AndrewPP

Minor note - EMET is end-of-life - https://support.microsoft.com/en-au/help/2458544/the-enhanced-mitigation-experience-toolkit

Lee Wei, the VP of Solution Engineering is the real MVP on this one. I'm just telling you about his work. LOL.

Agent checkin time defaults to every hour (minimum) and it set by policy in the cloud console. Some additional filters are being added to the Cloud console, watch for monthly announcements.

Refer to this support topic - https://support.malwarebytes.com/docs/DOC-2914

Asset scans updates the lists of software, updates and startup programs. It picks up information from the endpoint's registry. It can be run on demand or scheduled. Endpoint activity of Last Seen/Last communication time relates to when the Malwarebytes Management Agent last checked in. When online via the Internet, the endpoints are checking in continuously. Endpoints are added to lists upon installation and initial registration. Thereafter, they are tracked until deleted by console our uninstalled triggered at the endpoint. Use the Excel plugin for more sophisticated reporting.

Malwarebytes traffic is TLS encrypted, always outbound to identified servers. There is nothing inspectable and we disallow interception. Malwarebytes runs as a 'SYSTEM' proxy. The resolution most customers use, is to configure to pass-through of the proxy to Malwarebytes' servers, only.

There is a sophisticated Excel-based Reporting tool on the support site, as a plugin. It meets the requirements stated above. It has 'slicers' to drill in. It has scheduling. It has bulk editing and actions back into console. It logs in and 'pulls' the data. https://support.malwarebytes.com/docs/DOC-2672 Enjoy!

I am on Malwarebytes' staff, in technical PreSales. I see this question asked often, so I am providing a comprehensive response, for you and reference by others too. Your question, in essence, is seeking peer advice about Malwarebytes from existing customers. There are already excellent sources of independent peer review from substantial customers, especially at Gartner PeerInsights (Gartner are a renowned authoritative source of information about the IT industry at-large). Malwarebytes independent reviews at Gartner PeerInsights(tm) https://www.gartner.com/reviews/market/endpoint-protection-platforms/vendor/malwarebytes/product/endpoint-security I suggest you also filter for reviews from companies, same size as yours. Malwarebytes tops PC Magazine Business Choice – Security Software list, 2019 https://www.pcmag.com/news/365749/business-choice-awards-2019-security-software Malwarebytes tops G2 Crowd Anti-virus customer satisfaction list, 2019 https://www.g2crowd.com/categories/antivirus?segment=mid-market This is a formal case study from a customer I worked with, who replaced Kaspersky with Malwarebytes totally. They were happy enough to be publicly referenced. https://resources.malwarebytes.com/files/2019/04/Waverly-Christian-College-CS.pdf We have similar case studies with comparisons to other vendors. https://resources.malwarebytes.com/casestudies/ We run along side Windows Defender very well. Also, if you have the technical capability and skills, you can carefully perform your own independent tests on an isolated/recoverable endpoint of what we find/block which the others miss. We provide 50 current samples and additionallythe same 50 samples with their MD5 Hash changed, which often evades anti-virus only protections. Contact your local Malwarebytes reseller, partner or Malwarebytes sales contact for more information and a link to the samples. Ransomware Protection is one of the seven techniques included in Endpoint Protection. Unlike earlier versions of our product, all protections are included into a single bundle for management. However the inner protection driver services can still be seen running, using this diagnostic script from our support site - https://support.malwarebytes.com/docs/DOC-2617 Endpoint Protection and Response is more advanced and REPLACES and UNINSTALLS Endpoint Security and other variants of Malwarebytes product, across a reboot. Please discuss with your Malwarebytes representative or reseller, if you need to know more. +++ Is Malwarebytes a primary protection solution? +++ I would like to dispel a common myth! Anti-Virus is an old, narrow definition of malware and attack methods. It has become generic and misunderstood by association to long-term vendors. It is also failing, evidenced by these same vendors announcing a rash of 'new generation' detectors added to their suites over the last 12-18 months. Malwarebytes business products which have been available for over 5 years, with latest cloud managed product released in Oct 2017. Our consumer products have been available and used by businesses too, for 10 years. We have many layers of detectors/protections already. Malwarebytes protects against virus, trojans, rootkits and much much more, including adware, Bitcoin miners and more. We do this both with real-time protection, antivirus-like rules, exploit protection, behaviour monitoring against scripts and macros, machine-learning, ransomware monitoring, and also with post-infection disk/system scanning. Many customers use us for post infection cleaning and remediation 'in situ', because their current primary solution is failing them. IF they see too many misses by their current solution, they should to protect in advance with our full product. The Endpoint Protection and Response plugin, an extra subscription, adds flight-recording, suspicious activity analysis, ability to isolate endpoints if lateral infection/malware spread is occurring and rollback ransomware damaged files from a local backup cache. Your account representative, sales team member, or one of our many Reseller partners can assist you with trial etc.

Use the Malwarebytes Excel plugin. It can extract endpoint lists and do deletions. https://support.malwarebytes.com/docs/DOC-2672 Also, you can filter by last seen. It is safer to not delete, if still checking in.

Information about the Endpoint Protection client and its check in frequency, plus a lot of other stuff is in this article on the support site, which describes a lot about its workings - Endpoint Protection - Windows client fundamentals

@Amaroq_Starwind The development team has a copy of this tactical tool for review of concepts and eventual incorporation into our core product. Regarding "I wouldn't mind being able to help out in a more official capacity" - you are welcome to contribute ideas or script fragments via me for possible incorporation. As this is an unofficial tool, simply exchange direct messages with me. I note that I wrote this in Windows batch script so it can run anywhere, which does make programming a bit arcane. PowerShell would have been easier but then is tricker to package to run everywhere. Ditto compiled language requires our development team to arrange a deployable solution.

Change history 2019-04-01 Version 1.11 Added status of the configuration of Endpoint Response Settings for Suspicious Activity Monitoring, Rollback and Isolation reading from last log entry in EndpointAgent.txt Note: The log entry also displayed if plugin subsequently uninstalled which obsoletes other entry in log. 2019-02-21 Version 1.10 Added count of files in EPR Local Backup 2019-01-31 Version 1.08 Added policy.ea_last_update, to show datetime of most recent policy update. Useful when monitoring for recent change.

On this topic, EICAR is actually both a text-readable string and a 16-bit COM/DOS executable with an original purpose to print "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!" It will no longer run on a current Windows operating system. It is archaic and useless, except to demonstrate string/pattern recognition. https://en.wikipedia.org/wiki/EICAR_test_file

Look in this script, it demonstrates extracting versions from Endpoint Protection configuration files. You can copy/replicate the technique.withvother tools/languages. https://support.malwarebytes.com/docs/DOC-2617

The tool was written for supporting the Endpoint Protection cloud/business product,because it has a locked-down minimalist GUI. Home Premium does not have a Management Agent nor Flight Recorder, so status is correctly reported from my tool. Home Premium EXE has a different name to the Endpoint Protection EXEs. It is a minor script change to test/check for that. I will update it by end.of.week. Thanks for your interest.