The Endpoint Agent installs and uses the following components to provide functionality on Windows, Mac, and Linux devices. Some components only exist if the associated feature, capability, or plugin is enabled in the policy assigned to the endpoint.
Windows
Directories
The following directories contain files utilized by the Endpoint Agent and its plugins on a Windows endpoint:
Path | Description |
C:\Program Files\Malwarebytes Endpoint Agent | Application files for the Endpoint Agent and component plugins. |
C:\Program Files\Malwarebytes\Anti-Malware | Application files used by Endpoint Protection and Incident Response. |
C:\ProgramData\Malwarebytes Endpoint Agent | Global application data store for the Endpoint Agent and component plugins. |
C:\ProgramData\Malwarebytes\MBAMInstallerService | Global application data store for the Malwarebytes Installer Service. |
C:\ProgramData\Malwarebytes\MBAMService | Global application data store for Endpoint Protection and Incident Response. |
Services
The following table lists the services that run on a Windows endpoint:
Service Name | Process Path | Description |
MBEndpointAgent | C:\Program Files\Malwarebytes Endpoint Agent\MBCloudEA.exe | The Endpoint Agent Service provides the Endpoint Agent Engine, plugin framework, and communication to OneView. |
EAServiceMonitor | C:\Program Files\Malwarebytes Endpoint Agent\ServiceMonitor\EAServiceMonitor.exe | The Endpoint Agent Service Monitor checks the health of the Endpoint Agent and provides recovery if needed. |
dnscrypt-proxy | C:\Program Files\Malwarebytes Endpoint Agent\Services\DNSProxy\dnscrypt-proxy.exe | The DNSCrypt Proxy Service provides a proxy server that sends DNS requests using DNS over HTTPS (DoH) for DNS Filtering. |
MBAMService | C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe | The Malwarebytes Service provides the protection layers and scanning engine of Endpoint Protection and Incident Response. This also includes our Tamper Protection and Process protection service. |
MBAMInstallerService | C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe | The Malwarebytes Installer Service provides installation functionality for new versions of Endpoint Protection. |
Drivers
The following table lists the drivers that run on a Windows endpoint:
Service Name | Image Path | Description |
MBAMChameleon | C:\windows\system32\drivers\MbamChameleon.sys | The Self-Protection Driver provides product protection and Device Control functionality. |
MBAMElam | C:\windows\system32\drivers\MbamElam.sys | The Early-Launch Anti-Malware Driver (ELAM) provides Windows ELAM functionality. This also includes the Service and Process protection driver. |
MBAMFarflt | C:\windows\system32\drivers\farflt.sys | The Anti-Ransomware Driver provides ransomware behavior protection. |
MBAMProtection | C:\windows\system32\drivers\mbam.sys | The Real-Time Protection Driver provides real-time threat protection. |
MBAMSwissArmy | C:\windows\system32\drivers\mbamswissarmy.sys | The Swiss Army Driver provides specialized threat detection and remediation functionality for rootkits and other similar malware. |
MBAMWebProtection | C:\windows\system32\drivers\mwac.sys | The Web Access Control Driver provides malicious web traffic protection. |
ESProtectionDriver | C:\windows\system32\drivers\mbae64.sys, C:\windows\system32\drivers\mbae.sys | The Anti-Exploit Driver provides exploit behavior protection. |
FlightRecorder | C:\windows\system32\drivers\FlightRecorder.sys | The Flight Recorder provides Suspicious Activity Monitoring, Ransomware Rollback, Endpoint Isolation, and Active Response Shell functionality. |
mbdnsfilter | C:\windows\system32\drivers\mbdnsfilter.sys | The DNS Filter Driver provides DNS Filtering functionality. |
Processes
The following table lists the common processes that run on a Windows endpoint:
Path | Description |
C:\Program Files\Malwarebytes Endpoint Agent\ConfigurationRecoveryTool.exe | The utility for recovering a corrupted Endpoint Agent Configuration file. |
C:\Program Files\Malwarebytes Endpoint Agent\MBCloudEA.exe | Provides the Endpoint Agent Service, Endpoint Agent Engine, plugin framework, and communication to OneView. |
C:\Program Files\Malwarebytes Endpoint Agent\Plugins\Active Response Shell\x64\ARSLauncher.exe, C:\Program Files\Malwarebytes Endpoint Agent\Plugins\Active Response Shell\Win32\ARSLauncher.exe | Provides Active Response Shell functionality. |
C:\Program Files\Malwarebytes Endpoint Agent\Plugins\Active Response Shell\x64\Timeliner.exe, C:\Program Files\Malwarebytes Endpoint Agent\Plugins\Active Response Shell\Win32\Timeliner.exe | Provides access to Forensic Timeliner capabilities in Active Response Shell. |
C:\Program Files\Malwarebytes Endpoint Agent\Plugins\Asset Manager\Malwarebytes.AssetPro.Launcher.exe | Hosts and executes the OPSWAT OESIS SDK for performing advanced asset scans, installing 3rd party software updates, and applying operating system patches. |
