
Announcing: Script to Display Malwarebytes Endpoint Protection Agent


AndrewPP

Recommended Posts

A script has been published on the support site, which can be run locally on an endpoint, to show its service status, e.g. during testing and demonstrations.  It is read only, needs no special permission except the ability to run a Windows command script, and is for technical staff.

It shows interesting information, on a 20 second timer, including CPU usage, Memory and resource usage.

Windows script to display Malwarebytes Endpoint Protection Agent Health and Service Status

Edited by AdvancedSetup
updated links

  • djacobson pinned this topic
  • 1 month later...

The tool was written for supporting the Endpoint Protection cloud/business product, because it has a locked-down minimalist GUI.

Home Premium does not have a Management Agent nor Flight Recorder, so status is correctly reported from my tool.

Home Premium EXE has a different name to the Endpoint Protection EXEs.  It is a minor script change to test/check for that.  I will update it by end of week.

Thanks for your interest.


There's a typo in the file.

::---------------------------------------------------------------------------------------
:MBAMSIZE
::---------------------------------------------------------------------------------------
REM %windir%\system32\wbem\WMIC.exe path win32_process WHERE Name=^"MBAMService.exe^" get Caption^,HandleCount^,PrivatePageCount^,WorkingSetSize
SETLOCAL EnableDelayedExpansion
FOR /F "usebackq skip=1 tokens=1-5*" %%a IN  (`CMD /S /C "WMIC path win32_process WHERE Name="MBAMService.exe" get Caption^,HandleCount^,PrivatePageCount^,WorkingSetSize"`) DO (
   IF [%%a] EQU [MBAMService.exe] (
      REM ECHO %%c %%d b:%%b 
      SET /A pps= %%c / 1000000
      SET /A wss= %%d / 1000000
      ECHO.  MBAMService.resource. PrivatePageCount !pps! Mgb  WorkingSetSize !wss! Mgb HandleCount %%b
      IF !pps! GTR 1000 (ECHO *WARNING* Memory usage is high)
      IF %%b   GTR 5000 (ECHO *WARNING* Handle cound is high) 
   )
)
GOTO :EOF

It should say "Handle count" instead of "Handle cound"

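As an added example (not the support-site script and not the batch file quoted above), the following PowerShell reproduces what the first post describes, service state plus resource usage on a 20 second timer, and applies the same warning thresholds the MBAMSIZE section uses (PrivatePageCount over 1000 MB, HandleCount over 5000). The service names MBAMService and MBEndpointAgent are assumptions; check `Get-Service` on the endpoint and pass the real names with -ServiceNames. The process base name defaults to MBAMService, and an install whose EXE has a different name (as the Home Premium reply mentions) is handled by passing -ProcessNames instead of editing the script. Note that 1MB here is 1,048,576 bytes, whereas the batch script divides by 1,000,000.

```powershell
# Added example: poll Malwarebytes service state and process resource usage
# every N seconds, with the MBAMSIZE warning thresholds. Read only; no elevation
# needed beyond what Get-Service / Win32_Process already allow for the caller.
param(
    [string[]]$ServiceNames  = @('MBAMService', 'MBEndpointAgent'),  # ASSUMED service names
    [string[]]$ProcessNames  = @('MBAMService'),                     # base names without .exe
    [int]$IntervalSeconds    = 20,
    [int]$MemoryWarnMB       = 1000,   # same threshold as the batch MBAMSIZE check
    [int]$HandleWarnCount    = 5000,   # same threshold as the batch MBAMSIZE check
    [int]$Iterations         = 0       # 0 = loop until Ctrl+C
)

# One line per service: status and start mode, or NOT INSTALLED if absent.
function Get-ServiceStatusLine {
    param([string]$Name)
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if (-not $svc) { return "  Service $Name : NOT INSTALLED" }
    $cim = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'"
    return "  Service $Name : $($svc.Status) (start mode: $($cim.StartMode))"
}

# Resource lines for every running instance of <BaseName>.exe, with warnings
# when the memory or handle thresholds are exceeded.
function Get-ProcessResourceLines {
    param([string]$BaseName, [int]$MemoryWarnMB, [int]$HandleWarnCount)
    $lines = @()
    $procs = Get-CimInstance -ClassName Win32_Process -Filter "Name='$($BaseName).exe'"
    if (-not $procs) { return @("  Process $($BaseName).exe : not running") }
    foreach ($p in $procs) {
        $pps = [math]::Round($p.PrivatePageCount / 1MB, 1)
        $wss = [math]::Round($p.WorkingSetSize  / 1MB, 1)
        $lines += "  $($p.Name) PID $($p.ProcessId) PrivatePageCount $pps MB  WorkingSetSize $wss MB  HandleCount $($p.HandleCount)"
        if ($pps -gt $MemoryWarnMB) {
            $lines += "  *WARNING* Memory usage is high ($pps MB > $MemoryWarnMB MB)"
        }
        if ($p.HandleCount -gt $HandleWarnCount) {
            $lines += "  *WARNING* Handle count is high ($($p.HandleCount) > $HandleWarnCount)"
        }
    }
    return $lines
}

# Main timer loop: one snapshot per interval.
$count = 0
while ($Iterations -eq 0 -or $count -lt $Iterations) {
    Write-Output ("=== {0} ===" -f (Get-Date -Format 'yyyy-MM-dd HH:mm:ss'))
    foreach ($s in $ServiceNames) { Write-Output (Get-ServiceStatusLine -Name $s) }
    foreach ($n in $ProcessNames) {
        Get-ProcessResourceLines -BaseName $n -MemoryWarnMB $MemoryWarnMB -HandleWarnCount $HandleWarnCount |
            ForEach-Object { Write-Output $_ }
    }
    $count++
    if ($Iterations -eq 0 -or $count -lt $Iterations) { Start-Sleep -Seconds $IntervalSeconds }
}
```

Save it as a .ps1 and run it with `-Iterations 3` for a short demonstration, or without that switch to keep polling during a test. Because the thresholds and names are parameters, the same file works unchanged across products that only differ in service or EXE names.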

Change history

2019-04-01 Version 1.11 Added status of the configuration of Endpoint Response Settings for Suspicious Activity Monitoring, Rollback and Isolation, read from the last log entry in EndpointAgent.txt.  Note: The log entry is also displayed if the plugin is subsequently uninstalled, which obsoletes the other entry in the log.
2019-02-21 Version 1.10 Added count of files in EPR Local Backup
2019-01-31 Version 1.08 Added policy.ea_last_update, to show datetime of most recent policy update.  Useful when monitoring for recent change.


@Amaroq_Starwind 
The development team has a copy of this tactical tool for review of concepts and eventual incorporation into our core product. 

Regarding "I wouldn't mind being able to help out in a more official capacity" - you are welcome to contribute ideas or script fragments via me for possible incorporation.  As this is an unofficial tool, simply exchange direct messages with me.

I note that I wrote this in Windows batch script so it can run anywhere, which does make programming a bit arcane.  PowerShell would have been easier but then is trickier to package to run everywhere.  Ditto a compiled language requires our development team to arrange a deployable solution.

Edited by AdvancedSetup
Corrected font issue

  • 3 years later...
  • Root Admin
On 3/31/2019 at 6:10 AM, AndrewPP said:

I note that I wrote this in Windows batch script so it can run anywhere, which does make programming a bit arcane.  PowerShell would have been easier but then is trickier to package to run everywhere.  Ditto compiled language requires our development team to arrange a deployable solution.  

I'm sure it could be easily converted. Providing the product works the same and someone has time to make the conversion.


  • 3 months later...
  • Root Admin

Hello @peopleworks

You can try something like the following for PowerShell

NOTE: It is not going to be very accurate for Disk IO and CPU Usage but should give you a ballpark figure. If you need more accuracy you'd probably need to use a dedicated app or the built-in Task Manager

I don't have the full batch script so not sure what else was in there.


function Get-MBAMServiceMetrics {
    [CmdletBinding()]
    param (
        [string]$ProcessName = 'MBAMService.exe'
    )

    # Get the number of logical processors
    $logicalProcessors = (Get-WmiObject -Class Win32_ComputerSystem).NumberOfLogicalProcessors

    # Retrieve the Disk I/O for a process
    function Get-DiskIO {
        param (
            [int]$ProcessId
        )
    
        # Extract the base name of the process without the .exe extension for counter usage
        $counterProcessName = [System.IO.Path]::GetFileNameWithoutExtension($ProcessName)
    
        try {
            $counterData = Get-Counter -Counter "\Process($counterProcessName)\IO Data Bytes/sec" -ErrorAction Stop
            $ioDataBytesPerSec = $counterData.CounterSamples[0].CookedValue
            return [math]::Round($ioDataBytesPerSec / 1MB, 2) # Calculate usage in MB
        } catch {
            Write-Warning "Failed to retrieve Disk I/O for process ID: $ProcessId."
            return 0
        }
    }
    

    # Retrieve the CPU usage for a process
    function Get-CPUUsage {
        param (
            [int]$ProcessId
        )

        $cpuUsage = $global:WmiProcesses | Where-Object { $_.IDProcess -eq $ProcessId } | Select-Object -ExpandProperty PercentProcessorTime
        # Adjust the CPU usage based on the number of logical processors
        $adjustedCpuUsage = [math]::Min(100, $cpuUsage / $logicalProcessors)
        return $adjustedCpuUsage
    }

    $global:WmiProcesses = Get-WmiObject -Class Win32_PerfFormattedData_PerfProc_Process

    $targetProcesses = Get-WmiObject -Class Win32_Process | Where-Object { $_.Name -eq $ProcessName }

    foreach ($process in $targetProcesses) {
        $pps = [math]::Round($process.PrivatePageCount / 1MB, 2)
        $wss = [math]::Round($process.WorkingSetSize / 1MB, 2)
        $handleCount = $process.HandleCount
        $processId = $process.ProcessId

        Write-Output "Process ID: $processId"
        Write-Output "PrivatePageCount: $pps MB"
        Write-Output "WorkingSetSize: $wss MB"
        Write-Output "HandleCount: $handleCount"

        # Additional information
        $diskIO = Get-DiskIO -ProcessId $processId
        $cpuUsage = Get-CPUUsage -ProcessId $processId

        Write-Output "Disk I/O: $diskIO MB/s"
        Write-Output "CPU Usage: $cpuUsage %"
    }
}

# Invoke the function
Get-MBAMServiceMetrics


  • Root Admin

However, we do have a mobile app that can provide much more information for you

Introducing the Malwarebytes Admin app: Endpoint security at your fingertips
https://www.malwarebytes.com/blog/business/2023/04/introducing-the-malwarebytes-admin-app-endpoint-security-at-your-fingertips

