Move an endpoint between Nebula accounts or OneView sites (Malwarebytes)

0
(0)

You may want to move an endpoint between Malwarebytes Nebula or Malwarebytes OneView Sites/accounts for the following reasons:

  • Move an endpoint from a Nebula account into a OneView Site account (sub-accounts)
  • Move an endpoint between OneView Site/accounts
  • Move an endpoint between accounts for testing

There are two options for moving endpoints:

  1. Run a command-line utility on each endpoint, to wp-signup.php to a new site without reboot/restart.
  2. Uninstall, then reinstall the Malwarebytes Endpoint Agent, which requires a reboot on Windows devices. Macs do not need a reboot.

Considerations & Constraints

  • Default groups will be used. The target group may be specified for Windows or by reinstall for Macs.  Alternatively, use the console to move endpoints between groups.
  • Quarantined items will be available in the new site.
  • History of Detections, Scans, Tasks, Suspicious Activity remains in the old site.
    • If you require data retention, use Report (exports) to save the data.
  • Contact Malwarebytes Sales Engineering or your Customer Service Manager if you have number of endpoints to move or sites to create.
  • The accounttoken can only be changed by an Administrator running the MBCloudEA.exe utility.

Requirements

  • The Service and Process Protection policy setting in your Nebula console must be turned off for the command-line utility to run.
  • The command-line can only be run with Administrator privileges.

Process Overview

1.Obtain the target site’s account token by one of the following methods:

  • OneView Console – Sites panel or select the site in the Downloads panel
  • Nebula Console – check the macOS PKG file name. e.g.  _[xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx]__.pkg

2.As a Windows Administrator, run these commands interactively* on the endpoint:

C:\Program Files\Malwarebytes Endpoint Agent\UserAgent>EACmd.exe –changeaccounttoken=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
NET STOP MBEndpointAgent
TIMEOUT /T 20
NET START MBEndpointAgent

* See scripting section, for silent scripting

3.As a Mac Administrator, run these commands*

SUDO ‘/Library/Application Support/Malwarebytes/Malwarebytes Endpoint Agent/EndpointAgentDaemon.app/Contents/MacOS/EndpointAgentDaemon’ AccountToken=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx
SUDO launchctl stop com.malwarebytes.agent.daemon
launchctl start ‘com.malwarebytes.agent.daemon

* See sample script for older Malwarebytes version.

4.Confirm the endpoint is now online and wp-signup.phped in the destination account.

5.Delete the offline endpoint from the origin account, using the Nebula console or Excel Plugin.
For safety, delay deletion from source site and ensure endpoints are not checking in.

Windows Deployment: Silent Scripting MBCloudEA.exe with PSEXEC

To run the MBCloudEA.exe command-line silently from a script, use the PSEXEC utility.

“PsExec is a light-weight telnet-replacement that lets you execute processes on other systems, complete with full interactivity for console applications, without having to manually install client software. PsExec’s most powerful uses include launching interactive command-prompts on remote systems and remote-enabling tools like IpConfig that otherwise do not have the ability to show information about remote systems. Some anti-virus scanners report that one or more of the tools are infected with a “remote admin” virus. None of the PsTools contain viruses, but they have been used by viruses, which is why they trigger virus notifications.” – Mark Russinovich – https://docs.microsoft.com/en-us/sysinternals/downloads/psexec

The following is an example of a Windows script for silent use.  It assumes PSEXEC is available. -i -h are mandatory switches.

ECHO OFF
NET SESSION > nul 2>&1 || (@ECHO Error: Must run as Admin & TIMEOUT /T 20 & EXIT /B 1)
:: Make working directory same as script’s path
PUSHD %~dp0
CD /D %CD%
psexec.exe -accepteula \\localhost -i -h &PROGRAMFILES&Malwarebytes Endpoint Agent\UserAgent>EACmd.exe –changeaccounttoken=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
TIMEOUT /T 5 /NOBREAK
NET.EXE STOP MBEndpointAgent
TIMEOUT /T 25 /NOBREAK
NET.EXE START MBEndpointAgent

Notes

  • The above commands may be run manually, or scripted for use with ActiveDirectory GPO, Remote Management and Monitoring (RMM) tools or other methods.
  • The utility may also remotely connect to an endpoint on local LAN by specifying \\hostname and supplying credentials, refer to PSEXEC documentation.
  • When testing, temporarily turn on email notifications for ‘Endpoint wp-signup.phped’ within each Nebula site, to immediately see when an endpoint is changed. Otherwise, have the endpoints list on view and click refresh.

