AndrewPP

Correcting my prior statement about GPO. It is no longer possible to disable Defender by GPO - https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware Defender should detect Malwarebytes registering and turn itself off, for Endpoint Protection.

INTRODUCTORY VIDEO

Search for something running on any endpoint e.g. Chrome.exe Ensure you have turned on Suspicious Activity monitoring by policy, for the endpoints you want to monitor. Ensure policy is not greyed out i.e. that you have a subscription Check the Nebula Console - Endpoint General status for the endpoint to see that the agent has been installed Run Windows command on an endpoint to ensure the inner service started SC query flightrecorder If you are a subscribed customer, you can submit a formal ticket here - https://support.malwarebytes.com/hc/en-us/requests/new

Additionally, you have posted this topic in Incident Response. As Incident Response does not have a real-time protection component, I think it does not register as a provider at all.

Malwarebytes by default will not register as primary unless Defender is stopped. Your display above shows that Defender is still running. You can check security registration and status with Windows command. wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List displayName=Windows Defender instanceGuid={D68DDC3A-831F-4fae-9E44-DA132C1ACF46} pathToSignedProductExe=windowsdefender:// pathToSignedReportingExe=%ProgramFiles%\Windows Defender\MsMpeng.exe productState=397568 timestamp=Tue, 27 Apr 2021 11:09:24 GMT displayName=Malwarebytes in

This article may give you some ideas, to get back ownership of c:\ProgramData using a Microsoft utility - https://serverfault.com/questions/789157/server-admin-cant-modify-folder-permissions But, folders could be locked, or it is indicative of other damage. PSEXEC -S CMD takeown /a /f c:\ProgramData icacls c:\ProgramData /reset /t /c

I am not directly in the Support organisation, but I suggest you immediately submit a Support Ticket here - Submit a support ticket. You can also call Support phone number listed in your Console, by clicking on your name at top right, Contact Us. I am not a Malware incident responder, so the following is some general guidance. If both protection products were removed, that is a suspicious activity associated with attacks. If Tamper Proofing had been enabled, it would be very difficult to uninstall Malwarebytes. If Tamper Protection is Off, then turn it on by policy for all other

If you are logged into Nebula site, it is in the URL line https://cloud.malwarebytes.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/dashboard Alternatively, it can be found in the local activity log c:\ProgramData\Malwarebytes Endpoint Agent\logs\EndpointAgent.txt

Files not deleting can occur because: Some process is constantly creating many files, needing backup - resolution is exclusion, with assistance from Support to identify An internal fault is blocking cleaning - resolution may be reinstallation Best to take the diagnostic steps.

Further to comments above: The EDR backup folder is self-protected, so attackers cannot get to it A policy setting controls retention of backups, to a maximum of 72 hours A policy setting controls usage of free space as a quota percentage It self-cleans daily and hourly, to cull older files and manage the quota During an initial learning period of 14 days, additional files are backed up Exclusions can be applied to ignore backups of specified files/folders The diagnostic logs contain internal information for Support team to determine contents of backup

Yes, they are our servers for all customers. Support literature and product manuals are here: https://support.malwarebytes.com/hc/en-us/sections/360005863613-Malwarebytes-Breach-Remediation

Excuse repeat pasted items.

It is in the Product's manual which is in your download. Note, dynamic IPs are used, unless you force it to use static ips. From the manual

TREED is the authoritative source from Malwarebytes, but for some metrics.... "According to data provided by Malwarebytes, Silver Sparrow had infected 29,139 macOS endpoints across 153 countries as of February 17, including high volumes of detection in the United States, the United Kingdom, Canada, France, and Germany," Red Canary's Tony Lambert wrote in a report published last week. https://www.zdnet.com/article/30000-macs-infected-with-new-silver-sparrow-malware/

For future (after login) Support tickets can be submitted into https://support.malwarebytes.com, Business Products page, scroll to bottom. Direct link here: https://support.malwarebytes.com/hc/en-us/requests/new Look at top right of you console, Profile/ContactUs and note down the support phone number I sent you a direct message.