Export data with the Malwarebytes Cloud Excel Addin

Document created by lwei Employee on Sep 12, 2018Last modified by lwei Employee on Jun 26, 2019
Version 60Show Document
  • View in full screen mode


What's This?

The Malwarebytes Cloud server collects a rich set of information from the endpoints and a common request we get is to turn this data into useful information. Malwarebytes provides a complete set of RESTful APIs for this purpose. The Management Console uses these same APIs to extract the data. However, it does require some scripting and technical work to make the data useful.


To make this easier for our customers, we have introduced the Malwarebytes Excel Addin, which provides easy access to import data directly into Microsoft Excel.


Note: There is a corresponding addin for Malwarebytes On-Prem MBES deployment.



Watch a 4 minute video tour of the Excel Addin.
Video on YouTube



  • An account on the Malwarebytes Cloud server (https://cloud.malwarebytes.com).
  • Microsoft Excel 2010, 2013, 2016, 2019, or Office 365 on Windows.
  • .NET Framework v4.5.2.



Download and install the Addin. Latest version is v2.7.

download icon Download the latest Malwarebytes Excel Addin Installer



This is a user community shared utility.

Please post questions and comments on this Forum thread.

You can also send requests to the author directly. 



  • Extract and import most of the Malwarebytes Cloud server object such as the following. Please requests others as needed.
    • Agent Info and Health Data
    • Detection / Threats
    • Endpoints / Machines
    • Quarantine
    • Suspicious Activity
    • Events
    • Tasks / Jobs
    • Others - Exceptions, Users, Groups, Policies, Schedules
  • Some pivot tables and charts are automatically created in Excel.
  • A summary report can be generated in HTML and PDF, and emailed for delivery.
  • Bulk removal of endpoints offline for any specified number of days.
  • Bulk import of exclusions of different types.
  • Bulk restore or delete of quarantined items.
  • RESTful APIs used with the corresponding response data can be viewed.



Latest version is v2.7.


  • v2.7 (2019-06-24)
    • Added feature to delete duplicate endpoints.
  • v2.6 (2019-06-12)
    • Supports OneView login.
    • Added support to bulk remediate or close Suspicious Activities.
    • Fixed bug with failed install when AppData is a remote file share.
    • Fixed Scan Results not showing local date time.
  • v2.5 (2019-04-07)
    • Added new import for endpoint scan statuses. Note the useful column to see scan duration.
    • Added the ability to move endpoints to a different group in bulk.
    • Fixed Bulk Load Exclusions due to changes in the back-end. Now supports adding exclusions by policies.
  • v2.4 (2019-03-13)
    • Confirmed support for Excel 2019.
    • Added column "No of Schedules" in Groups to help identify groups with no threat scans scheduled.
    • Added selection list for Bulk Exclusions for common 3rd Party security software.
  • v2.3.1 (2019-02-18)
    • Fixed bug associated with API change in Detection import. Error generating report: "Item method of PivotFields class failed".
  • v2.3 (2019-01-31)
    • Added support for Excel 2010.
  • v2.2.1 (2019-01-24)
    • Fix error on DateTime from Suspicious Activity export due to API change
  • v2.2 (2019-01-15)
    • Aggregate detection events.
    • Added authentication using tokens.
  • v2.1 (2019-01-09)
    • Enhanced summary report to include KPI warnings with recommendations.
  • v2.0 (2018-12-19)
    • Enhanced summary report to include Endpoint Statuses as key KPI.
    • Enhanced Group management to include children and display with hierarchy.
    • Removed arbitrary 10,000 iteration limit for Agent Info. It was left behind from testing.
    • All date-time fields are now available in either local or UTC time.
    • Type field that was displayed in JSON is now decoded correctly to simple text.
    • Fixed error "Unable to set FreezePane property".
    • Added End Date search parameter for Detection and Quarantine. Noted that the since API search for Detection is based on "reported_at", whereas based on "scanned_at" for Quarantine.
    • Fixed dialog box sizing error caused by display scaling.
  • v1.7 (2018-11-09) 
    • Some fields are stored as JSON blobs and hard to read. Added feature (Show JSON) to pop up a formatted page for these fields such as Policies-->Content, and Schedules-->Command Data.
    • Groups with hierarchy are shown with the names of parents for easier identification.
    • Groups are identified as originating from Active Directory.
    • Separated Software Installed for Windows and macOS.
    • Fixed Select All and Unselect All errors in Delete Endpoints and Restore Quarantine data screen.
    • Fixed error when there are duplicate endpoint IDs.
    • Added Group Name to the summary report, and default email subject field.
  • v1.6 (2018-09-30) - Added bulk delete and restore of Quarantine items.
  • v1.5 (2018-09-28) - Added many items and fixed bugs. 
    • Of note is a new Health Check report to show endpoints check-in status, and whether they are protected.
    • The installer is code signed for proper identification.
    • Exclusions can be imported in a batch.
  • v1.4 (2018-07-31) - Fixed errors caused by changing Regions. Now expected to work with different region formatting, especially with DateTime.
  • v1.3 (2018-07-29) - updated to support the latest release of Malwarebytes Cloud server (code name Kermit).
  • v1.2 (2018-July) - First release.



  • The installation folder is located in the following user appdata directory.
    • C:\Users\[user-name]\AppData\Roaming\Malwarebytes\Malwarebytes Excel Addin [version]
  • The installation logs are located in the following directory. They are useful to determine the reasons why the addin might not have been attached to Excel correctly.
    • C:\Users\[user-name]\AppData\Local\Temp\Malwarebytes Excel Addin
    • C:\Users\[user-name]\Documents\Add-in Express
  • If the Addin does not show up in the menu for Excel, the first thing to try is to run the setup.exe as Administrator.



  1. Detection data imported from the Cloud server.
    Detection data imported from the Cloud server

  2. Pivot tables and charts are created for some key objects.
    Pivot tables and charts

  3. HTML and PDF summary report generated.
    PDF Summary Report

  4. RESTful APIs used for data extraction can be viewed.
    RESTful API