Example log entry

The following are compiled log entries from a successful change, important items are bolded. To locate full logs, navigate to: “%programdata%\Malwarebytes Endpoint Agent\logs\EndpointAgent.txt”

INFO MBCloudEA.Program Process start
INFO EngineController Duplicate copy of selected cut already exists in root. Use existing app cut file to verify file sigs
INFO EAEngine Setting Account Token
INFO EAEngine Removing all config settings except AccountToken,NebulaUri,Proxy.Server,Proxy.Port,Proxy.User,Proxy.Password,SiriusChannel,SiriusToken,SiriusUri,ArkUri,log4net.Config,log4net.Config.Watch,MB3PluginSiriusChannel
INFO SafeAppConfig No settings were found to be cleaned
INFO EAEngine Requesting to be assigned to group 5747f0e9-4159-4768-8777-a847b7ac2620

INFO EAService Service Stopping….
INFO EAService Service Stopped….

INFO MBCloudEA.Program Process start
INFO EAService Service Started!
INFO EAEngine ************** Engine Initializing! Version:1.2.0.863 ***************
INFO EAEngine Service Version:1.2.0.508, EngineVersion: 1.2.0.863
INFO EAEngine Entering ProcessSiriusModulesUpdateResponse
INFO EAEngine Received an empty response from Sirius, no modules to update.
INFO EAEngine Continuing to startup
INFO EAEngine Loading settings
INFO EAEngine LoadSettingsAndwp-signup.php — wp-signup.phpMachine(retry:True) nebulaMachineId=[] TokenNull=True IsTokenValid=False

INFO EAEngine SendRegistrationRequest – AccountToken:xxxxxxxx-7a9c-43f3-9b82-48956abb3843 MachineName:DESKTOP-TWO MachineId:42ab58bda6f0ed5ac567403ab2e55e9e9b363bee NebulaId: GroupId:gggggggg-4159-4768-8777-a847b7ac2620 ADObjectId: OSInfo:{“os_platform”:”Windows”,”os_version”:”10.0.19042″,”os_architecture”:”Amd64″,”os_release_name”:”Microsoft Windows 10 Pro”,”os_type”:”Workstation”}
INFO IOSocketWrapper AuthTokenStore_TokensChanged

INFO ExclusionsProcessor Waiting for a new Exclusion Etag to be queued.
INFO NebulaCommunicator Starting Nebula Communicator
INFO BoomerangHandler Calling machine sync api
INFO EAEngine Refreshing Policy ….
INFO EAEngine Fetching new policy….
INFO EAEngine fetching policy.
INFO EAPolicy Incident Response is disabled.
INFO EAPolicy Mac Incident Response is disabled.
INFO EAEngine loaded policy from nebula
INFO SafeSettings In SavePolicyETag, refreshed the settings, saving: 97cfad3949dabddee84b541c246fbf6d

INFO SiriusWrapper Sirius channel: release
INFO SiriusWrapper Sending request to https://sirius.mwbsys.com/api/v1/updates/manifest
INFO SiriusWrapper Request content {“product”:”epa-win”,”build”:”common”,”semver”:”1.2.1″,”os_version”:”10.0.19042″,
“installation_token”:”epa.win.42ab58bda6f0ed5ac567403ab2e55e9e9b363bee”,
“installed_packages”:[{“name”:”epa.win.plugin.mbam”,”semver”:”1.2.876″,”channel”:”release”},
{“name”:”epa.win.plugin.assetmanager”,”semver”:”1.2.331″,”channel”:”release”},
{“name”:”epa.win.plugin.edr”,”semver”:”1.2.305″,”channel”:”release”},
{“name”:”epa.win.plugin.bfp”,”semver”:”1.2.31″,”channel”:”release”},
{“name”:”epa.win.svc”,”semver”:”1.2.508″,”channel”:”release”},
{“name”:”epa.win.engine”,”semver”:”1.2.863″,”channel”:”release”},
{“name”:”epa.win.useragent”,”semver”:”1.2.413″,”channel”:”release”}]}
INFO SiriusWrapper Response status code: OK

Deploying PSEXEC

PSEXEC needs to be available to the endpoints.  There are multiple techniques:

  • Pre-deploy
  • Make available from a network share
  • Dynamically download with a script

Some customers prefer to delete PSEXEC immediately after use.

