
Announcing: Script to Display Malwarebytes Endpoint Protection Agent


  • Staff

A script has been published on the support site, which can be run locally on an endpoint, to show its service status, e.g. during testing and demonstrations. It is read-only, needs no special permission except the ability to run a Windows command script, and is for technical staff.

It shows interesting information, on a 20 second timer, including CPU usage, Memory and resource usage.

 Windows script to display Malwarebytes Endpoint Protection Agent Health and Service Status 





Edited by AdvancedSetup
updated links

  • 1 month later...
  • Staff

The tool was written for supporting the Endpoint Protection cloud/business product, because it has a locked-down minimalist GUI.

Home Premium does not have a Management Agent nor Flight Recorder, so status is correctly reported from my tool.

Home Premium EXE has a different name to the Endpoint Protection EXEs. It is a minor script change to test/check for that. I will update it by end of week.

Thanks for your interest.



There's a typo in the file.

REM %windir%\system32\wbem\WMIC.exe path win32_process WHERE Name=^"MBAMService.exe^" get Caption^,HandleCount^,PrivatePageCount^,WorkingSetSize
SETLOCAL EnableDelayedExpansion
FOR /F "usebackq skip=1 tokens=1-5*" %%a IN  (`CMD /S /C "WMIC path win32_process WHERE Name="MBAMService.exe" get Caption^,HandleCount^,PrivatePageCount^,WorkingSetSize"`) DO (
   IF [%%a] EQU [MBAMService.exe] (
      REM ECHO %%c %%d b:%%b 
      SET /A pps= %%c / 1000000
      SET /A wss= %%d / 1000000
      ECHO.  MBAMService.resource. PrivatePageCount !pps! Mgb  WorkingSetSize !wss! Mgb HandleCount %%b
      IF !pps! GTR 1000 (ECHO *WARNING* Memory usage is high)
      IF %%b   GTR 5000 (ECHO *WARNING* Handle cound is high) 

It should say "Handle count" instead of "Handle cound"

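As an added example (not part of the thread or of the published script): the same resource check written in PowerShell against Win32_Process through Get-CimInstance, using the process name and thresholds from the batch excerpt above. The function and parameter names are hypothetical, and the function also reports the case where the process is not running.

```powershell
# Added example, not the published script. Process name and thresholds are taken
# from the batch excerpt; Get-AgentResourceStatus and its parameters are hypothetical.
function Get-AgentResourceStatus {
    [CmdletBinding()]
    param(
        [string]$ProcessName = 'MBAMService.exe',
        [int]$MaxPrivateMB   = 1000,   # excerpt warns above 1000 for PrivatePageCount
        [int]$MaxHandleCount = 5000    # excerpt warns above 5000 for HandleCount
    )

    # Same WMI class that the batch script queries through WMIC.
    $procs = @(Get-CimInstance -ClassName Win32_Process -Filter "Name='$ProcessName'")

    if ($procs.Count -eq 0) {
        # A missing agent process is itself a finding, so report it explicitly.
        return [pscustomobject]@{
            Process = $ProcessName; Running = $false; ProcessId = $null
            PrivateMB = $null; WorkingSetMB = $null; HandleCount = $null
            Warnings = @('Process is not running')
        }
    }

    foreach ($p in $procs) {
        # Divide by 1000000 as the batch script does. The counters are 64-bit,
        # so this also works above the 32-bit signed limit of SET /A.
        $privateMB = [long][math]::Floor($p.PrivatePageCount / 1000000)
        $workingMB = [long][math]::Floor($p.WorkingSetSize / 1000000)

        $warnings = @()
        if ($privateMB -gt $MaxPrivateMB)       { $warnings += 'Memory usage is high' }
        if ($p.HandleCount -gt $MaxHandleCount) { $warnings += 'Handle count is high' }

        [pscustomobject]@{
            Process = $p.Name; Running = $true; ProcessId = $p.ProcessId
            PrivateMB = $privateMB; WorkingSetMB = $workingMB
            HandleCount = $p.HandleCount; Warnings = $warnings
        }
    }
}

Get-AgentResourceStatus | Format-List
```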

  • Staff

Change history

2019-04-01 Version 1.11 Added status of the configuration of Endpoint Response Settings for Suspicious Activity Monitoring, Rollback and Isolation reading from last log entry in EndpointAgent.txt   Note: The log entry also displayed if plugin subsequently uninstalled which obsoletes other entry in log.
2019-02-21 Version 1.10 Added count of files in EPR Local Backup
2019-01-31 Version 1.08 Added policy.ea_last_update, to show datetime of most recent policy update.  Useful when monitoring for recent change.




  • Staff

The development team has a copy of this tactical tool for review of concepts and eventual incorporation into our core product. 

Regarding "I wouldn't mind being able to help out in a more official capacity" - you are welcome to contribute ideas or script fragments via me for possible incorporation.  As this is an unofficial tool, simply exchange direct messages with me.

I note that I wrote this in Windows batch script so it can run anywhere, which does make programming a bit arcane. PowerShell would have been easier but then is trickier to package to run everywhere. Ditto compiled language requires our development team to arrange a deployable solution.
