malwarebytes options are available as shown below.

None are considered essential for daily operation of Malwarebytes Management Console, though all will prove valuable for configuration, support, and troubleshooting. A description of each option is presented here.

Collect System Information When troubleshooting a problem with Malwarebytes Management Console, you may be directed by Malwarebytes Technical Support to gather logs and send them in for analysis. That is done through this link. When clicked, a small program creates a folder on the desktop of the server which is the home of Malwarebytes Management Console. Inside that folder is an archive (ZIP) file which you should send to Malwarebytes Customer Success. The archive contains: • • • • •

ServerSystemInfo.txt – Basic configuration information regarding your Malwarebytes Management Console installation. Console.txt – Most current log information pertaining to communications between server and user interface (console). Console.yyyymmddnnnnnn.txt – Older console logs, with the date contained in the file name. nnnnnn is a sequence number; higher values of n represent earlier same-day data. A maximum of ten 5120 KB are retained. management-service.txt – Most current log information pertaining to communications between server and endpoints. management-service.yyyy-mm-dd.nnnnnn.txt – Older server logs, with the date contained in the file name, followed by a 6-digit sequence number. Higher values of n represent earlier same-day data. A maximum of ten 5120 KB are retained.

Data Backup and Restoration This option allows a security backup of vital Malwarebytes Management Console data, as well as program and configuration files used to create endpoint installation packages. Once data has been backed up, it is available to restore system databases should the need arise. When executing this option, you must select a valid folder for either backup or restore operations. The folder must already exist. There is no provision to add a new folder at time of execution. Please note that this option may not be used if you are using a full Microsoft SQL Server database product. This is only available for Malwarebytes Management Console users who have chosen to store system data in a SQL Express database.

Management Console Administrator Guide

68

Malwarebytes Management Console Link Many users expressed interest in accessing the program from a remote location. A server is often located in a server room, while the administrator may prefer to manage the system from their desk. For this reason, we provide the capability to download a secondary (auxiliary) console which can be used from any location that has access to the Malwarebytes Management Console server. The screenshot below shows the screen that is displayed in your default browser once the option is selected.

The installer will be downloaded to your standard download location. The filename is mbmc-console-setup.exe.

Malwarebytes Management Console This is an alternate link to access Malwarebytes Management Console. It behaves in the same manner as the desktop icon to access the program.

Server Configuration This option is a wizard to assist you if configuration changes are required. This option launches the dialog box shown here:

You may enter information into any of the text boxes shown, but it is truly designed to provide that information for you. Clicking any of the first three links (Get local machine IP/name/FQDN), will load corresponding settings into the Server Address text box. Clicking either port number link will populate the corresponding text box with an unused port number, based on ports currently in use. Please note that this wizard cannot evaluate your system for applications which assign ports on demand. In almost all cases, this wizard will provide an acceptable port number, though there is a very slight chance that a conflict may exist.

Management Console Administrator Guide

69

SSL Certificate Configuration Malwarebytes Management Console installs with a valid certificate, though many corporate customers wish to utilize their own certificates. A certificate verifies authenticity of devices, and is a necessity when using SSL communications. The following information may provide some assistance if certificate-oriented steps are required.

Verifying Presence of a Certificate Launching the SSL Certificate Configuration option displays the certificate panel as shown below.

The Details section of this panel indicates that a certificate is present on this server. It is the generic certificate installed as part of a Malwarebytes Management Console installation.

Exporting an Existing Certificate You may find an occasion where your self-signed certificate is not recognized by Malwarebytes Management Console. In this situation, you must export the certificate so that it can then be installed. Do so by performing the following steps: •

Launch Microsoft Management Console (mmc.exe).



If Certificates is not an option within mmc, choose File ► Add/Remove Snap-Ins ► Certificates ► Add, and specify that certificates will be managed for the Computer account. Press Finish, select Local Computer on the next screen, and Finish again. Finally, press OK. The Certificates manager is now loaded into MMC.



Expand Certificates (Local Computer), then expand Personal. Available certificates will be displayed in the center panel.



Select All Tasks ► Export to launch the Certificate Export Wizard.



Click Next to access the Export Private Key screen.



Select the radio button next to Yes, export the private key.



Click Next to access the Export File Format screen.



Personal Information Exchange (PFX) is selected as the default file format. Click Next to progress to the Password screen.



Enter the password twice and click Next to progress to the File to Export screen.



Enter a filename for the certificate. You may also choose a folder where the certificate is to be stored. Click Next.



You will be presented with the certificate specifications. Click Done to complete the process.

When complete, your new certificate may be used for Malwarebytes Management Console.

Management Console Administrator Guide

70

Installing a Certificate It is a simple process to import a certificate (self-signed or commercial), as long as the certificate is in the form of a PFX (Personal Information Exchange) file. Steps are as follows: •

Launch SSL Certificate Configuration from the Malwarebytes Management Server entry on the Windows Start Menu. The SSL Certificate Configuration screen (as shown earlier in this section) will be displayed.



Click the Browse button to navigate to the directory where the new certificate is stored.



Select the certificate and click Open.



The certificate filename will be displayed at the top of the window. Click Import to import the new certificate.

