Add endpoints in Malwarebytes Cloud Platform

Document created by drossler Employee on Aug 29, 2017Last modified by bgoddard on Nov 11, 2019
Version 24Show Document
  • View in full screen mode

You may manually add endpoints to the Malwarebytes Cloud Platform in a few different ways. The most common method is to copy an installer file to the endpoint and run the file from the endpoint. You may also add endpoints using the command line or with a dissolvable remediation tool.

 

This article covers the following methods:

  • Use a downloaded installer and copy it to the endpoint
  • Command line remote installation for Windows or Mac, which may also be run silently
  • Dissolvable Unmanaged Remediation Tools installation

 

If you have a lot of endpoints, instead use the Malwarebytes Discovery and Deployment Tool or another tool of your choice. For more information on deployment, see the Malwarebytes Discovery and Deployment Tool Handbook.

 

Use a downloaded installer

To manually add an endpoint to the Malwarebytes Cloud Platform, download the Malwarebytes Endpoint Agent installation file and run the file from the endpoint.

 

Malwarebytes provides endpoint installers for you to use with your preferred installation method. 

 

Important Endpoint Installer Notes

  • When using a Mac endpoint installer, do not change the name of the downloaded installer file. The installation process requires that the filename is not changed.
  • Endpoints are assigned to the Default Group and use the Default Policy unless you specify a different group.

 

  1. Log in to the Malwarebytes Cloud Platform.

  2. Go to Downloads.


  3. In the Download Endpoint Installers section, download the installer you need based on your endpoint operating system.
    • For Windows operating systems:
      1. Select an installer from the drop-down menu. There are both EXE and MSI installer types.
      2. Click Download.
    • For Mac operating systems, click Download.


  4. After you have downloaded the installer, copy it to the endpoint and run the installer.

  5. When the installation process completes, the endpoint shows up in the Malwarebytes Cloud Platform console. 

 

Command line remote installation for Windows

If you want to perform a silent installation on a Windows endpoint, see the commands below. Run command line installations from the target endpoint. These commands can be run either manually or through automation.

 

Before running these commands, download the endpoint installer for the command to use. See the downloadable installer section above. The Windows MSI command is shown on multiple lines due to the length of the command.


Windows EXE:

Setup.Full.MBEndpointAgent.exe /quiet

 

Windows MSI:

msiexec /i "<fullpath1>\Setup.MBEndpointAgent.msi" /quiet /log

"<fullpath2>\Setup.MBEndpointAgent.msi.log"
NEBULA_PROXY_SERVER=http://<ip>
NEBULA_PROXY_PORT=<port>
NEBULA_USER=<user>
NEBULA_PWD=<password>
GROUP=<group_ID>
@ECHO. %ERRORLEVEL% returned by MSIEXEC

 

Windows command line switches

  • /i - Runs installation. Example:
    msiexec /i "<fullpath1>\Setup.MBEndpointAgent.msi" /passive
  • /x - Runs uninstall. Example:
    msiexec /x "<fullpath1>\Setup.MBEndpointAgent.msi" /quiet
  • /quiet - Optional. Runs silent installation.
  • /passive - Optional. Runs installation and shows GUI progress box.
  • /log - Optional. Outputs to the specified file. This is equivalent to the switch “/L”. If a software deployment tool is being tested where /log cannot be used, a registry setting can force logging. For more information, see Additional MSI References below.

 

MSI notes

  • The command switches and values need to be used in the order shown.
  • msiexec must be run as an administrator. This defaults the working directory to c:\windows\system32. Full quoted path names are recommended.
  • UNC networked folders are supported, such as \\server\malwarebytes\Setup.MBEndpointAgent.msi.

 

MSIEXEC variables

Variables may be used with the MSIEXEC command. These variables are MSIEXEC properties. Variables must come last on the command line but may be in any order.

 

See the table below for details on MSIEXEC variables. An “x” in the EXE or MSI column means the variable works with that installer. All variables below are optional.

 

VariableEXEMSIDescription
ARPNOREMOVEx

When Endpoint Protection is running or being installed, two services show in Add/Remove Programs: Malwarebytes Endpoint Agent, and Malwarebytes Service.

