The Malwarebytes Endpoint Agent installs and uses the following components to provide functionality on a Windows endpoint. Some components only exist if the associated feature, capability, or plugin is enabled in the policy assigned to the endpoint.
Directories
The following directories contain files utilized by the Malwarebytes Endpoint Agent and its plugins on a Windows endpoint:
| Path | Description |
|
C:\Program Files\Malwarebytes Endpoint Agent |
Application files for the Malwarebytes Endpoint Agent and component plugins. |
|
C:\Program Files\Malwarebytes\Anti-Malware |
Application files used by Malwarebytes Endpoint Protection and Malwarebytes Incident Response. |
|
C:\ProgramData\Malwarebytes Endpoint Agent |
Global application data store for the Malwarebytes Endpoint Agent and component plugins. |
|
C:\ProgramData\Malwarebytes\MBAMInstallerService |
Global application data store for the Malwarebytes Installer Service. |
|
C:\ProgramData\Malwarebytes\MBAMService |
Global application data store for the Malwarebytes Endpoint Protection and Malwarebytes Incident Response. |
Services
The following table lists the Malwarebytes services that run on a Windows endpoint:
| Service Name | Process Path | Description |
|
MBEndpointAgent |
C:\Program Files\Malwarebytes Endpoint Agent\MBCloudEA.exe |
The Malwarebytes Endpoint Agent Service provides the Endpoint Agent Engine, plugin framework, and communication to Malwarebytes Nebula. |
|
EAServiceMonitor |
C:\Program Files\Malwarebytes Endpoint Agent\ServiceMonitor\EAServiceMonitor.exe |
The Malwarebytes Endpoint Agent Service Monitor checks the health of the Malwarebytes Endpoint Agent and provides recovery if needed. |
|
dnscrypt-proxy |
C:\Program Files\Malwarebytes Endpoint Agent\Services\DNSProxy\dnscrypt-proxy.exe |
The DNSCrypt Proxy Service provides a proxy Server that sends DNS requests using DNS over HTTPS for Malwarebytes DNS Filtering. |
|
MBAMService |
C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe |
The Malwarebytes Service provides the protection layers and scanning engine of Malwarebytes Endpoint Protection and Malwarebytes Incident Response. |
|
MBAMInstallerService |
C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe |
The Malwarebytes Installer Service provides installation functionality for new versions of Malwarebytes Endpoint Protection. |
Drivers
The following table lists the Malwarebytes drivers that run on a Windows endpoint:
| Service Name | Image Path | Description |
|
MBAMChameleon |
C:\windows\system32\drivers\MbamChameleon.sys |
The Malwarebytes Self-Protection Driver provides Malwarebytes product protection and Device Control functionality. |
|
MBAMElam |
C:\windows\system32\drivers\MbamElam.sys |
The Malwarebytes Early-Launch Anti-Malware Driver (ELAM) provides Windows ELAM functionality. |
|
MBAMFarflt |
C:\windows\system32\drivers\farflt.sys |
The Malwarebytes Anti-Ransomware Driver provides ransomware behavior protection. |
|
MBAMProtection |
C:\windows\system32\drivers\mbam.sys |
The Malwarebytes Real-Time Protection Driver provides real-time threat protection |
|
MBAMSwissArmy |
C:\windows\system32\drivers\mbamswissarmy.sys |
The Malwarebytes Swiss Army Driver provides specialized threat detection and remediation functionality for rootkits and other similar malware. |
|
MBAMWebProtection |
C:\windows\system32\drivers\mwac.sys |
The Malwarebytes Web Access Control Driver provides malicious web traffic protection. |
|
ESProtectionDriver |
C:\windows\system32\drivers\mbae64.sys C:\windows\system32\drivers\mbae.sys |
The Malwarebytes Anti-Exploit Driver provides exploit behavior protection. |
|
FlightRecorder |
C:\windows\system32\drivers\FlightRecorder.sys |
The Malwarebytes Flight Recorder provides Suspicious Activity Monitoring, Ransomware Rollback, Endpoint Isolation, and Active Response Shell functionality |
|
mbdnsfilter |
C:\windows\system32\drivers\mbdnsfilter.sys |
The Malwarebytes DNS Filter Driver provides Malwarebytes DNS Filtering functionality. |
Processes
The following table lists the common Malwarebytes processes that run on a Windows endpoint:
| Path | Description |
|
C:\Program Files\Malwarebytes Endpoint Agent\ConfigurationRecoveryTool.exe |
The utility for recovering a corrupted Endpoint Agent Configuration file. |
|
C:\Program Files\Malwarebytes Endpoint Agent\MBCloudEA.exe |
Provides the Malwarebytes Endpoint Agent Service, Endpoint Agent Engine, plugin framework, and communication to Malwarebytes Nebula. |
