You may manually add endpoints to the Malwarebytes Nebula platform in a few different ways. The most common method is to copy an installer file to the endpoint and run the file from the endpoint. You may also add endpoints using the command line or with a dissolvable remediation tool.
This article covers the following methods:
- Use a downloaded installer and copy it to the endpoint
- Command line remote installation for Windows or Mac, which may also be run silently
- Dissolvable Unmanaged Remediation Tools installation
If you have a lot of endpoints, instead use the Malwarebytes Discovery and Deployment Tool or another tool of your choice. For more information on deployment, see the Malwarebytes Discovery and Deployment Tool Handbook.
Use a downloaded installer
To manually add an endpoint to the Malwarebytes Nebula platform, download the Malwarebytes Endpoint Agent installation file and run the file from the endpoint.
Malwarebytes provides endpoint installers for you to use with your preferred installation method.
Important Endpoint Installer Notes
- When using a Mac endpoint installer, do not change the name of the downloaded installer file. The installation process requires that the filename is not changed.
- Endpoints are assigned to the Default Group and use the Default Policy unless you specify a different group.
- Log in to the Malwarebytes Nebula platform.
- Go to Downloads.
- In the Download Endpoint Installers section, download the installer you need based on your endpoint operating system.
- For Windows operating systems:
- Select an installer from the drop-down menu. There are both EXE and MSI installer types.
- Click Download.
- For Mac operating systems, click Download. It is mandatory to keep _[xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx]__ naming as this identifies your account to the installer. If you are deploying via Mobile Device Management app and the brackets [ ] are incompatible i.e. JAMF, replace the PKG filename brackets to an underscore enclosing the account token:
File name downloaded New file name Setup.MBEndpointAgent_[xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx]__.pkg Setup.MBEndpointAgent__xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx___.pkg
- For Windows operating systems:
- After you have downloaded the installer, copy it to the endpoint and run the installer.
- When the installation process completes, the endpoint shows up in the Malwarebytes Nebula platform console.
Command line remote installation for Windows
If you want to perform a silent installation on a Windows endpoint, see the commands below. Run command line installations from the target endpoint. These commands can be run either manually or through automation.
Before running these commands, download the endpoint installer for the command to use. See the downloadable installer section above. The Windows MSI command is shown on multiple lines due to the length of the command.
msiexec /i "<fullpath1>\Setup.MBEndpointAgent.msi" /quiet /log
@ECHO. %ERRORLEVEL% returned by MSIEXEC
Windows command line switches
- /i - Runs installation. Example:
msiexec /i "<fullpath1>\Setup.MBEndpointAgent.msi" /passive
- /x - Runs uninstall. Example:
msiexec /x "<fullpath1>\Setup.MBEndpointAgent.msi" /quiet
- /quiet - Optional. Runs silent installation.
- /passive - Optional. Runs installation and shows GUI progress box.
- /log - Optional. Outputs to the specified file. This is equivalent to the switch “/L”. If a software deployment tool is being tested where /log cannot be used, a registry setting can force logging. For more information, see Additional MSI References below.
- The command switches and values need to be used in the order shown.
- msiexec must be run as an administrator. This defaults the working directory to c:\windows\system32. Full quoted path names are recommended.
- UNC networked folders are supported, such as \\server\malwarebytes\Setup.MBEndpointAgent.msi.
Variables may be used with the MSIEXEC command. These variables are MSIEXEC properties. Variables must come last on the command line but may be in any order.
See the table below for details on MSIEXEC variables. An “x” in the EXE or MSI column means the variable works with that installer. All variables below are optional.
When Endpoint Protection is running or being installed, two services show in Add/Remove Programs: Malwarebytes Endpoint Agent, and Malwarebytes Service.
ARPNOREMOVE is a Microsoft variable that hides the Uninstall option for the Malwarebytes Endpoint Agent in Add/Remove Programs. The Malwarebytes Service is not affected and will still display. Use this variable to prevent casual removal of the agent by end users such as students with local administrator rights.
