Deploying Malwarebytes for Mac 1.1.3.72

AVmcclint
Honored Contributor

Until now, I've been content with deploying Malwarebytes for Mac via Self Service as basically a drag-n-drop install to /Applications. This new version that was released recently requires admin rights upon first launch to install a new helper tool. (What's the deal with all these new helper tools?) It looks like it installs /Library/PrivilegedHelperTools/com.malwarebytes.MBAMHelperTool and /Library/LaunchDaemons/com.malwarebytes.MBAMHelperTool.plist. I guess we'll have to roll these along with a launchctl command to enable the LaunchDaemon in any updated policies. Does anyone know what these PrivilegedHelperTools do?

1 ACCEPTED SOLUTION

ttyler1999
Contributor

I was wondering about that helper tool also. According to the manual on the web site "This tool will be used to remove adware or malware that has been installed into locations that require a higher privilege level to access. Without this helper tool, Malwarebytes Anti-Malware will not be able to remove all adware and malware."

https://www.malwarebytes.org/pdf/guides/MBAM-Mac-Guide.pdf

I haven't used launchctl very much before. Would the helper automatically get started next time the computer is rebooted? Do you just need to run launchctl to get it started that first time? What would the syntax of the launchctl command look like?


16 REPLIES

AVmcclint
Honored Contributor

I created a package that contains

/Applications/Malwarebytes.app
/Library/LaunchDaemons/com.malwarebytes.MBAMHelperTool.plist
/Library/PrivilegedHelperTools/com.malwarebytes.MBAMHelperTool

and in the policy: Files and Processes > Execute Command:

launchctl load -w /Library/LaunchDaemons/com.malwarebytes.MBAMHelperTool.plist

AVmcclint
Honored Contributor

BTW, a really good (and FREE) tool that puts a wonderful GUI on launchctl is LaunchControl. Lingon used to be the good one but LaunchControl blew it out of the water in my opinion. I used to be intimidated by doing anything with launch agents and daemons until I found that app.

ttyler1999
Contributor

Awesome, thanks for your help Clint!

Just for clarification, you only need the launchctl to launch the process that first time because on the next restart of the computer it will launch itself?

On the other hand, some of our users go a really long time without a restart so the launchctl command is probably a good idea!

AVmcclint
Honored Contributor

I would assume so. This is my first exposure to these PrivilegedHelperTools. Generally speaking, once you "load" an agent or daemon, the plist determines exactly when it is supposed to run. Some are set to keep alive and always run, some are set to run every few hours, and it looks like this one for Malwarebytes is set to run when it is called upon. I dunno. I'm just guessing because this one is a little different from others I've had to work with.

Now that's not to say that the process won't ever crash. Sometimes if it crashes, the launchdaemon won't start up again until you restart the computer.

AVmcclint
Honored Contributor

The 1.2.4 update changes the names of the LaunchDaemon and PrivilegedHelperTool files.
OLD:

/Library/LaunchDaemons/com.malwarebytes.MBAMHelperTool.plist
/Library/PrivilegedHelperTools/com.malwarebytes.MBAMHelperTool

NEW:

/Library/LaunchDaemons/com.malwarebytes.HelperTool.plist
/Library/PrivilegedHelperTools/com.malwarebytes.HelperTool

So this means the command you'd have to run to activate the LaunchDaemon is:

launchctl load -w /Library/LaunchDaemons/com.malwarebytes.HelperTool.plist
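
Added example, not part of the original thread: a policy script that copes with both helper names listed above, and refuses to load the daemon if the plist or helper binary has the wrong owner or is group/world-writable (either would let a local user change what runs as root). The function names, the ROOT prefix argument and the LAUNCHCTL override are assumptions made for illustration.

```shell
#!/bin/sh
# Labels taken from the thread: HelperTool (1.2.4) and MBAMHelperTool (1.1.3.72).
LABELS="com.malwarebytes.HelperTool com.malwarebytes.MBAMHelperTool"

# find_helper_label ROOT: print the first label whose plist AND helper
# binary both exist under ROOT (pass "" for the live system).
find_helper_label() {
    root="$1"
    for label in $LABELS; do
        if [ -f "$root/Library/LaunchDaemons/$label.plist" ] &&
           [ -f "$root/Library/PrivilegedHelperTools/$label" ]; then
            printf '%s\n' "$label"
            return 0
        fi
    done
    return 1
}

# file_is_safe PATH OWNER: succeed only if PATH is owned by OWNER and is
# neither group-writable nor world-writable.
file_is_safe() {
    [ -n "$(find "$1" -prune -user "$2" ! -perm -020 ! -perm -002)" ]
}

# load_helper ROOT [OWNER]: verify both files, then load the LaunchDaemon.
# Returns 1 if no complete plist/binary pair exists, 2 if a file is unsafe.
load_helper() {
    root="$1"; owner="${2:-root}"
    label=$(find_helper_label "$root") || { echo "no helper pair found" >&2; return 1; }
    plist="$root/Library/LaunchDaemons/$label.plist"
    tool="$root/Library/PrivilegedHelperTools/$label"
    for f in "$plist" "$tool"; do
        file_is_safe "$f" "$owner" || { echo "unsafe owner/mode: $f" >&2; return 2; }
    done
    # LAUNCHCTL is a hypothetical override used only for dry runs.
    ${LAUNCHCTL:-launchctl} load -w "$plist"
}

# Run as root from the policy with: sh thisscript.sh --load
if [ "${1:-}" = "--load" ]; then
    load_helper "" root
fi
```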

TomDay
Release Candidate Programs Tester

@AVmcclint Thx for sharing this, working on deploying this to Self Service as well. Have you figured out a way to keep the signatures up to date on this or does the user have to initiate the check of "Update Signatures" from the menu bar?

AVmcclint
Honored Contributor

I have not. I just rely on the app to check for signatures at launch or manually checking from the menu bar. I have been told that if you pay for the business version of Malwarebytes, there is a command line component to it for applying updates and even running scans (like if you were using ARD or ssh'd to a Mac). However, I was unable to get the Malwarebytes folks to give me a straight answer on the cost. I couldn't get a straight answer out of them for anything, in fact. I can only assume if you want to do anything with the app that is NOT in the GUI, you'll have to pay big bucks.

krispayne
Contributor

In theory, shouldn't you be able to script the user update action via AppleScript?

It's very crude, but:

tell application "/Applications/Malwarebytes Anti-Malware.app"
    activate
    delay 1
    tell application "System Events" to tell process "Malwarebytes Anti-Malware" to set visible to false
    delay 30 --set this to whatever. This is when the updating happens.
    quit
end tell

AVmcclint
Honored Contributor

Only if the app itself has AppleScript dictionaries built into it (right?). I just launched the AppleScript editor and did File > Open Dictionary... Malwarebytes did not appear in the list. It also does not seem to include Automator support either.

krispayne
Contributor

Hey @AVmcclint I posted an example that crudely works. I don't believe for this purpose you need to have an App that is "scriptable." With AppleScript (in my extremely limited knowledge) this is all just objects on the screen. I didn't get into scripting the menu actions of "Scanner" and "Scan" but it seems plausible.

With the above script, this opens the app, waits a second, hides it, and then waits however long you want while it's updating definitions (couldn't find a way to force, but every time it opened, it scanned) then quits. The hiding bit is very inconsistent, though. Maybe an AppleScripter with actual knowledge could help :-)

stevenjklein
Contributor II

Thanks, @AVmcclint. I just built a package and policy using your guidance, and deployed it to my test Mac. It worked properly on my first try.

njzlalo
New Contributor

Has anyone verified that this is working for them for Malwarebytes 3.0.1?

AVmcclint
Honored Contributor

I haven't tried the new version yet. At first glance it looks to be a very different app because now it has a trial period for certain components.

brian_stringham
New Contributor

I just used the Malwarebytes pkg (version 3.0) and it worked perfectly. I installed it on one of our work machines via Casper Remote and it worked without an issue. Just dragged and dropped the pkg into admin.

mani2care
Contributor

Is there a Malwarebytes uninstall script available?