To verify a Malwarebytes Endpoint Protection is running, you can download and run the ServiceStatus.cmd script on the endpoint.
Download and run Service Status script
- Download the attached script zip file (see below) and extract ServiceStatus-x.xx.cmd.txt to the endpoint computer.
- Rename the file to be ServiceStatus-x.xx.cmd
- Administrator privileges are not required to run the script, as it uses only standard Windows commands and scripting.
- It can be run locally by double-clicking and is suitable for remote command-line execution.
- If AppLocker is in use, then it should be placed into an appropriate folder allowed to execute.
- Double-click on the file to run it. Alternatively, it can be run from Windows CMD.EXE prompt and/or its output piped to file e.g.
ServiceStatus-x.xx.cmd > status.txt - A command window displays. The window refreshes every 60 seconds. This is useful when testing for configuration changes and updates e.g. policy or exclusions.
- OnExclusionChanged is new and shows date of last exclusion update/change.
- The script may be edited to change the refresh timer. SET WAITSECS=60
- A command parameter once will suppress refresh/repeat and is useful to output to file e.g.
ServiceStatus-x.xx.cmd once
ServiceStatus-x.xx.cmd once > %homepath%\desktop\ServiceStatus.txt
To cancel the script, enter Ctrl + C or click [x]
Endpoint Detection and Response - typical status
Endpoint Protection - typical status
Note that turning off Real Time Policy Detectors unloads the Malwarebytes real time protection service and its services are disabled.
This is a user community shared utility. Please send questions, comments, and support request to the author directly: Andrew Probert (aprobert@malwarebytes.com)
Restrictions
- Will show Home Premium service, but will not have Management Agent nor Flight Recorder services.
- Will trigger some Suspicious Activity as it is checking status.
Legend
ComputerName
Change history
- 2022-03-15 Version 1.19 Fixed parsing error by delimiters for parsing JSON
- 2021-08-07 Version 1.18 Updated the Endpoint Detection and Response status check logic.
- 2020-11-11 Version 1.17 Fixed version checking, now used EACMD.EXE --versions instead of configuration file. Changed timer to 60 second wait.
- 2019-09-28 Version 1.14 Added Incident Response (MBIRPlugin) version check. It is not a service and runs on demand/scheduled.
- 2019-06-26 Version 1.13 Added OnExclusion which shows latest date/time of an exclusion update item. Fixed error if there is no MBAMService.txt.1 file.
- 2019-06-03 Version 1.12 Added display of SDK/Controllerpackage, which relates to the component update (CU) version. Added display of OnExclusionChanged, so receipt of updates to exclusions can be easily seen. Script will accept variable once as %1, to suppress looping.
- 2019-04-01 Version 1.11 Added status of the configuration of Endpoint Response Settings for Suspicious Activity Monitoring, Rollback and Isolation reading from last log entry in EndpointAgent.txt Note: The log entry also displayed if plugin subsequently uninstalled which obsoletes other entry in log.
- 2019-02-21 Version 1.10 Added count of files in EPR Local Backup
- 2019-01-31 Version 1.08 Added policy.ea_last_update, to show datetime of most recent policy update. Useful when monitoring for recent change.
- 2019-01-22 Version 1.07 Added * warnings in column 1 for disabled and inactive services.
- 2019-01-07 Version 1.06 Added MBAMService.Resource showing Memory and Handles usage. Set timer to 20 seconds with a editable variable in script.
- 2018-12-12 Version 1.05 Fixed problem with reading large EPR backup sizes.
- 2018-10-30 Added controllers_version, date time stamp at top, community note at bottom.
- 2018-10-10 Suppress file not found messages. Search prior log for MBAMService, if not found in current log. Adde.2018-10-08 Added MBAMService CPU% monitor.
- 2018-10-05 Added policy settings, versions for endpoint_protection and mbam_version, EDR Local Backup size estimation.