Management Console Administrator Guide

71

Glossary It is expected that technical documentation will contain technical terms. It is not uncommon that documentation from different sources will attach different meanings to the same word, causing confusion on the reader’s part. We have developed this brief glossary so that the definition of terms used in this guide are clear to the reader.

client A software package which may be installed on an endpoint under direct or indirect control of a centralized software application, and managed by that same centralized application. As it pertains to this guide, Malwarebytes Management Console serves as the centralized software application. Anti-Malware and Anti-Exploit are managed clients under control of Malwarebytes Management Console.

device Initially, this is defined as a networked entity which responds to a network scan by Malwarebytes Management Console. Once a scan has been performed and the entity can be categorized, it is an entity which will be ignored because (a) it is not a computer, (b) It does not run on a Microsoft Windows operating system, or (c) It does not run on a supported version of Windows.

endpoint A computer running on a supported version of the Microsoft Windows operating system which is an installable destination of a Malwarebytes managed client. For an Anti-Exploit managed client, this term applies to all computers running a supported version of Windows. For an Anti-Malware managed client, this specifically excludes server-class computers.

exploit Use of a program or method to take advantage of a vulnerability in a legitimate software program. An exploit is typically designed to allow the attacker to gain access to resources, data or control of the computer on which the vulnerability was found. While many may not see a difference between an exploit and a threat, an exploit is focused on illicit manipulation of a vulnerability. Within the context of Malwarebytes Management Console, this term is associated with the Anti-Exploit managed client.

heuristics A method of inspecting data which is used in conjunction with, or in lieu of signatures. Many malware samples are represented by known signatures which identify them as threats, and also categorize them as specific types of threats. The same cannot be said for zero-day threats. These are too new for signatures to have been generated, added to signature databases, and subsequently distributed to users of the anti-malware program. Heuristics inspect data for embedded commands, specific characteristics and references to areas of potential vulnerability. In addition, data which has the ability to transform cannot be readily identified by signatures, though their characteristics will allow them to be more easily detected through heuristics.

malware Software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems. It can appear in the form of code, scripts, active content, and other software. 'Malware' is a general term used to refer to a variety of forms of hostile or intrusive software. Source: Wikipedia (http://en.wikipedia.org/wiki/Malware)

policy A set of rules which defines behavior for one or more managed clients. These rules define characteristics of real-time protection, anti-malware scans, anti-exploit shields, communications, signature updates, scheduling, and treatment of detected threats/exploits. Multiple policies may be used at the same time, though only one policy may apply to any single client.

Management Console Administrator Guide

72

signature After a malware threat has been analyzed, characteristics of the threat can be condensed into data which can represent the threat itself. Signatures can only be created once a threat has been analyzed, and are of no value in prevention of zero-day attacks. Also, a signature cannot reliably be used in to detect a polymorphic virus, as the signature of this type of virus changes to allow it to avoid detection.

SQL Server Express This is a version of Microsoft SQL Server which provides a majority of the functions of SQL Server, but is limited in terms of maximum usable resources and maximum storage capability. SQL Server Express can only use a single physical CPU on the server, is limited to a maximum of one (1) gigabyte of memory, and can store a maximum of ten (10) gigabytes of data per database. Malwarebytes Management Console is shipped with SQL Server Express, and you may choose whether to use this software, or existing SQL Server software. Malwarebytes Management Console can utilize only one database, so installations using SQL Server Express are bound by this limitation.

threat Use of a program to gain access to resources, data or control of a computer which the program should not have access to. A threat may be delivered by an exploit, or it may be delivered by a web site or email. It is typically in the form of a file or registry modification, though it may also exist as a memory-resident code snippet. A threat may target a specific vulnerability, but in most cases takes advantages of user behavior to gain access to the target computer. Within the context of Malwarebytes Management Console, this term is associated with the Anti-Malware managed client.

vulnerability A weakness or flaw in a software program which allows programs or methods to take advantage of that weakness or flaw, thus allowing access to system resources or data which were not intended by the developer of the program.

Management Console Administrator Guide

73

Loading...

Management Console Administrator Guide - Malwarebytes

Management Console Administrator Guide Version 1.8 21 March 2017 Notices Malwarebytes products and related documentation are provided under a licens...

3MB Sizes 2 Downloads 21 Views

Recommend Documents

Administrators Guide: Dell® Management Console
their device and register into the management system). CAUTION: It is highly recommended that this password be changed a

Administrator Guide
Oct 28, 2013 - Disclaimer. Sagemcom reserves the right to make changes and alterations to its software and documentation

Malwarebytes | POLÍTICA DE PRIVACIDAD DE MALWAREBYTES
Aug 1, 2017 - Puede que ofrezcamos información de identificación personal a dichos proveedores solo para realizar serv

Endpoint Security Quick Start Guide - Malwarebytes
Mar 21, 2017 - The information contained in this document is subject to change without notice and is not warranted to be

Metasploit Pro Console User Guide
Apr 10, 2013 - Support for Metasploit Pro and Metasploit Express........................................................

Orion NPM Administrator Guide
Exporting Reports as Excel and PDF from the Orion Web Console. 603. Exporting Reports from the Orion Report ...... Note:

3320DNI System Administrator Guide
Xerox Phaser 3320DN/3320DNI. System Administrator Guide. 16. 2. Press the arrow buttons to highlight Network Setup and p

SpamTitan Administrator Guide
The graphical user interface (GUI) enables you to manage and monitor the system using a web-based interface. Each page i

Administrator Quick Start Guide - Cengage
Cengage Learning's MindLinks provide seamless, powerful integration with Blackboard Partner Cloud and your institution's

Web Time Administrator Guide - Paylocity
display of information. In order to maintain confidentiality, employees must contact their Company Administrator ......