C:\Program Files\Malwarebytes Endpoint Agent\ServiceMonitor\EAServiceMonitor.exe | Provides the Endpoint Agent Service Monitor Service. |
C:\Program Files\Malwarebytes Endpoint Agent\Services\AssetPro\native\wa_3rd_party_host_64.exe, C:\Program Files\Malwarebytes Endpoint Agent\Services\AssetPro\native\wa_3rd_party_host_32.exe | The host process for the OPSWAT OESIS SDK used by Vulnerability Assessment and Patch Management. |
C:\Program Files\Malwarebytes Endpoint Agent\Services\DNSProxy\dnscrypt-proxy.exe | The proxy server that sends DNS requests using DNS over HTTPS for DNS Filtering functionality. |
C:\Program Files\Malwarebytes Endpoint Agent\UserAgent\EACmd.exe | The command-line utility for managing specific tasks of the Endpoint Agent. |
C:\Program Files\Malwarebytes Endpoint Agent\UserAgent\Endpoint Agent Tray.exe | Provides the Endpoint Agent Tray. |
C:\Program Files\Malwarebytes\Anti-Malware\MbamPt.exe | Provides functionality for Real-Time Protection. |
C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe | Provides the Malwarebytes Service process and the protection layers and scanning engine of Endpoint Protection and Incident Response. |
C:\Program Files\Malwarebytes\Anti-Malware\MBAMWsc.exe | Provides products with functionality to interact with Windows Security Center. |
C:\Program Files\Malwarebytes\Anti-Malware\ig.exe | Provides Endpoint Protection and Incident Response with advanced threat detection and remediation capabilities. |
C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe | Provides the Malwarebytes Installer Service and installation functionality for new versions of Endpoint Protection and Incident Response. |
Plugins
The following table lists the plugins and their associated DLL file on a Windows endpoint:
Name | Path | Description |
Asset Manager | C:\Program Files\Malwarebytes Endpoint Agent\Plugins\Asset Manager\EAAssetMgmtPlugin.dll | Enables the Asset Manager for hardware and software asset inventory. |
Asset Manager Pro | C:\Program Files\Malwarebytes Endpoint Agent\Plugins\Asset Manager\Malwarebytes.AssetPro.dll | Enables the Asset Manager Pro and the OPSWAT OESIS SDK for Vulnerability Assessment and Patch Management features. |
Endpoint Protection (EP, MBAM Plugin, NCEP Plugin) | C:\Program Files\Malwarebytes Endpoint Agent\Plugins\Endpoint Protection\EAMBAMPlugin.dll | Enables the following features: |
DNS Content Filtering | C:\Program Files\Malwarebytes Endpoint Agent\Plugins\DNS Content Filtering\DNSFilterPlugin.dll | Enables the DNS Filtering feature powered by Cloudflare. |
Endpoint Detection and Response (EDR) | C:\Program Files\Malwarebytes Endpoint Agent\Plugins\Endpoint Detection and Response\EDRPlugin.dll | Enables the following EDR features: |
Active Response Shell (ARS) | C:\Program Files\Malwarebytes Endpoint Agent\Plugins\Active Response Shell\ARSPlugin.dll | Enables the following Active Response Shell features in EDR: |
Windows Remote Intrusion Detection and Prevention / Brute Force Protection (BFP) | C:\Program Files\Malwarebytes Endpoint Agent\Plugins\Windows Remote Intrusion Detection and Prevention\BFPPlugin.dll | Enables Brute Force Protection to prevent brute force attacks over common remote communication protocols. |
Security Information and Event Management (SIEM) | C:\Program Files\Malwarebytes Endpoint Agent\Plugins\SIEM\SIEMPlugin.dll | Enables reporting and communication for detection events to a configured Syslog server. |
Mac
Directories
The following directories contain files utilized by the Endpoint Agent and its plugins on a Mac endpoint:
Path | Description |
/Library/Application Support/Malwarebytes/Malwarebytes Endpoint Agent | Application files for the Endpoint Agent and component plugins. |
/Library/Application Support/Malwarebytes/NCEP | Application files used by Endpoint Protection (NCEP Mac SDK). |
/Users/USERNAME/Library/Application Support/Malwarebytes | User-specific application data for the Endpoint User Agent. |
/Library/Application Support/Malwarebytes/Malwarebytes Endpoint Agent/Plugins | Folder where plugins reside. |
Daemons
The following table lists the daemons or system processes that run on a Mac endpoint:
Path | Description |
/Library/Application Support/Malwarebytes/Malwarebytes Endpoint Agent/EndpointAgentDaemon.app/ | The Endpoint Agent Daemon provides the Endpoint Agent Engine, plugin framework, and communication to OneView. |
/Library/Application Support/ | The NCEP Real-Time Protection Daemon provides the protection layers and scanning engine of Endpoint Protection and Incident Response. |
/Library/Application Support/ | The NCEP Settings Daemon provides functionality used by Endpoint Protection and Incident Response. |
Agents
The following table lists the agents (or users) that run on a Mac endpoint:
Path | Description |
/Library/Application Support/ | Provides user-level and UI capabilities of the Endpoint Agent. |
/Library/Application Support/ | Provides user-level capabilities of NCEP used by Endpoint Protection and Incident Response. |
Network Extensions
The following table lists the network extensions that run on a Mac endpoint:
Path | Description |
/Library/SystemExtensions/[System-Derived-ID]/ | Network Extension required to provide Endpoint Detection & Response functionality on Mac. |
/Library/SystemExtensions/[System-Derived-ID]/com.malwarebytes.dns-proxy.ext | Network Extension that provides system-wide DNS configuration required to enable DNS filtering functionality on Mac. |
/Library/SystemExtensions/[System-Derived-ID]/com.malwarebytes.ncep.engine.sys.ext | Network Extension to provide Web Access Control functionality on Mac. |
Processes
The following table lists common processes that run on a Mac endpoint:
Path | Description |
/Library/Application Support/ | The Endpoint Agent Daemon provides the Endpoint Agent Engine, plugin framework, and communication to OneView. |
/Library/Application Support/ | The NCEP Real-Time Protection Daemon provides the protection layers and scanning engine of Endpoint Protection and Incident Response. |
/Library/Application Support/ | The NCEP Settings Daemon provides functionality used by Endpoint Protection and Incident Response. |
/Library/Application Support/ | Provides user-level and UI capabilities of the Endpoint Agent. |
/Library/Application Support/ | Provides user-level capabilities of NCEP used by Endpoint Protection and Incident Response. |
/Library/SystemExtensions/[System-Derived-ID]/com.malwarebytes.ncep.engine.sys.ext.systemextension/Contents/MacOS/com.malwarebytes.ncep.engine.sys.ext | System service process running EDR Network extension. |
/Library/SystemExtensions/[System-Derived-ID]/com.malwarebytes.dns-proxy.ext.systemextension/Contents/MacOS/com.malwarebytes.dns-proxy.ext | System service process running DNS Network Extension. |
/Library/SystemExtensions/[System-Derived-ID]/com.malwarebytes.ncep.engine.sys.ext.systemextension/Contents/MacOS/com.malwarebytes.ncep.engine.sys.ext | System service process running Web Access Control Network Extension. |
Plugins
The following table lists the Plugins that the Endpoint Agent utilizes on a Mac endpoint for product functionality:
Name | Path | Description |
Asset Manager | /Library/Application Support/ | Enables the Asset Manager for hardware and software asset inventory and the OPSWAT OESIS SDK for Vulnerability Assessment and Patch Management features. |
Endpoint Protection | /Library/Application Support/ | Enables the following features: |
Endpoint Detection and Response | /Library/Application Support/ | Enables the following EDR features: |
DNS Filtering | /Library/Application Support/Malwarebytes/Malwarebytes Endpoint Agent/PlugIns/epa.mac.plugin.dnsfilter.plugin | Enables DoH for DNS Filtering functionality. |
DNSProxy Hosting App | /Applications/.EAMacDNSProxy/DNSProxy.app/ | An application that contains and manages our Network Extension for DNS. |
Linux
Directories
The following directories contain files utilized by the Endpoint Agent and its plugins on a Linux endpoint:
Path | Description |
/usr/bin/ | Default Linux system folder for executables and the home of the core processes and executables for Linux endpoints. |
/usr/share/mblinux/ | Global application data store for Linux. |
/etc/mblinux | Global configuration data store for Linux endpoints. |
/var/lib/mblinux/ | Stores the quarantine and inter-process communication socket used by Linux endpoints. |
/var/log/ | Default Linux system folder for logs, including Linux endpoint logs. |
Daemons
The following table lists the daemons or system processes that run on a Linux endpoint:
Name | Path | Description |
mbdaemon | /usr/bin/mbdaemon | The Endpoint Agent Daemon provides the Endpoint Agent Engine, plugin framework, and communication to OneView. |
Kernel modules (Drivers)
The following table lists the Kernel Modules or drivers that run on a Linux endpoint:
Name | Install on-demand | Path | Description |
mbedr_drv | yes | | The EDR Driver provides Endpoint Detection & Response functionality on Linux. |
Processes
The following table lists common processes that run on a Linux endpoint:
Path | Description |
/usr/bin/mbdaemon | The Endpoint Agent Daemon provides the Endpoint Agent Engine, plugin framework, and communication to OneView. |
/usr/bin/mblinux | This process hosts a command-line interface for interacting with and configuring Linux endpoints. |
/usr/share/mblinux/plugins/ | This process hosts the Endpoint Detection and Response Plugin. |
Plugins
The following table lists the Plugins that the Endpoint Agent utilizes on a Linux endpoint for product functionality:
Name | Path | Description |
Endpoint Protection | /usr/bin/mbdaemon | Enables the following features: |
Endpoint Detection and Response | /usr/share/mblinux/plugins/ | Enables the following EDR features: |