How to deploy Barracuda Malware Removal Tool aka Malwarebytes?

Barracuda_Logo

In previous parts of my deployment how to’s I talked about deploying 7-Zip 9.20 and VLC Media Player 2.0.4 so if you haven’t seen that yet go and check it out.

In today’s post I wanted to share my deployment scripts for Barracuda Malware Removal Tool also known as re-skinned version of Malwarebytes. Barracuda Malware Removal Tool is part of Barracuda Web Filter Vx family of appliances so its a really good idea to take advantage of the software and deploy it out in your organisation.

First script is the Install.bat script which takes care of:

  • Adding EventViewer entry at the start/end of the deployment
  • Removing previous versions of Barracuda Malware Removal Tool or Malwarebytes’ Anti-Malware
  • Deploying Barracuda Malware Removal Tool 1.46 (change the .exe name as appropriate)
  • Silently updating database definitions
  • Note: You can push the script below to x86 as well as x64 architectures.

    Second script is the Scan.bat script which takes care of:

  • Adding EventViewer entry at the start/end of the deployment
  • Pretty much everything that the first script is looking after
  • Running a full (silent) scan on the machine(s), removing any threats found and logging all activity to the log file
  • Note: If you need your machines to reboot add -reboot to the command line but I would strongly suggest use of maintenance windows here instead of rebooting machines as they finish scanning. Machines will only bounce if threats are found.

    Here is some very useful info from the Malwarebytes forums on almost all available command line options.

    Malwarebytes’ Anti-Malware supports a variety of command line parameters, which can be used from either a command prompt, batch file or script. (Note: some of these parameters are available in the PRO version only.)

    mbam.exe

    (where parameters is one or more of the following)

    /errorsilent: suppresses all critical errors and writes the last error to \mbam-error.txt where is the hard drive where Windows is installed, also known as the System Drive.

    Example:

    mbam.exe /errorsilent will suppress all errors when the program is running.
    /proxy : allows the user to update through a proxy server. Leave blank to remove any proxy settings previously set.

    Examples:

    mbam.exe /proxy will remove the proxy settings.
    mbam.exe /proxy proxy.com 80 will use proxy.com on port 80 with no credentials.
    mbam.exe /proxy proxy.com 80 admin password will use proxy.com with the specified credentials.
    /logtofolder: allows the user to save all log files to the specified folder. If this folder does not exist, Malwarebytes’ Anti-Malware attempts to create it. If the path is blank, changes are reverted to default settings. These logs do not show up on the Logs tab.

    Example:

    mbam.exe /logtofolder C:\mbam_log_files will save all future log files to the location C:\mbam_log_files.

    Note: Protection logs created by the protection module will always be saved to the same location
    /logtofile: allows the user to save all log files to the specified file. If this file does not exist, Malwarebytes’ Anti-Malware attempts to create it. Newest entries are appended to top of the file. If the path is blank, changes are reverted to default settings. This log does not show up on the Logs tab.

    Example:

    mbam.exe /logtofile C:\mbam_log_files\mbam-log.txt will save all future log files to the location C:\mbam_log_files\mbam-log.txt.

    Limitations: The path, in the above case C:\mbam_log_files, must exist. This option will not create folders if they don’t exist, only the log file.

    Note: Protection logs created by the protection module will always be saved to the same location
    /debug: allows the user to collect information to send as a bug report.

    Examples:

    mbam.exe /debug will bring up a prompt to save the debug file.
    mbam.exe /debug -silent will save debug file silently to \mbam-info.txt where is the hard drive where Windows is installed, also known as the System Drive.
    /register: allows the user to register the program without displaying the main dialog box.

    Examples:

    mbam.exe /register 12345-67890 AAAA-BBBB-CCCC-DDDD will register the product using the license key passed in the parameters.

    Limitations: Protection must be enabled using the program user interface if it is to be enabled before the system restarts.
    /developer: this command line parameter is used to execute the program in developer mode and will create a log with encrypted information on items detected in a scan. It is used for reporting false positives and allows the researchers to determine why an item is being detected. Example: mbam.exe /developer will start the program with detailed detection information.

    Note: When reporting a false positive, please be sure to use the /developer switch and provide the resulting log to the researchers.
    /update: allows the user to update the product and database.

    Examples:

    mbam.exe /update will attempt to update the database or program, depending on settings.
    mbam.exe /update -silent will attempt to update the database or program silently.
    /scan < optional -terminate>: initiates a scan with the selected options.

    Parameters:

    -quick: initiates a quick scan.
    -full: initiates a full scan using saved drives in the registry.
    -flash: initiates a flash scan of memory and heuristics only.
    -terminate: closes the program after a scan completes and no threats were found (cannot be used with -silent). If an item is detected, the program remains open so that the user can decide whether or not to remove the detected threat(s).
    -log: overrides the save log checkmark on the settings tab. If the Automatically save log after scan completes option is unchecked, a log file will still be saved when the -log parameter is used.
    -silent: hides the GUI while scanning (does not need to be used with -terminate).
    -reboot: reboots the computer if necessary, only valid if -silent is used.
    -remove: automatically removes threats and saves a log file. Unless -silent is specified, GUI stays open.

    Examples:

    mbam.exe /scan will run a default scan.
    mbam.exe /scan -full will run a full scan.
    mbam.exe /scan -flash -terminate will run a flash scan and terminate if no objects are detected.
    mbam.exe /scan -quick -log -silent -remove -reboot will run a quick scan silently, save logs, automatically remove threats, and reboot if necessary.

    Limitations:

    -terminate parameter cannot be used with the -silent parameter since the program will automatically terminate when the -silent parameter is used.
    -reboot parameter is only valid if used with the -silent parameter.
    /schedule: these items allow the user to choose the frequency for the scheduled update or scan to occur:: this item allows the user to set the time for the scheduled scan or update to start.
    For /realtime omit this – the current time is assumed.
    For /random – this item selects a random time to set the scheduled scan or update to occur. /random may only be used with /hourly or /daily and randomizes the Hour and Minute or Hour and Minute and Second respectively: may be used with a scan or an update. Malwarebytes’ Anti-Malware will attempt to wake the computer from sleep to perform the scheduled scan or update.

    Limitations: Not supported with /onreboot for scans or /realtime or /onreboot for updates.Note: only used with /update>

    Examples:

    /schedule /scan -quick -remove -terminate -log /daily /starting 08/10/2010 23:00:00 /every 1 /silent /wakefromsleep will schedule silent daily Quick Scan starting on August 10th, 2010 at 11:00PM that will repeat every 1 day, remove threats, reboot if necessary, force the creation of a scan log and will attempt to wake the computer from sleep to perform the scan.
    /schedule /update /flash /realtime /every 5 will schedule an update to occur in real-time once every 5 minutes and set a Flash Scan to occur after each successful update.
    /unschedule.

    Note: You can remove individual scans or updates by not including the /all switch and specifying the exact switches used to create the scan or update

    /all removes all scheduled scans and updates.
    /all -update removes all scheduled updates.
    /all -scan removes all scheduled scans.

    Examples:

    /unschedule /scan -quick -remove -terminate -log /daily /starting 08/10/2010 23:00:00 /every 1 /silent will delete a scheduled silent daily Quick Scan that was set to start on August 10th, 2010 at 11:00PM that was set to repeat every 1 day, remove threats, reboot if necessary, and force the creation of a scan log.
    /unschedule /update /flash /realtime /every 5 will delete a scheduled update that was to occur in real-time once every 5 minutes and with a Flash Scan set to occur after each successful update.

    Leave a Reply