Move an endpoint between Cloud Accounts or OneView Sites

Document created by aprobert (Employee) on May 16, 2019. Last modified by jgolomb on Jul 23, 2019. Version 8.

Purpose

It is sometimes necessary to move an endpoint between Malwarebytes Cloud or Malwarebytes OneView accounts, for example to:

  • Move an endpoint from a Cloud Account into a OneView Site Account (sub-account)
  • Move an endpoint between OneView Sites/accounts
  • Move an endpoint between accounts for testing

This can be done without reinstallation by resetting the endpoint's "accounttoken" value with the MBCloudEA.exe utility. The endpoint then registers afresh into the nominated account. An endpoint can be switched back to the original account, or to any other account, by changing its "accounttoken" again.

 

Considerations & Constraints

  • This is a move of an individual endpoint. It triggers a new registration into the new account.
  • The endpoint's existing history of Detections, Scan History, Tasks, Suspicious Activity, Quarantine etc. is not copied.
    If retention is required, use the Malwarebytes Cloud Excel Addin to export your data for external retention before the move.
  • MBCloudEA.exe needs an interactive session. It cannot be scripted, except by using the PSEXEC utility (see below).
  • If you are considering moving very large numbers of endpoints, discuss this first with Customer Support to check on the latest availability of tools, and/or revisit this page, as it is updated occasionally.
  • Where Endpoint Protection and Response is in use, rollback is only possible back to the date/time of the new registration, when Suspicious Activity recording begins in the new account.
  • Where the endpoint is running the SIEMPlugin to relay Syslog events, this functionality becomes inactive after the move.
  • The endpoint appears in the Default Group, unless the Active Directory groups have already been copied into the destination account using the Deployment and Discovery Tool.

    Notes:
    - Ensure that the appropriate policies, exclusions, and schedules are configured in advance for the Default Group and/or other groups.
    - Endpoints can easily be moved manually from the Default Group to other groups using the cloud console.

 

Security Context

The accounttoken can only be changed by an administrator running the MBCloudEA.exe utility elevated ("Run as administrator").

 

Process Overview

1.   Obtain the accounttoken value for the destination account using one of the methods below:

  1. Using the Malwarebytes Excel Tool. See Export data with the Malwarebytes Cloud Excel Addin with Reporting and Utilities for more information.
  2. From an endpoint log file.

     Optionally, also obtain the accounttoken value for the origin account, in case you wish to move the endpoint back.

2.   Delete the Quarantine items, either through the console or using the Malwarebytes Excel plugin for bulk actions.


3.   As administrator, run this command on the endpoint (the path contains spaces, so quote it):

"C:\Program Files\Malwarebytes Endpoint Agent\MBCloudEA.exe" -accounttoken xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

 

4.   Confirm the endpoint is now online/registered in the destination account.


5.   At some future time, delete the endpoint from the origin account, using the Cloud console or the Malwarebytes Excel Plugin.

For safety, delay the deletion and confirm that the endpoint is no longer checking in to the origin account before removing it.

 

Obtaining the accounttoken value


Account Token from Malwarebytes Excel Tool

 

Account Token from EndpointAgent.log

  1. Turn on Debug.

  2. Stop and start the Malwarebytes Endpoint Agent service.

  3. Search the log c:\ProgramData\Malwarebytes Endpoint Agent\EndpointAgent.txt for an entry like the following; the AccountToken value on the last line is what you need:
    2019-05-17 15:13:41,385+10:00 [7 ] INFO EAEngine ************** Engine Initializing! Version:1.2.0.689 ***************
    2019-05-17 15:13:41,402+10:00 [7 ] DEBUG SafeAppConfig Initializing AppSettings..
    2019-05-17 15:13:41,494+10:00 [7 ] DEBUG SafeAppConfig Initialized AppSettings..
    2019-05-17 15:13:41,502+10:00 [7 ] DEBUG SafeAppConfig Entering Get - AccountToken
    2019-05-17 15:13:41,509+10:00 [7 ] DEBUG SafeAppConfig In get - acquired the lock
    2019-05-17 15:13:41,521+10:00 [7 ] DEBUG SafeAppConfig In Get, loaded the AccountToken: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx
  4. Turn off Debug.

 

For example, a simple search is:

FIND /i "accounttoken" "%ProgramData%\Malwarebytes Endpoint Agent\logs\EndpointAgent.txt"
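As an added example (not from the original article), the PowerShell function below performs the same search as the FIND command above but returns only the token value, so the origin account's token can be recorded before the move. It uses the log path from the FIND example; the sample log lines at the end are constructed, with a placeholder GUID, so the parser can be tried offline.

```powershell
# Added example, not Malwarebytes code: extract the AccountToken from EndpointAgent.txt.
function Get-EndpointAccountToken {
    param(
        # Same path as the article's FIND example; adjust if your agent logs elsewhere
        [string]$LogPath = "$env:ProgramData\Malwarebytes Endpoint Agent\logs\EndpointAgent.txt"
    )
    if (-not (Test-Path -LiteralPath $LogPath)) {
        throw "Log file not found: $LogPath (is Debug logging on and the service restarted?)"
    }
    # Debug-level line written by SafeAppConfig when the token is read:
    #   ... DEBUG SafeAppConfig In Get, loaded the AccountToken: <guid>
    $pattern = 'loaded the AccountToken:\s*([0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})'
    $tokens = Select-String -LiteralPath $LogPath -Pattern $pattern |
        ForEach-Object { $_.Matches[0].Groups[1].Value }
    if (-not $tokens) { return $null }
    # The last match is from the most recent agent start, i.e. the current registration
    return @($tokens)[-1]
}

# Constructed sample log (placeholder GUID) so the function can be exercised offline
$sample = @"
2019-05-17 15:13:41,385+10:00 [7 ] INFO EAEngine ************** Engine Initializing! Version:1.2.0.689 ***************
2019-05-17 15:13:41,502+10:00 [7 ] DEBUG SafeAppConfig Entering Get - AccountToken
2019-05-17 15:13:41,521+10:00 [7 ] DEBUG SafeAppConfig In Get, loaded the AccountToken: 00000000-1111-2222-3333-444444444444
"@
$tmp = Join-Path $env:TEMP 'EndpointAgent-sample.txt'
Set-Content -LiteralPath $tmp -Value $sample
Get-EndpointAccountToken -LogPath $tmp
```

Run it without -LogPath on the endpoint itself to read the real log; store the returned value with the endpoint's name before running MBCloudEA.exe.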

 

Scripting MBCloudEA.exe with PSEXEC

"PsExec is a light-weight telnet-replacement that lets you execute processes on other systems, complete with full interactivity for console applications, without having to manually install client software. PsExec's most powerful uses include launching interactive command-prompts on remote systems and remote-enabling tools like IpConfig that otherwise do not have the ability to show information about remote systems. Some anti-virus scanners report that one or more of the tools are infected with a "remote admin" virus. None of the PsTools contain viruses, but they have been used by viruses, which is why they trigger virus notifications." - Mark Russinovich - https://docs.microsoft.com/en-us/sysinternals/downloads/psexec

 

The instructions below describe some techniques to script the MBCloudEA.exe utility using the PSEXEC utility. Use an administrative account to launch the utility. The -i switch lets the utility run interactively in a privileged session, without needing approval via User Account Control (UAC) prompts.

 

> c:\psexec.exe -accepteula \\COMPUTERNAME -i "C:\Program Files\Malwarebytes Endpoint Agent\MBCloudEA.exe" -accounttoken xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

PsExec v2.2 - Execute processes remotely
Copyright (C) 2001-2016 Mark Russinovich
Sysinternals - www.sysinternals.com

 

C:\Program Files\Malwarebytes Endpoint Agent\MBCloudEA.exe exited on localhost with error code 0.

 

The following two examples include methods to dynamically download PSEXEC, if not present on the endpoints, and launch it locally via \\localhost.

 

Windows 10:

powershell -command "& {[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'https://live.sysinternals.com/psexec.exe' -OutFile 'c:\psexec.exe'}"

c:\psexec.exe -accepteula \\localhost -i "C:\Program Files\Malwarebytes Endpoint Agent\MBCloudEA.exe" -accounttoken xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

 

Windows 7:

bitsadmin /transfer mydownloadjob /download /priority normal https://live.sysinternals.com/psexec.exe c:\psexec.exe

c:\psexec.exe -accepteula \\localhost -i "C:\Program Files\Malwarebytes Endpoint Agent\MBCloudEA.exe" -accounttoken xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
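The function below wraps the PsExec procedure above in PowerShell with the checks an administrator would want before re-registering an endpoint. It is an added example, not Malwarebytes or Sysinternals code, and its function and parameter names are its own. It assumes PsExec is fetched from the live.sysinternals.com URL shown above and adds one check the article does not: it refuses to run a psexec.exe whose Authenticode signature is not a valid Microsoft one.

```powershell
# Added example (not Malwarebytes' or Sysinternals' code): validate the token,
# make sure the PsExec binary is present and genuinely Microsoft-signed, then
# run MBCloudEA.exe via PsExec exactly as the article's command line does.
function Invoke-AccountTokenMove {
    param(
        [Parameter(Mandatory)][string]$AccountToken,   # destination account token
        [string]$ComputerName = 'localhost',
        [string]$PsExecPath   = 'C:\psexec.exe',
        [string]$AgentExe     = 'C:\Program Files\Malwarebytes Endpoint Agent\MBCloudEA.exe'
    )
    # 1. Reject anything that is not a GUID before it reaches the agent
    $guid = [guid]::Empty
    if (-not [guid]::TryParse($AccountToken, [ref]$guid)) {
        throw "AccountToken is not a valid GUID: '$AccountToken'"
    }
    $token = $guid.ToString()

    # 2. Fetch PsExec only if it is missing (same download as the Windows 10 example)
    if (-not (Test-Path -LiteralPath $PsExecPath)) {
        [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
        Invoke-WebRequest -Uri 'https://live.sysinternals.com/psexec.exe' -OutFile $PsExecPath
    }

    # 3. Refuse to run a PsExec binary that is not validly signed by Microsoft
    $sig = Get-AuthenticodeSignature -FilePath $PsExecPath
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft Corporation') {
        throw "PsExec signature check failed ($($sig.Status)); not running it"
    }

    # 4. Run MBCloudEA.exe interactively (-i avoids the UAC prompt, as the article notes)
    & $PsExecPath -accepteula "\\$ComputerName" -i $AgentExe -accounttoken $token
    $exit = $LASTEXITCODE
    if ($exit -ne 0) { Write-Warning "MBCloudEA.exe exited with code $exit on $ComputerName" }
    return $exit
}

# Example call (placeholder token); a return value of 0 matches the "error code 0" output above
Invoke-AccountTokenMove -AccountToken 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'
```

Replace the placeholder with the destination account's real token; the call throws before anything runs if the value is not a GUID.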
