Administrators can delete endpoints using the console, which removes them from Nebula. After a period of time, the deleted endpoint is also removed from the Malwarebytes database. Malwarebytes then uninstalls the agent from the endpoint. This article explains what happens when you mark endpoints for deletion, and how to perform this action.
Alternatively, you can automate the removal of inactive and obsolete endpoints. For more information, refer to the article Configure Inactive Endpoint Removal option in Nebula.
When endpoints are marked for deletion using the Nebula console
When you select endpoints for deletion, the following happens:
- The console flags the endpoint for uninstall.
- The console removes the endpoint from the UI. This frees up one of your seat licenses.
- A hidden task is created to delete the endpoint
- If the endpoint is online, the uninstall task is executed immediately
- If the endpoint checks in within 90 days:
- The task is picked up and the endpoint uninstalls Malwarebytes.
- If the endpoint checks in after 90 days:
- The Delete task has expired in the console since the endpoint did not check in within the 90 day period.
- Malwarebytes remains installed on the endpoint and the endpoint re-registers and appears in the console again. You must re-initiate the Delete task in the console.
Delete endpoint in Nebula
To delete an endpoint from the Nebula console:
- On the left navigation pane, go to Manage > Endpoints.
- Check the boxes next to endpoints you want to delete.
- In the upper-right, click Actions
- In the drop down menu, click Delete.
- A confirmation window displays. Enter the number of endpoints and click Delete endpoint.
Delete Windows endpoint
By logging in with administrative privileges, you can delete the Malwarebytes agent on an endpoint. If the endpoint is online, Malwarebytes Nebula removes the endpoint from the list. If offline, you must manually delete the agent from the Windows endpoint.
If Tamper Protection with an Uninstall Password is enabled, then one of the following must occur:
- The Uninstall Password is entered when prompted from the uninstaller.
- The Uninstall Password is provided as a command line argument using MSIEXEC.
- The endpoint is moved to a group with a policy where an Uninstall Password is disabled, and the policy has propagated to the endpoint.
Methods available:
- Use Programs and Features.
- Launch the installer from Windows command line as an administrator:
MSIEXEC.exe /x "<fullpath1>\Setup.MBEndpointAgent.x64.msi" /qn /log "<fullpath2>\Setup.MBEndpointAgent.x64.msi.log"
- If Tamper Protection is enabled, you must use the following syntax and input the password from the policy associated with the endpoint's group:
MSIEXEC.exe /X {949D1792-E377-4348-8BC4-6D643EF49B21} /qn /log "<fullpath>\Setup.MBEndpointAgent.x64.msi.log" Password="$ecure Password 1234!"
- If Tamper Protection is enabled, you must use the following syntax and input the password from the policy associated with the endpoint's group:
- For endpoints which may be corrupted or cannot be deleted normally, download and run the Malwarebytes Business Support Tool if they are not tamper protected, or use the Discovery and Deployment tool if they are tamper protected.
Delete macOS Endpoint
If the endpoint is online, Malwarebytes Nebula is notified and removes the endpoint. If offline, you must manually delete the agent from the Mac endpoint.
Methods available:
- Launch EndpointAgentDaemon with the -uninstall option.
- Use single quotes for literal string, or blanks should be escaped with \ if the command is scripted.
sudo '/Library/Application Support/Malwarebytes/Malwarebytes Endpoint Agent/EndpointAgentDaemon.app/Contents/MacOS/EndpointAgentDaemon' -uninstall
- If Tamper Protection is enabled, you need to include it as part of the Uninstall command. If the Uninstall Password has special characters, use single quotes or escape characters.
sudo '/Library/Application Support/Malwarebytes/Malwarebytes Endpoint Agent/EndpointAgentDaemon.app/Contents/MacOS/EndpointAgentDaemon' -uninstall 'UninstallPassword1234!'
- Use single quotes for literal string, or blanks should be escaped with \ if the command is scripted.
- For endpoints which may be corrupted or cannot otherwise be deleted normally, you can manually delete them with the following commands:
sudo rm -r /Library/LaunchDaemons/com.malwarebytes.EndpointAgent.plist
sudo rm -r /Library/LaunchDaemons/com.malwarebytes.agent.daemon.plist
sudo rm -r /Library/LaunchAgents/com.malwarebytes.UserAgent.plist
sudo rm -r /Library/LaunchDaemons/com.malwarebytes.ncep.rtprotection.daemon.plist
sudo rm -r /Library/LaunchDaemons/com.malwarebytes.ncep.settings.daemon.plist
sudo rm -r '/Library/Application Support/Malwarebytes/'
Delete Linux Endpoint
If the endpoint is online, Malwarebytes Nebula is notified and removes the endpoint. If offline, you must manually delete the agent from the Linux endpoint.
Methods available:
- For DPKG distros, enter the following command in your Linux CLI:
sudo apt remove mblinux
- For RPM distros, enter the following command in your Linux CLI:
sudo yum remove mblinux
Return to the Malwarebytes Nebula Administrator Guide.