NOTICE - On October 18, 2022, this product was renamed to Remediation Connector Solution.
TIP - This is an example of the Remediation Connector Solution configured with CrowdStrike Falcon®.
CrowdStrike and CrowdStrike Falcon are registered trademarks of CrowdStrike, Inc.
Remediation Connector Solution is not associated with, or endorsed by, CrowdStrike Holdings, Inc. or its affiliates.
If you encounter issues with Remediation Connector Solution, you may need to collect diagnostic logs for investigation or submit them to our Support team for troubleshooting. This article explains how to collect logs manually, and provides information on progress logs and troubleshooting steps.
Collect logs from the CrowdStrike Solution applet
Remediation Connector Solution logs are located in:
- Application logs: %LOCALAPPDATA%\Local\Malwarebytes\MRfCS\
- Current log: .\mrfcs.log
- Previous logs: .\mrfcx_nnn.log
- Scan reports: .\ScanReports\yy-mm-dd_hh-mm-_guid1_computername_guid2.json
Collect logs from the host machines
To collect logs from a host machine with the Falcon Sensor:
- Open the CrowdStrike Falcon app.
- Navigate to Settings, then select General.
- Uncheck Auto remove MBBR files in the menu.
- Run a scan in the CrowdStrike console.
- The log directory on each host is:
- C:\mbbr\
- Retrieve the following logs:
- ScanResults\ScanResults.json
- Logs\ScanProgress.json
- Logs\MBBR-ERROUT.TXT
Enable trace logging
If instructed by Support, you can configure Breach Remediation to produce verbose diagnostic logs for troubleshooting. Once enabled, use the CrowdStrike Solution applet to scan host machines and provide the trace logs.
Trace logging is enabled on the target host machine using Windows Environment variables. A restart is required for the environment variable to become available. To enable trace logging, use one of the following methods:
Enable trace logging on the target host machine
- On the target host machine, open the Windows System Properties.
- Click the Advanced tab. Then click Environment Variables.
- Click New and add the following system variable to enable:
- Variable: MBBR_TRACE
- Value: 1
- To disable verbose trace logging, edit the variable to the following:
- Variable: MBBR_TRACE
- Value: 0
Enable trace logging using Falcon RTR command-line
To enable trace logging, create and run the following CrowdStrike RTR script and restart the endpoint:
- MalwarebytesMBBRTraceON
# Malwarebytes. Turn MBBR debug trace on
[Environment]::SetEnvironmentVariable("MBBR_TRACE","1","Machine")
$output = "INFO: Restart endpoint for MBBR trace. System environment var MBBR_TRACE=1"
return "$output"
To turn off trace logging, create and run the following CrowdStrike RTR script and restart the endpoint:
- MalwarebytesMBBRTraceOFF
# Malwarebytes. Turn MBBR debug trace off
[Environment]::SetEnvironmentVariable("MBBR_TRACE","0","Machine")
$output = "INFO: Restart endpoint to disable MBBR trace. System environment var MBBR_TRACE=0"
return "$output"
Sample log entries from the solution applet
MRfCS v.1.0.17.142 starting up.
[INF] POST: https://api.crowdstrike.com/oauth2/token
[INF] ClientID 84d6476a3b53461296d3fe7d4213a8f3 logged in on api.crowdstrike.com
[INF] POST: https://api.crowdstrike.com/oauth2/token
[INF] ClientID 84d6476a3b53461296d3fe7d4213a8f3 logged in on api.crowdstrike.com
[INF] Loading 100 most recent hosts by Last Seen.
[INF] GET: https://api.crowdstrike.com/devices/queries/devices/v1?filter=platform_name:'Windows'&sort=last_seen%7Cdesc&offset=0&limit=100
...
Loading 100 most recent hosts by Last Seen.
...
[INF] Initiating a '-scan threat' scan with parameters: ''
[INF] Checking server for existing scripts...
[INF] GET: https://api.crowdstrike.com/real-time-response/queries/scripts/v1
[INF] Checking for outdated scripts...
[INF] GET: https://api.crowdstrike.com/real-time-response/entities/scripts/v1?ids=ee6d247455bf11ec85e8ba31bc821ee4_84d6476a3b53461296d3fe7d4213a8f3
[INF] GET: https://api.crowdstrike.com/real-time-response/entities/scripts/v1?ids=edb2274055bf11ec85e8ba31bc821ee4_84d6476a3b53461296d3fe7d4213a8f3
[INF] Deleting outdated script from server...
[INF] DELETE: https://api.crowdstrike.com/real-time-response/entities/scripts/v1?ids=edb2274055bf11ec85e8ba31bc821ee4_84d6476a3b53461296d3fe7d4213a8f3
[INF] Deleting outdated script completed successfully.
[INF] Uploading remediation script...
[INF] POST: https://api.crowdstrike.com/real-time-response/entities/scripts/v1
[INF] Uploading remediation script completed successfully.
[INF] Initiating a scan for devices: 40dd361542214114a310a5a8de146fc8
[INF] POST: https://api.crowdstrike.com/real-time-response/entities/sessions/v1
[INF] POST: https://api.crowdstrike.com/real-time-response/entities/admin-command/v1
...
[WRN] Scan failed on device 40dd361542214114a310a5a8de146fc8 (RMM-APP-AU). MBBR license registration failed.
...
[INF] Initiating a scan for devices: 40dd361542214114a310a5a8de146fc8
[INF] POST: https://api.crowdstrike.com/real-time-response/entities/sessions/v1
[INF] POST: https://api.crowdstrike.com/real-time-response/entities/admin-command/v1
[INF] Scan successfully completed on device 40dd361542214114a310a5a8de146fc8 (RMM-APP-AU). No threats found!
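To triage an applet run without reading the whole file, here is an added example (not part of this article or the product) that parses lines in the mrfcs.log format shown above, counts API calls by endpoint, and reports each device's scan attempts plus any device whose latest attempt still failed. The embedded log excerpt is constructed from the sample entries above.

```python
import re
from collections import defaultdict

# Constructed excerpt in the format of the solution applet's mrfcs.log; the
# device id and hostname are the sample values shown in the article's log.
SAMPLE_LOG = """\
MRfCS v.1.0.17.142 starting up.
[INF] POST: https://api.crowdstrike.com/oauth2/token
[INF] Initiating a scan for devices: 40dd361542214114a310a5a8de146fc8
[INF] POST: https://api.crowdstrike.com/real-time-response/entities/sessions/v1
[WRN] Scan failed on device 40dd361542214114a310a5a8de146fc8 (RMM-APP-AU). MBBR license registration failed.
[INF] Initiating a scan for devices: 40dd361542214114a310a5a8de146fc8
[INF] POST: https://api.crowdstrike.com/real-time-response/entities/sessions/v1
[INF] Scan successfully completed on device 40dd361542214114a310a5a8de146fc8 (RMM-APP-AU). No threats found!
"""

LINE_RE = re.compile(r"^\[(?P<level>INF|WRN)\] (?P<msg>.*)$")
DEVICE_RE = re.compile(r"Scan (?P<outcome>failed|successfully completed) on device "
                       r"(?P<aid>[0-9a-f]{32}) \((?P<host>[^)]+)\)\. (?P<detail>.*)$")
API_RE = re.compile(r"^(?P<verb>GET|POST|DELETE): https://api\.crowdstrike\.com(?P<path>/[^?\s]*)")

def summarize(text):
    """Return (per-device attempts, API call counts, warning messages) from mrfcs.log text."""
    devices = defaultdict(list)   # aid -> [(host, outcome, detail), ...] in log order
    api_calls = defaultdict(int)  # (verb, path) -> number of calls
    warnings = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # startup banner, '...' elisions, unlevelled lines
        level, msg = m.group("level"), m.group("msg")
        if level == "WRN":
            warnings.append(msg)
        if a := API_RE.match(msg):
            api_calls[(a.group("verb"), a.group("path"))] += 1
        elif d := DEVICE_RE.match(msg):
            outcome = "failed" if d.group("outcome") == "failed" else "completed"
            devices[d.group("aid")].append((d.group("host"), outcome, d.group("detail")))
    return devices, api_calls, warnings

def unresolved_failures(devices):
    """Devices whose most recent scan attempt failed and still need follow-up."""
    return {aid: tries[-1] for aid, tries in devices.items() if tries[-1][1] == "failed"}

if __name__ == "__main__":
    devices, api_calls, warnings = summarize(SAMPLE_LOG)
    for aid, tries in devices.items():
        for host, outcome, detail in tries:
            print(f"{aid} ({host}): {outcome}: {detail}")
    print("unresolved:", unresolved_failures(devices))
```

Point `summarize` at the contents of a real mrfcs.log to see which devices ended on a failure such as "MBBR license registration failed" and which API endpoints were called how often.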
Troubleshoot status messages
This table details the messages shown in the Falcon console for a scan occurring on an endpoint and what each status means.
If there are any underlying issues with a scan, this table can assist with troubleshooting.
| Message | Status |
| --- | --- |
| Info: Stop scan option available after MBBRScan-hostname started. | PowerShell script was delivered to the endpoint, and the script has started. |
| Scan initiated. | PowerShell script started. |
| Checking scan tasks for MBBRScan-Desktop-hostname | Checking if a scheduled scan is already in progress. |
| Cannot access the file c:\mbbr\Logs because it is being used by another process. The directory is not empty. | The PowerShell script has removed, or is in the process of removing, the Breach Remediation working folder. |
| Error: Filename Exception calling "GetResponse" with "0" arguments(0) "Unable to connect to the remote server" | Downloading Breach Remediation. Errors reported relate to network connectivity problems or proxy misconfiguration. |
| MBBR version: x.x.x.xxx | Breach Remediation version x.x.x.xxx was downloaded successfully, unzipped, and run. |
| Registering MBBR product key. | Validating the MBBR license key. |
| Downloaded latest rule definitions. | The heuristic rules are updated regularly; the latest available version is being downloaded. |
| Registering scan task MBBRScan-hostname | Creating a Windows Scheduled Task on the target host to run a scan. This task can be viewed in Windows Task Scheduler. |
| Parameters scan -nnnnn -pfi:5 | Parameters passed to MBBR.EXE by the script. For more information, see the Breach Remediation Windows Administrator Guide. |
| Pending scan task for 2 seconds. | Waiting for the Windows Scheduled Task to start; the ./Logs/ScanProgress.json file is then monitored. |
| Scan task MBBRScan-hostname started. | The scheduled task running Breach Remediation has started, and the Logs/ScanProgress.json file updates every pfi:x seconds. |
| Current scan phase Memory Objects. | Scan phases: Memory Objects, Startup Objects, Filesystem Objects, and Complete. |
| Objects scanned: xxxx | Cumulative count of Processes, Memory Regions, Registry Keys, and Files scanned. |
| Scan task MBBRScan-hostname ended. | The scan was completed on the shown target Falcon host. |
| Scan ended: hh:mm:ss | Duration of the scan in hours, minutes, and seconds. |
| | No threats, or threats, were found on the endpoint. |
| Error numbers. | For details on errors in Remediation Connector Solution relating to registration, licensing, and update failures, see Errors in Remediation Connector Solution. |
Troubleshoot endpoint
- Confirm the MBBRScan scheduled task is running in Windows Task Scheduler, which you can open with the following command:
- taskschd.msc
- Check if the scan engine process is running on the endpoint using the following Windows command:
- tasklist /V /FO LIST /FI "IMAGENAME eq MBBR.EXE"
- Collect the Breach Remediation logs using the following commands:
- cat c:\mbbr\Logs\ScanProgress.json
- get c:\mbbr\Logs\ScanProgress.json
- get c:\mbbr\ScanResults\ScanResults.json
- get c:\mbbr\Logs\MBBR-ERROUT.TXT