Windows client fundamentals with Endpoint Protection

Document created by aprobert Employee on Jul 18, 2018. Last modified by aprobert Employee on Jan 6, 2019. Version 30.

Malwarebytes provides a single endpoint technology for Windows endpoints and servers. It has multiple integrated detection technologies under the hood. This article describes the high level deployment architecture and design.

Version 1.2 - 1 Jan 2019

Component Architecture

Malwarebytes Endpoint Agent

The Malwarebytes Endpoint Agent is responsible for reporting the endpoint's status and online state, retrieving policy and configuration, managing the plugins for protection/scanning, and running on-demand tasks.

  • Installed first – service name MBEndPointAgent – Runs as SYSTEM user

  • Communicates with Cloud Management (sirius.mwbsys.com) to convey endpoint status and to receive policy updates, tasks, schedules and manifests (which drive self-updates), using TLS 1.2 over the standard port 443.
    • The designated client account is set during installation using the -accounttoken xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx switch. 
      • The account can be changed without reinstallation by setting account token to a new value; stopping, then restarting the management agent.
    • During licensing, an endpoint is identified by a unique TokenID which is derived from the Primary MacAddress and other unique information about the endpoint.
      • If an endpoint is deleted via the cloud console, the license count is immediately decremented.
      • A hidden uninstallation task is queued for the endpoint and an MSI uninstallation runs immediately, or when the endpoint next comes online.
      • This task remains active for 90 days.
    • An endpoint shows a Last Seen timestamp which updates continuously whenever the agent is connected to the 'sirius' server. A browser/GUI refresh is required to see the latest status.

  • MBEndpointAgent service checks policy, retrieves ZIP files, and installs the appropriate 'plugins' or 'snacks' defined by the policies.

  • It monitors and manages the real-time protection service MBAMService and restarts it if stopped. It also restarts the TrayAgent during reinstallation.

  • It receives and triggers the on-demand tasks for asset and threat scanning, schedule and configuration changes.

  • Software and incremental component updates are periodically retrieved from content servers, identified in a 'manifest' and downloaded as zip files and self-installed.

  • Internal activities are observable through a local journal – MBEndPointAgent.txt, which may be viewed by customers and submitted with support cases.

  • Security context:
    • Installation must be performed by an administrator or local administrator. If installed interactively, a 'UAC' prompt will popup. 
      • Folder access and service restart are privileged operations. Using administrative credentials for general activities is not recommended.
    • Communication is over Transport Layer Security (TLS) outbound-only and clients authenticate to the server using local secrets. 
    • SSL interception is considered a 'man-in-the-middle-attack', therefore communications should be pass-through and not intercepted.
    • Proxy may be configured with 'basic authentication' credentials. This is a 'SYSTEM' proxy for the non-interactive service and differs from browser proxy configuration. Proxy pass-through is recommended as the agent runs as the SYSTEM user, browser/user credentials are not used.
    • All downloads are identified in the 'manifest' and carry integrity hashes/signatures to prevent tampering.
    • Configurations are encrypted and tamper-proofed with integrity signatures. None are locally editable.
    • Service start/stop events are logged into the Windows Event Log under Service Control Manager (SCM) and Malwarebytes sources.

Asset Manager Plugin

The Asset Manager plugin retrieves information about the endpoint such as operating system information, network addresses, disk sizing and installed software. Key points:

  • Runs within the Management Agent service.

  • Installed as a part of the management agent described above.

  • Is responsible for retrieving information about software installed from 'Add Remove Programs' on endpoint (uninstall registry hive), Microsoft Updates, and registry 'Run' keys.

MBIRPlugin - Incident Response

The Malwarebytes Incident Response plugin provides only the scanning function. It is a separate plugin which is downloaded and run when the endpoint's policy, as configured on the server, has all real-time protection turned off.

  • Functionality is Payload Analysis, Anomaly Detection/machine learning, and Linking engine.

  • Scheduling is described below under Schedule Controller.

Malwarebytes Service

The Malwarebytes Service provides real-time protections and scanning functions. IMPORTANT: If this service is not running, the endpoint is unprotected. Key points:

  • This service is installed second – service name MBAMService – Runs as SYSTEM user.

  • The Management agent downloads the latest plugin from a content server (ark.mwbsys.com). Management Agent installs and infrequently updates plugins.

  • Runs autonomously from cached configuration even without management running. IMPORTANT: Endpoints are protected when this service is running, even if the Management Agent is not running.

  • Periodically checks for small (incremental) or full protection rules updates (cdn.mwbsys.com) for Web Blocking and Anti-malware detectors. Malwarebytes Service performs a sub-second restart to turn on new rules. Rules are cached locally with the extension *.MBDB.

  • Real-time protection functions attach to the Microsoft operating system using 'filters' and other formal programming interfaces.

  • Internal controller functions and activities are observable through a local journal - MBAMService.log
    • MWAC Controller – Malwarebytes Web Access Controller provides Web Blocking of IP communications, using our global list of malicious IP Addresses and Domain Names, via a network filter driver. Rules are updated incrementally multiple times per day. Updates are checked hourly by default.
      • The date of the latest rule is observable in %ProgramData%\Malwarebytes\MBAMService\Config\UpdateControllerConfig.json, for example:

        "db_update_time" : "2018-09-03T03:55:08Z",
        "db_version" : "2018.09.03.01",
        "dbcls_pkg_version" : "1.0.6617",

      • It is also observable in MBAMService.log, by the command:

        FIND /I "Db version" %ProgramData%\Malwarebytes\MBAMService\logs\MBAMService.log

      • Third-party monitoring. For example, an RMM tool could monitor this file and search by regex, to check rules freshness.

    • RTP Controller – Real Time Protection Driver provides Payload Analysis and Anomaly Detection for real-time analysis of executables and blocking of programs, using our own malware and unwanted program rules, machine-learning layer, via a file filter driver.
    • Anti-Exploit Controller – provides Exploit Protection real-time monitoring, analysis and blocking of programs by a small module attached to monitored programs. For example, Internet Explorer, Word, Media Player, etc. using 'DLL Injection'. Stops many 'fileless' attacks, malware droppers, etc.
    • ARW Controller - provides Behavior Protection/anti-ransomware post infection monitoring for ransomware. At most, one or two files may be encrypted during detection. When demonstrating, run tests on a typical/realistic workstation with multiple directories and multiple documents/files.
    • Self Protection - provides additional monitoring and protection against other processes interfering with Malwarebytes' operations. IMPORTANT: If other anti-virus/anti-malware products are installed alongside Malwarebytes, these may clash. Hence, this setting is initially defaulted to OFF.
    • Clean Controller – provides killing and removal of malware, unwanted programs and registry settings. It will schedule additional cleaning across reboot if required using DOR Controller.
    • Schedule Controller - Scheduled scans are performed on locally stored schedules. Endpoints do not need to communicate with the Malwarebytes cloud to scan.
      • Threat Scan – a very fast scan which targets actively running malware and also scans in places where malware must reside to become active.
      • Custom Scan – can be configured to scan all locally attached IDE and SCSI drives by ticking 'scan all local drives'. It runs longer but is still faster than most other products. Alternatively, it can be configured to scan a specific path only.
      • Hyper Scan - the fastest option which scans running processes and memory objects.
      • Scans can optionally target Rootkits & archives. They can be configured to scan+report or scan+quarantine.
      • In a file scan we look for program executable (PE) headers in all files; the header is the first few hundred bytes, so each file is held open only for a short time. We drill a few levels into containers, but not into archive files (zip). We stop at about 30 Mgb in size. Performance is optimized against attack. If a zip file is later unzipped, the extracted files are then scanned.
      • Events and scan results are stored into subdirectories with a suffix of JSON. Where detailed investigations are required, these logs are sometimes used.

    • License Controller, Policy Controller, Telemetry Controller, Update Controller - self explanatory.
    • Scan Controller - will show scan starts, stops and any cleaning/quarantining.

  • Exclusions

    Always perform test scans and add exclusions before mass deployments, to ensure good software and registry settings are not quarantined.

    • Websites - If websites are blacklisted or malware is detected by rules customers can override the blocking with a local exclusion. 
      Report incorrectly blocked sites via https://forums.malwarebytes.com/forum/122-false-positives/ or via a support case.
    • Exclude executables by folder, file and file extension, with wildcards. The MD5 hash/fingerprint of a file can be used for exclusion from anti-ransomware detectors.
    • The anomaly detection, aka machine learning detector, cannot be locally excluded. An entry must be added to the 'whitelist' server via the https://forums.malwarebytes.com/forum/122-false-positives/ process, or via a support case. The requisite MD5 hash for exclusion is found by restoring an item from quarantine, or by viewing in the MBEndpointAgent.txt log and also in JSON files in the local xxxDetection or ScanResults folders on an endpoint.
    • Where exclusions are applied to folders, files, registry entries and files by hash, errors may show in the log files, but can be ignored.

  • Security context
    • Same context as the Management Agent.
    • The MBAMService plugin is installed/updated automatically by the Management Agent. It can also be individually installed.
    • The Management Agent restarts the MBAMService immediately if it is stopped. A Self Protection Controller additionally monitors and blocks malicious attempts to stop the service.
    • Service start/stop events and filter driver installations are logged into the Windows Event Log under Service Control Manager (SCM) and Malwarebytes sources.
    • Web blocking and malware, potentially unwanted program (PUP) and potentially unwanted modification (PUM) registry rules are cached locally for offline operation with an extension of *.MBDB. They are encrypted when stored for tamper-proofing. They cannot be copied between endpoints as they are encrypted specifically for each endpoint, upon receipt.
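The rules-freshness check described under the MWAC Controller above, written out as an RMM-style script. This is an added example, not Malwarebytes' own tooling; it assumes the JSON keys (db_update_time, db_version) and file paths shown on this page, and the 24-hour staleness threshold is an assumed default.

```powershell
# Added example, not Malwarebytes' own tooling: an RMM-style freshness check that reads
# UpdateControllerConfig.json (keys db_update_time and db_version, as shown on this page)
# and falls back to the MBAMService.log "Db version" lines that the page's FIND command greps.
param([int]$MaxAgeHours = 24)   # assumed threshold; rules normally update several times a day

$MbData     = Join-Path $env:ProgramData 'Malwarebytes\MBAMService'
$ConfigPath = Join-Path $MbData 'Config\UpdateControllerConfig.json'
$LogPath    = Join-Path $MbData 'logs\MBAMService.log'

function Get-MbRulesState {
    if (-not (Test-Path -LiteralPath $ConfigPath)) {
        throw "Not found: $ConfigPath (is MBAMService installed?)"
    }
    $cfg = Get-Content -LiteralPath $ConfigPath -Raw | ConvertFrom-Json
    # db_update_time is ISO-8601 UTC ("...Z"). Windows PowerShell 5.1 may already have
    # turned it into a local [datetime]; casting then ToUniversalTime() handles both cases.
    $updatedUtc = ([datetime]$cfg.db_update_time).ToUniversalTime()
    $ageHours   = [math]::Round(((Get-Date).ToUniversalTime() - $updatedUtc).TotalHours, 1)
    [pscustomobject]@{
        DbVersion  = $cfg.db_version
        UpdatedUtc = $updatedUtc
        AgeHours   = $ageHours
        Stale      = ($ageHours -gt $MaxAgeHours)
    }
}

$state = Get-MbRulesState
Write-Output ('Rules {0} updated {1:u}, age {2} h' -f $state.DbVersion, $state.UpdatedUtc, $state.AgeHours)

if ($state.Stale) {
    # Cross-check what the service itself last logged, then exit non-zero so the RMM
    # agent raises an alert on this endpoint.
    $lastLogged = Select-String -LiteralPath $LogPath -Pattern 'Db version' -ErrorAction SilentlyContinue |
                  Select-Object -Last 1
    Write-Warning ("Rules older than {0} h. Last log entry: {1}" -f $MaxAgeHours, $lastLogged.Line)
    exit 2
}
exit 0
```

The exit code (0 fresh, 2 stale) is what an RMM monitor keys on; the printed line is only for the technician reading the job output.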

TrayAgent

  • Runs at login, under the context of the logged-in user, and communicates with the Management Agent.

  • The TrayAgent service is started for each logged-in user, using a 'run' key.

  • Can optionally provide status notifications or be suppressed by policy control.

  • Can be 'right-clicked' to start an on demand Threat Scan.

  • 'Shift' 'right-click' runs a diagnostic utility to collect logs and/or toggle debug level logging.

Explorer Context Menu

  • 'right click' in Windows Explorer shows the Malwarebytes' icon and a file, folder or USB drive may be scanned.

Capacity Planning and Sizing Information 

This information is gathered by informal observation using 'Sysinternals Procexp64' from Microsoft. Malwarebytes' solutions are undergoing constant change and optimizations. Customers should perform their own observations/validation.

  • MBEndpoint Agent uses approximately 80 Mgb memory and negligible CPU.

  • MBAMService
    • Less than 1% CPU used when idle. Jumps to 10-20% for a few seconds when launching programs as they are analysed.
    • Uses 200 Mgb memory for real-time protection.
    • Allocates an additional 300 Mgb memory when scanning, which is released after about 5 minutes for a Threat Scan on a typical modern Windows 10 endpoint.
      • Uses available CPU when scanning, but uses Windows low priority setting, so that 'interactive' user is not impeded.
    • Rules database including Web Blocking rules and malware detection rules is less than 10 Mgb.

  • MBAE64.SYS & MBAE.SYS use approximately 80 Mgb, plus attach small monitoring agents MBAE64.DLL and MBAE.DLL to programs such as Word.EXE etc.

  • TrayAgent.exe uses negligible RAM at 70 Mgb.

Server Capacity and Scanning

  • Malwarebytes uses the same capacity as above on servers for each Windows image.

Virtual Server 

  • Each virtual server runs its own full copy of Malwarebytes.

  • Where there are many virtual servers in the one physical server, ensure that scanning does not occur on all servers simultaneously. Multiple groups and schedules can control this. We recommend scanning outside of prime time.

  • Register each server individually. Malwarebytes Endpoint Agent is either installed after server build, or alternatively blocked from communicating with https://sirius.mwbsys.com until ready to register. Cloud management is required to be available to perform initial registration.

  • See appendix for more information on deferring registration and sysprep-ing.

Hypervisor

Each virtual machine needs to be individually registered. See appendix for more information.

  • VMWare
  • Xen - AWS
  • Hyper-V - Not in core
  • Citrix/XenApp - No

Server Roles 

  • RDP Server aka Terminal Server 
    • A terminal server runs a single copy of Malwarebytes Agent and Service under the SYSTEM account.
    • Individual sessions for each logged in user run a copy of the TrayAgent and copies of anti-exploit monitoring agents attached to Word, Excel, browsers etc.
    • A terminal server appears as a single device in the cloud console. Individual logged in users are not identified.
    • Scanning should be suppressed for end-users.

  • VDI Server
    • Each VDI session has its own full copy of Malwarebytes.
    • Scanning is redundant as VDI sessions are often destroyed and new sessions are started from a 'gold image'.
    • Each VDI session should be individually registered. Malwarebytes Endpoint Agent is either installed after server build, or alternatively blocked from communicating with https://sirius.mwbsys.com until ready to register.
    • Cloud management availability is required to perform initial registration.
    • See appendix for more information on deferring registration and sysprep-ing.

  • ActiveDirectory/DNS
    • WARNING: There is a mandatory pre-requisite setting 'DNS=127.0.0.1' to the IP stack otherwise DNS traffic will be blocked by the MWAC.SYS filter even with Web Blocking disabled.

  • Other Server roles
    • Match Microsoft's recommended exclusions if you intend to scan during peak operations.
    • Contact Malwarebytes support or pre-sales for additional information.

Appendix

GPO Installation

Malwarebytes provides its installer in an MSI package suitable for deployment via GPO or 3rd party deployment tools. A batch command is shown below, for testing/debugging MSI installation prior to using GPO:

MSIEXEC /i "C:\...\Setup.MBEndpointAgent.x64.msi"   /qn /lv "C:\...\MBendpointAgentLog.txt"

Key points:

  • A fresh copy of Setup.MBEndpointAgent.x64.msi should be retrieved from Malwarebytes occasionally.

  • Additional information about switches is in the Malwarebytes Cloud Console Administrator Guide.

  • The management agent installer is available under (*) Advanced Installers. For Windows 10, it is about 10 Mgb, as it does not have/need the .Net 4.5+ framework.

Unique registration for Virtual Server and VDI endpoint

As each endpoint is uniquely registered and identified by MacAddress and other characteristics, the registration to the Cloud Server must be performed for each virtual instance, otherwise all appear as a single device in the cloud console. The following sections describe techniques to achieve uniqueness.

Register by GPO or by Startup Script

The Malwarebytes Management Agent can be installed upon startup by GPO or by RunOnce script.

Sysprep-ing

Malwarebytes Management can be pre-installed, but registration needs to be blocked. Methods are described below:

  • Disable Network card (easiest)

  • Block registration - etc\HOSTS file
    • etc\HOSTS file - Blackhole 127.0.0.1  sirius.mwbsys.com  
    • Make gold image.  
    • At or after boot replace HOSTS file using Group Policy Preferences, GPO script or a RunOnce script.

  • Block registration - Firewall rule
    • Block MBCloudEA.exe from outbound communication. Unblocking follows the same pattern as the HOSTS method above.
    • At or after boot, unblock the firewall rule with Group Policy Preferences, GPO script or a RunOnce script.

Bulk installation and deployment in low-bandwidth sites

The MBAMService module is approximately 80 Mgb and can be locally installed using the following techniques. The module self-updates, but a fresh copy should be retrieved upon version updates, if using this technique.

  • Retrieve installer https://ark.mwbsys.com/ncep-win.installer.common/release 
    • Example - mb3-setup-common-3.5.1-2600.exe

  • Stage mb3-setup-common.x.x.x.xxxx.exe onto a file server or deploy by other means.

  • Block access to ark.mwbsys.com e.g. by HOSTS file
    • Blackhole 127.0.0.1 ark.mwbsys.com

  • Run installation silently, using Inno Setup installer command switches
    • mb3-setup-common-3.5.1.2600.exe /SP- /VERYSILENT /SUPPRESSMSGBOXES /LOG="%WINDIR%\MB3Setup.log" /NOCANCEL /RESTARTAPPLICATIONS

  • After update, replace HOSTS file using Group Policy Preferences, GPO script or a RunOnce script.
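The HOSTS-file blackhole used in both the Sysprep-ing section (deferring registration to sirius.mwbsys.com) and the low-bandwidth section above (keeping endpoints off ark.mwbsys.com), as a reusable block/unblock script. This is an added example, not Malwarebytes' own tooling; the script name, the marker comment and the tab-separated HOSTS layout are assumptions, and the MBEndPointAgent service name is the one documented on this page.

```powershell
# Added example, not Malwarebytes' own tooling: manage the HOSTS-file blackhole this page
# describes for deferring cloud registration (sirius.mwbsys.com) on a gold image, and for
# keeping low-bandwidth sites off the content server (ark.mwbsys.com). Run elevated.
# Usage: Set-MbBlackhole.ps1 -Action block|unblock [-HostName a,b]   (script name is assumed)
param(
    [Parameter(Mandatory)][ValidateSet('block', 'unblock')][string]$Action,
    [string[]]$HostName = @('sirius.mwbsys.com')
)

$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$Marker    = '# MB-DEFER'   # assumed tag so only lines written by this script are ever removed

function Add-MbBlackhole {
    param([string[]]$Names)
    $lines = @(Get-Content -LiteralPath $HostsPath -ErrorAction Stop)
    foreach ($n in $Names) {
        # Skip hosts that already resolve to 127.0.0.1 in the file, tagged or not.
        $present = @($lines -match ('^\s*127\.0\.0\.1\s+' + [regex]::Escape($n) + '(\s|$)')).Count -gt 0
        if (-not $present) { $lines += "127.0.0.1`t$n`t$Marker" }
    }
    Set-Content -LiteralPath $HostsPath -Value $lines -Encoding ASCII
}

function Remove-MbBlackhole {
    # Drop only tagged lines; customer-managed HOSTS entries are left untouched.
    $lines = @(Get-Content -LiteralPath $HostsPath -ErrorAction Stop)
    $kept  = @($lines | Where-Object { $_ -notmatch [regex]::Escape($Marker) })
    Set-Content -LiteralPath $HostsPath -Value $kept -Encoding ASCII
    Clear-DnsClientCache   # forget the cached 127.0.0.1 answer immediately
}

switch ($Action) {
    'block' {
        # Before capturing the gold image, or before staging an offline install.
        Add-MbBlackhole -Names $HostName
    }
    'unblock' {
        # At first boot of the clone (RunOnce / GPO startup script): lift the block, then
        # bounce the agent so it registers with its own identity and re-checks policy.
        Remove-MbBlackhole
        Restart-Service -Name 'MBEndPointAgent' -Force
    }
}
```

For the low-bandwidth case, call it with -HostName ark.mwbsys.com before the staged install and again with -Action unblock once the local installer has run.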