NOTICE - On October 18, 2022, this product was renamed to Malwarebytes Remediation Connector Solution.
TIP - This is an example of Malwarebytes Remediation Connector Solution configured with CrowdStrike Falcon®.
CrowdStrike and CrowdStrike Falcon are registered trademarks of CrowdStrike, Inc.
Malwarebytes Remediation Connector Solution is not associated with, or endorsed by, CrowdStrike Holdings, Inc. or its affiliates.
If you encounter issues with Malwarebytes Remediation Connector Solution, you may need to collect diagnostic logs for investigation or to submit them to our Support team for troubleshooting. This article explains how to manually collect logs, provides information on progress logs, and troubleshooting steps.
Included are the following sections:
- Collect logs from the CrowdStrike Solution applet
- Collect logs from the scanned host machines
- Enable trace logging
- Example log entry
- Troubleshoot status messages
- Troubleshoot endpoint
Collect logs from the CrowdStrike Solution applet
Malwarebytes Remediation Connector Solution logs are located in:
- Application logs: %LOCALAPPDATA%\Local\Malwarebytes\MRfCS\
- Current logs: .\mrfcs.log
- Previous logs: .\mrfcx_nnn.log
- Scan reports: .\ScanReports\yy-mm-dd_hh-mm-_guid1_computername_guid2.json
Collect logs from the host machines
To collect logs from a host machine with the Falcon Sensor:
- Open the CrowdStrike Falcon app.
- Navigate to Settings, then select General.
- Uncheck Auto remove MBBR files in the menu.
- Run a scan in the CrowdStrike console.
- The log directory for Malwarebytes on each host is:
- C:\mbbr\
- Retrieve the following Malwarebytes logs:
- ScanResults\ScanResults.json
- Logs\ScanProgress.json
- Logs\MBBR-ERROUT.TXT
Enable trace logging
If instructed by Malwarebytes Support, you can configure Malwarebytes Breach Remediation to produce verbose diagnostic logs for troubleshooting. Once enabled, use the CrowdStrike Solution applet to scan host machines and provide the trace logs.
Trace logging is enabled on the target host machine using a Windows system environment variable. A restart is required for the environment variable to take effect. To enable trace logging, use one of the following methods:
Enable trace logging on the target host machine
- On the target host machine, open the Windows System Properties.
- Click the Advanced tab. Then click Environment Variables.
- Click New and add the following system variable to enable:
- Variable: MBBR_TRACE
- Value: 1
- To disable verbose trace logging, edit the variable to the following:
- Variable: MBBR_TRACE
- Value: 0
Enable trace logging using Falcon RTR command-line
To enable trace logging, create and run the following CrowdStrike RTR script and restart the endpoint:
- MalwarebytesMBBRTraceON
# Malwarebytes. Turn MBBR debug trace on
[Environment]::SetEnvironmentVariable("MBBR_TRACE","1","Machine")
$output = "INFO: Restart endpoint for MBBR trace. System environment var MBBR_TRACE=1"
return "$output"
To turn off trace logging, create and run the following CrowdStrike RTR script and restart the endpoint:
- MalwarebytesMBBRTraceOFF
# Malwarebytes. Turn MBBR debug trace off
[Environment]::SetEnvironmentVariable("MBBR_TRACE","0","Machine")
$output = "INFO: Restart endpoint to disable MBBR trace. System environment var MBBR_TRACE=0"
return "$output"
Sample log entry from the solution applet
MRfCS v.1.0.17.142 starting up.
[INF] POST: https://api.crowdstrike.com/oauth2/token
[INF] ClientID 84d6476a3b53461296d3fe7d4213a8f3 logged in on api.crowdstrike.com
[INF] POST: https://api.crowdstrike.com/oauth2/token
[INF] ClientID 84d6476a3b53461296d3fe7d4213a8f3 logged in on api.crowdstrike.com
[INF] Loading 100 most recent hosts by Last Seen.
[INF] GET: https://api.crowdstrike.com/devices/queries/devices/v1?filter=platform_name:'Windows'&sort=last_seen%7Cdesc&offset=0&limit=100
...
Loading 100 most recent hosts by Last Seen.
...
[INF] Initiating a '-scan threat' scan with parameters: ''
[INF] Checking server for existing scripts...
[INF] GET: https://api.crowdstrike.com/real-time-response/queries/scripts/v1
[INF] Checking for outdated scripts...
[INF] GET: https://api.crowdstrike.com/real-time-response/entities/scripts/v1?ids=ee6d247455bf11ec85e8ba31bc821ee4_84d6476a3b53461296d3fe7d4213a8f3
[INF] GET: https://api.crowdstrike.com/real-time-response/entities/scripts/v1?ids=edb2274055bf11ec85e8ba31bc821ee4_84d6476a3b53461296d3fe7d4213a8f3
[INF] Deleting outdated script from server...
[INF] DELETE: https://api.crowdstrike.com/real-time-response/entities/scripts/v1?ids=edb2274055bf11ec85e8ba31bc821ee4_84d6476a3b53461296d3fe7d4213a8f3
[INF] Deleting outdated script completed successfully.
[INF] Uploading remediation script...
[INF] POST: https://api.crowdstrike.com/real-time-response/entities/scripts/v1
[INF] Uploading remediation script completed successfully.
[INF] Initiating a scan for devices: 40dd361542214114a310a5a8de146fc8
[INF] POST: https://api.crowdstrike.com/real-time-response/entities/sessions/v1
[INF] POST: https://api.crowdstrike.com/real-time-response/entities/admin-command/v1
...
[WRN] Scan failed on device 40dd361542214114a310a5a8de146fc8 (RMM-APP-AU). MBBR license registration failed.
...
[INF] Initiating a scan for devices: 40dd361542214114a310a5a8de146fc8
[INF] POST: https://api.crowdstrike.com/real-time-response/entities/sessions/v1
[INF] POST: https://api.crowdstrike.com/real-time-response/entities/admin-command/v1
[INF] Scan successfully completed on device 40dd361542214114a310a5a8de146fc8 (RMM-APP-AU). No threats found!
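When triaging a collected mrfcs.log, the lines worth pulling out are the per-device outcomes ("Scan failed on device ... (hostname). reason" and "Scan successfully completed ...") and the sequence of API calls made to api.crowdstrike.com. The following Python script is an added example, not part of this article or of the Malwarebytes product; it assumes only the line format shown in the sample above, and its input is a constructed excerpt of those sample entries.

```python
import re
from collections import defaultdict

# Constructed sample of mrfcs.log lines modelled on the entries shown above (same device id/hostname).
SAMPLE_LOG = """\
MRfCS v.1.0.17.142 starting up.
[INF] POST: https://api.crowdstrike.com/oauth2/token
[INF] Initiating a '-scan threat' scan with parameters: ''
[INF] Initiating a scan for devices: 40dd361542214114a310a5a8de146fc8
[INF] POST: https://api.crowdstrike.com/real-time-response/entities/sessions/v1
[INF] POST: https://api.crowdstrike.com/real-time-response/entities/admin-command/v1
[WRN] Scan failed on device 40dd361542214114a310a5a8de146fc8 (RMM-APP-AU). MBBR license registration failed.
[INF] Initiating a scan for devices: 40dd361542214114a310a5a8de146fc8
[INF] POST: https://api.crowdstrike.com/real-time-response/entities/sessions/v1
[INF] Scan successfully completed on device 40dd361542214114a310a5a8de146fc8 (RMM-APP-AU). No threats found!
"""

LINE_RE = re.compile(r"^\[(?P<level>INF|WRN|ERR)\] (?P<msg>.*)$")
API_RE = re.compile(r"^(?P<method>GET|POST|DELETE): (?P<url>\S+)$")
FAIL_RE = re.compile(r"^Scan failed on device (?P<aid>[0-9a-f]{32}) \((?P<host>[^)]+)\)\. (?P<reason>.*)$")
OK_RE = re.compile(r"^Scan successfully completed on device (?P<aid>[0-9a-f]{32}) \((?P<host>[^)]+)\)\. (?P<result>.*)$")

def triage(log_text):
    """Return ({aid: outcome}, {(method, path): count}) for one applet log."""
    devices = defaultdict(lambda: {"host": None, "attempts": 0, "failures": [], "final": None})
    api_calls = defaultdict(int)
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # startup banner, '...' elision, or a line without a level tag
        msg = m.group("msg")
        if (a := API_RE.match(msg)):
            # Count by method and path; the query string is dropped so repeated calls group together.
            api_calls[(a.group("method"), a.group("url").split("?", 1)[0])] += 1
        elif msg.startswith("Initiating a scan for devices: "):
            for aid in msg.split(":", 1)[1].split(","):  # one attempt per listed device id
                devices[aid.strip()]["attempts"] += 1
        elif (f := FAIL_RE.match(msg)):
            d = devices[f.group("aid")]
            d["host"], d["final"] = f.group("host"), "failed"
            d["failures"].append(f.group("reason"))  # e.g. a licensing failure before the retry
        elif (o := OK_RE.match(msg)):
            d = devices[o.group("aid")]
            d["host"], d["final"] = o.group("host"), o.group("result")  # later success overrides
    return dict(devices), dict(api_calls)

if __name__ == "__main__":
    for aid, d in triage(SAMPLE_LOG)[0].items():
        print(f"{aid} ({d['host']}): attempts={d['attempts']} final={d['final']} failures={d['failures']}")
```

Feed it the full mrfcs.log (for example, `triage(open(path).read())`) to list every device whose final state is still "failed" together with the reason recorded, which is usually the quickest way to separate licensing or download errors from RTR session problems.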
Troubleshoot status messages
This table details the messages shown in the Falcon console for a scan occurring on an endpoint and what each message means.
If there are any underlying issues with a scan, this table can assist with troubleshooting.
Message | Status
Info: Stop scan option available after MBBRScan-hostname started. | PowerShell script delivered to the endpoint and the script has started.
Scan initiated. | PowerShell script started.
Checking scan tasks for MBBRScan-Desktop-hostname | Checking whether a scheduled scan is already in progress.
Cannot access the file c:\mbbr\Logs because it is being used by another process. The directory is not empty. | The PowerShell script has removed, or is in the process of removing, the Malwarebytes Breach Remediation working folder.
Error: Filename Exception calling "GetResponse" with "0" arguments(0) "Unable to connect to the remote server" | Downloading Malwarebytes Breach Remediation from https://downloads.malwarebytes.com/file/mbbr4. Errors reported relate to network connectivity problems or proxy misconfiguration.
MBBR version: x.x.x.xxx | Malwarebytes Breach Remediation version x.x.x.xxx was downloaded successfully, unzipped, and run.
Registering MBBR product key. | Validating the MBBR license key.
Downloaded latest rule definitions. | The heuristic rules are updated regularly; the latest available version is being downloaded.
Registering scan task MBBRScan-hostname | Creating a Windows Scheduled Task on the target host to run a scan. The task can be viewed in Windows Task Scheduler.
Parameters scan -nnnnn -pfi:5 | Parameters passed to MBBR.EXE by the script. For more information, see the Malwarebytes Breach Remediation Windows Administrator Guide.
Pending scan task for 2 seconds. | Waiting for the Windows Scheduled Task to start; the ./Logs/ScanProgress.json file is then monitored.
Scan task MBBRScan-hostname started. | The scheduled task running Malwarebytes Breach Remediation has started, and the Logs/ScanProgress.json file updates every pfi:x seconds.
Current scan phase Memory Objects. | Scan phases: Memory Objects, Startup Objects, Filesystem Objects, and Complete.
Objects scanned: xxxx | Cumulative count of processes, memory regions, registry keys, and files scanned.
Scan task MBBRScan-hostname ended. | The scan was completed on the shown target Falcon host.
Scan ended: hh:mm:ss | Duration of the scan in hours, minutes, and seconds. No threats or threats were found on the endpoint.
Error numbers. | For details on errors in Malwarebytes Remediation Connector Solution relating to registration, licensing, and update failures, see Errors in Malwarebytes Remediation Connector Solution.
Troubleshoot endpoint
- Confirm the MBBRScan scheduled task is running in Windows Task Scheduler, which you can open with the following command:
- taskschd.msc
- Check if the scan engine process is running on the endpoint using the following Windows command:
- tasklist /V /FO LIST /FI "IMAGENAME eq MBBR.EXE"
- Collect the Breach Remediation logs using the following Falcon RTR commands:
- cat c:\mbbr\Logs\ScanProgress.json
- get c:\mbbr\Logs\ScanProgress.json
- get c:\mbbr\ScanResults\ScanResults.json
- get c:\mbbr\Logs\MBBR-ERROUT.TXT
Return to the Malwarebytes Remediation Connector Solution integration guide.