Skip to main content

Endpoints not syncing with Nebula

Updated: 

Issue

Tasks issued from Nebula aren't being performed on the endpoint, and block events on the endpoint aren't reported to the console.

To identify affected endpoints, use the Last synced 7+ days ago filter on the Endpoints page, check the Last Synced column, or look for expired commands on the Tasks page.

Causes

  • Temporary network instability or interruptions
  • Firewall or proxy blocking required ThreatDown domains or ports
  • Endpoint Agent service issues (e.g., MBEndpointAgent not running or restarting unexpectedly)
  • Agent bugs, certificate issues, or high-latency connections

Resolution

Work through the following tasks in order until the issue is resolved.

Task 1: Basic Checks on the Endpoint

  1. Confirm the Endpoint Agent service is running (Windows):
    1. Open services.msc.
    2. Locate ThreatDown Endpoint Agent and confirm the status is Running.
    3. If stopped, right-click and select Start.
    4. If the service won't start or stops again, restart the machine or check Event Viewer for errors.
  2. Test connectivity from the endpoint:
    1. Open Command Prompt as Administrator.
    2. Run the following command:
      • "C:\Program Files\Malwarebytes Endpoint Agent\UserAgent\EACmd.exe" -testconnections > connections.txt
  3. Review the output for successful connections to ThreatDown servers (e.g., machines.threatdown.com).
  4. Force a sync:
    1. In the console, go to Endpoints > select the affected endpoint(s).
    2. Click Actions > Check for Protection Updates. This triggers an immediate poll and may help re-establish the WebSocket connection.

Task 2: Check Network and Firewall Requirements

Most sync issues are caused by blocked outbound communication.

  1. Confirm the endpoint can reach ThreatDown's required domains and ports (primarily HTTPS/TCP 443). See Network access requirements and firewall settings for Nebula.
  2. If using a proxy, configure it in the agent settings or system-wide, and whitelist ThreatDown domains in your proxy or firewall rules.
  3. Test basic connectivity by running a ping, nslookup, or browser test against the required domains (e.g., https://detect.threatdown.com).

Task 3: Enable Health Monitoring

  1. Check the policies for the affected endpoints.
  2. Enable Service health monitoring in the Endpoint Agent policy settings.

Task 4: Escalate to Support

If the endpoint is still not syncing, contact ThreatDown Support with the following information:

  • Diagnostic logs
  • Output from the -testconnections command
  • Affected endpoint details (hostname, OS, agent version)
  • Network environment details (proxy, VPN, firewall vendor)
  • Any recent changes (updates, network configuration changes)

Still have questions?

Support is available via chat, phone or by creating a ticket. You can also use our virtual assistant for guided assistance.

Learn more