Everything posted by AndrewPP
-
Further to comments above:

The EDR backup folder is self-protected, so attackers cannot get to it.
A policy setting controls retention of backups, to a maximum of 72 hours.
A policy setting controls usage of free space as a quota percentage.
It self-cleans daily and hourly, to cull older files and manage the quota.
During an initial learning period of 14 days, additional files are backed up.
Exclusions can be applied to ignore backups of specified files/folders.
The diagnostic logs contain internal information for the Support team to determine the contents of backups.

Entries will be logged in c:\ProgramData\Malwarebytes Endpoint Agent\Logs\EndpointAgent.txt, each hour, to show cleaning is occurring:

INFO FRCoreManager [FRSDK] Next backup cleanup scheduled for 2021-03-30 16:41:30+1100
INFO FRCoreManager [FRSDK] Next ALL cleanup scheduled for 2021-04-05 15:41:30+1000

View with File Manager, or run this Windows command to list the files in the backup directory, in name ascending order (the path contains spaces, so quote it):

DIR /O:N "c:\ProgramData\Malwarebytes Endpoint Agent\Plugins\EDRPlugin"

03/29/2021 04:41 PM 38,917 0000001616996491019_756C2F71.frb

The name of the first file contains the datetime of the earliest file, e.g. look up 0000001616996491019 at a site like this: https://www.unixtimestamp.com/index.php

If cleaning is working, files should be no older than your configured retention.

Save the listing to a file, for submission with a Support case:

DIR /O:N "c:\ProgramData\Malwarebytes Endpoint Agent\Plugins\EDRPlugin" > "%homepath%\desktop\Malwarebytes-BackupList.txt"

Support can advise additional triage steps.
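A small script to do the age check from the listing above automatically, as an added example (not from the original post and not Malwarebytes' code): it parses the .frb file names, treats the 19-digit prefix as a zero-padded Unix epoch in milliseconds (an assumption, but it agrees with the listed file's 04:41 PM timestamp at UTC+11), reports the oldest backup, and flags anything older than the configured retention, using the 72-hour policy ceiling by default. The sample listing is constructed; run it from an elevated prompt on the endpoint and it lists the real directory instead.

```python
import os
import re
from datetime import datetime, timedelta, timezone

# Backup directory and policy ceiling quoted in the post above.
BACKUP_DIR = r"c:\ProgramData\Malwarebytes Endpoint Agent\Plugins\EDRPlugin"
MAX_RETENTION_HOURS = 72

# Assumption, checked against the DIR listing in the post: the 19-digit prefix is a zero-padded
# Unix epoch in milliseconds.  1616996491019 ms = 2021-03-29 05:41:31 UTC = 04:41 PM at UTC+11,
# which matches the file's 03/29/2021 04:41 PM timestamp.
FRB_NAME = re.compile(r"^(\d{19})_[0-9A-Fa-f]+\.frb$", re.IGNORECASE)


def backup_timestamp(filename):
    """UTC datetime encoded in a .frb file name, or None for non-backup files (DLLs, logs, ...)."""
    m = FRB_NAME.match(filename)
    if not m:
        return None
    epoch_ms = int(m.group(1))
    # Integer split keeps the millisecond exact instead of going through a float.
    return datetime.fromtimestamp(epoch_ms // 1000, tz=timezone.utc) + timedelta(milliseconds=epoch_ms % 1000)


def _as_datetime(now):
    """Accept either an aware datetime or an ISO-8601 string such as 2021-04-01T06:00:00+00:00."""
    return datetime.fromisoformat(now) if isinstance(now, str) else now


def oldest_backup(filenames):
    """Earliest backup timestamp; name-ascending order (DIR /O:N) puts this file first."""
    stamps = [t for t in map(backup_timestamp, filenames) if t is not None]
    return min(stamps) if stamps else None


def stale_backups(filenames, now, retention_hours=MAX_RETENTION_HOURS):
    """[(filename, age_hours)] for backups older than the configured retention.
    Anything returned more than an hour after the 'Next backup cleanup' time in
    EndpointAgent.txt means the cleaner is not running; attach the list to the Support case."""
    now = _as_datetime(now)
    cutoff = now - timedelta(hours=retention_hours)
    stale = []
    for name in sorted(filenames):
        ts = backup_timestamp(name)
        if ts is not None and ts < cutoff:
            stale.append((name, round((now - ts).total_seconds() / 3600, 1)))
    return stale


# Constructed listing for offline use: the file from the post plus invented neighbours.
SAMPLE_LISTING = [
    "0000001616996491019_756C2F71.frb",  # 2021-03-29 05:41:31 UTC (from the post)
    "0000001617255600000_0A1B2C3D.frb",  # 2021-04-01 05:40:00 UTC (constructed)
    "0000001616600000000_DEADBEEF.frb",  # 2021-03-24 15:33:20 UTC (constructed, well past 72 h)
    "notabackup.txt",                     # placeholder non-backup file, ignored
]

if __name__ == "__main__":
    try:
        # The folder is self-protected; listing it may need an elevated prompt.
        names = os.listdir(BACKUP_DIR)
    except OSError:
        names = SAMPLE_LISTING
    now = datetime.now(timezone.utc)
    print("oldest backup:", oldest_backup(names))
    for name, age in stale_backups(names, now):
        print(f"STALE {name} age={age}h")
```

Pass a different retention_hours if your policy is set below the 72-hour maximum; a file list that is empty of stale entries but whose oldest backup is younger than the learning period is the normal state.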
-
Yes, they are our servers for all customers. Support literature and product manuals are here: https://support.malwarebytes.com/hc/en-us/sections/360005863613-Malwarebytes-Breach-Remediation
-
Excuse repeat pasted items.
-
It is in the product's manual, which is in your download. Note, dynamic IPs are used, unless you force it to use static IPs. From the manual
-
Does Malwarebytes stop "Silver Sparrow"?
AndrewPP replied to mhfryc's topic in Mac Malware Removal Help & Support
TREED is the authoritative source from Malwarebytes, but for some metrics.... "According to data provided by Malwarebytes, Silver Sparrow had infected 29,139 macOS endpoints across 153 countries as of February 17, including high volumes of detection in the United States, the United Kingdom, Canada, France, and Germany," Red Canary's Tony Lambert wrote in a report published last week. https://www.zdnet.com/article/30000-macs-infected-with-new-silver-sparrow-malware/
-
For future (after login), Support tickets can be submitted into https://support.malwarebytes.com, Business Products page, scroll to bottom. Direct link here: https://support.malwarebytes.com/hc/en-us/requests/new

Look at the top right of your console, Profile/Contact Us, and note down the support phone number.

I sent you a direct message.
-
Malicious Website Blocked (91.241.19.173:3389)
AndrewPP replied to WORKS2016's topic in Malwarebytes Nebula
Use a service like this to look up DNS records - https://www.findip-address.com/ - you will find it originates from Russia. Or Google "who is 91.241.19.173": https://www.abuseipdb.com/check/91.241.19.173

You may need to use Intrusion Detection network monitoring and firewall port monitoring to investigate, at an IP packet level, how the traffic is entering your network. If all of your endpoints only use VPN to connect, then you will need to track down the source IP, maybe by the VPN server's logs, to find the compromised endpoint.

These topics are beyond the scope of Malwarebytes products and you may need to enlist some expert assistance from a network specialist or penetration tester.
-
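One way to do the source-tracking step described above, as an added example (not from the original thread, not Malwarebytes' code, and not any VPN vendor's): it joins firewall connection records for the blocked destination against VPN session records, so each internal (tunnel) source IP is resolved to the VPN user and real client address that held it at that moment, which matters because tunnel IPs are reused between sessions. Both log formats, all addresses and all user names are constructed for the example; adapt the two regular expressions to your firewall's and VPN server's real log lines.

```python
import re
from collections import defaultdict

# Destination from the "Website Blocked" alert quoted in the thread above.
BLOCKED_DST = ("91.241.19.173", 3389)

# Both log formats are constructed for this example (an assumption, not any vendor's format).
# Timestamps are fixed-width UTC "YYYY-MM-DDTHH:MM:SS", so they compare correctly as strings.
FW_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) fw action=(?P<action>\w+) "
    r"src=(?P<sip>[\d.]+):(?P<sport>\d+) dst=(?P<dip>[\d.]+):(?P<dport>\d+) proto=(?P<proto>\w+)$"
)
VPN_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) vpn event=(?P<event>connect|disconnect) "
    r"user=(?P<user>\S+) tunnel_ip=(?P<tip>[\d.]+) client_ip=(?P<cip>[\d.]+)$"
)


def find_sources(fw_lines, dst_ip, dst_port):
    """Map each source IP that tried to reach dst_ip:dst_port to the sorted timestamps of its attempts."""
    hits = defaultdict(list)
    for line in fw_lines:
        m = FW_LINE.match(line)
        if m and m["dip"] == dst_ip and int(m["dport"]) == dst_port:
            hits[m["sip"]].append(m["ts"])
    return {sip: sorted(ts) for sip, ts in hits.items()}


def vpn_sessions(vpn_lines):
    """Pair connect/disconnect events into (user, tunnel_ip, client_ip, start, end) sessions.
    A session with no disconnect yet is still open and gets end=None."""
    open_by_tunnel = {}
    sessions = []
    for line in vpn_lines:
        m = VPN_LINE.match(line)
        if not m:
            continue
        if m["event"] == "connect":
            open_by_tunnel[m["tip"]] = (m["user"], m["tip"], m["cip"], m["ts"])
        else:
            started = open_by_tunnel.pop(m["tip"], None)
            if started:
                sessions.append(started + (m["ts"],))
    sessions.extend(s + (None,) for s in open_by_tunnel.values())
    return sessions


def owner_at(tunnel_ip, ts, sessions):
    """Which VPN user held tunnel_ip at time ts?  Returns (user, client_ip) or None.
    The timestamp is essential: the same tunnel IP belongs to different users over a day."""
    for user, tip, cip, start, end in sessions:
        if tip == tunnel_ip and start <= ts and (end is None or ts <= end):
            return user, cip
    return None


def attribute_hits(fw_lines, vpn_lines, dst=BLOCKED_DST):
    """Every source IP that hit the blocked destination, with attempt count and the VPN
    (user, client_ip) pairs that owned that tunnel IP at the times of the attempts."""
    sessions = vpn_sessions(vpn_lines)
    result = {}
    for sip, stamps in find_sources(fw_lines, *dst).items():
        owners = {owner_at(sip, ts, sessions) for ts in stamps}
        result[sip] = {"attempts": len(stamps), "owners": sorted(o for o in owners if o)}
    return result


# Constructed sample logs.  Tunnel 10.8.0.5 is reused: bob held it first, alice after him.
VPN_SAMPLE = [
    "2021-02-10T08:00:00 vpn event=connect user=bob tunnel_ip=10.8.0.5 client_ip=203.0.113.7",
    "2021-02-10T09:00:00 vpn event=disconnect user=bob tunnel_ip=10.8.0.5 client_ip=203.0.113.7",
    "2021-02-10T09:30:00 vpn event=connect user=alice tunnel_ip=10.8.0.5 client_ip=198.51.100.21",
    "2021-02-10T09:31:00 vpn event=connect user=carol tunnel_ip=10.8.0.9 client_ip=198.51.100.40",
]
FW_SAMPLE = [
    "2021-02-10T08:15:00 fw action=block src=10.8.0.5:51002 dst=91.241.19.173:3389 proto=tcp",
    "2021-02-10T09:45:10 fw action=block src=10.8.0.5:51230 dst=91.241.19.173:3389 proto=tcp",
    "2021-02-10T09:45:12 fw action=block src=10.8.0.5:51231 dst=91.241.19.173:3389 proto=tcp",
    "2021-02-10T09:50:00 fw action=allow src=10.8.0.9:44001 dst=93.184.216.34:443 proto=tcp",
    "2021-02-10T10:02:00 fw action=block src=10.8.0.9:44100 dst=91.241.19.173:3389 proto=tcp",
]

if __name__ == "__main__":
    for sip, info in attribute_hits(FW_SAMPLE, VPN_SAMPLE).items():
        print(sip, info["attempts"], "attempts ->", info["owners"])
```

The attribution resolves to two users for the same tunnel IP, so the endpoint to pull for remediation is whichever machine those users connected from at those times, not the tunnel address alone.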
How can users check what endpoint engine version they are on?
AndrewPP replied to lshirley30's topic in Malwarebytes Nebula
If the Management Agent is running, this command will display component versions (quote the path, as it contains spaces):

"c:\Program Files\Malwarebytes Endpoint Agent\UserAgent\EACMD.EXE" --versions

Help will show additional useful commands:

"c:\Program Files\Malwarebytes Endpoint Agent\UserAgent\EACMD.EXE" -h
-
The Excel tool uses a Nebula API and can instruct the Nebula Console to delete duplicate endpoints, kick off scans, move endpoints etc. A description of features is here: https://support.malwarebytes.com/hc/en-us/articles/360038540994-Export-data-with-the-Malwarebytes-Nebula-Excel-Addin-with-Reporting-and-Utilities Note, the Nebula Public API is now available via Settings and documented here - https://api.malwarebytes.com/nebula/v1/docs should customers wish to perform their own integrations. 1. If you rerun the function from Excel, it will do a new query for freshest endpoints and confirm endpoints were deleted. 2. Click refresh in the Nebula Console. There also may have been a slight propagation delay. If you still have an issue, it is best to raise a support ticket here - https://support.malwarebytes.com/hc/en-us/requests/new
-
PSEXEC -accepteula -i -h -s ..... It requires a console window to run. The -i causes it to be interactive to meet this requirement. A Management Agent restart is required for it to take effect. More information is here: https://support.malwarebytes.com/hc/en-us/articles/360039018233-Move-an-endpoint-between-Nebula-accounts-or-OneView-sites
-
Deployment Failures Using Discovery and Deployment Tool
AndrewPP replied to RyanSCS's topic in Malwarebytes Nebula
The tool discovers endpoint names and addresses by a number of methods. When you deploy is when it connects to the endpoint, initially for a file copy, then to run the installer and trigger the Management Agent service start. If ping is timing out, then resolve that, and the ability to mount a file share, and it should work. Check network settings, public/private, to ensure File and Print Sharing is enabled. https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-vista/bb727037(v=technet.10)?redirectedfrom=MSDN (If the endpoints are domain-joined to Active Directory, then GPO/GPUPDATE is an alternative.)
-
Deployment Failures Using Discovery and Deployment Tool
AndrewPP replied to RyanSCS's topic in Malwarebytes Nebula
Log shows the endpoint is not reachable:

ErrorMessage:System.IO.IOException: The network path was not found. Domain name: *********.local; IP Address(es): IP Address: 192.168.1.xx, ; : Error: Bad Net Name

The D&D Tool uses SMB (445) for the file copy and RPC (135) for kicking off the process, or alternatively WMI.

1. Try running the D&D Tool from a workstation on the same LAN segment, if you have a segmented/routed network
2. Ensure the endpoint is PING-able
3. Recheck that hostname and IP addresses match, i.e. DHCP/DNS/AD all line up
4. Get the file share working with Windows basic commands to diagnose, e.g. try mounting the file share from your endpoint running the D&D Tool. Something like:

NET USE z: \\HP-PAV-SWID.swiderski.local\admin$ /PERSISTENT:NO /USER:domain\adminuser *
:: and/or
NET USE z: \\192.168.1.66\admin$ /PERSISTENT:NO /USER:domain\adminuser *
:: To clean up
NET USE z: /DELETE

When you can diagnose/do a Windows mount of the share, all pre-requisites should be working. Try to deploy to the IP address explicitly, instead of the name.

If you are a subscribed user, then submit a formal case/support ticket for more formal assistance. https://support.malwarebytes.com/hc/en-us/requests/new
-
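The checks in the two replies above (name and IP agreeing, the SMB and RPC ports reachable, then the NET USE mount) as an added example script, not part of the original thread and not the D&D Tool's own code. It does not ping (use the ping command for step 2), and it stops short of mounting admin$ itself, instead printing the NET USE line to run once the preflight is clean. The hostname pc01.corp.local is hypothetical, and the resolver and port probe are injectable so the logic can be exercised without a network; the defaults use real DNS and TCP connects.

```python
import socket
import sys

# What the D&D Tool needs on the target, per the replies above: SMB for the file copy to admin$
# and RPC (or WMI, which also starts at the RPC endpoint mapper) to kick off the installer.
REQUIRED_PORTS = (
    (445, "SMB file copy to admin$ (File and Print Sharing)"),
    (135, "RPC endpoint mapper for process start / WMI"),
)


def tcp_open(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(hostname, expected_ip=None, resolve=socket.gethostbyname, probe=tcp_open):
    """Run the manual checks from the thread in order and return a list of findings
    (an empty list means nothing obviously wrong).  expected_ip is the address the D&D Tool
    discovered; resolve/probe default to DNS and TCP connects but can be replaced for testing."""
    findings = []
    try:
        resolved = resolve(hostname)
    except OSError as err:
        # Step 3: the name must resolve at all before DHCP/DNS/AD can "line up".
        return [f"DNS: {hostname} does not resolve ({err}); fix DNS/AD, or deploy by IP address"]
    if expected_ip and resolved != expected_ip:
        # Step 3: the discovered IP and the DNS answer disagree (stale DHCP lease or DNS record).
        findings.append(
            f"mismatch: {hostname} resolves to {resolved} but the tool discovered {expected_ip}; "
            "fix DHCP/DNS/AD or deploy to the IP address explicitly"
        )
    target = expected_ip or resolved
    for port, purpose in REQUIRED_PORTS:
        # Step 4 precondition: NET USE \\target\admin$ cannot succeed while 445 is closed.
        if not probe(target, port):
            findings.append(
                f"TCP {port} closed on {target}: {purpose} will fail; check the firewall profile "
                "(public vs private) and that File and Print Sharing is enabled"
            )
    return findings


def net_use_command(target, user="domain\\adminuser"):
    """The NET USE line from the post for the target that passed preflight; '*' prompts for the password."""
    return f"NET USE z: \\\\{target}\\admin$ /PERSISTENT:NO /USER:{user} *"


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "pc01.corp.local"   # hypothetical endpoint name
    ip = sys.argv[2] if len(sys.argv) > 2 else None                   # IP the D&D Tool discovered
    problems = preflight(host, ip)
    for p in problems:
        print("PROBLEM:", p)
    if not problems:
        print("preflight OK; next run:", net_use_command(ip or host))
```

Run it from the same workstation the D&D Tool runs on, since a routed segment or a different firewall profile there is exactly what the first step in the reply is trying to rule out.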
Hi Alex, as you are a New Zealand partner, let's discuss directly. I will drop you an email. Andrew Probert Senior Sales Engineer, CISSP Australia and New Zealand Malwarebytes
-
MWB Management Console Showing Unlicensed
AndrewPP replied to jcwillis12's topic in Malwarebytes Nebula
In future, this would be a better forum topic to use for the Malwarebytes Endpoint Security Console: https://forums.malwarebytes.com/forum/230-malwarebytes-management-console/ Use [Register] and re-input your license keys again to re-verify the console. Support will get back to you.
-
https://support.malwarebytes.com/docs/DOC-2672 Support This is a user community shared utility. Please post questions and comments on this Forum thread. You can also send requests to the author directly. Lee Wei (lwei@malwarebytes.com)
-
Bottom-up ASLR setting up by MBAE for Google Chrome
AndrewPP replied to hake's topic in Anti-Exploit Beta
Minor note - EMET is end-of-life - https://support.microsoft.com/en-au/help/2458544/the-enhanced-mitigation-experience-toolkit -
Agent check-in time defaults to every hour (minimum) and is set by policy in the cloud console. Some additional filters are being added to the Cloud console, watch for monthly announcements.
-
Bottom-up ASLR setting up by MBAE for Google Chrome
AndrewPP replied to hake's topic in Anti-Exploit Beta
Refer to this support topic - https://support.malwarebytes.com/docs/DOC-2914 -
Asset scans update the lists of software, updates and startup programs. It picks up information from the endpoint's registry. It can be run on demand or scheduled. Endpoint activity of Last Seen/Last communication time relates to when the Malwarebytes Management Agent last checked in. When online via the Internet, the endpoints are checking in continuously. Endpoints are added to lists upon installation and initial registration. Thereafter, they are tracked until deleted by the console or an uninstall triggered at the endpoint. Use the Excel plugin for more sophisticated reporting.
-
Malwarebytes traffic is TLS encrypted, always outbound to identified servers. There is nothing inspectable and we disallow interception. Malwarebytes runs as a 'SYSTEM' proxy. The resolution most customers use is to configure pass-through of the proxy to Malwarebytes' servers only.
-
There is a sophisticated Excel-based Reporting tool on the support site, as a plugin. It meets the requirements stated above. It has 'slicers' to drill in. It has scheduling. It has bulk editing and actions back into console. It logs in and 'pulls' the data. https://support.malwarebytes.com/docs/DOC-2672 Enjoy!
-
I am on Malwarebytes' staff, in technical PreSales. I see this question asked often, so I am providing a comprehensive response, for you and for reference by others too.

Your question, in essence, is seeking peer advice about Malwarebytes from existing customers. There are already excellent sources of independent peer review from substantial customers, especially at Gartner PeerInsights (Gartner are a renowned authoritative source of information about the IT industry at large).

Malwarebytes independent reviews at Gartner PeerInsights(tm): https://www.gartner.com/reviews/market/endpoint-protection-platforms/vendor/malwarebytes/product/endpoint-security
I suggest you also filter for reviews from companies the same size as yours.

Malwarebytes tops PC Magazine Business Choice – Security Software list, 2019: https://www.pcmag.com/news/365749/business-choice-awards-2019-security-software

Malwarebytes tops G2 Crowd Anti-virus customer satisfaction list, 2019: https://www.g2crowd.com/categories/antivirus?segment=mid-market

This is a formal case study from a customer I worked with, who replaced Kaspersky with Malwarebytes totally. They were happy enough to be publicly referenced. https://resources.malwarebytes.com/files/2019/04/Waverly-Christian-College-CS.pdf

We have similar case studies with comparisons to other vendors: https://resources.malwarebytes.com/casestudies/

We run alongside Windows Defender very well.

Also, if you have the technical capability and skills, you can carefully perform your own independent tests, on an isolated/recoverable endpoint, of what we find/block which the others miss. We provide 50 current samples and additionally the same 50 samples with their MD5 hash changed, which often evades anti-virus-only protections. Contact your local Malwarebytes reseller, partner or Malwarebytes sales contact for more information and a link to the samples.

Ransomware Protection is one of the seven techniques included in Endpoint Protection. Unlike earlier versions of our product, all protections are included in a single bundle for management. However, the inner protection driver services can still be seen running, using this diagnostic script from our support site - https://support.malwarebytes.com/docs/DOC-2617

Endpoint Protection and Response is more advanced and REPLACES and UNINSTALLS Endpoint Security and other variants of Malwarebytes product, across a reboot. Please discuss with your Malwarebytes representative or reseller, if you need to know more.

+++ Is Malwarebytes a primary protection solution? +++

I would like to dispel a common myth! Anti-Virus is an old, narrow definition of malware and attack methods. It has become generic and misunderstood by association with long-term vendors. It is also failing, evidenced by these same vendors announcing a rash of 'new generation' detectors added to their suites over the last 12-18 months.

Malwarebytes business products have been available for over 5 years, with the latest cloud managed product released in Oct 2017. Our consumer products have been available, and used by businesses too, for 10 years. We have many layers of detectors/protections already. Malwarebytes protects against viruses, trojans, rootkits and much much more, including adware, Bitcoin miners and more. We do this both with real-time protection, antivirus-like rules, exploit protection, behaviour monitoring against scripts and macros, machine learning, ransomware monitoring, and also with post-infection disk/system scanning.

Many customers use us for post-infection cleaning and remediation 'in situ', because their current primary solution is failing them. If they see too many misses by their current solution, they should protect in advance with our full product.

The Endpoint Protection and Response plugin, an extra subscription, adds flight recording, suspicious activity analysis, the ability to isolate endpoints if lateral infection/malware spread is occurring, and rollback of ransomware-damaged files from a local backup cache.

Your account representative, sales team member, or one of our many Reseller partners can assist you with a trial etc.
-
Use the Malwarebytes Excel plugin. It can extract endpoint lists and do deletions. https://support.malwarebytes.com/docs/DOC-2672 Also, you can filter by last seen. It is safer to not delete, if still checking in.
-
Information about the Endpoint Protection client and its check in frequency, plus a lot of other stuff is in this article on the support site, which describes a lot about its workings - Endpoint Protection - Windows client fundamentals