|
C:\Program Files\Malwarebytes Endpoint Agent\Plugins\Active Response Shell\x64\ARSLauncher.exe C:\Program Files\Malwarebytes Endpoint Agent\Plugins\Active Response Shell\Win32\ARSLauncher.exe |
Provides Active Response Shell functionality. |
|
C:\Program Files\Malwarebytes Endpoint Agent\Plugins\Active Response Shell\x64\Timeliner.exe C:\Program Files\Malwarebytes Endpoint Agent\Plugins\Active Response Shell\Win32\Timeliner.exe |
Provides access to Malwarebytes Forensic Timeliner capabilities in Active Response Shell. |
|
C:\Program Files\Malwarebytes Endpoint Agent\Plugins\Asset Manager\Malwarebytes.AssetPro.Launcher.exe |
Hosts and executes the OPSWAT OESIS SDK for performing advanced asset scans, installing 3rd party software updates, and applying operating system patches. |
|
C:\Program Files\Malwarebytes Endpoint Agent\ServiceMonitor\EAServiceMonitor.exe |
Provides the Malwarebytes Endpoint Agent Service Monitor Service. |
|
C:\Program Files\Malwarebytes Endpoint Agent\Services\AssetPro\native\wa_3rd_party_host_64.exe C:\Program Files\Malwarebytes Endpoint Agent\Services\AssetPro\native\wa_3rd_party_host_32.exe |
The host process for the OPSWAT OESIS SDK used by Malwarebytes Vulnerability Assessment and Patch Management. |
|
C:\Program Files\Malwarebytes Endpoint Agent\Services\DNSProxy\dnscrypt-proxy.exe |
The proxy Server that sends DNS requests using DNS over HTTPS for Malwarebytes DNS Filtering functionality. |
|
C:\Program Files\Malwarebytes Endpoint Agent\UserAgent\EACmd.exe |
The command-line utility for managing specific tasks of the Malwarebytes Endpoint Agent. |
|
C:\Program Files\Malwarebytes Endpoint Agent\UserAgent\Endpoint Agent Tray.exe |
Provides the Malwarebytes Endpoint Agent Tray. |
|
C:\Program Files\Malwarebytes\Anti-Malware\MbamPt.exe |
Provides functionality for Malwarebytes Real-Time Protection. |
|
C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe |
Provides the Malwarebytes Service process and the protection layers and scanning engine of Malwarebytes Endpoint Protection and Malwarebytes Incident Response. |
|
C:\Program Files\Malwarebytes\Anti-Malware\MBAMWsc.exe |
Provides Malwarebytes products with functionality to interact with Windows Security Center. |
|
C:\Program Files\Malwarebytes\Anti-Malware\ig.exe |
Provides Malwarebytes Endpoint Protection and Incident Response with advanced threat detection and remediation capabilities. |
|
C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe |
Provides the Malwarebytes Installer Service and installation functionality for new versions of Malwarebytes Endpoint Protection and Malwarebytes Incident Response. |
Plugins
The following table lists the Malwarebytes plugins and their associated DLL file on a Windows endpoint:
| Name | Path | Description |
|
Asset Manager |
C:\Program Files\Malwarebytes Endpoint Agent\Plugins\Asset Manager\EAAssetMgmtPlugin.dll |
Enables the Malwarebytes Asset Manager for hardware and software asset inventory |
|
Asset Manager Pro |
C:\Program Files\Malwarebytes Endpoint Agent\Plugins\Asset Manager\Malwarebytes.AssetPro.dll |
Enables the Malwarebytes Asset Manager Pro and the OPSWAT OESIS SDK for Vulnerability Assessment and Patch Management features |
|
Endpoint Protection (EP, MBAM Plugin, NCEP Plugin) |
C:\Program Files\Malwarebytes Endpoint Agent\Plugins\Endpoint Protection\EAMBAMPlugin.dll |
Enables the following features:
|
|
DNS Content Filtering |
C:\Program Files\Malwarebytes Endpoint Agent\Plugins\DNS Content Filtering\DNSFilterPlugin.dll |
Enables the Malwarebytes DNS Filtering feature powered by Cloudflare. |
|
Endpoint Detection and Response (EDR) |
C:\Program Files\Malwarebytes Endpoint Agent\Plugins\Endpoint Detection and Response\EDRPlugin.dll |
Enables the following EDR features:
|
|
Active Response Shell (ARS) |
C:\Program Files\Malwarebytes Endpoint Agent\Plugins\Active Response Shell\ARSPlugin.dll |
Enables the following Malwarebytes Active Response Shell features in EDR:
|
|
Windows Remote Intrusion Detection and Prevention / Brute Force Protection (BFP) |
C:\Program Files\Malwarebytes Endpoint Agent\Plugins\Windows Remote Intrusion Detection and Prevention\BFPPlugin.dll |
Enables Malwarebytes Brute Force Protection to prevent brute force attacks over common remote communication protocols. |
For information on system components for other operating systems, see the links below: