Some Nebula actions may be performed by command line to help with custom scripting or automation by software deployment and remote monitoring and management (RMM) tools.
The Endpoint Agent Command-line tool, EACmd, is a Windows™ application created to communicate with the Endpoint Agent service. This article covers suggested methods of using EACmd in your scripts or deployment methods.
EACmd works with the Endpoint Agent using the same communication method as the Endpoint Agent Tray program.
- You must open CMD as an administrator and change the directory to: C:\Program Files\Malwarebytes Endpoint Agent\UserAgent\
- Once ready, use the following executable to leverage commands for the endpoint agent: EACmd.exe.
- If an uninstall password is enabled in the endpoint's policy, you will be prompted for the password for certain commands. Refer to the table below to see which commands require the Tamper Protection password. If you forgot the uninstall password, see Tamper protection policy segttings in Nebula
EACmd command list
Command Option | Purpose | Requires Tamper Protection? |
-loglevel=VALUE | The level of logging to set the service. Valid values are Debug and Info. | No |
-assetscan | Runs an asset scan on the endpoint. | No |
-d, -diag | Collect a diagnostic log for the Endpoint Agent service. | No |
-output=VALUE | Sets the output folder for diagnostic logs. The default folder is the Desktop. | No |
-debug | Set the level of logging to debug for the program. | No |
-refreshagentinfo | Update the agent information for the endpoint. This will immediately post the information to the cloud console. | No |
-updateprotection | Manually retrieves freshest rules from the console and updates the protection service. | No |
-updatesoftware | Manually checks for software and definitions update and if one exists, it is downloaded then installed (or paused) based on policy settings. For Patch Management customers, this command also updates supported third-party applications. | No |
-versions | Displays version information for all Endpoint Agent components and plugins. | No |
-runpendingsoftwareupdate | Manually checks for pending software updates and if one exists, it is installed regardless of policy settings. | No |
-h, -help | Display a usage message for the EACmd program with all of the options. | No |
-syncnow | Forces a sync with the Nebula cloud platform. | No |
-testconnections | Tests connection to a list of. See detailed description below. | No |
-certcheck=VALUE | Check if file passes signature check. | No |
-getmachineids | Displays the current Account ID, Machine ID, and Nebula Machine ID of the endpoint. Note: If values are null/empty, then the Endpoint Agent is not registered with the console. | No |
-resetmachineids | Generates a new Machine ID and Nebula Machine ID. Administrative privileges required. | Yes |
-verifyaccounttoken=VALUE | Checks if the supplied account token matches the currently stored account token, returning 0 if matched. Note: This can be used in scripting to check if an endpoint is associated to the correct account. | No |
-changeaccounttoken=VALUE | Changes the current account token and forces this single endpoint register as a new endpoint in the default Group in a different Nebula Console or OneView Site. See Move an endpoint between Nebula accounts or OneView sites for more detail. Administrative privileges required. | Yes |
-proxy.server=VALUE | Changes the current proxy server address. Administrative privileges required. | Yes |
-proxy.bypassOnLocal=VALUE | Enable or disable bypass proxy. Administrative privileges required. | Yes |
-proxy.port=VALUE | Changes the current proxy port number. Administrative privileges required. | Yes |
-proxy.user=VALUE | Changes the current proxy username. Administrative privileges required. | Yes |
-proxy.password=VALUE | Changes the current proxy password. Administrative privileges required. Note: The proxy password is encrypted when stored at the endpoint. | Yes |
-proxy.clear | Clear all proxy settings. Administrative privileges required. | Yes |
-threatScan | Performs a Threat Scan unless Allow Users to run a threat scan is disabled in the policy. | No |
-ContextScan=VALUE | Performs a scan on the directories listed in the target file. The value should be a simple text file that contains the full paths to directories or files to scan on separate lines. | No |
-startmbamservice | Start the Malwarebytes Service. Administrative privileges required. | No |
-stopmbamservice | Stop the Malwarebytes Service. Administrative privileges required. | Yes |
-TamperProtectionEnabled | Check to see if a Tamper Protection password is enabled on the endpoint. Administrative privileges required. | No |
-TamperProtectionPassword=VALUE | Use in conjunction with commands that require the tamper protection password. Indicate the tamper protection password, instead of being prompted for it. | No |
Check for Protection Updates via command line (Windows)
This command performs an immediate check for Protection Updates. It is identical to performing a Protection Updates check from the Endpoints screen in the console.
Scans perform this check before scanning. The Protection Updates check also ensures Real-Time Protection uses the most recent updates.
Syntax
"C:\Program Files\Malwarebytes Endpoint Agent\UserAgent\EACmd.exe" -updateprotection
Check for Software Updates via command-line (Windows)
This command performs an immediate check for updates to the software on the endpoint. It is identical to performing a Software Updates check from the Endpoints screen in the console.
Any manual check for Software Updates ignores the Pause Software Updates policy setting.
Syntax
"C:\Program Files\Malwarebytes Endpoint Agent\UserAgent\EACmd.exe" -updatesoftware
Get Nebula Machine ID via command-line (Windows)
This command displays the current Account ID, Machine ID, and Nebula Machine ID.
Syntax
"C:\Program Files\Malwarebytes Endpoint Agent\UserAgent\EACmd.exe" -getmachineids
Reset Nebula Machine ID via command-line (Windows)
This command generates a new Machine ID and Nebula Machine ID.
Use the command if the Endpoint Agent software was deployed improperly using a cloned Windows OS image.
To verify these changes, run the Get Nebula Machine ID command before and after running the Reset Nebula Machine ID command.
Note: If the endpoint is a virtual machine, verify the VM hardware profile has a unique UUID and is not a duplicate or clone.
Syntax
"C:\Program Files\Malwarebytes Endpoint Agent\UserAgent\EACmd.exe" -resetmachineids
Test connections
This command instructs the Endpoint Agent to test connections to a list of URLs.
For each URL tested, if ExpectedStatusCode matches the received StatusCode, the Result will be true (success). Otherwise false (failure) will be returned.
If any Result is false, the message Command complete: Network Test Failure (1232) - an error occurred during network testing displays.
Syntax
"C:\Program Files\Malwarebytes Endpoint Agent\UserAgent\EACmd.exe" -testconnections
Note:
- There may be individual, transient failures.
- If there are multiple or consistent failures, check Network access requirements and firewall settings for Nebula.