Skip to main content

Endpoint Agent Linux system components

The Malwarebytes Endpoint Agent installs and uses the following components to provide functionality on a Linux endpoint. Some components only exist if the associated feature, capability, or plugin is enabled in the policy assigned to the endpoint.

Directories

The following directories contain files utilized by the Malwarebytes Endpoint Agent and its plugins on a Linux endpoint:

Path Description

/usr/bin/

Default Linux system folder for executables and the home of core Malwarebytes for Linux processes and executables.

/usr/share/mblinux/

Global application data store for Malwarebytes for Linux.

/etc/mblinux

Global configuration data store for Malwarebytes for Linux.

/var/lib/mblinux/

Stores the quarantine and inter-process communication socket used by Malwarebytes for Linux.

/var/log/

Default Linux system folder for logs and Malwarebytes for Linux logs.
 

Daemons

The following table lists the daemons or system processes that run on a Linux endpoint:

Name Path Description

mbdaemon

/usr/bin/mbdaemon

The Malwarebytes Endpoint Agent Daemon provides the Endpoint Agent Engine, plugin framework, and communication to Malwarebytes Nebula.

Kernel Modules (Drivers)

The following table lists the Kernel Modules or drivers that run on a Linux endpoint:

Name Install on-demand Path Description

mbedr_drv

yes
  • /kernel/misc/mbedr_drv
  • /lib/modules/<kernel version>
    /updates/dkms/mbedr_drv.ko

The Malwarebytes EDR Driver provides Malwarebytes Endpoint Detection & Response functionality on Linux.
 

Processes

The following table lists common processes that run on a Linux endpoint:

Path Description

/usr/bin/mbdaemon

The Malwarebytes Endpoint Agent Daemon provides the Endpoint Agent Engine, plugin framework, and communication to Malwarebytes Nebula.

/usr/bin/mblinux

This process hosts a command-line interface for interacting with and configuring Malwarebytes for Linux.

/usr/share/mblinux/plugins/
epa.linux.plugin.edr/epa.linux.plugin.edr

This process hosts the Malwarebytes Endpoint Detection and Response Plugin.
 

Plugins

The following table lists the Plugins that the Malwarebytes Endpoint Agent utilizes on a Linux endpoint for product functionality:

Name Path Description
Endpoint Protection (EP)

/usr/bin/mbdaemon

Enables the following features:

  • Malwarebytes Endpoint Protection:

    • On-demand threat scanning

    • Real Time Protection (RTP)

    • Anti-Malware (AME)
Endpoint Detection and Response (EDR)

/usr/share/mblinux/plugins/
epa.linux.plugin.edr/epa.linux.plugin.edr

Enables the following EDR features:

  • Suspicious Activity Monitoring

  • Endpoint Isolation
 

For information on system components for other operating systems, see the links below:

 

Related articles