AndrewPP

Information about the Endpoint Protection client and its check in frequency, plus a lot of other stuff is in this article on the support site, which describes a lot about its workings - Endpoint Protection - Windows client fundamentals

@Amaroq_Starwind The development team has a copy of this tactical tool for review of concepts and eventual incorporation into our core product. Regarding "I wouldn't mind being able to help out in a more official capacity" - you are welcome to contribute ideas or script fragments via me for possible incorporation. As this is an unofficial tool, simply exchange direct messages with me. I note that I wrote this in Windows batch script so it can run anywhere, which does make programming a bit arcane. PowerShell would have been easier but then is tricker to package to run everywhere. Ditto compiled language requires our development team to arrange a deployable solution.

Change history 2019-04-01 Version 1.11 Added status of the configuration of Endpoint Response Settings for Suspicious Activity Monitoring, Rollback and Isolation reading from last log entry in EndpointAgent.txt Note: The log entry also displayed if plugin subsequently uninstalled which obsoletes other entry in log. 2019-02-21 Version 1.10 Added count of files in EPR Local Backup 2019-01-31 Version 1.08 Added policy.ea_last_update, to show datetime of most recent policy update. Useful when monitoring for recent change.

On this topic, EICAR is actually both a text-readable string and a 16-bit COM/DOS executable with an original purpose to print "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!" It will no longer run on a current Windows operating system. It is archaic and useless, except to demonstrate string/pattern recognition. https://en.wikipedia.org/wiki/EICAR_test_file

Look in this script, it demonstrates extracting versions from Endpoint Protection configuration files. You can copy/replicate the technique.withvother tools/languages. https://support.malwarebytes.com/docs/DOC-2617

The tool was written for supporting the Endpoint Protection cloud/business product,because it has a locked-down minimalist GUI. Home Premium does not have a Management Agent nor Flight Recorder, so status is correctly reported from my tool. Home Premium EXE has a different name to the Endpoint Protection EXEs. It is a minor script change to test/check for that. I will update it by end.of.week. Thanks for your interest.

The Home Premium and Busines - Endpoint Protection cloud-managed products both use the same 'version 3' engine with its 7-layer protection model. Endpoint Protection provides a central cloud-management console for central enforcement of policy and central monitoring. Business Products are only available to customers with 10+ seats. An additional module is available to business users 'response' for isolation, suspicious monitoring and ransomware rollback, but only for much larger seat counts. You are as well protected with Home Premium as you would be with cloud-managed Endpoint Protection i.e. no need to change.

Use [Action] Scan + Quarantine. A task will be queued awaiting endpoint's next login, to be picked up and run. The task will remain on the queue for 3 days and be cancelled - Failied, if not picked up, but you can always queue another.

Both on-demand and scheduled reports Endpoint Exports have a cutoff at 30 days, calculated from last seen. Console can show more endpoints, which haven't checked in, past 30 days. Excel plugin has a date filter, which allows all records to be retrieved.

Try windows command sfc /scannow It can repair obscurely, damaged Windows components.

You can retrieve c:\ProgramData\Malwarebytes Endpoint Agent\logs\MBEndpointAgent.txt and c:\ProgramData\Malwarebytes\MBAMService\MBAMService.log to understand Endpoint behaviour e.g. whether agents and plugins are turned on, running, active at the time, internal errors. They are verbose and for technical support, but you can try reading. All Endpoint Protection customers have an included Premium support subscription, so raise a case via: https://support.malwarebytes.com/community/business/pages/contact-us Log collection instructions are here - https://support.malwarebytes.com/docs/DOC-1818

As responded by another staff member, feature is added to list. My response was a work-around, in case you hadn't seen it.

Alternatively, the logged-in user name at time of a scan is already viewable in Scan Results/History.

A script has been published on the support site, which can be run locally on an endpoint, to show its service status e.g. during testing and demonstrations. It is read only, needs no special permission except ability to run a Windows command script and is for technical staff. It shows interesting information, on a 20 second timer, including CPU usage, Memory and resource usage. https://support.malwarebytes.com/docs/DOC-2617

Page 18 of November 2019 Guide has MSIEXEC example. GUID is obtained from Endpoint add function.