If you would like to install endpoints using the command line and assign them to a specific group, use the GROUP variable and GroupID. The GroupID can be found in the Downloads page in the console.
Go to Downloads. On the right side of the screen, click Specify group assignment link. From the list of GroupIDs that displays, copy the GroupID that you want to assign the server to.
If the GroupID entered in the command does not match any groups, the installer will use the Default Group and Default Policy.
|NEBULA_PROXY_SERVER||x||x||Address of the proxy server.|
|NEBULA_PROXY_PORT||x||x||Proxy server port to connect on.|
|NEBULA_PROXY_USER||x||x||Proxy server username. If the username contains spaces, enclose it in quotes, like “Donald Blake”.|
|NEBULA_PROXY_PWD||x||x||Password to log in to the proxy server. If the password contains spaces, enclose it in quotes, like “s3cr3t p4ssw0rd”.|
This optional variable checks connectivity during installation.
When set to VERIFY_NETWORK=1, the installer checks for network connectivity and DNS resolution against:
Any addresses that fail this connection test are shown on screen and in the installer log. If VERIFY_NETWORK fails, endpoint installation fails.
Additional MSI References
See the following articles for more information on using MSIs and the command line.
- How to enable Windows Installer logging
- Standard Installer Command-Line Options
- Windows Installer Error Messages
Command line remote installation for Mac
You may use the terminal command below to perform a silent install on Mac endpoints while specifying the group. See the GROUP variable above for details on locating the GroupID. The command is shown on multiple lines due to the length of the command.
sudo launchctl setenv MALWAREBYTES_GROUP <GroupID> ; sudo -E /usr/sbin/installer -pkg Setup.MBEndpointAgent.pkg -target /
To uninstall the Mac agent, launch EndpointAgentDaemon with the -uninstall option:
sudo "/Library/Application Support/Malwarebytes/Malwarebytes Endpoint Agent/EndpointAgentDaemon -uninstall"
You may also manually uninstall without the daemon. Perform the following commands:
sudo rm -r /Library/LaunchDaemons/com.malwarebytes.EndpointAgent.plist
sudo rm -r /Library/LaunchDaemons/com.malwarebytes.ncep.rtprotection.daemon.plist
sudo rm -r /Library/LaunchDaemons/com.malwarebytes.ncep.settings.daemon.plist
sudo rm -r "/Library/Application Support/Malwarebytes/"
Dissolvable unmanaged remediation tools
You may prefer to use a dissolvable remediation tool instead of an installer. At the bottom of the console Downloads screen is the Remediation (Unmanaged) section. Here you may download the following Malwarebytes dissolvable unmanaged remediation tools.
Malwarebytes Breach Remediation is our dissolvable remediation program for Windows and Mac endpoints. For more information, see the Malwarebytes Breach Remediation Windows Administrator Guide or Malwarebytes Breach Remediation (Mac) Administrator Guide.
Malwarebytes AdwCleaner is our free adware cleaner. Click Download to get the application. For more information, see the Malwarebytes AdwCleaner guide.
Using Sysprep to deploy images
Administrators that use machine images for fast endpoint deployment may wish to include Malwarebytes on their images. Malwarebytes endpoints have a unique identity assigned to them. Therefore, creating a deployable image containing Malwarebytes takes a few extra steps. You want to avoid accidentally creating multiple endpoints that try to share the same identity.
The Microsoft Sysprep utility is useful for stripping the identity of the Malwarebytes agent. A Sysprep-stripped agent can use a unique identity when copied from a deployed image onto a new endpoint. Sysprep is built into modern Windows versions.
Please see these articles to use Sysprep with Malwarebytes:
- Microsoft's "How to Sysprep" article
- Prepare an image in Sysprep for Malwarebytes Endpoint Protection endpoint agent
- Prepare an image in Sysprep for Malwarebytes Endpoint Security managed client
Return to the Malwarebytes Nebula platform Administrator Guide