 

ARPNOREMOVE is a Microsoft variable that hides the Uninstall option for the Malwarebytes Endpoint Agent in Add/Remove Programs. The Malwarebytes Service is not affected and will still display. Use this variable to prevent casual removal of the agent by end users such as students with local administrator rights.

GROUPxx

If you would like to install endpoints using the command line and assign them to a specific group, use the GROUP variable and GroupID. The GroupID can be found in the Downloads page in the console.

 

Go to Downloads. On the right side of the screen, click Specify group assignment link. From the list of GroupIDs that displays, copy the GroupID that you want to assign the server to.

 

If the GroupID entered in the command does not match any groups, the installer will use the Default Group and Default Policy.

NEBULA_PROXY_SERVERxxAddress of the proxy server.
NEBULA_PROXY_PORTxxProxy server port to connect on.
NEBULA_PROXY_USERxxProxy server username. If the username contains spaces, enclose it in quotes, like “Donald Blake”.
NEBULA_PROXY_PWDxxPassword to log in to the proxy server. If the password contains spaces, enclose it in quotes, like “s3cr3t p4ssw0rd”.
VERIFY_NETWORKx

This optional variable checks connectivity during installation.

 

When set to VERIFY_NETWORK=1, the installer checks for network connectivity and DNS resolution against:

  • cloud.malwarebytes.com
  • sirius.mwbsys.com

 

Any addresses that fail this connection test are shown on screen and in the installer log. If VERIFY_NETWORK fails, endpoint installation fails.

 

Additional MSI References

See the following articles for more information on using MSIs and the command line.

 

Command line remote installation for Mac

You may use the terminal command below to perform a silent install on Mac endpoints while specifying the group. See the GROUP variable above for details on locating the GroupID. The command is shown on multiple lines due to the length of the command.

sudo launchctl setenv MALWAREBYTES_GROUP <GroupID> ; sudo -E /usr/sbin/installer -pkg Setup.MBEndpointAgent.pkg -target /

 

To uninstall the Mac agent, launch EndpointAgentDaemon with the -uninstall option:

sudo "/Library/Application Support/Malwarebytes/Malwarebytes Endpoint Agent/EndpointAgentDaemon -uninstall"

 

You may also manually uninstall without the daemon. Perform the following commands:

sudo rm -r /Library/LaunchDaemons/com.malwarebytes.EndpointAgent.plist

sudo rm -r /Library/LaunchDaemons/com.malwarebytes.ncep.rtprotection.daemon.plist

sudo rm -r /Library/LaunchDaemons/com.malwarebytes.ncep.settings.daemon.plist
sudo rm -r "/Library/Application Support/Malwarebytes/"

 

Dissolvable unmanaged remediation tools

You may prefer to use a dissolvable remediation tool instead of an installer. At the bottom of the console Downloads screen is the Remediation (Unmanaged) section. Here you may download the following Malwarebytes dissolvable unmanaged remediation tools.

 

 

Malwarebytes Breach Remediation is our dissolvable remediation program for Windows and Mac endpoints. For more information, see the Malwarebytes Breach Remediation Windows Administrator Guide or Malwarebytes Breach Remediation (Mac) Administrator Guide.

 

Malwarebytes AdwCleaner is our free adware cleaner. Click Download to get the application. For more information, see the Malwarebytes AdwCleaner guide.

 

Using Sysprep to deploy images

Administrators that use machine images for fast endpoint deployment may wish to include Malwarebytes on their images. Malwarebytes endpoints have a unique identity assigned to them. Therefore, creating a deployable image containing Malwarebytes takes a few extra steps. You want to avoid accidentally creating multiple endpoints that try to share the same identity.

 

The Microsoft Sysprep utility is useful for stripping the identity of the Malwarebytes agent. A Sysprep-stripped agent can use a unique identity when copied from a deployed image onto a new endpoint. Sysprep is built into modern Windows versions.

 

Please see these articles to use Sysprep with Malwarebytes:

 

See also

 

 

Return to the Malwarebytes Cloud Platform Administrator Guide 

Attachments

    Outcomes