You can manually add Windows endpoints to the Malwarebytes Nebula platform in a few different ways. The most common method is to copy an installer file to the endpoint and run the file from the endpoint. You may also add endpoints using the command line or with a dissolvable remediation tool.
This article covers the following methods:
- Use a downloaded installer and copy it to the endpoint.
- Command line remote installation for Windows endpoints, which can be run silently.
- Dissolvable Unmanaged Remediation Tools installation.
If you have many endpoints, you can use the Windows 64-bit MSI installer with many common installation methods including:
- Microsoft Endpoint Manager (SCCM & Intune) and Microsoft GPO.
- Remote Monitoring and Management (RMM) solutions such as SolarWindows, Datto and others.
- Deploy using the Malwarebytes Discovery and Deployment Tool. For more information, see the Malwarebytes Discovery and Deployment Tool Handbook.
Use a downloaded installer
To manually add an endpoint to the Malwarebytes Nebula platform, download the Malwarebytes Endpoint Agent installation file and run the file from the endpoint. Each is pre-configured for your account.
Malwarebytes provides endpoint installers for you to use with your preferred installation method.
Windows Endpoint Installer Notes
- Endpoints are assigned to the Default Group and use the Default Policy unless you specify a different group as a parameter.
- The Installation process shows how to download and manually run the endpoint installer on your Windows devices. Alternatively, you can share the installer with your endpoint users by clicking the following in the Nebula Downloads page:
- Email link: Click this button to email the endpoint installer to your endpoint users. This email pre-populates with a download link unique to your Nebula account. Your recipients can click this link to install the agent. The link expires after 7 days.
- Copy link: Click this button to copy the installer download link to your clipboard. The download link is unique to your Nebula account, and expires after 7 days.
Installation process
- Log in to the Malwarebytes Nebula platform.
- Go to Downloads.
- In the Windows or Windows Server section, select an installer from the drop-down menu. There are both MSI and EXE and installer types, the default 64-bit MSI being smallest and most commonly used for modern Windows endpoints.
- Click Download.
- After you have downloaded the installer, copy it to the endpoint and run the installer.
- When the installation process completes, the Management Agent wp-signup.phps and the endpoint shows up in the Malwarebytes Nebula platform console.
- The Management Agent retrieves Policy information and configures the endpoint, downloading Agents for the configured features. This process takes about 5 minutes until the endpoints is protected and ready to scan.
Command line remote installation for Windows
If you want to perform a silent installation on a Windows endpoint, see the commands below. Run command line installations from the target endpoint. These commands can be run either manually or through automation.
Before running these commands, download the endpoint installer for the command to use. See the downloadable installer section above. The Windows MSI command is shown on multiple lines due to the length of the command. Note: < > denote a variable, but should not be used in commands.
Windows EXE
Setup.Full.MBEndpointAgent.exe /quiet
Windows MSI
msiexec /i “<fullpath1>\Setup.MBEndpointAgent.msi” /quiet /log
“<fullpath2>\Setup.MBEndpointAgent.msi.log”
NEBULA_PROXY_SERVER=http://<ip>
NEBULA_PROXY_PORT=<port>
NEBULA_PROXY_USER=<user@domain>
NEBULA_PROXY_PWD=<password>
GROUP=<gggggggg-gggg-gggg-gggg-gggggggggggg>
@ECHO. %ERRORLEVEL% returned by MSIEXEC
Windows command line switches
- /i – Runs installation. Example:
msiexec /i “<fullpath1>\Setup.MBEndpointAgent.msi” /passive - /x – Runs uninstall. Example:
msiexec /x “<fullpath1>\Setup.MBEndpointAgent.msi” /quiet - /quiet – Optional. Runs silent installation.
- /passive – Optional. Runs installation and shows GUI progress box.
- /log – Optional. Outputs to the specified file. This is equivalent to the switch “/L”. If a software deployment tool is being tested where /log cannot be used, a registry setting can force logging. For more information, see Additional MSI References below.
MSI notes
- The command switches and values need to be used in the order shown.
- msiexec must be run as an administrator. This defaults the working directory to c:\windows\system32. Full quoted path names are recommended.
- UNC networked folders are supported, such as \\server\malwarebytes\Setup.MBEndpointAgent.x64.msi.
