Overview
The Malwarebytes Endpoint Agent has a minimal user interface by design. Enterprise customers often prefer a solution where the administrator performs all management functions and controls with minimal distractions to end-users. However, easier access to the data at the endpoints is often helpful for visibility, confirmation, and debugging purposes.
What’s This
Malwarebytes Spark is a system tray application that provides a convenient user interface to information and commands at the endpoint and parses data for better visibility. The functions performed by this tool can also be performed manually on the endpoint.
Installation
- Install Malwarebytes Spark using the MSI installer: MalwarebytesSparkInstaller.zip
- Malwarebytes Spark is installed as a tray application. Right-click to start the main interface.
- This tool can only be installed on Windows devices.
Features
Overview
- Malwarebytes Spark is installed using an MSI installer and runs as a System Tray application.
- The utility can be installed and run on an endpoint without the Malwarebytes Agent.
Protection Status
- The protection layers of the Malwarebytes Agent are implemented as file system drivers that are installed and managed automatically according to the policy. The Protection Status page monitors these drivers, along with some other helpful information, at a glance.
- Malwarebytes installs two Windows services:
- The Cloud Endpoint Agent Service (EA) is the agent's control module. It is responsible for communicating with the Malwarebytes Nebula cloud service and receiving commands from it.
- The Protection Engine Service (MBAMService) is the service that hosts the many different protection modules.
- The Online icon is a useful indicator to show whether the Malwarebytes Agent has an active socket connection to Nebula.
- The benefit of having an active connection is that the agent is notified of server commands immediately.
- Not having an active connection is not a functional problem, however, because the agent still polls Nebula for new commands and policy changes every 5 minutes.
- An active online connection is sometimes not possible due to proxy and other network configurations.
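The following PowerShell is an added example (not part of this page and not Malwarebytes' own code) that checks the same things the Protection Status page shows: the state of the two agent services and whether the EA process currently holds an established TCP connection, which is what the Online indicator reflects. The service name MBAMService is from this page; the EA service name MBEndpointAgent is an assumption, so adjust it if your build differs.

```powershell
# Added example (not Malwarebytes' code): report the two agent services and
# whether the Endpoint Agent service process holds an established TCP session.
# Assumption: the EA service is registered as 'MBEndpointAgent'. 'MBAMService'
# is the name used on the page.
function Get-MbAgentStatus {
    [CmdletBinding()]
    param(
        [string[]]$ServiceName = @('MBEndpointAgent', 'MBAMService')
    )
    foreach ($name in $ServiceName) {
        $svc = Get-CimInstance Win32_Service -Filter "Name='$name'"
        if (-not $svc) {
            [pscustomobject]@{ Service = $name; State = 'NotInstalled'; Pid = $null; Established = 0; Peers = @() }
            continue
        }
        $peers = @()
        if ($svc.ProcessId -gt 0) {
            # Established sessions owned by the service process. For the EA this
            # is where the persistent socket to Nebula appears when "Online".
            $peers = @(Get-NetTCPConnection -OwningProcess $svc.ProcessId -State Established -ErrorAction SilentlyContinue |
                ForEach-Object { '{0}:{1}' -f $_.RemoteAddress, $_.RemotePort })
        }
        [pscustomobject]@{
            Service     = $svc.Name
            State       = $svc.State        # Running / Stopped
            Pid         = $svc.ProcessId
            Established = $peers.Count
            Peers       = $peers
        }
    }
}

# Usage (elevated prompt). Zero established peers on the EA service is not a
# fault by itself, since the agent falls back to polling every 5 minutes; a
# stopped service is.
Get-MbAgentStatus | Format-Table Service, State, Pid, Established, @{ n = 'Peers'; e = { $_.Peers -join ', ' } }
```

Get-NetTCPConnection needs the NetTCPIP module (Windows 8 / Server 2012 and later); on older systems substitute netstat -ano and filter on the PID.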
Scan Actions
- Start Threat Scan
- This is done by executing the following program:
C:\ProgramData\Malwarebytes Endpoint Agent\UserAgent\EACmd.exe --threatscan
- The threat scan uses the scan settings defined in the policy, such as the priority level or whether to scan inside archives (e.g., zip).
- Scan Full Disk
- This is done by calling the following program and passing a list file that contains the entire C: drive.
C:\ProgramData\Malwarebytes Endpoint Agent\UserAgent\EACmd.exe -c=custom_scan.lst
- Scan Selected Folder
- This is done by calling the following program and passing a list file that contains the selected folder.
C:\ProgramData\Malwarebytes Endpoint Agent\UserAgent\EACmd.exe -c=custom_scan.lst
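The three scan actions above wrap the same EACmd.exe calls. The following PowerShell is an added example (not Malwarebytes' code) that reproduces them from a script, so the same scans can be triggered from a remote session or a scheduled task without Spark. The EACmd.exe path and the --threatscan and -c=<list> switches are from this page; the list-file layout (one absolute path per line) is an assumption, as is the meaning of EACmd.exe's exit code.

```powershell
# Added example (not Malwarebytes' code): drive EACmd.exe the way Spark does.
# Assumptions: the list file holds one absolute path per line; EACmd.exe must be
# run elevated on an endpoint where the agent is installed.
$EACmd = 'C:\ProgramData\Malwarebytes Endpoint Agent\UserAgent\EACmd.exe'

function Start-MbThreatScan {
    # Threat Scan: priority, archive scanning, etc. come from the policy.
    if (-not (Test-Path -LiteralPath $EACmd)) { throw "EACmd.exe not found at $EACmd (agent installed?)" }
    $proc = Start-Process -FilePath $EACmd -ArgumentList '--threatscan' -Wait -PassThru -NoNewWindow
    return $proc.ExitCode
}

function Start-MbCustomScan {
    param(
        [Parameter(Mandatory)][string[]]$Path,                        # 'C:\' = Scan Full Disk
        [string]$ListFile = (Join-Path $env:TEMP 'custom_scan.lst')
    )
    if (-not (Test-Path -LiteralPath $EACmd)) { throw "EACmd.exe not found at $EACmd (agent installed?)" }
    # Keep only paths that exist, resolved to absolute form, so a typo does not
    # silently become an empty scan.
    $resolved = foreach ($p in $Path) {
        $r = Resolve-Path -LiteralPath $p -ErrorAction SilentlyContinue
        if (-not $r) { Write-Warning "Skipping missing path: $p"; continue }
        $r.ProviderPath
    }
    if (-not $resolved) { throw 'No valid paths to scan.' }
    # Assumed list format: one path per line, plain ASCII (no BOM).
    Set-Content -LiteralPath $ListFile -Value $resolved -Encoding Ascii
    # Quote the list path: both the agent directory and $env:TEMP may contain spaces.
    $proc = Start-Process -FilePath $EACmd -ArgumentList ('-c="{0}"' -f $ListFile) -Wait -PassThru -NoNewWindow
    return $proc.ExitCode
}

# Usage:
#   Start-MbThreatScan
#   Start-MbCustomScan -Path 'C:\'                        # Scan Full Disk
#   Start-MbCustomScan -Path 'C:\Users\Public\Downloads'  # Scan Selected Folder
```

Scan results land in the ScanResults directory described under Detection History, so a scripted scan can be followed by reading the newest file there.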
Detection History
- The Scan History selection parses and lists the files in the following directory. Each file represents one scan entry.
- C:\ProgramData\Malwarebytes\MBAMService\ScanResults
- The Detected Threats selection shows threat detection information that is stored in the following folders.
- C:\ProgramData\Malwarebytes\MBAMService\*
- Note: Detection data is deleted when the MBAMService is reinstalled.
Help
- Malwarebytes Spark has a built-in self-upgrade feature. If a newer version is available, a red badge will be shown. Click the Upgrade button to install the latest version.
Admin Mode
Admin Mode is meant to show features useful to advanced users or the administrators. These pages are not needed for regular end-users. Press Ctrl-Alt-T or click the toggle at the bottom left to enable Admin Mode.
Agent Log
- The EndpointAgent.txt selection reads and refreshes the following main agent log file:
C:\ProgramData\Malwarebytes Endpoint Agent\Logs\EndpointAgent.txt
- JSON content is formatted for easier reading.
- The agent log file is being written to by many different modules within the agent. Use the Filters dropdown box to choose displaying messages created by a specific module.
- For example, select “SiriusWrapper” to see the agent querying the server to determine if newer versions of various components are available.
- The MBAMService.log selection reads and refreshes the following log file:
C:\ProgramData\Malwarebytes\MBAMService\LOGS\MBAMSERVICE.LOG
- Either log file can be saved or emailed as displayed.
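The following PowerShell is an added example (not Malwarebytes' code) of what the Agent Log page does: filter EndpointAgent.txt to one module and pretty-print any JSON embedded in the matching lines. The log path is from this page; the exact line layout is not documented here, so the parser only assumes that the module name appears on the line and that a JSON object, when present, runs from the first "{" to the last "}". The sample lines at the end are constructed for illustration and are not real agent output.

```powershell
# Added example (not Malwarebytes' code): filter the agent log by module and
# expand embedded JSON. Line layout is assumed, not taken from the product.
function Get-MbAgentLogEntries {
    param(
        [string]$Path = 'C:\ProgramData\Malwarebytes Endpoint Agent\Logs\EndpointAgent.txt',
        [string]$Module,            # e.g. 'SiriusWrapper'; omit to keep all modules
        [int]$Tail = 0,             # 0 = whole file
        [string[]]$Lines            # feed lines directly instead of reading $Path
    )
    if (-not $Lines) {
        $Lines = if ($Tail -gt 0) { Get-Content -LiteralPath $Path -Tail $Tail }
                 else             { Get-Content -LiteralPath $Path }
    }
    foreach ($line in $Lines) {
        if ($Module -and $line -notmatch [regex]::Escape($Module)) { continue }
        $json = $null
        $text = $line
        $start = $line.IndexOf('{')
        $end   = $line.LastIndexOf('}')
        if ($start -ge 0 -and $end -gt $start) {
            try {
                $obj  = $line.Substring($start, $end - $start + 1) | ConvertFrom-Json -ErrorAction Stop
                $json = $obj | ConvertTo-Json -Depth 10
                $text = $line.Substring(0, $start).TrimEnd()
            } catch {
                $json = $null           # braces but not JSON: keep the raw line
            }
        }
        [pscustomobject]@{ Text = $text; Json = $json }
    }
}

# Constructed sample lines (assumed layout, for demonstration only):
$sample = @(
    '2024-01-01 10:00:00 [EAService] heartbeat ok',
    '2024-01-01 10:00:05 [SiriusWrapper] version check {"component":"MBAMService","installed":"1.2.3","available":"1.2.4"}',
    '2024-01-01 10:00:06 [SiriusWrapper] no update {"component":"EA","installed":"2.0.0","available":"2.0.0"}'
)
Get-MbAgentLogEntries -Lines $sample -Module 'SiriusWrapper' | ForEach-Object { $_.Text; $_.Json }

# Against the real log, last 500 lines only:
#   Get-MbAgentLogEntries -Module 'SiriusWrapper' -Tail 500
```

Use -Tail on a busy endpoint; the agent log is appended continuously and reading the whole file each refresh is slow.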
Test Connections
- Malwarebytes Spark uses the .NET System.Net.Sockets.TcpClient class to open a TCP connection to each of the services being tested.
- There is currently a hard-coded timeout of 3 seconds to avoid a long wait time.
- Note: Network and content-filtering appliances can allow the TCP connection but strip or rewrite the responses from these services. In that case the connection test succeeds, so a successful test does not pinpoint the cause of a failure further up the stack (TLS or HTTP).
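The following PowerShell is an added example (not Malwarebytes' code) of the test Spark runs, a TcpClient connect with a 3-second timeout, extended with a TLS handshake so that the appliance case above is no longer reported as a pass: an interception proxy shows up as an unexpected certificate issuer or a validation error, and a stripped response shows up as a handshake timeout. The page does not list the Nebula host names, so the hosts at the end are placeholders to replace with the services Spark shows.

```powershell
# Added example (not Malwarebytes' code): TCP reachability plus TLS handshake.
# Host names below are assumed placeholders, not taken from the page.
function Test-MbEndpoint {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443,
        [int]$TimeoutMs = 3000          # same 3-second budget Spark uses
    )
    $r = [ordered]@{ Host = $HostName; Port = $Port; Tcp = $false; Tls = $false; Issuer = $null; Error = $null }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Bounded connect: TcpClient.Connect alone can block for the OS default.
        $ar = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs)) { throw "TCP connect timed out after $TimeoutMs ms" }
        $client.EndConnect($ar)
        $r.Tcp = $true

        # Handshake with certificate validation left on. A TLS-intercepting
        # proxy surfaces as a foreign issuer or a validation exception; an
        # appliance that swallows the ServerHello surfaces as a read timeout.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.ReadTimeout  = $TimeoutMs
        $ssl.WriteTimeout = $TimeoutMs
        $ssl.AuthenticateAsClient($HostName)
        $r.Tls    = $true
        $r.Issuer = $ssl.RemoteCertificate.Issuer
        $ssl.Dispose()
    } catch {
        $r.Error = $_.Exception.GetBaseException().Message
    } finally {
        $client.Dispose()
    }
    [pscustomobject]$r
}

# Assumed placeholder hosts; substitute the services listed on Spark's Test Connections page.
$hosts = @('cloud.malwarebytes.com')
$hosts | ForEach-Object { Test-MbEndpoint -HostName $_ } | Format-Table -AutoSize
```

Tcp true with Tls false and an Error mentioning the certificate chain is the signature of an inspecting proxy; Tcp true with a timeout error points at an appliance that accepted the connection but dropped the response.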
Settings / Policies
- Settings, policy, and exclusion files are encrypted with keys specific to the endpoint.
- Spark decrypts them for display.
- The page is intended to make browsing these files more productive.
Diagnostics
- Generate the standard Malwarebytes Agent diagnostic log files.
- When requested by support, enable Debug Logging and reproduce the issue before generating logs.
- Collect mimics the standard Malwarebytes tray icon Generate Diagnostic Logs command (via Ctrl-Right-Click). The diagnostic zip package is saved on the Desktop. For more information, see Collect Malwarebytes Endpoint Agent diagnostic logs.
- Collect and Email runs the same command but removes binary files (exe, dll, sys, and a few more) to reduce the size and avoid email servers blocking the content. These files can also be uploaded directly into an active support case.
- Malwarebytes Spark can also download, execute, and email the Farbar Recovery Scan Tool (FRST) output.
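The following PowerShell is an added example (not Malwarebytes' code) that applies the Collect and Email trimming step to an existing diagnostic zip, for cases where the package was generated with the standard tray command and then has to be mailed. The page names exe, dll and sys "and a few more"; the additional extensions in the default list are an assumption.

```powershell
# Added example (not Malwarebytes' code): strip binary entries from a diagnostic
# zip before emailing it. The extension list beyond exe/dll/sys is assumed.
Add-Type -AssemblyName System.IO.Compression
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Remove-MbBinaryEntries {
    param(
        [Parameter(Mandatory)][string]$ZipPath,
        [string]$OutPath = [System.IO.Path]::ChangeExtension($ZipPath, '.trimmed.zip'),
        [string[]]$Extension = @('.exe', '.dll', '.sys', '.ocx', '.cpl', '.scr', '.msi', '.cab')
    )
    # Work on a copy so the original package stays intact for upload to a case.
    Copy-Item -LiteralPath $ZipPath -Destination $OutPath -Force
    $zip = [System.IO.Compression.ZipFile]::Open($OutPath, [System.IO.Compression.ZipArchiveMode]::Update)
    try {
        # Snapshot the entry list first: deleting while enumerating Entries throws.
        $victims = @($zip.Entries | Where-Object {
            $Extension -contains [System.IO.Path]::GetExtension($_.Name).ToLowerInvariant()
        })
        $removed = foreach ($e in $victims) { $e.FullName; $e.Delete() }
    } finally {
        $zip.Dispose()
    }
    [pscustomobject]@{
        Output  = $OutPath
        Removed = @($removed)
        Bytes   = (Get-Item -LiteralPath $OutPath).Length
    }
}

# Usage, against the package the tray command writes to the Desktop:
#   Remove-MbBinaryEntries -ZipPath (Join-Path ([Environment]::GetFolderPath('Desktop')) 'mbdiag.zip')
```

Keep the untrimmed copy: the binaries support may later ask for are exactly the ones this removes.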
Versions
- Various information about the many components of the Malwarebytes Agent is available in the settings file.
- This page parses and displays some useful version numbers for the different components.
Install / Uninstall
- For testing and debugging purposes, it is sometimes useful to uninstall and reinstall the endpoint agent.
- An uninstall password will be required if the policy has been configured to require one.
- For the installation option, logging in to the Nebula Cloud is required. This allows Spark to download the specific installer tied to the Nebula account.