Package Malwarebytes Endpoint Agent

dwaterbury
New Contributor III

Does anyone know how to best Package up the Malwarebytes Endpoint Agent for Business? The file they provide has special characters so it prevents me from just uploading it directly into Jamf. I have tried changing the name and am able to upload it, but when it installs, the icon appears on the Menu bar, but is not interactive (can't click to start a scan) and does not appear in their Nebula platform.

I've added the kernel extension in Configuration Profiles. And I can perform the manual install on a computer successfully. I'm currently using Movaje, but will be looking for any other help for Catalina that might vary given we will be migrating this summer.

Thank you.

15 REPLIES 15

georgecm12
Contributor III

I haven't looked into this specific case, but you might be able to create a "package in a package." Using your preferred package creation tool, create an installer that places the Malwarebytes .pkg file into someplace like /tmp. Then, add a postinstall script to the package that installs the Malwarebytes .pkg.

pete_c
Contributor III

I've never had any trouble uploading or deploying Malwarebytes packages generated from AutoPkgr.

As always, test before deployment.

georgecm12
Contributor III

@pete_c Are you referring to the consumer Malwarebytes, or the managed Malwarebytes Cloud client? I wouldn't think you'd be able to do a Autopkg recipe for the managed client.

bjones
New Contributor III

@dwaterbury Good afternoon i am also trying to get this application running in our environment at the moment if you dont mind me asking how did you setup your configuration profile to bypass the KEXT for the app. So that the requirement to have user click allow is not a need?

hkrewson
New Contributor

@dwaterbury I sent the same question in to Malwarebytes support. We just pulled the trigger to get started so we can deploy this out. The way I'm intending to get around this in Jamf is by hosting the file and creating a shell script to curl it down.

@bjones Malwarebytes have two articles here, and here that should be helpful.

dwaterbury
New Contributor III

Hi Everyone. Thank you for the responses. I reached out to Malwarebytes Support to get the answer. I was able to use push it out last Friday and I started seeing computers come into their "Nebula" interface.

The Support Tech said to download the mac .pkg from them and just change the 2 brackets in the name to _
I had initially tried renaming it differently, but some sort of licensing number is within those brackets and it prevents the laptop from registering within Nebula.

Here is an example of what it looks like initially when you download it:
Setup.MBEndpointAgent_[abcdefghi-1234-5678–jklm-nopqrstuvwxy]__.pkg

Here is how it will look after you edit the name of the file:
Setup.MBEndpointAgent__abcdefghi-1234-5678–jklm-nopqrstuvwxy___.pkg

After doing this, I was able to load it into our JAMF cloud instance without a problem.
After I pushed it out, with a Restart of the computer after install, the users appeared in the Nebula interface.

I also created a Configuration Profile that Approved Kernel Extension TeamID: GVZRY6KDKR
As was instructed here.

I hope this helps everyone.

danlaw777
Contributor III

@dwaterbury are you simply removing the brackets and adding an underscore to make the pkg file work? if so how many on each end?

ryan_ball
Valued Contributor

@dwaterbury Last time I checked, the MalwareBytes package did not correctly load the LaunchAgent it installs. So you can add this as a payload to your policy to load the LaunchAgent after the package installs, which might eliminate the need to restart:

#!/bin/bash

loggedInUser=$(/usr/sbin/scutil <<< "show State:/Users/ConsoleUser" | /usr/bin/awk '/Name :/ && ! /loginwindow/ { print $3 }' )
loggedInUID=$(/usr/bin/id -u "$loggedInUser")
identifier="com.malwarebytes.UserAgent"
agentPlist="/Library/LaunchAgents/$identifier.plist"

# Stop the LaunchAgent if it is running
if launchctl list | grep "$identifier" &> /dev/null ; then
    /bin/launchctl asuser "$loggedInUID" /bin/launchctl unload "$agentPlist"
fi

# Load the LaunchAgent
/bin/launchctl asuser "$loggedInUID" /bin/launchctl load "$agentPlist"

exit 0

DPolly
New Contributor III

I have the policy created without the brackets and adding the underscore but it doesn't show that its being installed, I just show a pending in the logs, I seen the payload info above but can you tell me where that would go?

wnazari
New Contributor

I also have the policy without the brackets. With JAMF, since brackets are not allowed, you'll need to replace the brackets with underscores.

rocrusso
New Contributor II

(just chiming in to confirm removing the bracket on either end and replacing with _ works, you will have 2 underscores in front and 3 on the trail)

Anyone know how to make a smart group to search who has this installed and who does not? I've been banging away at a few different ways but can't seem to find it.

rocrusso
New Contributor II

also this is helpful as well:
https://support.malwarebytes.com/hc/en-us/articles/360047485253-Grant-Malwarebytes-Endpoint-Agent-Full-Disk-Access-for-Mac-endpoints-using-UAMDM
config profile for Malwarebytes full disk access, which is needed

rocrusso
New Contributor II

I couldn't find anything to search with so I created an Extension Attribute to check if Malwarebytes Nebula Endpoint Agent is installed or not.

#!/bin/sh
if [ -d "/Library/Application Support/Malwarebytes/Malwarebytes Endpoint Agent" ] 
then
    echo "<result>Installed</result>"
else
    echo "<result>Not Installed</result>"
fi

mani2care
Contributor

Malwarebytes uninstall script any thing is available?

danlaw777
Contributor III

as a follow up, if your running MB from the enterprise web version, simply deleting it from the server will force an uninstall on the end points.