EAcmd.exe Popup every 2 minutes


StinsmanJ

Hey There, 

Recently we have been getting a CMD Window pop-up on a couple of our machines with Malwarebytes Installed on them. 
Our Malwarebytes is installed and patched via NinjaRMM.

In our logs we are seeing:
> NinjaRMM.exe Calls EAcmd.exe > EAcmd.exe Calls CMD.exe > CMD.exe Calls conhost.exe > EAcmd.exe, CMD.exe and conhost.exe are all terminated.

To the user what happens is:
 They are typing > A CMD window pops up and takes keyboard focus > The CMD window disappears less than a second later, and they need to refocus the window and continue typing


Is EAcmd.exe supposed to generate a visible cmd window? Or is it supposed to operate in a silent fashion?


EACmd.exe is a useful command line utility which can be run to retrieve information from the Malwarebytes Management Agent.

I suspect someone has created a script in NinjaRMM to periodically call it.  Is NinjaRMM an on-premises implementation which you have configured, or has someone configured it for you?

You should contact your local NinjaRMM administrator to stop it; or submit a fault ticket to them.

Further technical detail:

  • Two minutes is too frequent to be doing this sort of check, and if the Management Agent may be busy doing other things, handle an error
  • If launched with PowerShell, then use parameters with $p = Start-Process  .........   -NoNewWindow -Passthru
  • Then pick up STDOUT from the process object.  When run without a window, the header and footer are suppressed and pure JSON is returned

There are many programming articles available describing how to do this.

 

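A windowless call of the kind the reply above describes, as an added example that is not part of the original post and is not Malwarebytes' or NinjaRMM's own code. It uses System.Diagnostics.Process rather than Start-Process, because that class exposes the redirected STDOUT stream directly; the function name, the `$EACmdPath` placeholder, the timeout value and the treatment of a non-zero exit code as a failure are assumptions.

```powershell
# Added example. Run EACmd.exe with no console window and capture its output.
function Invoke-EACmdQuiet {
    param(
        # Placeholder: supply the install location of EACmd.exe (not given in the thread).
        [Parameter(Mandatory)] [string] $EACmdPath,
        # --versions is one of the flags listed by "eacmd -h".
        [string[]] $Arguments = @('--versions'),
        # Assumed limit; the agent may be busy, so do not wait forever.
        [int] $TimeoutSeconds = 60
    )

    if (-not (Test-Path -LiteralPath $EACmdPath -PathType Leaf)) {
        throw "EACmd.exe not found at '$EACmdPath'"
    }

    $psi = [System.Diagnostics.ProcessStartInfo]::new()
    $psi.FileName               = $EACmdPath
    $psi.Arguments              = $Arguments -join ' '
    $psi.UseShellExecute        = $false   # required for stream redirection
    $psi.CreateNoWindow         = $true    # no console window, so nothing takes focus
    $psi.RedirectStandardOutput = $true
    $psi.RedirectStandardError  = $true

    $proc = [System.Diagnostics.Process]::new()
    $proc.StartInfo = $psi
    try {
        [void]$proc.Start()
        # Read both streams asynchronously so a full pipe cannot block the child.
        $stdoutTask = $proc.StandardOutput.ReadToEndAsync()
        $stderrTask = $proc.StandardError.ReadToEndAsync()

        if (-not $proc.WaitForExit($TimeoutSeconds * 1000)) {
            $proc.Kill()
            throw "EACmd did not exit within $TimeoutSeconds s (agent may be busy)"
        }
        $stdout = $stdoutTask.Result
        # Assumption: a non-zero exit code means the call failed.
        if ($proc.ExitCode -ne 0) {
            throw "EACmd exited with code $($proc.ExitCode): $($stderrTask.Result)"
        }
    }
    finally { $proc.Dispose() }

    # The reply above says windowless runs return pure JSON; return raw text if parsing fails.
    try   { return $stdout | ConvertFrom-Json -ErrorAction Stop }
    catch { return $stdout }
}
```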

Support Article here - https://support.malwarebytes.com/hc/en-us/articles/360040260553-Use-the-Endpoint-Agent-Command-line-tool-with-Malwarebytes-Nebula-platform

eacmd -h
EACmd Usage:
  --loglevel=VALUE the level of logging to set the service
  -d, --diag collect diagnostic log
  --debug set the level of logging for this program to debug level
  --refreshagentinfo Update the agent information for the endpoint.
    This will immediately post the information to the cloud console.
  --updateprotection Update Protection now
  --updatesoftware Update Malwarebytes Software now
  --versions Collect and display versions
  --runpendingsoftwareupdate
    Will run any pending software updates that are available.
  -h, --help show this message and exit
  --syncnow sync with server now
  --testconnections Tests connection to Malwarebytes servers
  --certcheck=VALUE Check if file passes signature check
  --startmbamservice start the MBAMService


Hey thanks for the reply :) 

Yes I logged a ticket with Ninja as well. It's a cloud RMM Software so lots has been set up in the backend that we don't have direct control over.

It does appear to have been a Ninja Issue as we updated their clients and they stopped the repeating calls :) 

Thanks again for the help :) 
