Issue
This article provides step-by-step troubleshooting for scenarios where a ThreatDown endpoint does not appear or has disappeared in the console. This can occur due to removal or deletion, service issues, installation failures, connectivity problems, certificate issues, or platform-specific quirks. The endpoint may still be protected locally, but console visibility and management are affected.
Before Starting:
- Ensure you have admin access to the console and the affected endpoint.
- Log in to the console and check Manage > Endpoints to confirm the device is missing.
- Note the endpoint's OS (Windows, macOS, Linux), agent version (if accessible locally), and any recent changes (e.g., network updates, OS patches).
Symptoms
- Endpoint is missing from the console after having been there previously
- Endpoint not showing in the console after a fresh install
Resolution
Work through the following tasks in order until the issue is resolved.
Task 1: Endpoint Removed Due to Inactivity or Deleted by Admin
Endpoints can auto-remove after prolonged inactivity or be manually deleted.
-
Check Activity Logs:
- Go to Manage > Activity Logs.
- Filter for the endpoint's hostname/MAC address and look for "Endpoint Removed" or "Endpoint Deleted" events.
- Note the reason (e.g., inactivity threshold met) and who performed the action (if manual deletion).
-
If Removed for Inactivity:
- The endpoint should automatically reappear with historical data once it reconnects.
- On the endpoint, verify network connectivity and agent status:
- Open services.msc (Windows) or equivalent (e.g., systemctl on Linux).
- Ensure the ThreatDown Endpoint Agent is Running.
- If not running: Right-click > Restart. If restart fails, skip to the next task.
- Test local functionality: Right-click the ThreatDown system tray icon (Windows) > Start Threat Scan.
- Force reconnection: Restart the endpoint or agent service.
-
If Deleted by Admin:
- Deletion is irreversible; historical data is lost.
- Reinstall the agent
Task 2: Services Aren't Started
The agent services may have stopped, preventing console communication.
-
Check System Tray Icon and Local Scan:
- Look for the ThreatDown icon in the system tray (Windows) or menu bar (Mac).
- If present, right-click > Start Threat Scan to test.
- If icon is missing: Manually launch it from C:\Program Files\Malwarebytes Endpoint Agent\UserAgent\EATray.exe (Windows; adjust path if custom install).
-
Verify Services:
- Open services.msc (Windows).
- Check for:
- Malwarebytes Endpoint Agent Monitor
- Malwarebytes Service
- ThreatDown Endpoint Agent
- All should be Running and set to Automatic startup.
-
Restart Services:
- If any are stopped: Right-click > Start.
- If a restart fails, skip to the next task.
Task 3: Services Are Missing (e.g., Failed Installation)
Common after new installs where only partial services appear.
- Check Installation Logs:
- Navigate to the log folder for the appropriate operating system:
- Windows: C:\ProgramData\Malwarebytes Endpoint Agent\Logs\EndpointAgent.txt
-
macOS:
- /var/log/install.log
- /var/log/com.malwarebytes.EndpointAgent.log
- Linux: /var/log/mbdaemon.log
- Look for errors related to installation failures.
- Navigate to the log folder for the appropriate operating system:
- Verify Installation Issues:
- Potential causes: Blocked network access, outdated certificates, or modified installer files (especially Mac .pkg).
- Test connectivity:
- Windows: Use Endpoint Agent Command-line tool: "C:\Program Files\Malwarebytes Endpoint Agent\UserAgent\EACmd.exe" -testconnections.
- Linux: Use Linux commands (e.g., sudo /opt/malwarebytes/bin/ea-cli test-connections).
- Review output for failed URLs. If failures, update firewall/proxy to allow ThreatDown domains see Network Access Requirements article.
- Reinstall if Needed.
Task 4: Certificates Out of Date
Outdated Windows certificates can block secure communication.
- Check and update certificates on the endpoint.
- Run Windows Update to fetch latest root certificates.
- If issues persist: Manually import/update via certmgr.msc or see Windows endpoint certificates are outdated
Task 5: macOS-Specific Issues
Mac endpoints require specific handling.
- Verify the installation .pkg was unmodified (no renaming).
- If deployed with a Mobile Device Management (MDM) tool, the MDM may automatically rename the package. Ensure that is not happening.
- Re-download from the console and reinstall.
- Ensure Full Disk Access and other permissions are granted in System Preferences > Security & Privacy.
Additional Possible Causes
- Communication Blocked: Often overlaps with network access—ensure firewall allows all required URLs/ports (covered in Network Access Requirements).
- Registration Failed: Agent starts but fails to register (e.g., due to proxy issues or errors). Check logs for registration errors and test connections as above.
- Shared Machine ID: If cloning images without Sysprep, multiple endpoints may share IDs, causing visibility cycling. Prepare images properly. See Prepare an image in Sysprep for endpoint agent
Escalate If Issue Persists
If the endpoint remains missing after troubleshooting:
- Collect diagnostic logs
- Open a support ticket
- Provide: Logs, test connection output, OS/agent details, affected endpoint count, reproduction steps.