AndrewPP
Honorary Members
Posts: 127

Everything posted by AndrewPP

  1. @Amaroq_Starwind The development team has a copy of this tactical tool for review of concepts and eventual incorporation into our core product. Regarding "I wouldn't mind being able to help out in a more official capacity" - you are welcome to contribute ideas or script fragments via me for possible incorporation. As this is an unofficial tool, simply exchange direct messages with me. I note that I wrote this in Windows batch script so it can run anywhere, which does make programming a bit arcane. PowerShell would have been easier but is then trickier to package to run everywhere. Ditto a compiled language, which requires our development team to arrange a deployable solution.
  2. Change history
     2019-04-01 Version 1.11 Added status of the configuration of Endpoint Response Settings for Suspicious Activity Monitoring, Rollback and Isolation, reading from the last log entry in EndpointAgent.txt. Note: The log entry is also displayed if the plugin is subsequently uninstalled, which obsoletes the other entry in the log.
     2019-02-21 Version 1.10 Added count of files in EPR Local Backup.
     2019-01-31 Version 1.08 Added policy.ea_last_update, to show datetime of the most recent policy update. Useful when monitoring for recent change.
  3. On this topic, EICAR is actually both a text-readable string and a 16-bit COM/DOS executable with an original purpose to print "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!" It will no longer run on a current Windows operating system. It is archaic and useless, except to demonstrate string/pattern recognition. https://en.wikipedia.org/wiki/EICAR_test_file
  4. Look in this script, it demonstrates extracting versions from Endpoint Protection configuration files. You can copy/replicate the technique with other tools/languages. https://support.malwarebytes.com/docs/DOC-2617
  5. The tool was written for supporting the Endpoint Protection cloud/business product, because it has a locked-down minimalist GUI. Home Premium does not have a Management Agent nor Flight Recorder, so status is correctly reported from my tool. The Home Premium EXE has a different name to the Endpoint Protection EXEs. It is a minor script change to test/check for that. I will update it by end of week. Thanks for your interest.
  6. The Home Premium and Business - Endpoint Protection cloud-managed products both use the same 'version 3' engine with its 7-layer protection model. Endpoint Protection provides a central cloud-management console for central enforcement of policy and central monitoring. Business Products are only available to customers with 10+ seats. An additional module, 'Response', is available to business users for isolation, suspicious monitoring and ransomware rollback, but only for much larger seat counts. You are as well protected with Home Premium as you would be with cloud-managed Endpoint Protection, i.e. no need to change.
  7. Use [Action] Scan + Quarantine. A task will be queued awaiting the endpoint's next login, to be picked up and run. The task will remain on the queue for 3 days and then be cancelled - Failed, if not picked up, but you can always queue another.
  8. Both on-demand and scheduled report Endpoint Exports have a cutoff at 30 days, calculated from last seen. The console can show more endpoints, which haven't checked in for over 30 days. The Excel plugin has a date filter, which allows all records to be retrieved.
  9. Try the Windows command sfc /scannow. It can repair obscure, damaged Windows components.
  10. You can retrieve c:\ProgramData\Malwarebytes Endpoint Agent\logs\MBEndpointAgent.txt and c:\ProgramData\Malwarebytes\MBAMService\MBAMService.log to understand Endpoint behaviour, e.g. whether agents and plugins are turned on, running, active at the time, internal errors. They are verbose and for technical support, but you can try reading them. All Endpoint Protection customers have an included Premium support subscription, so raise a case via: https://support.malwarebytes.com/community/business/pages/contact-us
      Log collection instructions are here - https://support.malwarebytes.com/docs/DOC-1818
  11. As responded by another staff member, the feature is added to the list. My response was a work-around, in case you hadn't seen it.
  12. Alternatively, the logged-in user name at time of a scan is already viewable in Scan Results/History.
  13. A script has been published on the support site, which can be run locally on an endpoint, to show its service status, e.g. during testing and demonstrations. It is read-only, needs no special permission except the ability to run a Windows command script, and is for technical staff. It shows interesting information, on a 20-second timer, including CPU usage, memory and resource usage. 'Windows script to display Malwarebytes Endpoint Protection Agent Health and Service Status'
  14. Page 18 of November 2019 Guide has MSIEXEC example. GUID is obtained from Endpoint add function.
  15. For an installed threat, the Malwarebytes remediation function has a 'linking engine' which finds all related objects of a threat and quarantines them, including EXE, DLL, registry settings and files etc. The Detection result will list all components of a threat which have been quarantined. In a scan of type Threat or Custom scan-all-local-drives, the above process would be applied as running processes are checked. Files on disk should also be found.
  16. Ask toolbar is an 'Unwanted Program' which will be quarantined upon launch, or if scanned. It is fairly benign. https://ask-com-toolbar.en.softonic.com/
  17. I am on a different team in a different timezone, but suggest:
      If the server happens to have ActiveDirectory/DNS co-located with Terminal Server, then review this article - https://support.malwarebytes.com/docs/DOC-2591
      If there is any other anti-malware product also running, then configure exclusions to avoid clashes. If the other product has Web Filtering, then disable Malwarebytes' web filtering, as two web filters can be redundant/clash.
      Otherwise, submit a case via https://support.malwarebytes.com/community/business/pages/contact-us
      To expedite a response, ensure you identify Server Operating system versions. Provide logs up front: https://support.malwarebytes.com/docs/DOC-1818
      Submit FRST logs - https://support.malwarebytes.com/docs/DOC-1318
      Submit a report from the Microsoft MSINFO32 utility. Remember to forward the 'FileMail' receipt to the case.
  18. Try this Malwarebytes Excel plugin for advanced reporting - https://support.malwarebytes.com/docs/DOC-2672
  19. Look at the latest version of the manual - Malwarebytes Cloud Administrator Guide, page 3, Mac Endpoints directories:
      /var/log/com.malwarebytes.EndpointAgent.log
      /Library/Application Support/Malwarebytes/Malwarebytes Endpoint Agent
      /Library/Application Support/Malwarebytes/Malwarebytes Endpoint
      /Library/LaunchDaemons/com.malwarebytes.EndpointAgent.plist
      Your symptom means the Malwarebytes Endpoint Agent is not in communication with Cloud Management. A 'good' entry for agent reporting looks like this:
      2018-11-19 19:13:01.029 EndpointAgentDaemon[101:613] INFO NebulaWebService: postAgentInfo:
      2018-11-19 19:13:01.029 EndpointAgentDaemon[101:613] INFO URL: https://cloud.malwarebytes.com/api/v1/machine/results
      2018-11-19 19:13:01.029 EndpointAgentDaemon[101:613] INFO parameters: { data = "{\"schedules\":[],\"engine_version\":\"1.5.0.121\",\"object_guid\":\"\",\"os_info\":{\"os_platform\":\"MacOS\",\"os_architecture\":\"amd64\",\"os_version\":\"10.13.6\",\"os_release_name\":\"macOS High Sierra 10.13.6\",\"os_type\":\"workstation\"},\"policy_etag\":\"3a403b2ecafe4a3e7b398b16858b8f7b\",\"nics\":[{\"description\":\"en0\",\"ips\":[\"10.0.0.1\"],\"mac_address\":\"C4:B3:01:BA:26:5B\"}],\"tray_version\":\"1.5.0.108\",\"object_sid\":\"\",\"plugins\":[{\"plugin_version\":\"1.5.58\",\"product_name\":\"Incident Response\",\"sdk_version\":\"macosx10.13\"},{\"plugin_version\":\"1.5.59\",\"product_name\":\"Asset Manager\",\"sdk_version\":\"macosx10.13\"}],\"culture\":\"en_US\",\"host_name\":\"RMT-3019\",\"time_zone\":\"Australia\\/Melbourne\",\"fully_qualified_host_name\":\"RMT-3019.local\"}"; "duration_seconds" = 0; "job_id" = ""; "schedule_etag" = ""; "started_at_local" = "2018-11-19T08:13:01+11:00"; type = "AGENT_INFORMATION"; }
      2018-11-19 19:13:01.031 EndpointAgentDaemon[101:613] INFO EndpointAgent: Boomerang connected.
      2018-11-19 19:13:01.543 EndpointAgentDaemon[101:613] INFO EndpointAgent: Update agent info successful!
      2018-11-19 19:13:01.555 EndpointAgentDaemon[101:613] INFO AgentSettings: Reading custom settings.txt file...
      2018-11-19 19:13:01.555 EndpointAgentDaemon[101:613] INFO AgentSettings: Using external setting: NebulaUrl=https://cloud.malwarebytes.com
      2018-11-19 19:13:01.555 EndpointAgentDaemon[101:613] INFO AgentSettings: Using external setting: AccountToken=b1db5245-b788-4950-8c8b-xxxxxxxxxxx
      2018-11-19 19:13:01.568 EndpointAgentDaemon[101:613] INFO PluginManager: setPluginLogLevel: INFO
      2018-11-19 19:13:01.568 EndpointAgentDaemon[101:613] INFO PluginModule: Setting plugin log level to: INFO
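A way to check, from the log format quoted in the post above, whether a Mac agent is actually reaching cloud management. This is an added example in Python, not Malwarebytes' tooling and not the support-site script; it parses the EndpointAgentDaemon line layout shown in the post (timestamp, process tag, level, 'Component: message'), unescapes the AGENT_INFORMATION payload embedded in the parameters line, and reports the time of the last "Update agent info successful!" entry. The one-hour freshness threshold, the parse_ts/assess helper names, and the sample log (constructed from the excerpt above, with the AccountToken masked as in the post) are assumptions of this example, not product values.

```python
"""Check a macOS Malwarebytes Endpoint Agent log for cloud check-in health.

Added example, not Malwarebytes' own code. It assumes the EndpointAgentDaemon
line format shown in the forum post; any other layout is not handled.
"""
import json
import re
from datetime import datetime, timedelta

# Constructed sample based on the 'good' excerpt in the post (shortened).
SAMPLE_LOG = """\
2018-11-19 19:13:01.029 EndpointAgentDaemon[101:613] INFO NebulaWebService: postAgentInfo:
2018-11-19 19:13:01.029 EndpointAgentDaemon[101:613] INFO URL: https://cloud.malwarebytes.com/api/v1/machine/results
2018-11-19 19:13:01.029 EndpointAgentDaemon[101:613] INFO parameters: { data = "{\\"engine_version\\":\\"1.5.0.121\\",\\"policy_etag\\":\\"3a403b2ecafe4a3e7b398b16858b8f7b\\",\\"host_name\\":\\"RMT-3019\\",\\"time_zone\\":\\"Australia\\\\/Melbourne\\"}"; "job_id" = ""; type = "AGENT_INFORMATION"; }
2018-11-19 19:13:01.031 EndpointAgentDaemon[101:613] INFO EndpointAgent: Boomerang connected.
2018-11-19 19:13:01.543 EndpointAgentDaemon[101:613] INFO EndpointAgent: Update agent info successful!
2018-11-19 19:13:01.555 EndpointAgentDaemon[101:613] INFO AgentSettings: Using external setting: NebulaUrl=https://cloud.malwarebytes.com
2018-11-19 19:13:01.555 EndpointAgentDaemon[101:613] INFO AgentSettings: Using external setting: AccountToken=b1db5245-b788-4950-8c8b-xxxxxxxxxxx
"""

# One daemon line: timestamp, process[pid:tid], LEVEL, Component: message
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}) "
    r"EndpointAgentDaemon\[\d+:\d+\] (?P<level>[A-Z]+) "
    r"(?P<component>\w+): (?P<message>.*)$"
)
# The JSON payload sits inside an NSLog-style quoted string with \" escapes.
DATA_RE = re.compile(r'data = "((?:[^"\\]|\\.)*)"')


def parse_ts(s):
    """Parse the daemon's 'YYYY-MM-DD HH:MM:SS.mmm' stamp (naive local time)."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def parse_log(text):
    """Yield one dict per line that matches the daemon's line format."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = parse_ts(rec["ts"])
            yield rec


def extract_agent_info(text):
    """Return the posted AGENT_INFORMATION payload as a dict, or None."""
    for rec in parse_log(text):
        if rec["component"] != "parameters":
            continue
        m = DATA_RE.search(rec["message"])
        if m:
            raw = re.sub(r"\\(.)", r"\1", m.group(1))  # \" -> "  and \\ -> \
            return json.loads(raw)
    return None


def last_successful_checkin(text):
    """Timestamp of the latest 'Update agent info successful!' line, or None."""
    last = None
    for rec in parse_log(text):
        if rec["component"] == "EndpointAgent" and \
                rec["message"].startswith("Update agent info successful"):
            last = rec["ts"]
    return last


def nebula_url(text):
    """Cloud URL the agent was configured with, taken from AgentSettings."""
    for rec in parse_log(text):
        if rec["component"] == "AgentSettings" and "NebulaUrl=" in rec["message"]:
            return rec["message"].split("NebulaUrl=", 1)[1].strip()
    return None


def assess(text, now, max_age=timedelta(hours=1)):
    """Classify connectivity: 'never', 'stale' (older than max_age) or 'ok'.

    max_age is an assumed threshold for this example, not a product setting.
    """
    last = last_successful_checkin(text)
    info = extract_agent_info(text) or {}
    if last is None:
        status = "never"
    elif now - last > max_age:
        status = "stale"
    else:
        status = "ok"
    return {
        "status": status,
        "last_success": last,
        "host_name": info.get("host_name"),
        "engine_version": info.get("engine_version"),
        "policy_etag": info.get("policy_etag"),
        "nebula_url": nebula_url(text),
    }


if __name__ == "__main__":
    # Against a live Mac, read /var/log/com.malwarebytes.EndpointAgent.log
    # and pass datetime.now(); here the constructed sample is used.
    for key, val in assess(SAMPLE_LOG, now=parse_ts("2018-11-19 19:30:00.000")).items():
        print(f"{key:>15}: {val}")
```

A 'stale' or 'never' result with a correct nebula_url points at network path or daemon problems rather than a configuration typo; an absent parameters line means the agent never even attempted the post.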
  20. See this article regarding Malwarebytes Endpoint Agent not starting - https://support.malwarebytes.com/docs/DOC-2613 and configuration to ensure startup.
  21. Malwarebytes official Privacy Statement is here - https://www.malwarebytes.com/privacy/
  22. "Would you recommend running alongside another AV product?"
      Malwarebytes is a primary AV/Anti-malware product, so running alongside other products is no longer necessary. We have many customers running with Malwarebytes-only or Malwarebytes + Defender. However, Malwarebytes has a long history of running alongside other products and also led the market with anti-exploitation and anti-ransomware detectors. Other vendors' products should be configured to ignore/exclude Malwarebytes, refer to the documentation, and vice versa. Web Protection may be mutually exclusive with some vendors and need disabling in one vendor or the other.
      "Can we fully control the MalwareBytes installations from a single MalwareBytes Endpoint Protection console (we have 2 geographically separate offices)?"
      Yes, you can log in to the cloud console with a Chrome browser and manage from anywhere in the world.
      "We have no formal network at either office (Domain or Workgroup) in place. Would we have access to the full functionality of the cloud console given all our PCs are effectively 'standalone' (Asset Management, installs & re-installs, definition updates, scan scheduling, Virus removal etc.)?"
      Yes, this is a very common deployment scenario in our smaller business customers. MSI and EXE are pre-configured for your account. In your scenario, you will need to have local-machine Administrator credentials for each machine to do an initial install. Endpoints self-update, pulling updates directly from the cloud servers. Each connects to the cloud server to retrieve commands for updates, scheduling, scans and other policy items. A free Discovery and Deployment Tool (8 MB) can be downloaded onto workstations in a subnet and scan from there to do a push-deploy; local machine\Administrator credentials are required. If all have the same password, then the tool can push to all endpoints in a single scan.
      "We have assumed we would need Malwarebytes Endpoint Protection but what is MalwareBytes Endpoint Security?"
      Endpoint Security needs an on-premises server. You will have added complexity in networking if you went down that path.
      "We were really asking for reassurance that the Console doesn't require a formal network and that our collection of (what are effectively) standalone PCs can be managed by the Console."
      Confirmed. I am a pre-sales engineer with Malwarebytes and have worked with customers on many of these scenarios. Malwarebytes freely offers trials, so if you kick off a trial from the website, you can easily validate the above. Most of the information you require is in the administration guide - https://www.malwarebytes.com/pdf/guides/MBQSG.pdf?d=2018-11-01-14-34-03--0700 The questions you are asking are pre-sales questions and will get low priority in the queue, behind subscribed customers, whereas if you are on trial, they will be answered through the sales channel.
  23. 1. Viewing Endpoint Versions - Use the Malwarebytes Excel Add-In. From this you can see versions of components and protection update status. There is an asset information and health data view. https://support.malwarebytes.com/docs/DOC-2672 (available for Endpoint Security too)
      2. Knowing Endpoints are Working - Currently, this can be best seen through the Excel Add-in. Freshness of versions and online/offline status can be checked. There is colour-coding for unprotected endpoints. Web blocks are voluminous and better viewed through reporting.
      3. Information from Endpoints - Comprehensive information on endpoint status can be viewed by this script - https://support.malwarebytes.com/docs/DOC-2617 Apart from ctrl-right-click, the protection logs are all directly available in c:\ProgramData\Malwarebytes\MBAMService\ ; the xxDetections\ and scanResults\ subdirectories have much more detailed JSON logs than Endpoint Security. The management agent log is similarly available. These logs can be silently viewed via a network share, e.g. c$, if required.
      4. Viewing Detections - Elaborating, the dashboard panel shows the last 72 hours/3 days. Viewing the Detections list for the last 3 days gives you the data you required. The Malwarebytes Add-in for Excel can filter for the last 3. Agree a quick-link to filter the Detections table to 3 days only would be neater.
  24. In addition to the above, and elaboration for Endpoint Protection capabilities:
      1. Run 'Windows script to display Malwarebytes Endpoint Protection Agent Health and Service Status' to show all services and inner detector services are running. https://support.malwarebytes.com/docs/DOC-2617
      2. Download a relatively harmless potentially unwanted program (PUP) such as Ask Toolbar, which is annoying but not damaging, and double-click to start installation. https://en.softonic.com/download/ask-com-toolbar/windows The Real Time Protection (RTP) Payload Analysis detector will quarantine it. This will assure you that protection is operational and detects an EXE program executable (PE) launch. Note, a PUP is detected by our same anti-malware 'rules' engine which detects viruses/malware. One of our many vectors of protection.
      3. Consider also the Malwarebytes Excel Addin, for detailed checking of endpoint versioning and freshness. https://support.malwarebytes.com/docs/DOC-2672
      4. Succinctly, technically, EICAR is an archaic/obsolete 16-bit COM program which will not even execute in a modern Windows workstation to display its message 'EICAR-STANDARD-ANTIVIRUS-TEST-FILE'. EICAR needs to update this to a modern and relevant test. Using a PUP is a much more relevant test that Malwarebytes is operational. Otherwise, more details on testing have been provided by DCollins.
  25. You previously stated "Granted, we've never turned on active protection which may be the key". Correct - if you configure this, you are running the MBIR plugin, which has zero IP blocking capability, and would see no symptom. If you turn on any realtime protection, the MBIR plugin will be replaced by MBAMPlugin and you will see MBAMService started. The workaround on our support site was written in response to customers experiencing a problem with ActiveDirectory and DNS on the same host. DNS was inadvertently blocked, the defect was reproducible, hence the article published. If you are not experiencing the issue/never had the issue and have realtime protection enabled, can you please provide some more specifics about your Windows operating system and configuration for each, so we can add to testing. The defect is in our queue for resolution.