Malwarebytes Antimalware Enterprise (MBAM)

Introduction

Malwarebytes Antimalware Enterprise (MBAM or MBAMEE) is a malware and antivirus scanner. Our licensed installation is on all campus Windows 7 and Windows 10 machines as a post-configuration step of the imaging process. It is set to update automatically, scan weekly, and to be hidden from the “All Programs” portion of the Start Menu. It can be managed from the user’s computer, or from the Malwarebytes Managed Console (MMC).

Installing Malwarebytes

  1. Navigate to \\wnap22\MBAMEE and authenticate using your Puget Sound credentials.
  2. Open the newest “Client Package” folder.
  3. Right click on “ClientSetup.exe” and run as administrator.
  4. Advance through the installation wizard, using all of the default settings.

How To’s

How to check that it is running and has run a scan recently.

How to review and clear out quarantined items.

If you launch mbam.exe, there’s a “Quarantine” tab.

How to run a scan.

  1. Click on the start menu
  2. Type “mbam.exe” in the search bar
  3. Select “Perform full scan”
  4. Use the default settings and hit “Scan”
  5. Wait for the scan to finish; a full scan can take a few hours.
  6. If items are detected, save the log as a .txt file (to attach to the ticket) and clear out the detected items.

How to use the Malwarebytes Management Console (for FTE)

Once in the console:

  1. Right click on the computer
  2. Update client(s) database now
  3. Run full scan now

Antivirus

Introduction

We use three main antivirus programs on our campus: Malwarebytes Antimalware Enterprise (MBAM), System Center Endpoint Protection (SCEP) or Windows Defender, and Sophos Antivirus (SAV). The first two are installed on all Windows computers, and the third on Mac computers.

Malware Definitions

Malware

A general term combining the words “malicious” and “software” to refer to any kind of program designed to cause damage to a computer. Below are a few of the more commonly named types.

Adware

A program designed to display ads in various forms on a computer. It can present itself as a popup when hovering over text in a web browser, randomly pop up a window on the computer screen while working in another program, display in the system tray, change the default search engine in a web browser, or display as a toolbar. Adware can automatically download while browsing any website.

Ransomware

A program that prevents or limits users from accessing their system. It forces the user to pay a ransom in order to regain access to the system or to get their data back. Some ransomware (such as Cryptolocker) encrypts files, sometimes even files on network shares that the user has mapped.

Scareware

Programs designed to trick a user into buying and downloading unnecessary and potentially dangerous software, such as fake antivirus protection.

Spyware

A program designed to collect information about users and their computer or browsing habits, including keystrokes (usernames, passwords, credit card information, etc.), and send it to a remote user. It can also download other malicious programs and install them on the computer. Spyware works like adware but is usually a separate program that is installed unknowingly alongside a freeware program or application.

Tracking cookies

A cookie is a plain text file stored on your computer containing data about your browsing session. Cookies are used by many websites to track visitor information or maintain a logged-in session. A tracking cookie is a cookie that gathers all browsing information (such as bank account details, credit card information, and user accounts), which is often used or sold by a remote user.

Trojan

A program that looks like a genuine application. It does not replicate itself. It can open a backdoor entry to a computer which gives malicious users or programs access to the system and any confidential or personal information.

Virus

A program written to damage or alter files or data. The program can replicate itself. Viruses can enter a computer as an email attachment (images, greeting cards, or audio/video files); through internet downloads; or hidden in free or trial software.

Worm

A malicious program that makes copies of itself again and again on the local drive, network shares, etc. It does not need to attach itself to an existing program. Worms spread by exploiting vulnerabilities in operating systems.

Initial Troubleshooting

  1. Have the person leave the suspicious message or window open. Take a screenshot.
  2. Determine whether it is a browser popup or an actual infection.
    • Sometimes a legitimate website is hacked, and its web server is used to host malicious popups.
    • Is there a URL? Does it look like the warning message was open in a web browser (but missing an address bar)?
    • If the user has already closed the popup and you suspect it was a popup, you can review the recent browser history.
  3. Is the browser “hijacked”?
    • Change the homepage back to “www.pugetsound.edu”.
    • Change the default search engine back to Google.
    • Uninstall/reinstall the browser. When uninstalling, select the option, if available, to delete all profile settings. (Be sure to export bookmarks, too!)
    • Delete the browser profile (see TICK:44136 for how to do this in Chrome).
  4. Check to make sure that the antivirus software is running and has run a scan recently.
  5. Review quarantined items to determine how long the computer has been infected, then clear out the quarantined items.
  6. Review installed programs.
    • If there are several suspicious programs that were installed on the same date, this is likely when the infection occurred.
    • Uninstall all of the suspicious software.
  7. Run a scan and remove the detected items.
  8. If you can determine an infection date, do a System Restore to a date previous to it.
    • Be sure to run antivirus scans again after restoring to a previous restore point.
  9. Check all installed browsers to see if the default search engine and/or home page have been altered.
  10. Check Startup to see if any suspicious software is listed there.
    • Sometimes a program is not installed, but instead set to launch at system startup. Such entries are not always caught by antivirus scans. Often the “Command” column will indicate the location of the executable file and other related files that should be permanently deleted. Reviewing the value of the registry item listed can also point to the file’s location or to additional files that should be removed.
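
The startup review in step 10, as an added PowerShell example that is not part of the original page: it lists the Run/RunOnce registry entries and Startup-folder items that the Startup tab is built from, shows the command for each, and flags commands launched from user-writable folders such as AppData or Temp (that flag is a review heuristic assumed here, not a rule the page states), then saves the list for the ticket. The CSV path on the Desktop is an assumption.

```powershell
# Added example, not from the original page: enumerate the locations Windows
# launches programs from at logon (the Run/RunOnce keys and Startup folders that
# the Startup tab reads), show each entry's command, and flag commands that run
# from user-writable folders. The flag is a review heuristic, not a verdict.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Folders where a legitimately installed product rarely keeps its startup
# executable; an entry launched from one of these deserves a closer look.
$userWritableRoots = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:PUBLIC)
function Test-UserWritableCommand([string]$Command) {
    foreach ($root in $userWritableRoots) {
        if ($root -and $Command -like "*$root*") { return $true }
    }
    return $false
}

# Registry entries: each value name is the startup item, its data the command.
$entries = @(foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata
        [pscustomobject]@{
            Location = $key
            Name     = $p.Name
            Command  = [string]$p.Value
            Review   = Test-UserWritableCommand ([string]$p.Value)
        }
    }
})

# Startup folders: shortcuts and executables here also run at logon.
foreach ($folder in @([Environment]::GetFolderPath('Startup'),
                      [Environment]::GetFolderPath('CommonStartup'))) {
    $entries += @(Get-ChildItem -Path $folder -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{ Location = $folder; Name = $_.Name
                               Command = $_.FullName; Review = $false }
        })
}

# Entries flagged for review first; the CSV goes on the Desktop for the ticket.
$entries | Sort-Object -Property Review -Descending | Format-Table -AutoSize
$entries | Export-Csv -Path "$env:USERPROFILE\Desktop\startup-review.csv" -NoTypeInformation
```

Run it in an elevated PowerShell window so the HKLM keys and the common Startup folder are readable; a flagged entry still needs the manual review described in step 10 before anything is deleted.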

On Site Troubleshooting

Malicious Phishing Attempt – University of Puget Sound Important Alert

Some campus members have received malicious e-mail messages asking for username, password, and other pieces of personal information. This is a scam message and should be deleted immediately. Technology Services will NEVER ask you for your password, or ask you to “revalidate” or “update” your profile by e-mail.

Remember to be cautious of e-mail links and attachments from unknown sources. If you have questions about an unexpected e-mail message, please contact the Service Desk immediately at 253.879.8585 or servicedesk@pugetsound.edu.

–Sample Message–

From: University of Puget Sound
Subject: University of Puget Sound Important Alert

We have upgraded our email servers to enhance our security. All users are required to enroll their
email accounts with our new upgraded server. Follow the link below

L​o​g​i​n (link removed)

If you do not enroll your email, you might be unable to send and receive emails.

IT Department

Malicious Phishing Attempt – Scheduled Maintenance

Some campus members have received malicious e-mail messages asking for username, password, and other pieces of personal information. This is a scam message and should be deleted immediately. Technology Services will NEVER ask you for your password, or ask you to “revalidate” or “update” your profile by e-mail.

Remember to be cautious of e-mail links and attachments from unknown sources. If you have questions about an unexpected e-mail message, please contact the Service Desk immediately at 253.879.8585 or servicedesk@pugetsound.edu.

–Sample Message–

From: , Jose <Jose.Alvarado2@jacobs.com>
Date: Monday, September 8, 2014 4:11 PM
Subject: Scheduled Maintenance

Help-desk will undergo unscheduled system Maintenance today in order to improve your account. The new Microsoft Outlook Web access 2014 which will be installed on your email account. Your present account will be deactivated to create space for the new web access 2014. Please “CLICK HERE: (link removed) ” to Update Your Mailbox. Your account will be inactive if this survey is not completed.

Thank you.
IT Service Center(@)2014.
=====================================

________________________________
NOTICE – This communication may contain confidential and privileged information that is for the sole use of the intended recipient. Any viewing, copying or distribution of, or reliance on this message by unintended recipients is strictly prohibited. If you have received this message in error, please notify us immediately by replying to the message and deleting it from your computer.

Malicious Phishing Attempt – New Message From University of Puget Sound

Some campus members have received malicious e-mail messages asking for username, password, and other pieces of personal information. This is a scam message and should be deleted immediately. Technology Services will NEVER ask you for your password, or ask you to “revalidate” or “update” your profile by e-mail.

Remember to be cautious of e-mail links and attachments from unknown sources. If you have questions about an unexpected e-mail message, please contact the Service Desk immediately at 253.879.8585 or servicedesk@pugetsound.edu.

–Sample Message–

Dear User,

You have 1 new Security Message Alert!

Log In into your account to update your profile.

Click here to Log In (Link Removed)

©2014 University of Puget Sound •

Malicious Phishing Attempt – ITS-Department Authenticated Notification

Some campus members have received malicious e-mail messages asking for username, password, and other pieces of personal information. This is a scam message and should be deleted immediately. Technology Services will NEVER ask you for your password, or ask you to “revalidate” or “update” your profile by e-mail.

Remember to be cautious of e-mail links and attachments from unknown sources. If you have questions about an unexpected e-mail message, please contact the Service Desk immediately at 253.879.8585 or servicedesk@pugetsound.edu.

–Sample Message–

Dear user,
The following evaluations have been assigned to you. Please login to complete these evaluations.
CLICK HERE (Link Removed) TO EVALUATE USING
SECURE ENCRYPTION

NOTE: Your login will time out after 60 minutes. Your responses will be lost if you do not click on the “secure” button before 60 minutes lapses.
There is no prompt when your 60 minute session has expired. Please save extensive comments periodically and check your time.

Malicious Phishing Attempt – Webmail Alert

Some campus members have received malicious e-mail messages asking for username, password, and other pieces of personal information. This is a scam message and should be deleted immediately. Technology Services will NEVER ask you for your password, or ask you to “revalidate” or “update” your profile by e-mail.

Remember to be cautious of e-mail links and attachments from unknown sources. If you have questions about an unexpected e-mail message, please contact the Service Desk immediately at 253.879.8585 or servicedesk@pugetsound.edu.

–Sample Message–

Dear User,
We regret to inform you that you have exceeded your webmail monthly quota.

Kindly increase your quota by verifying your login details.

Click on the website to verify (link removed)

Thank you.

University of Puget Sound

‘Zero-day Flash Bug’ Affecting Browsers

Technology Services is monitoring the worldwide situation regarding Adobe Flash concerns in Internet Explorer and other browsers that use Adobe Flash. As soon as patches are made available for this issue, we will work to install them as quickly as possible. In the meantime, the best course of action is to avoid visiting websites that are unfamiliar to you.

Malicious Phishing Attempt – General web-mail maintenance

Some campus members have received malicious e-mail messages asking for username, password, and other pieces of personal information. This is a scam message and should be deleted immediately. Technology Services will NEVER ask you for your password, or ask you to “revalidate” or “update” your profile by e-mail.

Remember to be cautious of e-mail links and attachments from unknown sources. If you have questions about an unexpected e-mail message, please contact the Service Desk immediately at 253.879.8585 or servicedesk@pugetsound.edu.

–Sample Message–
General web-mail maintenance
Dear Account Owner,
We want to upgrade all Microsoft Exchange email account scheduled for today as part of our duty to strengthen security of your mailbox. CLICK HERE(link removed) to upgrade your account to Outlook Web Apps 2014. If your settings is not updated today, your account will be inactive and cannot send or receive message any longer.
Sincerely,
-IT Department
Microsoft Corporation. All rights reserved

Most Puget Sound Systems Not Impacted by ‘Heartbleed’

Most Puget Sound technology systems including, but not limited to, Cascade, PeopleSoft, Moodle, Mahara, Webmail, and the university’s blog server were not affected by Heartbleed, the serious vulnerability in OpenSSL that has been in the news over recent days.

Technology Services has applied updates to wireless controllers and the university’s web server to address the few areas possibly affected by Heartbleed. We are only recommending a change of Puget Sound password for those users of the university’s content management system (CMS) who have logged into the web server from an Internet connection outside the university’s network. All other users do not need to change their passwords unless they feel inclined to do so as an added precaution.

For questions or assistance, please contact the Technology Service Desk at 253.879.8585 or servicedesk@pugetsound.edu.