MSIEXEC variables
Variables may be used with the MSIEXEC command. These variables are MSIEXEC properties. Variables must come last on the command line but may be in any order.
See the table below for details on MSIEXEC variables. An “x” in the EXE or MSI column means the variable works with that installer. All variables below are optional.
Variable | EXE | MSI | Description |
---|---|---|---|
ARPNOREMOVE | x | When Endpoint Protection is running or being installed, two services show in Add/Remove Programs: Malwarebytes Endpoint Agent, and Malwarebytes Service.
ARPNOREMOVE is a Microsoft variable that hides the Uninstall option for the Malwarebytes Endpoint Agent in Add/Remove Programs. The Malwarebytes Service is not affected and will still display. Use this variable to prevent casual removal of the agent by end users such as students with local administrator rights. |
|
GROUP | x | x | If you would like to install endpoints using the command line and assign them to a specific group, use the GROUP variable and GroupID. The GroupID can be found in the Downloads page in the console.
Go to Downloads. On the right side of the screen, click Specify group assignment link. From the list of GroupIDs that displays, copy the GroupID that you want to assign the server to. If the GroupID entered in the command does not match any groups, the installer will use the Default Group and Default Policy. |
NEBULA_PROXY_SERVER | x | x | Address of the proxy server. |
NEBULA_PROXY_PORT | x | x | Proxy server port to connect on. |
NEBULA_PROXY_USER | x | x | Proxy server username. If the username contains spaces, enclose it in quotes, like “Donald Blake”. |
NEBULA_PROXY_PWD | x | x | Password to log in to the proxy server. If the password contains spaces, enclose it in quotes, like “s3cr3t p4ssw0rd”. |
VERIFY_NETWORK | x | This optional variable checks connectivity during installation.
When set to VERIFY_NETWORK=1, the installer checks for network connectivity and DNS resolution against:
Any addresses that fail this connection test are shown on screen and in the installer log. If VERIFY_NETWORK fails, endpoint installation fails. |
Additional MSI References
See the following articles for more information on using MSIs and the command line:
- How to enable Windows Installer logging
- Standard Installer Command-Line Options
- Windows Installer Error Messages
- Deploying and MSI through GPO tutorial
Check Windows Services
At the endpoint the Malwarebytes Management Agent [MBEndpointAgent] is mandatory to be running.
The Malwarebytes Service [MBAMService] is mandatory for Malwarebytes Endpoint Protection and Malwarebytes Endpoint Detection and Response. It does not run in the Malwarebytes Incident Response configuration.
The services may be checked by Windows command line:
> sc.exe query MBEndpointAgent
SERVICE_NAME: mbendpointagent
TYPE : 10 WIN32_OWN_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
> sc.exe query MBAMService
SERVICE_NAME: mbamservice
TYPE : 10 WIN32_OWN_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_PRESHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
Dissolvable unmanaged remediation tools
You may prefer to use a dissolvable remediation tool instead of an installer. At the bottom of the console Downloads screen is the Remediation (Unmanaged) section. Here you may download the following Malwarebytes dissolvable unmanaged remediation tools.
Windows Breach Remediation: our dissolvable remediation program for Windows endpoints. For more information, see the Malwarebytes Breach Remediation Windows Administrator Guide.
Malwarebytes AdwCleaner: our free adware cleaner for Windows devices. Click Download to get the application. For more information, see the Malwarebytes AdwCleaner guide.
Using Sysprep to deploy images
Administrators that use machine images for fast endpoint deployment may wish to include Malwarebytes on their images. Malwarebytes endpoints have a unique identity assigned to them. Therefore, creating a deployable image containing Malwarebytes takes a few extra steps. You want to avoid accidentally creating multiple endpoints that try to share the same identity.
The Microsoft Sysprep utility is useful for stripping the identity of the Malwarebytes agent. A Sysprep-stripped agent can use a unique identity when copied from a deployed image onto a new endpoint. Sysprep is built into modern Windows versions.
Please see these articles to use Sysprep with Malwarebytes:
- Microsoft’s “How to Sysprep” article
- Prepare an image in Sysprep for Malwarebytes Endpoint Protection endpoint agent
- Prepare an image in Sysprep for Malwarebytes Endpoint Security managed client
Return to the Malwarebytes Nebula platform Administrator Guide.
Source : Official Malwarebytes Brand
Editor by : BEST Antivirus KBS Team