Dynamically downloading PSEXEC

The following two examples include methods to dynamically download PSEXEC, if not present on the endpoints, and launch it locally via \\localhost.

Windows 10

powershell -command “& {[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri ‘https://live.sysinternals.com/psexec.exe‘ -OutFile ‘c:\psexec.exe’}”

c:\psexec.exe -accepteula \\localhost -i -h “C:\Program Files\Malwarebytes Endpoint Agent\MBCloudEA.exe” -accounttoken xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

Windows 7

bitsadmin  /transfer mydownloadjob  /download  /priority normal http://live.sysinternals.com/psexec.exe  c:\psexec.exe

c:\psexec.exe -accepteula \\localhost -i -h “C:\Program Files\Malwarebytes Endpoint Agent\MBCloudEA.exe” -accounttoken xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

macOS Scripting

The following is an example script which may be run from a software deployment or remote monitoring and management solution.

#!/bin/bash
#
echo ‘—————————————————————————————-‘
echo ‘Changing AccountToken and restarting agent, to wp-signup.php to a new OneView or Nebula Site ‘
echo ‘Input: sudo setenv MWB_accounttoken aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa ‘
echo ‘ Using an environment variable is compatible with RMM scripting ‘
echo ‘Version 1.2 2020-12-07’
echo ‘—————————————————————————————-‘

# If script is not running as root e.g manual testing, then prefix all commands with SUDO
SUDO=”
if (( $EUID != 0 )) ; then
echo ‘Info : Not running as PID 0 root, therefore prefixing commands with sudo’
SUDO=’sudo’
# Retrieve MWB_accounttoken from root environment and set into a local value
MWB_accounttoken=$(sudo launchctl getenv MWB_accounttoken)
fi

if [ $MWB_accounttoken ] ; then
echo “Info : Environment variable \$MWB_accounttoken is $MWB_accounttoken”
else
echo “Error : Blank value. Must set environment variable prior to running this script.”
echo ” Or, edit this script to hardcode it”
echo ” sudo setenv MWB_accounttoken aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa”
return 1
fi

# Check if Endpoint Agent is Version 1.5, by its pathname
if test -f ‘/Library/Application Support/Malwarebytes/Malwarebytes Endpoint Agent/EndpointAgentDaemon’; then
$SUDO ‘/Library/Application Support/Malwarebytes/Malwarebytes Endpoint Agent/EndpointAgentDaemon’ AccountToken=$MWB_accounttoken
exitcode=$?
echo “Info : $exitcode exitcode from change accounttoken”
echo “Info : Restarting Endpoint Management Agent”
$SUDO launchctl unload ‘/Library/LaunchDaemons/com.malwarebytes.EndpointAgent.plist’
echo “Info : $? exitcode from unload com.malwarebytes.EndpointAgent.plist”
$SUDO launchctl load ‘/Library/LaunchDaemons/com.malwarebytes.EndpointAgent.plist’
echo “Info : $? exitcode from load com.malwarebytes.EndpointAgent.plist”
exit $exitcode
fi

# Check if Endpoint Agent is Version 1.6….., by its pathname
# engine/daemon version 1.6.481 or higher
if test -f ‘/Library/Application Support/Malwarebytes/Malwarebytes Endpoint Agent/EndpointAgentDaemon.app/Contents/MacOS/EndpointAgentDaemon’; then
$SUDO ‘/Library/Application Support/Malwarebytes/Malwarebytes Endpoint Agent/EndpointAgentDaemon.app/Contents/MacOS/EndpointAgentDaemon’ AccountToken=$MWB_accounttoken
exitcode=$?
echo “Info : $exitcode exitcode from change accounttoken”
sleep 5
echo “Info : Restarting Endpoint Management Agent”
$SUDO launchctl stop com.malwarebytes.agent.daemon
echo “Info : $? exitcode from stop com.malwarebytes.agent.daemon”
sleep 5
$SUDO launchctl start ‘com.malwarebytes.agent.daemon’
echo “Info : $? exitcode from start com.malwarebytes.agent.daemon”
# exit $exitcode
return $exitcode
fi

Source : Official Malwarebytes Brand
Editor by : BEST Antivirus KBS Team

How useful was this post?

Click on a star to rate it!

Average rating 0 / 5. Vote count: 0

No votes so far! Be the first to rate this post.

(Visited 35 times, 1 visits today)
Tagged: