Endpoint Protection - Windows client fundamentals

Document created by aprobert (Employee) on Jul 18, 2018. Last modified by aprobert (Employee) on Jul 17, 2019.
Version 37

Malwarebytes provides a single endpoint technology for Windows endpoints and servers. It has multiple integrated detection technologies under the hood. This article describes the high level deployment architecture and design.

Version 1.3 - 17 Jul 2019

 

Component Architecture

 

Malwarebytes Endpoint Agent

The Malwarebytes Endpoint Agent is responsible for managing the endpoint's status (including online status), retrieval of policy and configuration, the plugins for protection/scanning, and on-demand tasks.

  • Installed first – service name MBEndpointAgent – runs as the SYSTEM user.

  • Communicates with Cloud Management (sirius.mwbsys.com) to convey endpoint status and to receive policy updates, tasks, schedules and manifests which identify the plugins to download and self-update, using TLS 1.2 (not legacy SSL) over the standard HTTPS port 443.
    • The designated client account is set during installation using the -accounttoken xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx switch.
      • The account can be changed without reinstallation by setting the account token to a new value with the MBCloudEA.exe -accounttoken switch.
    • During licensing, an endpoint is identified by a unique TokenID derived from the primary MAC address, the Windows system identifier, the HDD identifier and other unique information about the endpoint. If any of that information changes, a new TokenID is generated and a new endpoint is registered, producing a duplicate; the earlier endpoint remains offline and should be deleted. Note also that an operating system upgrade from Windows 7 to Windows 10 changes the Windows system identifier and therefore generates a new token.
      • If an endpoint is deleted via the cloud console, the license count is decremented immediately.
      • A hidden uninstallation task is queued for the endpoint, and an MSI uninstallation runs immediately, after a delay of up to 5 minutes, or when the endpoint next comes online.
      • This task remains active for 90 days.
    • An endpoint shows a Last Seen timestamp which updates continuously while the agent is connected to the 'sirius' server. A screen refresh in the browser/GUI is required to see the latest status.

  • The MBEndpointAgent service checks policy, retrieves ZIP files, and installs the appropriate 'plugins' or 'snacks' defined by the policies.

  • It monitors and manages the real-time protection service MBAMService and restarts it if it stops. It also restarts the TrayAgent during reinstallation.

  • It receives and triggers the on-demand tasks for asset and threat scanning, and schedule and configuration changes.

  • Software and incremental component updates are periodically retrieved from content servers: they are identified in a 'manifest', downloaded as zip files and self-installed.

  • Internal activities are observable through a local journal – MBEndpointAgent.txt – which may be viewed by customers and submitted with support cases.

 

  • SECURITY CONTEXT
    • Installation must be performed by an administrator (domain or local). If installed interactively, a UAC prompt appears. Malwarebytes services run as the SYSTEM user.
      • Access to the program folders and restarting the services are privileged operations. Using administrative credentials for general day-to-day activities is not recommended.
    • Communication is over Transport Layer Security (TLS), outbound-only, and clients authenticate to the server using locally held secrets.
    • There are two communication modes, both client-to-server outbound-only connections. Malwarebytes cloud servers never initiate an inbound connection to a customer.
      - WebSocket communications provide real-time communications; and
      - Connections are made on a 5-minute timer if real-time communications are overloaded/unavailable.
    • TLS interception ('SSL inspection') is indistinguishable from a man-in-the-middle attack: the agent receives a certificate issued by the inspecting device rather than by the genuine server. Communications to the Malwarebytes cloud must therefore be passed through, not intercepted.
    • A proxy may be configured with 'basic authentication' credentials. This is a SYSTEM proxy for the non-interactive service and differs from the browser proxy configuration. Proxy pass-through is recommended as the agent runs as the SYSTEM user. Browser/user credentials are not used. Proxy.PAC switching of configuration is not supported.
    • All downloads are identified by a 'manifest' and carry integrity hashes/signatures to prevent tampering.
    • Configurations are encrypted and tamper-proofed with integrity signatures. None are locally editable.
    • Service start/stop events are logged into the Windows Event Log under the Service Control Manager (SCM) and Malwarebytes sources.
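To make the pass-through requirement above concrete, the following PowerShell script is an added example (not part of this article and not Malwarebytes' code). It opens a TLS 1.2 session to the cloud management host named above and prints the certificate chain the endpoint actually receives. The -ExpectedIssuer parameter is an assumption of the example: an administrator records the leaf certificate's issuer once from a network known to have no TLS inspection, and a later mismatch shows that an inspecting proxy has re-signed the server certificate on the path.

```powershell
# Added example, not Malwarebytes code: show the certificate the endpoint actually receives
# from the cloud management host. An inspecting proxy re-signs the server certificate with
# its own CA, so the issuer differs from what a non-intercepted network sees.
param(
    [string]$TargetHost = 'sirius.mwbsys.com',   # cloud management host named in the article
    [int]$Port = 443,
    # Reference issuer DN recorded once on a network with no TLS inspection (assumption:
    # supplied by the administrator; the article gives no expected value).
    [string]$ExpectedIssuer
)

function Get-ObservedTlsChain {
    param([string]$TargetHost, [int]$Port)

    $client = [System.Net.Sockets.TcpClient]::new($TargetHost, $Port)
    $ssl = $null
    try {
        # The callback accepts any chain so a re-signed certificate can still be inspected;
        # the verdict is made by the caller from the observed issuer, not here.
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false,
               [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true })
        $ssl.AuthenticateAsClient($TargetHost, $null,
               [System.Security.Authentication.SslProtocols]::Tls12, $true)

        $leaf  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        $null  = $chain.Build($leaf)

        [pscustomobject]@{
            Host     = $TargetHost
            Protocol = $ssl.SslProtocol
            Cipher   = "$($ssl.CipherAlgorithm) $($ssl.CipherStrength)-bit"
            Subject  = $leaf.Subject
            Issuer   = $leaf.Issuer
            NotAfter = $leaf.NotAfter
            # Leaf first, root last
            Chain    = ($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join '  <-  '
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Dispose()
    }
}

$observed = Get-ObservedTlsChain -TargetHost $TargetHost -Port $Port
$observed | Format-List

if ($ExpectedIssuer -and $observed.Issuer -ne $ExpectedIssuer) {
    $msg = "Issuer '$($observed.Issuer)' differs from the reference '$ExpectedIssuer': the path to $TargetHost is being TLS-intercepted, which this deployment requires to be passed through rather than inspected."
    Write-Warning $msg
}
```

Run it once on a machine outside the inspected network to capture the reference issuer, then run it on a suspect endpoint with -ExpectedIssuer set. Because the script runs in the user's context, remember that the agent itself uses the SYSTEM proxy settings described above, so a proxy that is only configured for interactive users is not exercised by this check.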

Asset Manager Plugin

The Asset Manager plugin retrieves information about the endpoint such as operating system information, network addresses, disk sizing and installed software. Key points:

  • Runs within the Management Agent service.
  • Installed as part of the management agent described above.
  • Is responsible for retrieving information about installed software from 'Add/Remove Programs' on the endpoint (the Uninstall registry key), Microsoft Updates, and the registry 'Run' keys.

MBIRPlugin - Incident Response

The Malwarebytes Incident Response plugin provides only the scanning function.

It is a smaller, separate plugin which is downloaded and run when the policy configured on the server has all real-time protection turned off.

  • Functionality is Payload Analysis, Anomaly Detection/machine learning, and Linking Engine.
  • Scheduling is described below under Schedule Controller.

 

SIEMPlugin - Syslog

The Malwarebytes SIEMPlugin retrieves events from the Cloud Server, then forwards the events as Syslog Common Event Format (CEF) to syslog receivers.  The key points of its operation are:

  • The Cloud Server aggregates events into a zip file
  • On a 5-minute timer, the SIEMPlugin will contact the server and download the zip file, if events are available
  • Syslog:CEF events are sent to the designated Syslog Receiver
  • Activity can be seen in the MBEndpointAgent.txt activity log
  • Tips
    • The plugin is an integrated part of an Endpoint Protection client. Only one receiver may be configured
    • The Windows Endpoint Protection client could be co-located onto the Syslog Receiver e.g. on a Windows Server
    • The Windows Endpoint Protection client could be an endpoint adjacent/in the same subnet as the Syslog Receiver

 

Malwarebytes Service

The Malwarebytes Service provides the real-time protections and scanning functions. IMPORTANT: If this service is not running, the endpoint is unprotected. Key points:

  • This service is installed second – service name MBAMService – runs as the SYSTEM user.
  • The Management Agent downloads the latest plugin from a content server (ark.mwbsys.com); it installs plugins and updates them infrequently.
  • Runs autonomously from cached configuration even without management running. IMPORTANT: Endpoints are protected whenever this service is running, even if the Management Agent is not running.
  • Periodically checks for incremental or full protection-rules updates (cdn.mwbsys.com) for the Web Blocking and anti-malware detectors. The Malwarebytes Service performs a sub-second restart to turn on new rules. Rules are cached locally with the extension *.MBDB.
  • Real-time protection functions attach to the Windows operating system using filter drivers and other documented programming interfaces.
  • Internal controller functions and activities are observable through a local journal - MBAMService.log
    • MWAC Controller – the Malwarebytes Web Access Controller provides Web Blocking of IP communications, using Malwarebytes' global list of malicious IP addresses and domain names, via a network filter driver. Rules are updated incrementally multiple times per day. Updates are checked hourly by default.
      • The date of the latest rule set is observable in two places:
        • %ProgramData%\Malwarebytes\MBAMService\Config\UpdateControllerConfig.json, for example:

            "db_update_time" : "2018-09-03T03:55:08Z",
            "db_version" : "2018.09.03.01",
            "dbcls_pkg_version" : "1.0.6617",

        • MBAMService.log, by the command:

            FIND /I "Db version" %ProgramData%\Malwarebytes\MBAMService\logs\MBAMService.log

      • Third-party monitoring: an RMM tool, for example, can monitor this file and search it by regular expression to check rules freshness.
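The following PowerShell script is an added example of the RMM freshness check suggested above; it is not part of this article and not Malwarebytes' code. It reads db_update_time and db_version from UpdateControllerConfig.json, computes the age of the rule set, and cross-checks the most recent "Db version" line in MBAMService.log. The regular expression for the log line and the 24-hour staleness threshold are assumptions of the example; the article shows the JSON keys but not the exact log line format.

```powershell
# Added example, not Malwarebytes code: report protection-rules freshness from the two
# artefacts named in the article, in a form an RMM check can consume (non-zero exit = alert).
# Assumptions: the JSON keys db_update_time/db_version appear as quoted above, and the
# service log carries lines containing "Db version" followed by a dotted version string.
param(
    [int]$MaxAgeHours = 24,   # threshold chosen for this example; tune to the expected update cadence
    [string]$ConfigPath = "$env:ProgramData\Malwarebytes\MBAMService\Config\UpdateControllerConfig.json",
    [string]$LogPath    = "$env:ProgramData\Malwarebytes\MBAMService\logs\MBAMService.log"
)

function Get-MbRulesStatus {
    param([string]$ConfigPath, [string]$LogPath, [int]$MaxAgeHours)

    if (-not (Test-Path -LiteralPath $ConfigPath)) {
        throw "Config not found: $ConfigPath (is MBAMService installed on this endpoint?)"
    }
    $cfg = Get-Content -LiteralPath $ConfigPath -Raw | ConvertFrom-Json

    # db_update_time is an ISO-8601 UTC timestamp (trailing Z) in the article's sample
    $updated  = [datetime]::Parse($cfg.db_update_time, [cultureinfo]::InvariantCulture,
                                  [System.Globalization.DateTimeStyles]::AdjustToUniversal)
    $ageHours = [math]::Round(((Get-Date).ToUniversalTime() - $updated).TotalHours, 1)

    # Most recent "Db version" line in the service log. The regex is an assumption about
    # the log format; it captures a version of the form 2018.09.03.01.
    $logVersion = $null
    if (Test-Path -LiteralPath $LogPath) {
        $m = Select-String -LiteralPath $LogPath -Pattern 'Db version\D*(\d{4}\.\d{2}\.\d{2}\.\d+)' |
             Select-Object -Last 1
        if ($m) { $logVersion = $m.Matches[0].Groups[1].Value }
    }

    [pscustomobject]@{
        DbVersion       = $cfg.db_version
        DbUpdateTimeUtc = $updated
        AgeHours        = $ageHours
        LogDbVersion    = $logVersion
        # A log version that lags the config suggests the sub-second rules restart did not happen
        VersionsAgree   = ($null -eq $logVersion) -or ($logVersion -eq $cfg.db_version)
        Stale           = $ageHours -gt $MaxAgeHours
    }
}

$status = Get-MbRulesStatus -ConfigPath $ConfigPath -LogPath $LogPath -MaxAgeHours $MaxAgeHours
$status | Format-List

# RMM convention: a non-zero exit code raises an alert on the monitoring console
if ($status.Stale -or -not $status.VersionsAgree) { exit 1 } else { exit 0 }
```

Run the script as SYSTEM or as an administrator, since %ProgramData%\Malwarebytes is not readable by standard users. A stale result on an endpoint that shows as online in the cloud console usually points at the cdn.mwbsys.com path (proxy or TLS inspection) rather than at the agent itself, because policy and rules travel over different hosts.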

    • RTP Controller – the Real Time Protection driver provides Payload Analysis and Anomaly Detection for real-time analysis of executables and blocking of programs, using Malwarebytes' own malware and unwanted-program rules and a machine-learning layer, via a file filter driver.
    • Anti-Exploit Controller – provides Exploit Protection: real-time monitoring, analysis and blocking of programs by a small module attached to monitored programs (for example Internet Explorer, Word, Media Player) using DLL injection. Stops many 'fileless' attacks, malware droppers, etc.
    • ARW Controller - provides Behavior Protection/anti-ransomware: post-infection behavioural monitoring for ransomware. At most one or two files may be encrypted before detection. When demonstrating, run tests on a typical/realistic workstation with multiple directories and multiple documents/files.
    • Self Protection - provides additional monitoring and protection against other processes interfering with Malwarebytes' operations. IMPORTANT: If other anti-virus/anti-malware products are installed alongside Malwarebytes, they may clash with it. Hence this setting initially defaults to OFF.
    • Clean Controller – kills and removes malware, unwanted programs and registry settings. It schedules additional cleaning across a reboot if required, using the DOR Controller.
    • Schedule Controller - scheduled scans are performed from locally stored schedules. Endpoints do not need to communicate with the Malwarebytes cloud to scan.
      • Threat Scan – a very fast scan which targets actively running malware and also scans the places where malware must reside to become active.
      • Custom Scan – can be configured to scan all locally attached IDE and SCSI drives by ticking 'scan all local drives'. It runs longer but is still faster than most other products. Alternatively, it can be configured to scan a specific path only.
      • Hyper Scan - the fastest option, which scans running processes and memory objects.
      • Scans can optionally target rootkits and archives. They can be configured to scan+report or scan+quarantine.
      • In a file scan the engine looks for a program executable (PE) header, which occupies the first few hundred bytes of a file, so each file is held open only briefly. It drills a few levels into nested content but not into archive files (zip) unless archive scanning is enabled, and stops at about 30 MB in size. Performance is optimized against attack; if a zip file is later unzipped, the extracted files are then scanned like any other files.
      • Events and scan results are stored in subdirectories as JSON files. Where detailed investigations are required, these logs are sometimes used.
    • License Controller, Policy Controller, Telemetry Controller, Update Controller - self-explanatory.
    • Scan Controller - shows scan starts, stops and any cleaning/quarantining.
  • Exclusions

    Always perform test scans and add exclusions before mass deployments, to ensure good software and registry settings are not quarantined.

    • Website/IP exclusions - If websites are blacklisted or malware is detected by rules, customers can override the blocking with a local exclusion. The endpoint regularly uses DNS to look up the current IP addresses of excluded websites.
      Report incorrectly blocked sites via https://forums.malwarebytes.com/forum/122-false-positives/ or via a support case; once the rules are corrected, the local exclusion can be removed.
    • Exclude executables by folder, file and file extension, with wildcards. The MD5 hash/fingerprint of a file can be used for exclusion from the anti-ransomware detectors.
    • The anomaly detection (machine learning) detector cannot be locally excluded. An entry must be added to the 'whitelist' server via the https://forums.malwarebytes.com/forum/122-false-positives/ process, or via a support case. The requisite MD5 hash for the exclusion is found by restoring an item from quarantine, by viewing the MBEndpointAgent.txt log, or in the JSON files in the local xxxDetection or ScanResults folders on an endpoint.
    • Where exclusions are applied for folders, files, registry entries or file hashes that are not present on the endpoint, errors may appear in the log files; they can be ignored.
  • SECURITY CONTEXT
    • Same context as the Management Agent.
    • MBAMService plugin is installed/updated automatically by the Management Agent.
    • The Management Agent restarts the MBAMService immediately if it is stopped. A Self Protection Controller additionally monitors and blocks malicious attempts to stop the service.
    • Service start/stop events and filter driver installations are logged into the Windows Event Log under Service Control Manager (SCM) and Malwarebytes sources.
    • Web blocking, malware detection, potentially unwanted program (PUP) and potentially unwanted modification (PUM) registry detection and cleaning rules are cached locally for offline operation with an extension of *.MBDB. They are encrypted when stored for tamper-proofing. They cannot be copied between endpoints as they are encrypted specifically for each endpoint upon receipt.
    • Exploit Protection, Behavioural Protection and Ransomware detectors are statically programmed and updated infrequently, as algorithms are enhanced.  Updates may be incremental.
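Because the page stresses that the endpoint is unprotected whenever MBAMService is not running, here is an added PowerShell health check (example code, not part of this article and not Malwarebytes' code). It verifies that both services named above exist, run as LocalSystem (how SYSTEM appears in Win32_Service) and start automatically, and then lists the recent Service Control Manager start/stop events for them. Event ID 7036 is the standard SCM "entered the running/stopped state" event; the filter on the word "Malwarebytes" in the event message is an assumption, since the article gives the service names but not the display names.

```powershell
# Added example, not Malwarebytes code: confirm the two services described in the article
# are present and healthy, and surface the SCM start/stop history the article says is logged.
$ServiceNames = 'MBEndpointAgent', 'MBAMService'   # service names from the article

function Get-MbServiceHealth {
    param([string[]]$Names)
    foreach ($name in $Names) {
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
        if (-not $svc) {
            [pscustomobject]@{ Service = $name; Present = $false; State = $null
                               StartMode = $null; Account = $null; Healthy = $false }
            continue
        }
        [pscustomobject]@{
            Service   = $name
            Present   = $true
            State     = $svc.State
            StartMode = $svc.StartMode
            Account   = $svc.StartName          # SYSTEM is reported as 'LocalSystem'
            Healthy   = ($svc.State -eq 'Running' -and
                         $svc.StartMode -eq 'Auto' -and
                         $svc.StartName -eq 'LocalSystem')
        }
    }
}

function Get-MbScmEvents {
    param([int]$Hours = 24)
    # 7036 = "The <display name> service entered the <running|stopped> state"
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7036
        StartTime    = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
    # Assumption: the display names of both services contain "Malwarebytes"
    Where-Object { $_.Message -like '*Malwarebytes*' } |
    Select-Object TimeCreated, Message
}

$health = Get-MbServiceHealth -Names $ServiceNames
$health | Format-Table -AutoSize

$rtp = $health | Where-Object Service -eq 'MBAMService'
if (-not $rtp.Healthy) {
    Write-Warning 'MBAMService is not running as LocalSystem with automatic start: this endpoint is unprotected.'
}
$agent = $health | Where-Object Service -eq 'MBEndpointAgent'
if (-not $agent.Healthy) {
    Write-Warning 'MBEndpointAgent is not healthy: MBAMService will not be restarted automatically if it stops.'
}

Write-Output "SCM start/stop events for Malwarebytes services in the last 24 hours:"
Get-MbScmEvents -Hours 24 | Format-Table -Wrap -AutoSize
```

A run of repeated stopped/running pairs in the event list on an endpoint where nobody was doing maintenance is worth investigating: either another security product is fighting the service (the clash the Self Protection note above warns about) or something is deliberately stopping it and the Management Agent is restarting it.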

TrayAgent

  • Runs at login under the context of the logged-in user and communicates with the Management Agent.
  • A TrayAgent process is started for each logged-in user via a registry 'Run' key. In the special case of a Terminal Server, multiple TrayAgents are started, one per session.
  • Can optionally provide status notifications, or be suppressed by policy control.
  • Can be right-clicked to locally start an on-demand Threat Scan.
  • Shift + right-click runs a diagnostic utility to collect logs, toggle debug-level logging and optionally pause the protection service.

Explorer Context Menu

  • Right-clicking in Windows Explorer shows the Malwarebytes icon, from which a file, folder or USB drive may be scanned.

Capacity Planning and Sizing Information 

This information was gathered by informal observation using Microsoft's Sysinternals Process Explorer (procexp64). Malwarebytes' solutions undergo constant change and optimization, so customers should perform their own observations/validation.

  • MBEndpointAgent uses approximately 80 MB of memory and negligible CPU.
  • MBAMService
    • Less than 1% CPU when idle. Jumps to 10-20% for a few seconds when programs are launched and analysed.
    • Uses 200 MB of memory for real-time protection.
    • Allocates an additional 300 MB of memory when scanning, which is released after roughly 5 minutes for a Threat Scan on a typical modern Windows 10 endpoint.
      • Uses available CPU when scanning, but at the Windows low-priority setting so that the interactive user is not impeded.
    • The rules database, including Web Blocking rules and malware detection rules, is less than 10 MB.
  • MBAE64.SYS & MBAE.SYS use approximately 80 MB, plus the small monitoring agents MBAE64.DLL and MBAE.DLL attached to programs such as Word.EXE.
  • TrayAgent.exe uses approximately 70 MB of RAM.

Server Capacity and Scanning

  • Malwarebytes uses the same capacity as above on servers for each Windows image.

 

Virtual Server 

  • Each virtual server runs its own full copy of Malwarebytes.
  • Where there are many virtual servers in the one physical server, ensure that scanning does not occur on all servers simultaneously.
    • Multiple groups and schedules can control this.
    • We recommend scanning outside of prime time.  Where there are large disks e.g. File Servers, scanning can take extended periods.
  • Register each server individually. The Malwarebytes Endpoint Agent is either installed after the server build, or alternatively blocked from communicating with https://sirius.mwbsys.com until ready to register. IMPORTANT: Cloud management must be reachable to perform the initial registration.
  • See appendix for more information on deferring registration and sysprep-ing.

Hypervisor

Each virtual machine needs to be individually registered. See appendix for more information.

  • VMware
  • Xen - AWS
  • Hyper-V - Not in core
  • Citrix/XenApp - No

 

Server Roles 

  • RDP Server aka Terminal Server 
    • A terminal server runs a single copy of Malwarebytes Agent and Service under the SYSTEM account.
    • Individual sessions for each logged in user run a copy of the TrayAgent and copies of anti-exploit monitoring agents attached to Word, Excel, browsers etc.
    • A terminal server appears as a single device in the cloud console. Individual logged in users are not identified.
    • Scanning should be suppressed for end-users.

  • VDI Server
    • Each VDI session has its own full copy of Malwarebytes.
    • Scanning is redundant as VDI sessions are often destroyed and new sessions are started from a 'gold image'.
    • Each VDI session should be individually registered. The Malwarebytes Endpoint Agent is either installed after the server build, or alternatively blocked from communicating with https://sirius.mwbsys.com until ready to register.
    • Cloud management availability is required to perform initial registration.
    • See appendix for more information on deferring registration and sysprep-ing.

  • ActiveDirectory/DNS
  • Other Server roles
    • Match Microsoft's recommended exclusions if you intend to scan during peak operations.
    • Contact Malwarebytes support or pre-sales for additional information.

Appendix

 

GPO Installation

Malwarebytes provides its installer as an MSI package suitable for deployment via GPO or third-party deployment tools. A batch command is shown below for testing/debugging the MSI installation prior to using GPO:

:: Set the current directory to the path from which the script was executed; this also supports running from network shares.
:: Assumes the installer is in the same path as the script.
:: /passive shows the GUI whilst installing; replace with /qn for a fully silent install.
:: /l*v writes a full verbose log, which is what support will ask for if the install fails.
:: Must run as administrator.
PUSHD %~dp0
MSIEXEC /i "%CD%\Setup.MBEndpointAgent.x64.msi" /passive /l*v "%TEMP%\MBEndpointAgentLog.txt"
POPD

 

Key points:

  • A fresh copy of Setup.MBEndpointAgent.x64.msi should be retrieved from Malwarebytes occasionally.
  • Additional information about switches is in the Malwarebytes Cloud Console Administrator Guide.
  • For Windows 10 the recommended management agent installer is available under [Advanced Installers]; it is smaller at 11 MB and does not need the .NET 4.5+ framework.

 

Unique registration for Virtual Server and VDI endpoint

As each endpoint is uniquely registered and identified by its MAC address and other characteristics, registration with the Cloud Server must be performed separately for each virtual instance; otherwise all instances cloned from one image appear as a single device in the cloud console. The following sections describe techniques to achieve uniqueness.

 

Register by GPO or by Startup Script

The Malwarebytes Management Agent can be installed at startup by GPO or by a RunOnce script, just after boot.
The Management Agent installs immediately, registers, then downloads and installs the 80 MB Malwarebytes Service (MBAMService).
Some additional techniques are described below in the Sysprep section.

 

Sysprep-ing

The Malwarebytes Management Agent can be pre-installed in the image, but registration must be blocked until each clone is ready. Methods:

  • Disable the network card (easiest).
  • Block registration with a firewall rule
    • Block MBCloudEA.exe from outbound communication; remove the same rule to unblock.

Remove the block at or after first boot with Group Policy Preferences, a GPO script or a RunOnce script.
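The following PowerShell script is an added example of the firewall-rule method above; it is not part of this article and not Malwarebytes' code. Run it with -Action Block on the reference image before sysprep, and with -Action Unblock from a RunOnce or startup script on each clone once it should register. The article names MBCloudEA.exe but not its install folder, so the script locates the binary under Program Files (an assumption of the example) rather than hard-coding a path; the rule name, the search root and the optional RunOnce entry are also choices of the example.

```powershell
# Added example, not Malwarebytes code: block the agent's outbound registration while an
# image is being prepared, and remove the block on a clone's first boot.
# Assumptions: MBCloudEA.exe (named in the article) is installed somewhere under Program
# Files; the rule name and RunOnce entry name are this example's own.
param(
    [ValidateSet('Block', 'Unblock', 'Status')][string]$Action = 'Status',
    [string]$SearchRoot = $env:ProgramFiles,   # install folder is not stated in the article
    [switch]$RegisterRunOnce                   # with -Action Block: unblock automatically on first boot
)
$RuleName = 'MB-Imaging-BlockRegistration'

function Find-MbCloudEA {
    param([string]$Root)
    $exe = Get-ChildItem -Path $Root -Filter 'MBCloudEA.exe' -Recurse -File -ErrorAction SilentlyContinue |
           Select-Object -First 1
    if (-not $exe) { throw "MBCloudEA.exe not found under $Root; agent not installed or installed elsewhere" }
    $exe.FullName
}

switch ($Action) {
    'Block' {
        $path = Find-MbCloudEA -Root $SearchRoot
        if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
            # Outbound block scoped to the registration binary only, so nothing else on the image changes
            New-NetFirewallRule -DisplayName $RuleName -Direction Outbound -Action Block `
                -Program $path -Profile Any -Enabled True | Out-Null
        }
        Write-Output "Outbound traffic from $path is blocked; the agent cannot register until '$RuleName' is removed."

        if ($RegisterRunOnce) {
            # HKLM RunOnce runs once at the next boot of the clone. This assumes the script itself
            # is still present at $PSCommandPath inside the image.
            $cmd = "powershell.exe -NoProfile -ExecutionPolicy Bypass -File `"$PSCommandPath`" -Action Unblock"
            Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce' `
                -Name 'MBUnblockRegistration' -Value $cmd
            Write-Output "RunOnce entry written; the block is removed on the clone's first boot."
        }
    }
    'Unblock' {
        Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue | Remove-NetFirewallRule
        Write-Output "Rule '$RuleName' removed; the agent may now register with sirius.mwbsys.com."
    }
    'Status' {
        $rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
        if ($rule) {
            $rule | Get-NetFirewallApplicationFilter |
                Select-Object Program, @{ Name = 'Enabled'; Expression = { $rule.Enabled } }
        } else {
            Write-Output "No rule '$RuleName' present; registration is not blocked by this script."
        }
    }
}
```

Prefer the RunOnce or GPO-script unblock over removing the rule by hand: the first clone an administrator forgets to unblock shows as permanently offline in the console, while a clone that registered before sysprep produces exactly the duplicate-device problem this appendix exists to avoid. Check -Action Status on a freshly booted clone before troubleshooting a registration that never appears.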

 

Remove Obsolete Endpoint

As each endpoint is uniquely registered, a manual process should be used periodically to delete obsolete endpoints.
The Malwarebytes Cloud Excel Add-in has a function to search for and delete old endpoints, to assist with this process: Export data with the Malwarebytes Cloud Excel Addin with Reporting and Utilities
