Malwarebytes Integration
Note: This document has been imported from the former KB and has not yet been verified.
This integration utilizes Syncro’s robust scripting engine and adds three certified MBAM scripts to your account. The scripts will be uploaded to your Scripting library in Syncro once the integration is set up. You can:
- Install Malwarebytes directly from Syncro
- Run and schedule a script that monitors a system that has Malwarebytes 3.6.X+ for threats found
- Run and schedule a script that scans for threats
Set Up
To get started with the Malwarebytes integration, head to the Malwarebytes App Card under Admin > App Center. Once all the Malwarebytes setup is complete, select the "Setup" button in Syncro.
This will add all three Malwarebytes scripts to your account. It will also automatically create the three asset custom fields needed for the integration. You can view these by going to Admin > Asset Custom Fields > Syncro Device > Manage Fields.
Install Script
This script silently installs the latest version of Malwarebytes Premium (3.x) using the license key provided in the script variable $LICENSE_KEY and populates these Asset custom fields if they exist:
- Malwarebytes_Version
- Malwarebytes_InstallDate
- Malwarebytes_LicenseKey
Once everything is set up and the scripts are added, there are two ways to use this install script with Syncro’s scripting engine.
Manual Malwarebytes Install
If you want to manually input the license key each time you run this script, set a runtime variable in the Install script called LICENSE_KEY.
With this runtime variable set, when you run the install script you will be prompted to manually input the license key for that asset.
The limitation of this approach is that you will have to manually input the license key every time you run the script.
Automated Malwarebytes Install
In the automated approach, we will take advantage of the scripting engine’s platform variables. Platform variables pull from asset custom fields when the script is run. For each asset you intend to install Malwarebytes on, edit its custom field “Malwarebytes_LicenseKey” with the license key you intend to use for that asset.
Once that has been set, edit your Malwarebytes install script to use this custom field as a script variable.
Now when you run this script on an asset, Syncro’s scripting engine will automatically pull the license key custom field into the script and use it to install.
What Happens After Install?
After installation is complete, those three custom fields you created for your Syncro devices should now be populated, and you can use the other two scripts included in this integration.
To confirm the install was completed correctly by Syncro, you can check the install date custom field on the asset.
Monitor Threats Script
This script can be set to run on a schedule to monitor a system that has Malwarebytes Premium (3.x) for threats found during scans or real-time protection events. The script saves a timestamp each time it is executed and will only alert for new threats found since the last time the script was executed.
Examples:
- First time the script runs -> Alert on every threat ever found
- Script run 30 minutes later -> Alert only on threats found in the last 30 minutes (if any)
When an alert is raised, it triggers an RMM alert that you will see in your Syncro dashboard on the RMM Alerts page.
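The "only new threats since the last run" behaviour described above amounts to a saved high-water mark. The PowerShell below is an added example, not the certified Syncro/Malwarebytes script: the function name Get-NewDetections, the state-file location and the detection record fields (DetectedAtUtc, ThreatName, Path) are assumptions, and the sample detections are constructed.

```powershell
# Added example: "alert only on detections newer than the last run".
# Record shape (DetectedAtUtc, ThreatName, Path) and state path are assumptions.
function Get-NewDetections {
    param(
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Detections,
        [Parameter(Mandatory)] [string] $StatePath,
        # Capture this BEFORE reading the log so late detections roll into the next run.
        [datetime] $NowUtc = [datetime]::UtcNow
    )
    # First run, or unreadable state: cutoff is MinValue, so every detection is new.
    # Failing open re-alerts on old threats rather than hiding new ones.
    $lastRun = [datetime]::MinValue
    if (Test-Path -LiteralPath $StatePath) {
        $raw = [string](Get-Content -LiteralPath $StatePath -TotalCount 1)
        $parsed = [datetime]::MinValue
        $ok = [datetime]::TryParseExact($raw.Trim(), 'o',
            [Globalization.CultureInfo]::InvariantCulture,
            [Globalization.DateTimeStyles]::RoundtripKind, [ref]$parsed)
        if ($ok) { $lastRun = $parsed }
    }
    # Half-open window (lastRun, NowUtc]: each detection falls in exactly one run's window.
    $new = @($Detections | Where-Object {
        $_.DetectedAtUtc -gt $lastRun -and $_.DetectedAtUtc -le $NowUtc })
    # Advance the mark only after filtering succeeded.
    Set-Content -LiteralPath $StatePath -Value $NowUtc.ToString('o') -Encoding UTF8
    return $new
}

# Constructed sample data: two old detections, then one that appears later.
$state = Join-Path ([IO.Path]::GetTempPath()) 'mbam-lastrun-example.txt'
Remove-Item -LiteralPath $state -ErrorAction SilentlyContinue
$t0 = [datetime]::new(2024, 1, 1, 12, 0, 0, [DateTimeKind]::Utc)
$log = @(
    [pscustomobject]@{ DetectedAtUtc = $t0.AddMinutes(-90); ThreatName = 'Constructed.Sample.A'; Path = 'C:\Temp\a.bin' }
    [pscustomobject]@{ DetectedAtUtc = $t0.AddMinutes(-10); ThreatName = 'Constructed.Sample.B'; Path = 'C:\Temp\b.bin' }
)
$first = @(Get-NewDetections -Detections $log -StatePath $state -NowUtc $t0)
$log += [pscustomobject]@{ DetectedAtUtc = $t0.AddMinutes(20); ThreatName = 'Constructed.Sample.C'; Path = 'C:\Temp\c.bin' }
$second = @(Get-NewDetections -Detections $log -StatePath $state -NowUtc $t0.AddMinutes(30))

'First run: {0} alert(s); 30 minutes later: {1} alert(s)' -f $first.Count, $second.Count
$second | Format-Table DetectedAtUtc, ThreatName, Path
```

Because the state file decides what gets suppressed, keep it somewhere standard users cannot write; a tampered or future-dated mark would silence alerts until the clock catches up.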
Malwarebytes Scan Script
This script simply scans for threats. You’ll want to run this script semi-regularly so the script that monitors threats will get new threats when it checks. You do have the option to edit some of the arguments in this script if you want to run a different kind of scan.
You can execute a Hyper Scan by using the argument “--hyperscan” instead of “--threatscan” in the Scan script.
You can also do a custom scan:
--contextscan FilePaths.txt [save_results] [ScanResults.json]
This switch starts the UI if it is not running, then starts a context scan that reads the target paths from a UTF-8 text file specified as the first argument. The optional "save_results" argument outputs any detections found by the scan to the specified ScanResults JSON file.
Scheduling Scripts
There are two main ways to use the scripts provided in the Malwarebytes integration. You can run the install script manually when you are ready to install. After it is installed, you can manually set a schedule for scanning and monitoring threats. You get this option when you go to a specific asset and run a script, or when you run a script on many assets in bulk.
Your other option is to use the script scheduling feature in Policies. In a policy, you can specify scripts to be run when a device is first created, as well as any scripts you want to run on a schedule. This way, you could potentially set up your Malwarebytes script schedule once and not worry about it in the future.
Uninstalling Malwarebytes on a Mac
Here is a script offered by Malwarebytes to uninstall on a Mac.
https://support.malwarebytes.com/hc/en-us/articles/360051441054-Uninstall-and-reinstall-Malwarebytes-for-Mac