AndrewPP

Announcing: Script to Display Malwarebytes Endpoint Protection Agent


A script has been published on the support site, which can be run locally on an endpoint, to show its service status e.g. during testing and demonstrations.  It is read only, needs no special permission except ability to run a Windows command script and is for technical staff.

It shows interesting information, on a 20 second timer, including CPU usage, Memory and resource usage.

 Windows script to display Malwarebytes Endpoint Protection Agent Health and Service Status 


Edited by AdvancedSetup
updated links


I have the consumer version of MalwareBytes, and noticed that in addition to both the MBEndpointAgent reading as NOT_INSTALLED and the flightrecorder as NOT_INSTALLED (both of which I understand), MBAMService.CPU%..... reads as no. What's going on there?


The tool was written for supporting the Endpoint Protection cloud/business product, because it has a locked-down minimalist GUI.

Home Premium does not have a Management Agent nor Flight Recorder, so status is correctly reported from my tool.

Home Premium EXE has a different name to the Endpoint Protection EXEs.  It is a minor script change to test/check for that.  I will update it by end.of.week.

Thanks for your interest.

 


The status of the MalwareBytes Windows Firewall Control Service needs to be added as well. You can get MalwareBytes Windows Firewall Control from the Binisoft website.


There's a typo in the file.

::---------------------------------------------------------------------------------------
:MBAMSIZE
::---------------------------------------------------------------------------------------
REM %windir%\system32\wbem\WMIC.exe path win32_process WHERE Name=^"MBAMService.exe^" get Caption^,HandleCount^,PrivatePageCount^,WorkingSetSize
SETLOCAL EnableDelayedExpansion
FOR /F "usebackq skip=1 tokens=1-5*" %%a IN  (`CMD /S /C "WMIC path win32_process WHERE Name="MBAMService.exe" get Caption^,HandleCount^,PrivatePageCount^,WorkingSetSize"`) DO (
   IF [%%a] EQU [MBAMService.exe] (
      REM ECHO %%c %%d b:%%b 
      SET /A pps= %%c / 1000000
      SET /A wss= %%d / 1000000
      ECHO.  MBAMService.resource. PrivatePageCount !pps! Mgb  WorkingSetSize !wss! Mgb HandleCount %%b
      IF !pps! GTR 1000 (ECHO *WARNING* Memory usage is high)
      IF %%b   GTR 5000 (ECHO *WARNING* Handle cound is high) 
   )
)
GOTO :EOF

It should say "Handle count" instead of "Handle cound"
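
An added example (not part of the published script or of any poster's code): the resource check quoted above divides with SET /A, which is limited to signed 32-bit integers, so a byte count above 2,147,483,647 raises an error at exactly the point where the memory warning matters. This version keeps the same WMIC query and thresholds but converts bytes to megabytes by dropping the last six digits as text; the `:BYTES2MB` label and the `PROC` variable are names assumed for this example.

```batch
@ECHO OFF
REM Added example, not the published script. PROC and :BYTES2MB are assumed names.
SETLOCAL EnableDelayedExpansion
SET "PROC=MBAMService.exe"

REM WMIC prints the requested columns in alphabetical order:
REM Caption, HandleCount, PrivatePageCount, WorkingSetSize
FOR /F "usebackq skip=1 tokens=1-4" %%a IN (`WMIC path win32_process WHERE "Name='%PROC%'" get Caption^,HandleCount^,PrivatePageCount^,WorkingSetSize 2^>NUL`) DO (
   REM Skip blank and trailer lines; only act on rows for the process itself
   IF /I "%%a"=="%PROC%" (
      CALL :BYTES2MB %%c pps
      CALL :BYTES2MB %%d wss
      ECHO.  %PROC% PrivatePageCount !pps! MB  WorkingSetSize !wss! MB  HandleCount %%b
      IF !pps! GTR 1000 ECHO *WARNING* Memory usage is high
      IF %%b GTR 5000 ECHO *WARNING* Handle count is high
   )
)
ENDLOCAL
GOTO :EOF

:BYTES2MB
REM %1 = byte count as a decimal string, %2 = name of the output variable.
REM Dropping the last six digits equals integer division by 1000000,
REM and never passes the full byte count through 32-bit SET /A arithmetic.
SET "n=%~1"
IF "!n:~0,-6!"=="" (SET "%~2=0") ELSE (SET "%~2=!n:~0,-6!")
GOTO :EOF
```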


Change history

2019-04-01 Version 1.11 Added status of the configuration of Endpoint Response Settings for Suspicious Activity Monitoring, Rollback and Isolation reading from last log entry in EndpointAgent.txt. Note: The log entry also displayed if plugin subsequently uninstalled which obsoletes other entry in log.
2019-02-21 Version 1.10 Added count of files in EPR Local Backup
2019-01-31 Version 1.08 Added policy.ea_last_update, to show datetime of most recent policy update.  Useful when monitoring for recent change.


@Amaroq_Starwind 
The development team has a copy of this tactical tool for review of concepts and eventual incorporation into our core product. 

Regarding "I wouldn't mind being able to help out in a more official capacity" - you are welcome to contribute ideas or script fragments via me for possible incorporation.  As this is an unofficial tool, simply exchange direct messages with me.

I note that I wrote this in Windows batch script so it can run anywhere, which does make programming a bit arcane.  PowerShell would have been easier but then is trickier to package to run everywhere.  Ditto compiled language requires our development team to arrange a deployable solution.
