Malwarebytes Antimalware Enterprise (MBAM)

Introduction

Malwarebytes Antimalware Enterprise (MBAM or MBAMEE) is a malware and antivirus scanner. Our licensed installation is on all campus Windows 7 and Windows 10 machines as a post-configuration step of the imaging process. It is set to update automatically, scan weekly, and to be hidden from the “All Programs” portion of the Start Menu. It can be managed from the user’s computer, or from the Malwarebytes Managed Console (MMC).

Installing Malwarebytes

  1. Navigate to \\wnap22\MBAMEE and authenticate using your Puget Sound credentials.
  2. Open the newest “Client Package” folder.
  3. Right click on “ClientSetup.exe” and run as administrator.
  4. Advance through the installation wizard, using all of the default settings.

How To’s

How to check that it is running and has run a scan recently.

How to review and clear out quarantined items.

If you launch mbam.exe, there’s a “Quarantine” tab.

How to run a scan.

  1. Click on the start menu
  2. Type “mbam.exe” in the search bar
  3. Select “Perform full scan”
  4. Use the default settings and hit “Scan”
  5. Wait…for a few hours…
  6. If items are detected, save a .txt file of the log (to add to the ticket) and clear out the detected items

How to use the Malwarebytes Management Console (for FTE)

Once in the console

  1. Right click on the computer
  2. Update client(s) database now
  3. Run full scan now

Antivirus

Introduction

We use three main antivirus programs on our campus: Malwarebytes Antimalware Enterprise (MBAM), System Center Endpoint Protection (SCEP) or Windows Defender, and Sophos Antivirus (SAV). The first two are installed on all Windows computers, and the third on Mac computers.

Malware Definitions

Malware

A general term combining the words “malicious” and “software” to refer to any kind of program designed to cause damage to a computer. Below are a few of the more commonly named types.

Adware

A program designed to display ads in various forms on a computer. It can present itself as a popup when hovering over text in a web browser, randomly pop up a window on the computer screen while working in another program, display in the system tray, change the default search engine in a web browser, or display as a toolbar. Adware can automatically download while browsing any website.

Ransomware

A program that prevents or limits users from accessing their system. It forces the user to pay a ransom in order to regain access to their system, or to get their data back. Some ransomware (commonly referred to as Cryptolocker) encrypts files, sometimes even files on network shares that the user has mapped.

Scareware

Programs designed to trick a user into buying and downloading unnecessary and potentially dangerous software, such as fake antivirus protection.

Spyware

A program designed to collect information about users and their computer or browsing habits, including keystrokes (like usernames, passwords, credit card information, etc.), and send it to a remote user. It can also download other malicious programs and install them on the computer. Spyware works like adware but is usually a separate program that is installed unknowingly when installing another freeware-type program or application.

Tracking cookies

A cookie is a plain text file that is stored on your computer containing data about your browsing session. Cookies are used by many websites to track visitor information or maintain a logged-in session. A tracking cookie is a cookie which gathers all browsing information (like bank account details, credit card information, user accounts, etc.), which is often used or sold by a remote user.

Trojan

A program that looks like a genuine application. It does not replicate itself. It can open a backdoor entry to a computer which gives malicious users or programs access to the system and any confidential or personal information.

Virus

A program written to damage or alter files or data. The program can replicate itself. Viruses can enter a computer as an email attachment (images, greeting cards, or audio/video files); through internet downloads; or hidden in free or trial software.

Worm

A malicious program that makes copies of itself again and again on the local drive, network shares, etc. It does not need to attach itself to an existing program. Worms spread by exploiting vulnerabilities in operating systems.

Initial Troubleshooting

  1. Have the person leave the suspicious message or window open. Take a screenshot.
  2. Determine whether it is a browser popup or an actual infection.
    • Sometimes a legitimate website is hacked, and their web server is used to house malicious popups.
    • Is there a URL? Does it look like the warning message was open in a web browser (but missing an address bar)?
    • If the user has already closed the popup and you suspect it was a popup, you can review the recent browser history.
  3. Is the browser “hijacked”?
    • Change the homepage back to “www.pugetsound.edu”.
    • Change the default search engine back to Google.
    • Uninstall/reinstall the browser. When uninstalling, select the option, if available, to delete all profile settings. (Be sure to export bookmarks, too!)
    • Delete the browser profile (see TICK:44136 for how to do this in Chrome).
  4. Check to make sure that the antivirus software is running and has run a scan recently.
  5. Review quarantined items to determine how long the computer has been infected, then clear out the quarantined items.
  6. Review installed programs.
    • If there are several suspicious programs that were installed on the same date, this is likely when the infection occurred.
    • Uninstall all of the suspicious software.
  7. Run a scan and remove the detected items.
  8. If you can determine an infection date, do a System Restore to a date previous to it.
    • Be sure to run antivirus scans again after restoring to a previous restore point.
  9. Check all installed browsers to see if the default search engine and/or home page have been altered.
  10. Check Startup to see if any suspicious software is listed there.
    • Sometimes a program is not installed, but instead set to launch at system startup. These are not always caught by antivirus scans. Often the “Command” column will indicate the location of that executable file and other related files that should be permanently deleted. Reviewing the value of the registry item listed can also point to the file’s location or any additional files that should be removed.
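The following PowerShell script is an added example (not part of the original page) that supports steps 6 and 10 above: it groups installed programs by install date so a cluster of installs on one day stands out, and it lists every Run-key and Startup-folder entry together with the executable the “Command” actually points to and whether that file is signed. It assumes PowerShell 3 or later run from an elevated prompt on the affected machine, and uses only the standard Windows registry and Startup folder locations; it reports and does not delete anything.

```powershell
# Added example, not from the original page: supports steps 6 and 10 above by
# listing installed programs grouped by install date and enumerating Run-key and
# Startup-folder entries with each executable's resolved path and signature status.

function Get-InstalledProgramsByDate {
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Group-Object InstallDate |        # InstallDate is yyyyMMdd; many programs on one day is the likely infection date
        Sort-Object Count -Descending
}

function Get-StartupEntries {
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'   # provider noise, not registry values
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties | Where-Object { $_.Name -notin $meta }) {
            $cmd = [string]$p.Value   # this is the "Command" column shown in Startup
            # Pull the executable out of the command line: the quoted path, or else the first token
            $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            $sig = if (Test-Path $exe) { (Get-AuthenticodeSignature $exe).Status } else { 'FileMissing' }
            [PSCustomObject]@{ Source = $key; Name = $p.Name; Command = $cmd; Executable = $exe; Signature = $sig }
        }
    }
    # Startup folders: resolve .lnk shortcuts to their real target before checking the signature
    $shell = New-Object -ComObject WScript.Shell
    $folders = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
               "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
    foreach ($item in Get-ChildItem -Path $folders -File -ErrorAction SilentlyContinue) {
        $exe = if ($item.Extension -eq '.lnk') { $shell.CreateShortcut($item.FullName).TargetPath } else { $item.FullName }
        $sig = if ($exe -and (Test-Path $exe)) { (Get-AuthenticodeSignature $exe).Status } else { 'FileMissing' }
        [PSCustomObject]@{ Source = $item.DirectoryName; Name = $item.Name; Command = $item.FullName; Executable = $exe; Signature = $sig }
    }
}

Get-InstalledProgramsByDate | ForEach-Object { '{0,-10} {1,3} program(s): {2}' -f $_.Name, $_.Count, ($_.Group.DisplayName -join ', ') }
Get-StartupEntries | Format-Table Source, Name, Executable, Signature -AutoSize
```

Entries whose Signature is NotSigned or FileMissing, or whose Executable sits under a user profile or temp folder, are the ones to review against the install-date clusters before deciding what to remove.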

On Site Troubleshooting